author | Andreas Schneider <asn@samba.org> | 2022-03-24 13:04:54 +1300 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2022-03-25 20:58:33 +0000 |
commit | 6a125b0ac9fc5b9845a58e6ae4a17263de8396b4 (patch) | |
tree | 7879b4a9c6b7b915839d7981e8d0790722cd932b /testprogs/blackbox/test_pkinit_simple.sh | |
parent | c27f17df379e7c38975f93e3a919516d5b0a07fe (diff) | |
download | samba-6a125b0ac9fc5b9845a58e6ae4a17263de8396b4.tar.gz |
testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
There is no need to specify the enctype and it isn't supported with MIT
Kerberos.
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'testprogs/blackbox/test_pkinit_simple.sh')
-rwxr-xr-x | testprogs/blackbox/test_pkinit_simple.sh | 232 |
1 files changed, 131 insertions, 101 deletions
diff --git a/testprogs/blackbox/test_pkinit_simple.sh b/testprogs/blackbox/test_pkinit_simple.sh index f5465071e04..c63d1da37fe 100755 --- a/testprogs/blackbox/test_pkinit_simple.sh +++ b/testprogs/blackbox/test_pkinit_simple.sh @@ -1,11 +1,13 @@ #!/bin/sh # Blackbox tests for kinit and kerberos integration with smbclient etc +# # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) 2022 Andreas Schneider <asn@samba.org> -if [ $# -lt 5 ]; then +if [ $# -lt 7 ]; then cat <<EOF -Usage: test_pkinit_simple.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLINET +Usage: test_pkinit_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLINET EOF exit 1 fi 
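Review bot: The usage text on the new side names `test_pkinit_mit.sh`, but the file being patched is `test_pkinit_simple.sh`, and the existing `SMBCLINET` typo is carried over into the new line. Someone who hits the argument check gets pointed at a script name that this diff does not show to exist. I would change the line to `Usage: test_pkinit_simple.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT`. The new guard `[ $# -lt 7 ]` does match the seven positional names listed.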
@@ -16,60 +18,57 @@ PASSWORD="${3}" REALM="${4}" DOMAIN="${5}" PREFIX="${6}" -smbclient="${8}" -shift 8 +smbclient="${7}" +shift 7 failed=0 -samba4bindir="$BINDIR" -samba4srcdir="$SRCDIR/source4" -samba4kinit_binary=kinit -if test -x $BINDIR/samba4kinit; then - samba4kinit_binary=$BINDIR/samba4kinit -fi - -samba_tool="$samba4bindir/samba-tool" -wbinfo="$samba4bindir/wbinfo" -samba4kpasswd=kpasswd -if test -x $BINDIR/samba4kpasswd; then - samba4passwd=$BINDIR/samba4kpasswd -fi - -ldbmodify="ldbmodify" -if [ -x "$samba4bindir/ldbmodify" ]; then - ldbmodify="$samba4bindir/ldbmodify" -fi +samba_bindir="${BINDIR}" -ldbsearch="ldbsearch" -if [ -x "$samba4bindir/ldbsearch" ]; then - ldbsearch="$samba4bindir/ldbsearch" +samba_kinit="$(command -v kinit)" +if [ -x "${samba_bindir}/samba4kinit" ]; then + samba_kinit="${samba_bindir}/samba4kinit" fi +samba_tool="${PYTHON} ${samba_bindir}/samba-tool" +wbinfo="${samba_bindir}/wbinfo" -. $(dirname $0)/subunit.sh -. $(dirname $0)/common_test_fns.inc +. "$(dirname "$0")"/subunit.sh +. 
"$(dirname "$0")"/common_test_fns.inc -unc="//$SERVER/tmp" +unc="//${SERVER}/tmp" KRB5CCNAME_PATH="$PREFIX/tmpccache" +rm -f "${KRB5CCNAME_PATH}" KRB5CCNAME="FILE:$KRB5CCNAME_PATH" -samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" export KRB5CCNAME -rm -f $KRB5CCNAME_PATH -PASSFILE_PATH="$PREFIX/tmppassfile" -rm -f $PASSFILE_PATH -echo $PASSWORD >$PASSFILE_PATH -USER_PRINCIPAL_NAME=$(echo "${USERNAME}@${REALM}" | tr A-Z a-z) -PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" +USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")" + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + X509_USER_IDENTITY="--pk-user=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="--renewable" + OPTION_RENEW_TICKET="--renew" + OPTION_ENTERPRISE_NAME="--enterprise" +else + # MIT + X509_USER_IDENTITY="-X X509_user_identity=FILE:${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,${PREFIX}/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" + OPTION_RENEWABLE="-r 1h" + OPTION_RENEW_TICKET="-R" + OPTION_ENTERPRISE_NAME="-E" +fi +OPTION_REQUEST_PAC="--request-pac" -# STEP1: +# STEP0: # Now we set the UF_SMARTCARD_REQUIRED bit # This means we have a normal enabled account *without* a known password -testit "STEP1 samba-tool user create $USERNAME --smartcard-required" \ - $PYTHON ${samba_tool} user create $USERNAME --smartcard-required || +testit "STEP0 samba-tool user create ${USERNAME} --smartcard-required" \ + "${samba_tool}" user create "${USERNAME}" --smartcard-required || failed=$((failed + 1)) testit_expect_failure "STEP1 kinit with password" \ - $samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM || + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || failed=$((failed + 
1)) testit_expect_failure "STEP1 Test login with NTLM" \ "${smbclient}" "${unc}" -c 'ls' "-U${USERNAME}%${PASSWORD}" || 
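Review bot: Several new variables hold two words but are passed double-quoted, so each reaches `testit` as a single argument: `samba_tool="${PYTHON} ${samba_bindir}/samba-tool"`, the MIT values `OPTION_RENEWABLE="-r 1h"` and `X509_USER_IDENTITY="-X X509_user_identity=FILE:..."`. This only works if `testit` in subunit.sh (not shown here) flattens its arguments and re-splits them, in which case the added quoting gives no protection against a `PREFIX` or `USERNAME` that contains whitespace. Either add a comment saying the call sites rely on that re-splitting, or keep one word per variable, e.g. `samba_tool="${samba_bindir}/samba-tool"` called as `"${PYTHON}" "${samba_tool}" user create ...`. Separately, `samba_kinit="$(command -v kinit)"` is empty when neither kinit nor samba4kinit is present, and the script then silently takes the MIT branch. A guard such as `[ -n "${samba_kinit}" ] || { echo "kinit not found" >&2; exit 1; }` after the `fi` would make that failure explicit.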
@@ -78,60 +77,72 @@ testit_expect_failure "STEP1 Test wbinfo with password" \ "${wbinfo}" "--authenticate=$DOMAIN/$USERNAME%$PASSWORD" || failed=$((failed + 1)) -testit "STEP1 kinit with pkinit (name specified) " \ - $samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM || +testit "STEP1 kinit with pkinit (name specified: ${USERNAME})" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || failed=$((failed + 1)) + testit "STEP1 kinit renew ticket (name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP1 Test login with kerberos ccache (name specified)" \ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) -testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " \ - $samba4kinit --request-pac --renewable $PKUSER not$USERNAME@$REALM || +# OK +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "not${USERNAME}@${REALM}" || failed=$((failed + 1)) -testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " \ - $samba4kinit --request-pac --renewable $PKUSER $SERVER@$REALM || +testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${SERVER}@${REALM}" || failed=$((failed + 1)) testit "STEP1 kinit with pkinit (enterprise name specified)" \ - $samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit "STEP1 kinit renew ticket (enterprise name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" 
"${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" \ 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) - -testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " \ - $samba4kinit --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "not${USERNAME}@${REALM}" || failed=$((failed + 1)) - -testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " \ - $samba4kinit --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || +testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${SERVER}@${REALM}" || failed=$((failed + 1)) testit "STEP1 kinit with pkinit (enterprise name in cert)" \ - $samba4kinit --request-pac --renewable $PKUSER --pk-enterprise || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || failed=$((failed + 1)) testit "STEP1 kinit renew ticket (enterprise name in cert)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" \ - 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) # STEP2: # We still have UF_SMARTCARD_REQUIRED, but with a known password -testit "STEP2 samba-tool user setpassword $USERNAME --newpassword" \ - $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD || 
+testit "STEP2 samba-tool user setpassword ${USERNAME} --newpassword" \ + "${samba_tool}" user setpassword "${USERNAME}" \ + --newpassword="${PASSWORD}" || failed=$((failed + 1)) testit_expect_failure "STEP2 kinit with password" \ - $samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM || + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || failed=$((failed + 1)) test_smbclient "STEP2 Test login with NTLM" \ 'ls' "$unc" -U"${USERNAME}%${PASSWORD}" || 
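Review bot: The "enterprise name in cert" cases no longer test what their names say. The removed lines passed `--pk-enterprise`, while the new ones pass `"${OPTION_ENTERPRISE_NAME}"` (`--enterprise` for Heimdal, `-E` for MIT) with no principal argument. Without a principal, kinit presumably falls back to a default, possibly the one in the ccache left by the preceding test, so a pass does not show that the name came from the certificate. The same substitution is repeated in the STEP2, STEP3, STEP4 and STEP5 hunks. If Heimdal coverage should be kept, define a separate variable next to the other Heimdal options, e.g. `OPTION_PK_ENTERPRISE="--pk-enterprise"`, and use it in these tests. If MIT has no equivalent, skip or rename the test there instead of reusing the enterprise flag.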
@@ -141,43 +152,49 @@ testit_expect_failure "STEP2 Test wbinfo with password" \ failed=$((failed + 1)) testit "STEP2 kinit with pkinit (name specified) " \ - $samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit "STEP2 kinit renew ticket (name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP2 Test login with kerberos ccache (name specified)" \ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) testit "STEP2 kinit with pkinit (enterprise name specified)" \ - $samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit "STEP2 kinit renew ticket (enterprise name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" \ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) testit "STEP2 kinit with pkinit (enterprise name in cert)" \ - $samba4kinit --request-pac --renewable $PKUSER --pk-enterprise || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || failed=$((failed + 1)) testit "STEP2 kinit renew ticket (enterprise name in cert)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" \ - 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || + 'ls' "$unc" 
--use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) # STEP3: # The account is a normal account without the UF_SMARTCARD_REQUIRED bit set -testit "STEP3 samba-tool user setpassword $USERNAME --smartcard-required" \ - $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD --clear-smartcard-required || +testit "STEP3 samba-tool user setpassword ${USERNAME} --clear-smartcard-required" \ + "${samba_tool}" user setpassword "${USERNAME}" \ + --newpassword="${PASSWORD}" --clear-smartcard-required || failed=$((failed + 1)) testit "STEP3 kinit with password" \ - $samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM || + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || failed=$((failed + 1)) test_smbclient "STEP3 Test login with user kerberos ccache" \ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || 
@@ -190,44 +207,49 @@ testit "STEP3 Test wbinfo with password" \ failed=$((failed + 1)) testit "STEP3 kinit with pkinit (name specified) " \ - $samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit "STEP3 kinit renew ticket (name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP3 Test login with kerberos ccache (name specified)" \ - 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) testit "STEP3 kinit with pkinit (enterprise name specified)" \ - $samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit "STEP3 kinit renew ticket (enterprise name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" \ - 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) testit "STEP3 kinit with pkinit (enterprise name in cert)" \ - $samba4kinit --request-pac --renewable $PKUSER --pk-enterprise || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || failed=$((failed + 1)) testit "STEP3 kinit renew ticket (enterprise name in cert)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in 
cert)" \ - 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) # STEP4: # Now we set the UF_SMARTCARD_REQUIRED bit # This means we have a normal enabled account *without* a known password testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" \ - $PYTHON ${samba_tool} user setpassword $USERNAME --smartcard-required || + "${samba_tool}" user setpassword "${USERNAME}" --smartcard-required || failed=$((failed + 1)) testit_expect_failure "STEP4 kinit with password" \ - $samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM || + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || failed=$((failed + 1)) testit_expect_failure "STEP4 Test login with NTLM" \ "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" || 
@@ -236,44 +258,49 @@ testit_expect_failure "STEP4 Test wbinfo with password" \ "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || failed=$((failed + 1)) -testit "STEP4 kinit with pkinit (name specified) " \ - $samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM || +testit "STEP4 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit "STEP4 kinit renew ticket (name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP4 Test login with kerberos ccache (name specified)" \ 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) testit "STEP4 kinit with pkinit (enterprise name specified)" \ - $samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit "STEP4 kinit renew ticket (enterprise name specified)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed + 1)) test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" \ - 'ls' "$unc" --use-krb5-ccache="${KRB5CCNAME}" || + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) testit "STEP4 kinit with pkinit (enterprise name in cert)" \ - $samba4kinit --request-pac --renewable $PKUSER --pk-enterprise || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || failed=$((failed + 1)) testit "STEP4 kinit renew ticket (enterprise name in cert)" \ - $samba4kinit --request-pac -R || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEW_TICKET}" || failed=$((failed 
+ 1)) test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" \ - 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || + 'ls' "${unc}" --use-krb5-ccache="${KRB5CCNAME}" || failed=$((failed + 1)) # STEP5: # disable the account testit "STEP5 samba-tool user disable $USERNAME" \ - $PYTHON ${samba_tool} user disable $USERNAME || + "${samba_tool}" user disable "${USERNAME}" || failed=$((failed + 1)) testit_expect_failure "STEP5 kinit with password" \ - $samba4kinit --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM || + kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \ + "${OPTION_REQUEST_PAC}" || failed=$((failed + 1)) testit_expect_failure "STEP5 Test login with NTLM" \ "${smbclient}" "${unc}" -c 'ls' -U"${USERNAME}%${PASSWORD}" || 
@@ -282,22 +309,25 @@ testit_expect_failure "STEP5 Test wbinfo with password" \ "${wbinfo}" --authenticate="${DOMAIN}/${USERNAME}%${PASSWORD}" || failed=$((failed + 1)) -testit_expect_failure "STEP5 kinit with pkinit (name specified) " \ - $samba4kinit --request-pac --renewable $PKUSER $USERNAME@$REALM || +testit_expect_failure "STEP5 kinit with pkinit (name specified)" \ + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" \ - $samba4kinit --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" \ + "${USERNAME}@${REALM}" || failed=$((failed + 1)) testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" \ - $samba4kinit --request-pac --renewable $PKUSER --pk-enterprise || + "${samba_kinit}" "${OPTION_REQUEST_PAC}" "${OPTION_RENEWABLE}" \ + "${X509_USER_IDENTITY}" "${OPTION_ENTERPRISE_NAME}" || failed=$((failed + 1)) # STEP6: # cleanup -testit "STEP6 samba-tool user delete $USERNAME " \ - $PYTHON ${samba_tool} user delete $USERNAME || +testit "STEP6 samba-tool user delete ${USERNAME}" \ + "${samba_tool}" user delete "${USERNAME}" || failed=$((failed + 1)) -rm -f $PASSFILE_PATH -rm -f $KRB5CCNAME_PATH -exit $failed +rm -f "${KRB5CCNAME_PATH}" +exit ${failed} |