+++ /dev/null
-#!/bin/sh
-# Blackbox tests for kinit and kerberos integration with smbclient etc
-# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
-# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
-
-if [ $# -lt 8 ]; then
- cat <<EOF
-Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLIENT CONFIGURATION
-EOF
- exit 1
-fi
-
-SERVER=$1
-USERNAME=$2
-PASSWORD=$3
-REALM=$4
-DOMAIN=$5
-PREFIX=$6
-ENCTYPE=$7
-smbclient=$8
-CONFIGURATION=${9}
-shift 9
-failed=0
-
-. "$(dirname "${0}")/subunit.sh"
-. "$(dirname "${0}")/common_test_fns.inc"
-
-samba_bindir="$BINDIR"
-samba_srcdir="$SRCDIR/source4"
-samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
-samba_kpasswd=$(system_or_builddir_binary kpasswd "${BINDIR}" samba4kpasswd)
-
-samba_tool="$samba_bindir/samba-tool"
-texpect="$samba_bindir/texpect"
-
-enableaccount="$samba_tool user enable"
-machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"
-
-ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
-ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
-
-enctype="-e $ENCTYPE"
-unc="//$SERVER/tmp"
-
-TEST_USER="$(mktemp -u kinittestuserXXXXXX)"
-
-ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD"
-export ADMIN_LDBMODIFY_CONFIG
-
-KRB5CCNAME_PATH="$PREFIX/tmpccache"
-KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-samba_kinit_ccache="$samba_kinit -c $KRB5CCNAME"
-ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-export KRB5CCNAME
-rm -rf $KRB5CCNAME_PATH
-
-testit "reset password policies beside of minimum password age of 0 days" \
- $VALGRIND $PYTHON $samba_tool domain passwordsettings set \
- $ADMIN_LDBMODIFY_CONFIG \
- --complexity=default \
- --history-length=default \
- --min-pwd-length=default \
- --min-pwd-age=0 \
- --max-pwd-age=default || \
- failed=$((failed + 1))
-
-echo $PASSWORD >$PREFIX/tmppassfile
-testit "kinit with password (initial)" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmppassfile \
- --request-pac $USERNAME@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-testit "kinit with password (enterprise style)" \
- $samba_kinit_ccache $enctype --enterprise --password-file=$PREFIX/tmppassfile \
- --request-pac $USERNAME@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-testit "kinit with password (windows style)" \
- $samba_kinit_ccache $enctype --renewable --windows \
- --password-file=$PREFIX/tmppassfile --request-pac $USERNAME@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-testit "kinit renew ticket" \
- $samba_kinit_ccache $enctype --request-pac -R
-
-test_smbclient "Test login with kerberos ccache" 'ls' "$unc" \
- --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-testit "check time with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool time $SERVER \
- $CONFIGURATION -k yes "$@" || \
- failed=$((failed + 1))
-
-USERPASS=testPass@12%
-echo $USERPASS >$PREFIX/tmpuserpassfile
-testit "add user with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool user create ${TEST_USER} $USERPASS \
- $CONFIGURATION -k yes "$@" || \
- failed=$((failed + 1))
-
-echo "Getting defaultNamingContext"
-BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base \
- DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}')
-
-cat >$PREFIX/tmpldbmodify <<EOF
-dn: cn=${TEST_USER},cn=users,$BASEDN
-changetype: modify
-add: servicePrincipalName
-servicePrincipalName: host/${TEST_USER}
-replace: userPrincipalName
-userPrincipalName: nettest@$REALM
-EOF
-
-testit "modify servicePrincipalName and userPrincpalName" \
- $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify -k yes \
- "$@" || failed=$((failed + 1))
-
-testit "set user password with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool user setpassword ${TEST_USER} \
- --newpassword=$USERPASS $CONFIGURATION -k yes "$@" || \
- failed=$((failed + 1))
-
-testit "enable user with kerberos cache" \
- $VALGRIND $PYTHON $enableaccount ${TEST_USER} -H ldap://$SERVER -k yes \
- "$@" || \
- failed=$((failed + 1))
-
-KRB5CCNAME_PATH="$PREFIX/tmpuserccache"
-KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-samba_kinit_ccache="$samba_kinit -c $KRB5CCNAME"
-export KRB5CCNAME
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with user password (after enable of user and password change)" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmpuserpassfile \
- --request-pac ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-NEWUSERPASS=testPaSS@34%
-testit "change user password with 'samba-tool user password' (rpc)" \
- $VALGRIND $PYTHON $samba_tool user password \
- -W$DOMAIN -U${TEST_USER}%$USERPASS $CONFIGURATION -k no \
- --newpassword=$NEWUSERPASS "$@" || \
- failed=$((failed + 1))
-
-echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
-rm -f $KRB5CCNAME_PATH
-testit "kinit with user password (after rpc password change)" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmpuserpassfile \
- --request-pac ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with password (NT-Principal style) using UPN" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmpuserpassfile \
- --request-pac nettest@$REALM || failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with password (enterprise style) using UPN" \
- $samba_kinit_ccache $enctype --enterprise \
- --password-file=$PREFIX/tmpuserpassfile --request-pac \
- nettest@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with password (windows style) using UPN" \
- $samba_kinit_ccache $enctype --renewable --windows \
- --password-file=$PREFIX/tmpuserpassfile --request-pac \
- nettest@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache from windows UPN" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-cat >$PREFIX/tmpldbmodify <<EOF
-dn: cn=${TEST_USER},cn=users,$BASEDN
-changetype: modify
-replace: userPrincipalName
-userPrincipalName: nettest@$REALM.org
-EOF
-
-testit "modify userPrincipalName to be a different domain" \
- $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG \
- $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify \
- -k yes "$@" || \
- failed=$((failed + 1))
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with password (enterprise style) using UPN" \
- $samba_kinit_ccache $enctype --enterprise \
- --password-file=$PREFIX/tmpuserpassfile --request-pac \
- nettest@$REALM.org || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache from enterprise UPN, different domain" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-USERPASS=$NEWUSERPASS
-NEWUSERPASS=testPaSS@56%
-echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
-
-cat >$PREFIX/tmpkpasswdscript <<EOF
-expect Password
-password ${USERPASS}\n
-expect New password
-send ${NEWUSERPASS}\n
-expect Verify password
-send ${NEWUSERPASS}\n
-expect Success
-EOF
-
-testit "change user password with kpasswd" \
- $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd \
- ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with user password (after kpasswd change)" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmpuserpassfile \
- --request-pac ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-NEWUSERPASS=testPaSS@78%
-echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
-
-test_smbclient "Test login with user kerberos ccache (after kpasswd change)" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-cat >$PREFIX/tmpkpasswdscript <<EOF
-expect New password
-send ${NEWUSERPASS}\n
-expect Verify password
-send ${NEWUSERPASS}\n
-expect Success
-EOF
-
-testit "set user password with kpasswd" \
- $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd \
- --cache=$ADMIN_KRB5CCNAME \
- ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with user password (after kpasswd set)" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmpuserpassfile \
- --request-pac ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-test_smbclient "Test login with user kerberos ccache (after kpasswd set)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=$((failed + 1))
-
-NEWUSERPASS=testPaSS@910%
-echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
-
-cat >$PREFIX/tmpkpasswdscript <<EOF
-expect New password
-send ${NEWUSERPASS}\n
-expect Verify password
-send ${NEWUSERPASS}\n
-expect Success
-EOF
-
-testit "set user password with kpasswd and servicePrincipalName" \
- $texpect $PREFIX/tmpkpasswdscript $samba_kpasswd \
- --cache=$PREFIX/tmpccache host/${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-testit "kinit with user password (after set with kpasswd and spn)" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmpuserpassfile \
- --request-pac ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-test_smbclient "Test login with user kerberos ccache (after set with kpasswd and spn)" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-cat >$PREFIX/tmpldbmodify <<EOF
-dn: cn=${TEST_USER},cn=users,$BASEDN
-changetype: modify
-replace: pwdLastSet
-pwdLastSet: 0
-EOF
-
-USERPASS=$NEWUSERPASS
-NEWUSERPASS=testPaSS@911%
-
-testit "modify pwdLastSet" \
- $VALGRIND $ldbmodify \
- $ADMIN_LDBMODIFY_CONFIG \
- $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify \
- -k yes "$@" || \
- failed=$((failed + 1))
-
-cat >$PREFIX/tmppasswordchange <<EOF
-expect ${TEST_USER}@${REALM}'s Password:
-send ${USERPASS}\n
-expect Your password will expire at
-expect Changing password
-expect New password:
-send ${NEWUSERPASS}\n
-expect Repeat new password:
-send ${NEWUSERPASS}\n
-expect Success: Password changed
-EOF
-
-testit "kinit with user password for expired password" \
- $texpect $PREFIX/tmppasswordchange \
- $samba_kinit_ccache $enctype --request-pac ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-echo $NEWUSERPASS >$PREFIX/tmpuserpassfile
-testit "kinit with user password (after password change forced by expiration)" \
- $samba_kinit_ccache $enctype --password-file=$PREFIX/tmpuserpassfile \
- --request-pac ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-KRB5CCNAME_PATH="$PREFIX/tmpccache"
-KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-samba_kinit_ccache="$samba_kinit -c $KRB5CCNAME"
-export KRB5CCNAME
-
-rm -rf $KRB5CCNAME_PATH
-
-lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
-test_smbclient "Test login with user kerberos lowercase realm" \
- 'ls' "$unc" --use-kerberos=required \
- -U${TEST_USER}@$lowerrealm%$NEWUSERPASS || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos lowercase realm 2" \
- 'ls' "$unc" --use-kerberos=required -U${TEST_USER}@$REALM%$NEWUSERPASS \
- --realm=$lowerrealm || \
- failed=$((failed + 1))
-
-testit "del user with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool user delete ${TEST_USER} \
- $CONFIGURATION -k yes "$@" || \
- failed=$((failed + 1))
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with machineaccountccache script" \
- $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || \
- failed=$((failed + 1))
-test_smbclient "Test machine account login with kerberos ccache" \
- 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-testit "reset password policies" \
- $VALGRIND $PYTHON $samba_tool domain passwordsettings set \
- $ADMIN_LDBMODIFY_CONFIG \
- --complexity=default \
- --history-length=default \
- --min-pwd-length=default \
- --min-pwd-age=default \
- --max-pwd-age=default || \
- failed=$((failed + 1))
-
-rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache tmpkpasswdscript
-exit $failed
+++ /dev/null
-#!/bin/sh
-# Blackbox tests for kinit and kerberos integration with smbclient etc
-# Copyright (c) 2015-2016 Andreas Schneider <asn@samba.org>
-
-if [ $# -lt 8 ]; then
- cat <<EOF
-Usage: test_kinit_mit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
-EOF
- exit 1
-fi
-
-SERVER=$1
-USERNAME=$2
-PASSWORD=$3
-REALM=$4
-DOMAIN=$5
-PREFIX=$6
-smbclient=$7
-CONFIGURATION="${8}"
-shift 8
-failed=0
-
-samba_bindir="$BINDIR"
-samba_srcdir="$SRCDIR/source4"
-samba_kinit=kinit
-samba_kdestroy=kdestroy
-samba_kpasswd=kpasswd
-samba_kvno=kvno
-
-samba_tool="$samba_bindir/samba-tool"
-samba_texpect="$samba_bindir/texpect"
-
-samba_enableaccount="$samba_tool user enable"
-machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"
-
-. $(dirname $0)/subunit.sh
-. "$(dirname "${0}")/common_test_fns.inc"
-
-ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
-ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
-
-test_smbclient()
-{
- name="$1"
- cmd="$2"
- shift
- shift
- echo "test: $name"
- $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" "$@"
- status=$?
- if [ x$status = x0 ]; then
- echo "success: $name"
- else
- echo "failure: $name"
- fi
- return $status
-}
-
-TEST_USER="$(mktemp -u kinittestuserXXXXXX)"
-
-ADMIN_LDBMODIFY_CONFIG="-H ldap://$SERVER -U$USERNAME%$PASSWORD"
-export ADMIN_LDBMODIFY_CONFIG
-
-KRB5CCNAME_PATH="$PREFIX/tmpccache"
-KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-ADMIN_KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-export KRB5CCNAME
-rm -rf $KRB5CCNAME_PATH
-
-testit "reset password policies beside of minimum password age of 0 days" $VALGRIND $PYTHON $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=0 --max-pwd-age=default || failed=$((failed + 1))
-
-cat >$PREFIX/tmpkinitscript <<EOF
-expect Password for
-send ${PASSWORD}\n
-EOF
-
-###########################################################
-### Test kinit defaults
-###########################################################
-
-testit "kinit with password" \
- $samba_texpect $PREFIX/tmpkinitscript \
- $samba_kinit $USERNAME@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-testit "kinit renew ticket" \
- $samba_kinit -R || \
- failed=$((failed + 1))
-test_smbclient "Test login with kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-###########################################################
-### Test kinit with enterprice principal
-###########################################################
-
-testit "kinit with password (enterprise style)" \
- $samba_texpect $PREFIX/tmpkinitscript \
- $samba_kinit -E $USERNAME@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-# This does not work with MIT Kerberos 1.14 or older
-testit "kinit renew ticket (enterprise style)" \
- $samba_kinit -R || \
- failed=$((failed + 1))
-test_smbclient "Test login with kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-###########################################################
-### Tests with kinit default again
-###########################################################
-
-testit "kinit with password" \
- $samba_texpect $PREFIX/tmpkinitscript \
- $samba_kinit $USERNAME@$REALM || \
- failed=$((failed + 1))
-testit "check time with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool time $SERVER \
- $CONFIGURATION --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-USERPASS="testPass@12%"
-
-testit "add user with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool user create ${TEST_USER} $USERPASS \
- $CONFIGURATION --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-echo "Getting defaultNamingContext"
-BASEDN=$($ldbsearch $options --basedn='' -H ldap://$SERVER --scope=base \
- DUMMY=x defaultNamingContext | grep defaultNamingContext | awk '{print $2}')
-
-cat >$PREFIX/tmpldbmodify <<EOF
-dn: cn=${TEST_USER},cn=users,$BASEDN
-changetype: modify
-add: servicePrincipalName
-servicePrincipalName: host/${TEST_USER}
-replace: userPrincipalName
-userPrincipalName: nettest@$REALM
-EOF
-
-testit "modify servicePrincipalName and userPrincpalName" \
- $VALGRIND $ldbmodify -H ldap://$SERVER $PREFIX/tmpldbmodify \
- --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-testit "set user password with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool user setpassword ${TEST_USER} \
- --newpassword=$USERPASS $CONFIGURATION \
- --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-testit "enable user with kerberos cache" \
- $VALGRIND $PYTHON $samba_enableaccount ${TEST_USER} \
- -H ldap://$SERVER --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-###########################################################
-### Test kinit with canonicalization
-###########################################################
-
-upperusername=$(echo $USERNAME | tr '[a-z]' '[A-Z]')
-testit "kinit with canonicalize" \
- $samba_texpect $PREFIX/tmpkinitscript \
- $samba_kinit -C $upperusername@$REALM -S kadmin/changepw@$REALM || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-###########################################################
-### Test kinit with user credentials
-###########################################################
-
-KRB5CCNAME_PATH="$PREFIX/tmpuserccache"
-KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-export KRB5CCNAME
-
-rm -f $KRB5CCNAME_PATH
-
-cat >$PREFIX/tmpkinituserpassscript <<EOF
-expect Password for
-send ${USERPASS}\n
-EOF
-
-testit "kinit with user password" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-### Change password
-
-NEWUSERPASS="testPaSS@34%"
-testit "change user password with 'samba-tool user password' (rpc)" \
- $VALGRIND $PYTHON $samba_tool user password \
- -W$DOMAIN -U${TEST_USER}%$USERPASS $CONFIGURATION --use-kerberos=off \
- --newpassword=$NEWUSERPASS "$@" || \
- failed=$((failed + 1))
-
-cat >$PREFIX/tmpkinituserpassscript <<EOF
-expect Password for
-send ${NEWUSERPASS}\n
-EOF
-
-testit "kinit with new user password" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-###########################################################
-### Test kinit with user credentials in special formats
-###########################################################
-
-testit "kinit with new (NT-Principal style) using UPN" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit nettest@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache from NT UPN" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-testit "kinit with new (enterprise style) using UPN" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit -E nettest@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-###########################################################
-### Test kinit with user credentials and changed realm
-###########################################################
-
-cat >$PREFIX/tmpldbmodify <<EOF
-dn: cn=${TEST_USER},cn=users,$BASEDN
-changetype: modify
-replace: userPrincipalName
-userPrincipalName: nettest@$REALM.org
-EOF
-
-testit "modify userPrincipalName to be a different domain" \
- $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG \
- $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify \
- --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-testit "kinit with new (enterprise style) using UPN" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit -E nettest@$REALM.org || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-###########################################################
-### Test password change with kpasswd
-###########################################################
-
-testit "kinit with user password" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-USERPASS=$NEWUSERPASS
-NEWUSERPASS=testPaSS@56%
-
-cat >$PREFIX/tmpkpasswdscript <<EOF
-expect Password for
-password ${USERPASS}\n
-expect Enter new password
-send ${NEWUSERPASS}\n
-expect Enter it again
-send ${NEWUSERPASS}\n
-expect Password changed
-EOF
-
-testit "change user password with kpasswd" \
- $samba_texpect $PREFIX/tmpkpasswdscript \
- $samba_kpasswd ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-USERPASS=$NEWUSERPASS
-cat >$PREFIX/tmpkinituserpassscript <<EOF
-expect Password for
-send ${USERPASS}\n
-EOF
-
-testit "kinit with user password" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-$samba_kdestroy
-
-###########################################################
-### TODO Test set password with kpasswd
-###########################################################
-
-# This is not implemented in kpasswd
-
-###########################################################
-### Test password expiry
-###########################################################
-
-cat >$PREFIX/tmpldbmodify <<EOF
-dn: cn=${TEST_USER},cn=users,$BASEDN
-changetype: modify
-replace: pwdLastSet
-pwdLastSet: 0
-EOF
-
-USERPASS=$NEWUSERPASS
-NEWUSERPASS=testPaSS@911%
-
-testit "modify pwdLastSet" \
- $VALGRIND $ldbmodify $ADMIN_LDBMODIFY_CONFIG \
- $PREFIX/tmpldbmodify $PREFIX/tmpldbmodify \
- --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-cat >$PREFIX/tmpkinituserpassscript <<EOF
-expect Password for
-send ${USERPASS}\n
-expect Password expired. You must change it now.
-expect Enter new password
-send ${NEWUSERPASS}\n
-expect Enter it again
-send ${NEWUSERPASS}\n
-EOF
-
-testit "kinit (MIT) with user password for expired password" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-USERPASS=$NEWUSERPASS
-cat >$PREFIX/tmpkinituserpassscript <<EOF
-expect Password for
-send ${USERPASS}\n
-EOF
-
-testit "kinit with user password" \
- $samba_texpect $PREFIX/tmpkinituserpassscript \
- $samba_kinit ${TEST_USER}@$REALM || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-###########################################################
-### Test login with lowercase realm
-###########################################################
-
-KRB5CCNAME_PATH="$PREFIX/tmpccache"
-KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
-export KRB5CCNAME
-
-rm -rf $KRB5CCNAME_PATH
-
-lowerrealm=$(echo $REALM | tr '[A-Z]' '[a-z]')
-test_smbclient "Test login with user kerberos lowercase realm" \
- 'ls' --use-kerberos=required \
- -U${TEST_USER}@$lowerrealm%$NEWUSERPASS || \
- failed=$((failed + 1))
-test_smbclient "Test login with user kerberos lowercase realm 2" \
- 'ls' --use-kerberos=required -U${TEST_USER}@$REALM%$NEWUSERPASS \
- --realm=$lowerrealm || \
- failed=$((failed + 1))
-
-testit "del user with kerberos ccache" \
- $VALGRIND $PYTHON $samba_tool user delete ${TEST_USER} \
- $CONFIGURATION --use-krb5-ccache="${KRB5CCNAME}" "$@" || \
- failed=$((failed + 1))
-
-###########################################################
-### Test login with machine account
-###########################################################
-
-rm -f $KRB5CCNAME_PATH
-testit "kinit with machineaccountccache script" \
- $PYTHON $machineaccountccache $CONFIGURATION $KRB5CCNAME || \
- failed=$((failed + 1))
-test_smbclient "Test machine account login with kerberos ccache" \
- 'ls' --use-krb5-ccache=$KRB5CCNAME || \
- failed=$((failed + 1))
-
-testit "reset password policies" \
- $VALGRIND $PYTHON $samba_tool domain passwordsettings set \
- $ADMIN_LDBMODIFY_CONFIG \
- --complexity=default \
- --history-length=default \
- --min-pwd-length=default \
- --min-pwd-age=default \
- --max-pwd-age=default || \
- failed=$((failed + 1))
-
-###########################################################
-### Test basic s4u2self request
-###########################################################
-
-# Use previous acquired machine creds to request a ticket for self.
-# We expect it to fail for now.
-MACHINE_ACCOUNT="$(hostname -s | tr [a-z] [A-Z])\$@$REALM"
-$samba_kvno -U$MACHINE_ACCOUNT $MACHINE_ACCOUNT
-# But we expect the KDC to be up and running still
-testit "kinit with machineaccountccache after s4u2self" \
- $machineaccountccache $CONFIGURATION $KRB5CCNAME || \
- failed=$((failed + 1))
-
-### Cleanup
-
-$samba_kdestroy
-
-rm -f $KRB5CCNAME_PATH
-rm -f $PREFIX/tmpkinituserpassscript
-rm -f $PREFIX/tmpkinitscript
-rm -f $PREFIX/tmpkpasswdscript
-exit $failed
git.samba.org / samba.git / commitdiff