diff options
author | Andrew Bartlett <abartlet@samba.org> | 2010-06-24 09:42:40 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2010-06-29 16:59:31 +1000 |
commit | 48c8896f2ede1c441a1448c2e45106a317b64832 (patch) | |
tree | 120c1f56df8e1be144e50b2a5590439ac3f9c505 /testprogs/blackbox | |
parent | d76e4852ebf6ebaaa0e59b481c4b17ac15310aec (diff) | |
download | samba-48c8896f2ede1c441a1448c2e45106a317b64832.tar.gz samba-48c8896f2ede1c441a1448c2e45106a317b64832.tar.bz2 samba-48c8896f2ede1c441a1448c2e45106a317b64832.zip |
s4:selftest Split out PKINIT tests from test_kinit.sh and test enc types
This allows us to run the PKINIT tests only against the main DC (for
which the certificates were generated), while testing the available
encryption types in each functional level.
In particular, we need to assert that AES encryption is available in
the 2008 functional level.
Andrew Bartlett
Diffstat (limited to 'testprogs/blackbox')
-rwxr-xr-x | testprogs/blackbox/test_kinit.sh | 28 | ||||
-rwxr-xr-x | testprogs/blackbox/test_pkinit.sh | 65 |
2 files changed, 79 insertions, 14 deletions
diff --git a/testprogs/blackbox/test_kinit.sh b/testprogs/blackbox/test_kinit.sh index 504d4f4250..0373452042 100755 --- a/testprogs/blackbox/test_kinit.sh +++ b/testprogs/blackbox/test_kinit.sh @@ -16,7 +16,8 @@ PASSWORD=$3 REALM=$4 DOMAIN=$5 PREFIX=$6 -shift 6 +ENCTYPE=$7 +shift 7 failed=0 samba4bindir="$BUILDDIR/bin" @@ -48,18 +49,17 @@ test_smbclient() { return $status } +enctype="-e $ENCTYPE" + KRB5CCNAME="$PREFIX/tmpccache" export KRB5CCNAME echo $PASSWORD > ./tmppassfile -#testit "kinit with keytab" $samba4kinit --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM || failed=`expr $failed + 1` -testit "kinit with password" $samba4kinit --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` -testit "kinit with password (enterprise style)" $samba4kinit --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` -testit "kinit with password (windows style)" $samba4kinit --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` -testit "kinit with pkinit (name specified)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem $USERNAME@$REALM || failed=`expr $failed + 1` -testit "kinit with pkinit (enterprise name specified)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` -testit "kinit with pkinit (enterprise name in cert)" $samba4kinit --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincertupn.pem,$PREFIX/dc/private/tls/adminkey.pem --pk-enterprise || failed=`expr $failed + 1` -testit "kinit renew ticket" $samba4kinit --request-pac -R +#testit "kinit with keytab" $samba4kinit $enctype --keytab=$PREFIX/dc/private/secrets.keytab $SERVER\$@$REALM || failed=`expr $failed + 1` +testit "kinit with password" $samba4kinit $enctype --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` +testit "kinit with password (enterprise style)" $samba4kinit $enctype --enterprise --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` +testit "kinit with password (windows style)" $samba4kinit $enctype --renewable --windows --password-file=./tmppassfile --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` +testit "kinit renew ticket" $samba4kinit $enctype --request-pac -R test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` @@ -89,7 +89,7 @@ testit "enable user with kerberos cache" $VALGRIND $enableaccount nettestuser -H KRB5CCNAME="$PREFIX/tmpuserccache" export KRB5CCNAME -testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` +testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` @@ -97,7 +97,7 @@ NEWUSERPASS=testPaSS@34% testit "change user password with 'net password change' (rpc)" $VALGRIND $net password change -W$DOMAIN -U$DOMAIN\\nettestuser%$USERPASS $CONFIGURATION -k no $NEWUSERPASS $@ || failed=`expr $failed + 1` echo $NEWUSERPASS > ./tmpuserpassfile -testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` +testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` @@ -118,7 +118,7 @@ EOF testit "change user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd nettestuser@$REALM || failed=`expr $failed + 1` -testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` +testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` NEWUSERPASS=testPaSS@78% echo $NEWUSERPASS > ./tmpuserpassfile @@ -135,7 +135,7 @@ EOF testit "set user password with kpasswd" $rkpty ./tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache nettestuser@$REALM || failed=`expr $failed + 1` -testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` +testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` @@ -152,7 +152,7 @@ EOF testit "set user password with kpasswd and servicePrincipalName" $rkpty ./tmpkpasswdscript $samba4kpasswd --cache=$PREFIX/tmpccache host/nettestuser@$REALM || failed=`expr $failed + 1` -testit "kinit with user password" $samba4kinit --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` +testit "kinit with user password" $samba4kinit $enctype --password-file=./tmpuserpassfile --request-pac nettestuser@$REALM || failed=`expr $failed + 1` test_smbclient "Test login with user kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` diff --git a/testprogs/blackbox/test_pkinit.sh b/testprogs/blackbox/test_pkinit.sh new file mode 100755 index 0000000000..e901f0f0db --- /dev/null +++ b/testprogs/blackbox/test_pkinit.sh @@ -0,0 +1,65 @@ +#!/bin/sh +# Blackbox tests for kinit and kerberos integration with smbclient etc +# Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org> +# Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org> + +if [ $# -lt 5 ]; then +cat <<EOF +Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF +exit 1; +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +ENCTYPE=$7 +shift 7 +failed=0 + +samba4bindir="$BUILDDIR/bin" +smbclient="$samba4bindir/smbclient$EXEEXT" +samba4kinit="$samba4bindir/samba4kinit$EXEEXT" +net="$samba4bindir/net$EXEEXT" +ldbmodify="$samba4bindir/ldbmodify$EXEEXT" +ldbsearch="$samba4bindir/ldbsearch$EXEEXT" +rkpty="$samba4bindir/rkpty$EXEEXT" +samba4kpasswd="$samba4bindir/samba4kpasswd$EXEEXT" +enableaccount="$samba4bindir/net enableaccount" +machineaccountccache="$BUILDDIR/scripting/bin/machineaccountccache" + +. `dirname $0`/subunit.sh + +test_smbclient() { + name="$1" + cmd="$2" + shift + shift + echo "test: $name" + $VALGRIND $smbclient $CONFIGURATION //$SERVER/tmp -c "$cmd" -W "$DOMAIN" $@ + status=$? + if [ x$status = x0 ]; then + echo "success: $name" + else + echo "failure: $name" + fi + return $status +} + +enctype="-e $ENCTYPE" + +KRB5CCNAME="$PREFIX/tmpccache" +export KRB5CCNAME + +testit "kinit with pkinit (name specified)" $samba4kinit $enctype --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem $USERNAME@$REALM || failed=`expr $failed + 1` +testit "kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincert.pem,$PREFIX/dc/private/tls/adminkey.pem --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` +testit "kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable --pk-user=FILE:$PREFIX/dc/private/tls/admincertupn.pem,$PREFIX/dc/private/tls/adminkey.pem --pk-enterprise || failed=`expr $failed + 1` +testit "kinit renew ticket" $samba4kinit --request-pac -R + +test_smbclient "Test login with kerberos ccache" 'ls' -k yes || failed=`expr $failed + 1` + +rm -f $PREFIX/tmpccache +exit $failed |