diff options
author | Andreas Schneider <asn@samba.org> | 2023-03-15 13:14:16 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2023-04-06 13:45:35 +0000 |
commit | d9a9cb0396a819148b5e22154bee07dab1d1c0fa (patch) | |
tree | f6839499e63c397247cb46683f3202357a17ca51 /testprogs/blackbox | |
parent | deb9d1f65656057fc0d24a8418592e1c61e612e8 (diff) | |
download | samba-d9a9cb0396a819148b5e22154bee07dab1d1c0fa.tar.gz |
testprogs: Merge export keytab tests into a single script for MIT and Heimdal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15336
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'testprogs/blackbox')
-rwxr-xr-x | testprogs/blackbox/test_kinit_export_keytab.sh | 263 |
1 files changed, 263 insertions, 0 deletions
diff --git a/testprogs/blackbox/test_kinit_export_keytab.sh b/testprogs/blackbox/test_kinit_export_keytab.sh new file mode 100755 index 00000000000..25cdeed67ad --- /dev/null +++ b/testprogs/blackbox/test_kinit_export_keytab.sh @@ -0,0 +1,263 @@ +#!/bin/sh +# +# Blackbox tests for an exported keytab with kinit +# +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> +# Copyright (C) Andreas Schneider <asn@cryptomilk.org> + +if [ $# -lt 7 ]; then + cat <<EOF +Usage: test_extract_keytab.sh SERVER USERNAME REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +REALM=$3 +DOMAIN=$4 +PREFIX=$5 +smbclient=$6 +CONFIGURATION=${7} +shift 7 +failed=0 + +. "$(dirname "${0}")/subunit.sh" +. "$(dirname "${0}")/common_test_fns.inc" + +samba_bindir="${BINDIR}" +samba_tool="$samba_bindir/samba-tool" +samba_newuser="$samba_tool user create" +samba_ktutil="${BINDIR}/samba4ktutil" + +samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit) + +DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]') +SERVER_FQDN="${SERVER}.$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')" +SMBCLIENT_UNC="//${SERVER}/tmp" + +TEST_USER="$(mktemp -u keytabtest-XXXXXX)" +TEST_PASSWORD=testPaSS@01% + +EXPECTED_NKEYS=3 +# MIT +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" != "samba4kinit" ]; then + krb5_version="$(krb5-config --version | cut -d ' ' -f 4)" + krb5_major_version="$(echo "${krb5_version}" | awk -F. '{ print $1; }')" + krb5_minor_version="$(echo "${krb5_version}" | awk -F. '{ print $2; }')" + + # MIT Kerberos < 1.18 has support for DES keys + if [ "${krb5_major_version}" -eq 1 ] && [ "${krb5_minor_version}" -lt 18 ]; then + EXPECTED_NKEYS=5 + fi +fi # MIT + +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL + OPTION_RENEWABLE="--renewable" + OPTION_RENEW_TICKET="--renew" + OPTION_ENTERPRISE_NAME="--enterprise" + OPTION_CANONICALIZATION="" + OPTION_WINDOWS="--windows" + OPTION_SERVICE="-S" + OPTION_USE_KEYTAB="-k" + OPTION_KEYTAB_FILENAME="-t" + + KEYTAB_GREP="[aes|arcfour]" +else + # MIT + OPTION_RENEWABLE="-r 1h" + OPTION_RENEW_TICKET="-R" + OPTION_ENTERPRISE_NAME="-E" + OPTION_CANONICALIZATION="-C" + OPTION_WINDOWS="" + OPTION_SERVICE="-S" + OPTION_USE_KEYTAB="-k" + OPTION_KEYTAB_FILENAME="-t" + + KEYTAB_GREP="[DES|AES|ArcFour]" +fi + +test_keytab() +{ + testname="$1" + keytab="$2" + principal="$3" + expected_nkeys="$4" + + subunit_start_test "$testname" + + if [ ! -r "${keytab}" ]; then + echo "Could not read keytab: ${keytab}" | \ + subunit_fail_test "${testname}" + return 1 + fi + + output=$($VALGRIND "${samba_ktutil}" "${keytab}" 2>&1) + status=$? + if [ ${status} -ne 0 ]; then + echo "${output}" | subunit_fail_test "${testname}" + return $status + fi + + NKEYS=$(echo "${output}" | grep -i "${principal}" | \ + grep -c -e "${KEYTAB_GREP}") + if [ "${NKEYS}" -ne "${expected_nkeys}" ]; then + echo "Unexpected number of keys passed ${NKEYS} != ${expected_nkeys}" | \ + subunit_fail_test "${testname}" + return 1 + fi + + subunit_pass_test "${testname}" + return 0 +} + +testit "create local user ${TEST_USER}" \ + "${VALGRIND}" "${PYTHON}" "${samba_newuser}" "${TEST_USER}" "${TEST_PASSWORD}" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-all" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain" \ + "${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain (2nd time)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-all" "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain (2nd time)" \ + "${PREFIX}/tmpkeytab-all" "${SERVER}\\\$" "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for cifs service principal" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for cifs service principal" \ + "${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for cifs service principal (2nd time)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "$PREFIX/tmpkeytab-server" --principal="cifs/$SERVER_FQDN" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for cifs service principal (2nd time)" \ + "${PREFIX}/tmpkeytab-server" "cifs/${SERVER_FQDN}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for user principal" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-user-princ" --principal="${TEST_USER}" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for user principal" \ + "${PREFIX}/tmpkeytab-user-princ" "${TEST_USER}@${REALM}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for user principal (2nd time)" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-user-princ-2" --principal="${TEST_USER}@${REALM}" \ + "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for user principal (2nd time)" \ + "${PREFIX}/tmpkeytab-user-princ-2" "${TEST_USER}@${REALM}" \ + "${EXPECTED_NKEYS}" || \ + failed=$((failed + 1)) + +testit "dump keytab from domain for user principal with SPN as UPN" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain exportkeytab \ + "${PREFIX}/tmpkeytab-spn-upn" \ + --principal="http/testupnspn.${DNSDOMAIN}" "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +test_keytab "read keytab from domain for user principal with SPN as UPN" \ + "${PREFIX}/tmpkeytab-spn-upn" "http/testupnspn.${DNSDOMAIN}@${REALM}" \ + "${EXPECTED_NKEYS}" + +KRB5CCNAME_PATH="${PREFIX}/tmpuserccache" +KRB5CCNAME="FILE:${PREFIX}/tmpuserccache" +export KRB5CCNAME + +testit "kinit with keytab as user" \ + "${VALGRIND}" "${samba_kinit}" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \ + "${TEST_USER}@${REALM}" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +testit "kinit with keytab as user (one princ)" \ + "${VALGRIND}" "$samba_kinit" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-user-princ" \ + "${TEST_USER}@$REALM" || \ + failed=$((failed + 1)) + +test_smbclient "Test login with user kerberos ccache (one princ)" \ + "ls" "${SMBCLIENT_UNC}" --use-krb5-ccache="${KRB5CCNAME}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +KRB5CCNAME_PATH="${PREFIX}/tmpadminccache" +KRB5CCNAME="FILE:${PREFIX}/tmpadminccache" +export KRB5CCNAME + +testit "kinit with keytab as ${USERNAME}" \ + "${VALGRIND}" "${samba_kinit}" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-all" \ + "${USERNAME}@${REALM}" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" + +KRB5CCNAME_PATH="${PREFIX}/tmpserverccache" +KRB5CCNAME="FILE:${PREFIX}/tmpserverccache" +export KRB5CCNAME + +testit "kinit with SPN from keytab" \ + "${VALGRIND}" "${samba_kinit}" \ + "${OPTION_USE_KEYTAB}" \ + "${OPTION_KEYTAB_FILENAME}" "${PREFIX}/tmpkeytab-spn-upn" \ + "http/testupnspn.${DNSDOMAIN}" || \ + failed=$((failed + 1)) + +# cleanup +testit "delete user ${TEST_USER}" \ + "${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete "${TEST_USER}" \ + --use-krb5-ccache="${KRB5CCNAME}" "${CONFIGURATION}" "$@" || \ + failed=$((failed + 1)) + +rm -f "${KRB5CCNAME_PATH}" +rm -f "${PREFIX}/tmpadminccache" \ + "${PREFIX}/tmpuserccache" \ + "${PREFIX}/tmpkeytab" \ + "${PREFIX}/tmpkeytab-user-princ" \ + "${PREFIX}/tmpkeytab-user-princ-2" \ + "${PREFIX}/tmpkeytab-server" \ + "${PREFIX}/tmpkeytab-spn-upn" \ + "${PREFIX}/tmpkeytab-all" + +exit $failed |