if [ $# -lt 4 ]; then
cat <<EOF
-Usage: test_net.sh DC_SERVER DC_USERNAME DC_PASSWORD PREFIX_ABS
+Usage: test_net.sh DC_SERVER DC_USERNAME DC_PASSWORD BASEDIR
EOF
exit 1;
fi
testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
# Test with kerberos method = secrets and keytab
-dedicated_keytab_file="$PREFIX_ABS/test_net_ads_dedicated_krb5.keytab"
+dedicated_keytab_file="$BASEDIR/$WORKDIR/test_net_ads_dedicated_krb5.keytab"
testit "join (dedicated keytab)" $VALGRIND $net_tool ads join -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
testit "testjoin (dedicated keytab)" $VALGRIND $net_tool ads testjoin -P --use-kerberos=required || failed=`expr $failed + 1`
lc_realm=$(echo $REALM | tr '[:upper:]' '[:lower:]')
fqdn="$netbios.$lc_realm"
+testit_expect_failure "metze keytab.list.init" $VALGRIND $net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_expect_failure "metze spn.list.init" $VALGRIND $net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
krb_princ="primary/instance@$REALM"
testit "test (dedicated keytab) add a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab add $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
testit "test (dedicated keytab) at least one fully qualified krb5 principal that was added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
machinename="machine123"
-testit "test (dedicated keytab) add a kerberos prinicple created from machinename to keytab" $VALGRIND $net_tool ads keytab add $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit "test (dedicated keytab) add a kerberos principal created from machinename to keytab" $VALGRIND $net_tool ads keytab add $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
search_str="$machinename\$@$REALM"
found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
testit "test (dedicated keytab) at least one krb5 principal created from $machinename added is present in keytab" test $found -gt 1 || failed=`expr $failed + 1`
windows_spn="$spn_service/$spn_host/"
testit_expect_failure "test (dedicated keytab) fail to parse windows spn with missing servicename" $VALGRIND $net_tool ads keytab add $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_expect_failure "metze keytab.list.before" $VALGRIND $net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_expect_failure "metze spn.list.before" $VALGRIND $net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+#testit_expect_failure "metze list" $VALGRIND $net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file"
+#test: samba4.blackbox.net_ads.metze list(ad_dc:client)
+#time: 2022-10-27 11:25:19.908812Z
+#failure: samba4.blackbox.net_ads.metze list(ad_dc:client) [
+#Exception: Exception: Vno Type Principal
+# 1 aes256-cts-hmac-sha1-96 primary/instance@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 primary/instance@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 primary/instance@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 machine123$@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 machine123$@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 machine123$@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 nfs/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 nfs/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 nfs/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 nfs/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 nfs/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 nfs/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 random_srv/somehost.subdomain.domain@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 random_srv/somehost.subdomain.domain@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 random_srv/somehost.subdomain.domain@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 writetoad/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 writetoad/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 writetoad/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 writetoad/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 writetoad/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 writetoad/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 host/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 host/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 host/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 host/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 host/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 host/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 restrictedkrbhost/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 restrictedkrbhost/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 restrictedkrbhost/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 restrictedkrbhost/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 restrictedkrbhost/197972f406.addom.samba.example.com@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 restrictedkrbhost/197972F406@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes256-cts-hmac-sha1-96 197972F406$@ADDOM.SAMBA.EXAMPLE.COM
+# 1 aes128-cts-hmac-sha1-96 197972F406$@ADDOM.SAMBA.EXAMPLE.COM
+# 1 arcfour-hmac-md5 197972F406$@ADDOM.SAMBA.EXAMPLE.COM
+
+krb_princ="primary/instance@$REALM"
+testit "test (dedicated keytab) delete a fully qualified krb5 principal" $VALGRIND $net_tool ads keytab delete $krb_princ -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $krb_princ | wc -l`
+
+testit "test (dedicated keytab) fully qualified krb5 principal was deleted and is no longer present in keytab" test $found -eq 0 || failed=`expr $failed + 1`
+
+machinename="machine123"
+testit "test (dedicated keytab) delete a kerberos principle created from machinename from keytab" $VALGRIND $net_tool ads keytab delete $machinename'$' -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+search_str="$machinename\$@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) krb5 principal created from $machinename was deleted and is no longer present in keytab" test $found -eq 0 || failed=`expr $failed + 1`
+
+service="nfs"
+testit "test (dedicated keytab) delete a $service service to keytab" $VALGRIND $net_tool ads keytab delete $service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+search_str="$service"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) krb5 principal created from service was deleted and is no longer present in keytab" test $found -eq 0 || failed=`expr $failed + 1`
+
+spn_service="random_srv"
+spn_host="somehost.subdomain.domain"
+spn_port="12345"
+
+windows_spn="$spn_service/$spn_host"
+testit "test (dedicated keytab) delete a $windows_spn windows style SPN from keytab" $VALGRIND $net_tool ads keytab delete $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+search_str="$spn_service/$spn_host@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) krb5 principal created from windown SPN was deleted and is no longer present in keytab" test $found -eq 0 || failed=`expr $failed + 1`
+
+windows_spn="$spn_service/$spn_host:$spn_port"
+testit "test (dedicated keytab) delete a $windows_spn windows style SPN to keytab" $VALGRIND $net_tool ads keytab delete $windows_spn -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+search_str="$spn_service/$spn_host@$REALM"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) krb5 principal created from windown SPN (with port) was deleted and is no longer present in keytab" test $found -eq 0 || failed=`expr $failed + 1`
+
+# keytab add shouldn't have written spn to AD
+found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $service | wc -l)
+testit "test (dedicated keytab) spn is not written to AD (using keytab add)" test $found -eq 0 || failed=`expr $failed + 1`
+
+ad_service="writetoad"
+testit "test (dedicated keytab) delete a $ad_service service from keytab (used add_update_ads)" $VALGRIND $net_tool ads keytab delete $ad_service -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+
+search_str="$ad_service"
+found=`$net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" | grep $search_str | wc -l`
+testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads) was deleted and is no longer present in keytab" test $found -eq 0 || failed=`expr $failed + 1`
+# still in ad
+found=$($net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD | grep $ad_service | wc -l)
+testit "test (dedicated keytab) spn is written to AD (using keytab add_update_ads) is still in ad after deletion from keytab" test $found -eq 2 || failed=`expr $failed + 1`
+
+testit_expect_failure "metze keytab.list.after" $VALGRIND $net_tool ads keytab list -U$DC_USERNAME%$DC_PASSWORD --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
+testit_expect_failure "metze spn.list.after" $VALGRIND $net_tool ads setspn list -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
+
+echo "rm -rf $BASEDIR/$WORKDIR"
+
+exit $failed
+
testit "changetrustpw (dedicated keytab)" $VALGRIND $net_tool ads changetrustpw || failed=`expr $failed + 1`
testit "leave (dedicated keytab)" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1`
testit_grep "dns alias addl" $dns_alias2 $VALGRIND $net_tool ads search -P samaccountname=$netbios\$ msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
# Test binary msDS-AdditionalDnsHostName like ones added by Windows DC
-short_alias_file="$PREFIX_ABS/short_alias_file"
+short_alias_file="$BASEDIR/$WORKDIR/short_alias_file"
printf 'short_alias\0$' > $short_alias_file
-cat > $PREFIX_ABS/tmpldbmodify <<EOF
+cat > $BASEDIR/$WORKDIR/tmpldbmodify <<EOF
dn: CN=$HOSTNAME,$computers_dn
changetype: modify
add: msDS-AdditionalDnsHostName
msDS-AdditionalDnsHostName:< file://$short_alias_file
EOF
-testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $PREFIX_ABS/tmpldbmodify || failed=`expr $failed + 1`
+testit "add binary msDS-AdditionalDnsHostName" $VALGRIND $ldbmodify -k yes -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM $BASEDIR/$WORKDIR/tmpldbmodify || failed=`expr $failed + 1`
testit_grep "addl short alias" short_alias $ldbsearch --show-binary -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" msDS-AdditionalDnsHostName || failed=`expr $failed + 1`
-rm -f $PREFIX_ABS/tmpldbmodify $short_alias_file
+rm -f $BASEDIR/$WORKDIR/tmpldbmodify $short_alias_file
-dedicated_keytab_file="$PREFIX_ABS/test_dns_aliases_dedicated_krb5.keytab"
+dedicated_keytab_file="$BASEDIR/$WORKDIR/test_dns_aliases_dedicated_krb5.keytab"
testit "dns alias create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`
testit_grep "checkupn" "userPrincipalName: host/test-$HOSTNAME@$REALM" $ldbsearch -U$DC_USERNAME%$DC_PASSWORD -H ldap://$SERVER.$REALM --scope=base -b "CN=$HOSTNAME,CN=Computers,$base_dn" || failed=`expr $failed + 1`
-dedicated_keytab_file="$PREFIX_ABS/test_net_create_dedicated_krb5.keytab"
+dedicated_keytab_file="$BASEDIR/$WORKDIR/test_net_create_dedicated_krb5.keytab"
testit "create_keytab" $VALGRIND $net_tool ads keytab create --option="kerberosmethod=dedicatedkeytab" --option="dedicatedkeytabfile=$dedicated_keytab_file" || failed=`expr $failed + 1`