Age | Commit message (Collapse) | Author | Files | Lines |
|
a 'keytab' is a particular format known to administrators, whereas
'keys' is a bit too vague
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
The test suite has been changed to reflect the move from export to "domain dumpkeys" to reflect the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Changed test suite to reflect the changes from setpassword to "domain setpassword" to fit the object-action model
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
The test suite needs to change from setpassword to "user setpassword" to reflect the new cmd syntax
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
|
|
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Wed Jun 1 10:37:50 CEST 2011 on sn-devel-104
|
|
Autobuild-User: Matthieu Patou <mat@samba.org>
Autobuild-Date: Sat May 21 09:50:34 CEST 2011 on sn-devel-104
|
|
Just have BINDIR, and have it default to ./bin
Andrew Bartlett
|
|
|
|
this fixes the blackbox tests for a top level build
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
metze
|
|
Autobuild-User: Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date: Sat Nov 27 04:32:11 CET 2010 on sn-devel-104
|
|
This tests that the handling of lowercase realms works in our KDC and
libraries.
Andrew Bartlett
|
|
Autobuild-User: Kai Blin <kai@samba.org>
Autobuild-Date: Thu Oct 28 07:25:16 UTC 2010 on sn-devel-104
|
|
too many Ts
Autobuild-User: Andrew Tridgell <tridge@samba.org>
Autobuild-Date: Fri Oct 15 10:14:27 UTC 2010 on sn-devel-104
|
|
passing -W breaks -k yes
|
|
metze
|
|
|
|
This :local tells selftest.pl to use the local smb.conf for the test
environment, not the generic client smb.conf
This then makes the rest work properly - otherwise, it may attempt to
connect to the wrong KDC for example.
The only problem is that we can't test the 'net join' with this set,
so this is removed from the test. The member server test environment
checks this anyway.
Andrew Bartlett
|
|
By using a CCACHE obtained while the old password was still valid, we
can tell if the server still accepts incoming Kerberos connections
with the old password.
Andrew Bartlett
|
|
Changing the machine account password should not prevent connections
with a current, valid CCACHE. This is because when the password is
changed, the server-side keytab keeps one old password around.
Andrew Bartlett
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This patch is for testing the chgdcpass script which is mostly a call to
update_machine_account_password.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
|
This is a short-term workarround for broken scripts,
which use "exit $failed", without initializing failed.
We need a discussion on the mailing list how to handle this
in a nicer way.
This should fix some random failures in the blackbox tests.
metze
|
|
|
|
"minPwdAge" != 0
|
|
This allows us to run the PKINIT tests only against the main DC (for
which the certificates were generated), while testing the available
encryption types in each functional level.
In particular, we need to assert that AES encryption is available in
the 2008 functional level.
Andrew Bartlett
|
|
syntax
|
|
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
|
|
metze
|
|
|
|
|
|
|
|
This allows the integration of external tools that can't be linked
into C or python, but need to authenticate as the local machine
account.
The machineaccountccache script demonstrates this, and debugging has
been improved in cli_credentials_set_secrets() by passing back and
error string.
Andrew Bartlett
|
|
metze
|
|
metze
|
|
Need to pass correct config file to tests
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
Signed-off-by: Andrew Tridgell <tridge@samba.org>
|
|
This reverts commit d4389a230b6aea5a0b2a98e255b14a59c8248b0b.
This revert changed the behaviour which I didn't expect. Thanks abartlet to
point this out!
|
|
The "enableaccount" script works only on local LDB anymore - therefore remove
this parameter.
|
|
attributes and classes
metze
|
|
The added tests include basic validation that the script runs and accepts all
custom arguments. The tests also verify changes to the password complexity,
minimum password length, and minimum password length settings.
|
|
The testit_expect_failure() function is like the testit() function, with
reversed error detection logic. This reversal only affects the pass/fail logic
and logging - the original return code from the command is still returned to the
calling script.
|
|
This extends the PKINIT code in Heimdal to ask the HDB layer if the
User Principal Name name in the certificate is an alias (perhaps just
by case change) of the name given in the AS-REQ. (This was a TODO in
the Heimdal KDC)
The testsuite is extended to test this behaviour, and the other PKINIT
certficate (using the standard method to specify a principal name in a
certificate) is updated to use a Administrator (not administrator).
(This fixes the kinit test).
Andrew Bartlett
|
|
While it is hard to prove it is correct, at least the new
'nettestuser' principal and the Administrator principal are correct.
We had to fix the case of 'Administrator' in the selftest code to
match the DB, as the keytab lookup is case sensitive.
Andrew Bartlett
|
|
The previous code only allowed an KRB5_NT_ENTERPRISE name (an e-mail
list user principal name) in an AS-REQ. Evidence from the wild
(Win2k8 reportadely) indicates that this is instead valid for all
types of requests.
While this is now handled in heimdal/kdc/misc.c, a flag is now defined
in Heimdal's hdb so that we can take over this handling in future (once we start
using a system Heimdal, and if we find out there is more to be done
here).
Andrew Bartlett
|
|
In particular, ensure that we can acutally change the password under
these circumstances.
Andrew Bartlett
|