#!/bin/sh # # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan # (Royal Institute of Technology, Stockholm, Sweden). # All rights reserved. # # Portions Copyright (c) 2009 Apple Inc. All rights reserved. # # Redistribution and use in source and binary forms, with or without # modification, are permitted provided that the following conditions # are met: # # 1. Redistributions of source code must retain the above copyright # notice, this list of conditions and the following disclaimer. # # 2. Redistributions in binary form must reproduce the above copyright # notice, this list of conditions and the following disclaimer in the # documentation and/or other materials provided with the distribution. # # 3. Neither the name of the Institute nor the names of its contributors # may be used to endorse or promote products derived from this software # without specific prior written permission. # # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF # SUCH DAMAGE. env_setup="@env_setup@" confdir="@confdir@" testdir="@testdir@" . ${env_setup} KRB5_CONFIG="${1-${confdir}/krb5.conf}" export KRB5_CONFIG logfile=${testdir}/messages.log testfailed="echo test failed; cat ${logfile}; exit 1" # If there is no useful db support compile in, disable test ${have_db} || exit 77 mkdir -p "${testdir}" rm -rf "${testdir}/"* R=TEST.H5L.SE R2=TEST2.H5L.SE R3=TEST-HTTP.H5L.SE port=@port@ kadmin="${kadmin} -l -r $R" kdc="${kdc} --addresses=localhost -P $port" server=host/datan.test.h5l.se server2=host/computer.example.com serverip=host/10.11.12.13 serveripname=host/ip.test.h5l.org serveripname2=host/10.11.12.14 alias1=host/datan.example.com alias2=host/datan aliaskeytab=host/datan cache="FILE:${testdir}/cache.krb5" ocache="FILE:${testdir}/ocache.krb5" o2cache="FILE:${testdir}/o2cache.krb5" icache="FILE:${testdir}/icache.krb5" keytabfile=${testdir}/server.keytab keytab="FILE:${keytabfile}" ps="proxy-service@${R}" aesenctype="aes256-cts-hmac-sha1-96" kinit="${kinit} -c $cache ${afs_no_afslog}" klistA="${klist} -A" klist="${klist} -c $cache" kgetcred="${kgetcred} -c $cache" kgetcred_imp="${kgetcred} --out-cache=${ocache}" kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}" rm -f ${testdir}/${keytabfile} rm -f ${testdir}/current-db* rm -f ${testdir}/out-* rm -f ${testdir}/mkey.file* > ${logfile} echo Creating database ${kadmin} \ init \ --realm-max-ticket-life=1day \ --realm-max-renewable-life=1month \ ${R} || exit 1 ${kadmin} \ init \ --realm-max-ticket-life=1day \ --realm-max-renewable-life=1month \ ${R2} || exit 1 ${kadmin} \ init \ --realm-max-ticket-life=1day \ --realm-max-renewable-life=1month \ ${R3} || exit 1 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1 ${kadmin} add -p bar --use-defaults bar@${R} || exit 1 ${kadmin} add -p foo --use-defaults remove@${R} || exit 1 ${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 ${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1 ${kadmin} add -p foo --use-defaults ${ps} || exit 1 ${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 ${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 ${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 ${kadmin} ext -k ${keytab} ${ps} || exit 1 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 ${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1 ${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1 ${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1 ${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1 ${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} ${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 ${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1 ${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 ${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1 ${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1 ${kadmin} add -p foo --use-defaults foo@${R3} || exit 1 echo "Check parser" ${kadmin} add -p foo --use-defaults -- -p || exit 1 ${kadmin} delete -- -p || exit 1 echo "Doing database check" ${kadmin} check ${R} || exit 1 ${kadmin} check ${R2} || exit 1 echo "Extracting enctypes" ${ktutil} -k ${keytab} list > ${testdir}/tempfile || exit 1 ${EGREP} -v '^FILE:' ${testdir}/tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ awk '$1 !~ /1/ { exit 1 }' || exit 1 ${kadmin} get foo@${R} > tempfile || exit 1 enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'` enctype_sans_aes=`echo $enctypes | sed 's/aes256[^ ]*//g'` enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'` echo "deleting all but des3 enctypes on kt-des3 in keytab" ${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1 for a in ${enctype_sans_des3} ; do ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a done echo foo > ${testdir}/foopassword echo Starting kdc env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${testdir}/malloc-log \ ${kdc} & kdcpid=$! sh ${wait_kdc} KDC ${logfile} if [ "$?" != 0 ] ; then kill -9 ${kdcpid} exit 1 fi trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT ec=0 echo "Getting client initial tickets"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword foo@$R || \ { ec=1 ; eval "${testfailed}"; } echo "Doing krbtgt key rollover"; > messages.log ${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1 echo "Getting tickets"; > messages.log ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } echo "Listing tickets"; > ${logfile} ${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } ${klist} -s > /dev/null || { ec=1 ; eval "${testfailed}"; } ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Getting client initial tickets (http transport)"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword foo@${R3} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Specific enctype"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword \ -e ${aesenctype} -e ${aesenctype} \ foo@$R || \ { ec=1 ; eval "${testfailed}"; } for a in $enctypes; do echo "Getting client initial tickets ($a)"; > ${logfile} ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } echo "Getting tickets"; > ${logfile} ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; } ${kdestroy} done echo "Interactive kinit" kinitpty=${testdir}/foopassword.rkpty cat > ${kinitpty} </dev/null|| { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Getting client initial tickets"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword foo@$R || \ { ec=1 ; eval "${testfailed}"; } for a in $enctypes; do echo "Getting tickets ($a)"; > ${logfile} ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} --credential=${server}@${R} done ${kdestroy} echo "Getting client initial tickets for cross realm case"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } for a in $enctypes; do echo "Getting cross realm tickets ($a)"; > ${logfile} ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } echo " checking we we got back right ticket" ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } echo " checking if ticket is useful" ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} --credential=${server2}@${R2} done ${kdestroy} echo "try all permutations"; > ${logfile} for a in $enctypes; do echo "Getting client initial tickets ($a)"; > ${logfile} ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || \ { ec=1 ; eval "${testfailed}"; } for b in $enctypes; do echo "Getting tickets ($a -> $b)"; > ${logfile} ${kgetcred} -e $b ${server}@${R} || \ { ec=1 ; eval "${testfailed}"; } ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} --credential=${server}@${R} done ${kdestroy} done echo "Getting client initial tickets ip based name"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } echo "Getting ip based name tickets"; > ${logfile} ${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; } echo " checking we we got back right ticket" ${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } echo " checking if ticket is useful" ${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Getting client initial tickets ip based name (alias)"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } for a in ${serveripname} ${serveripname2} ; do echo "Getting ip based name tickets (alias) $a"; > ${logfile} ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; } echo " checking we we got back right ticket" ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } echo " checking if ticket is useful" ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } done ${kdestroy} echo "Getting server initial tickets"; > ${logfile} ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; } echo "Listing tickets"; > ${logfile} ${klist} | grep "Principal: ${server}" > /dev/null || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Getting key for key that are a subset in keytab compared to kdb" ${kinit} --keytab=${keytab} kt-des3@${R} || { ec=1; eval "${testfailed}"; } ${klist} | grep "Principal: kt-des3" > /dev/null || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "initial tickets for deleted user test case"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword remove@$R || \ { ec=1 ; eval "${testfailed}"; } ${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; } echo "try getting ticket with deleted user"; > ${logfile} ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "cross realm case (deleted user)"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword remove2@$R2 || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \ { ec=1 ; eval "${testfailed}"; } ${kadmin} delete remove2@${R2} || exit 1 ${kgetcred} ${server}@${R} 2> /dev/null || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "rename user"; > ${logfile} ${kadmin} add -p foo --use-defaults rename@${R} || exit 1 ${kinit} --password-file=${testdir}/foopassword rename@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kadmin} rename rename@${R} rename2@${R} || exit 1 ${kinit} --password-file=${testdir}/foopassword rename2@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} ${kadmin} delete rename2@${R} || exit 1 echo "rename user to another realm"; > ${logfile} ${kadmin} add -p foo --use-defaults rename@${R} || exit 1 ${kinit} --password-file=${testdir}/foopassword rename@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kadmin} rename rename@${R} rename@${R2} || exit 1 ${kinit} --password-file=${testdir}/foopassword rename@${R2} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} ${kadmin} delete rename@${R2} || exit 1 echo deleting all but aes enctypes on krbtgt ${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1 echo deleting all but des enctypes on server-des3 ${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1 ${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1 echo "try all permutations (only aes)"; > ${logfile} for a in $enctypes; do echo "Getting client initial tickets ($a)"; > ${logfile} ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@${R} ||\ { ec=1 ; eval "${testfailed}"; } for b in $enctypes; do echo "Getting tickets ($a -> $b)"; > ${logfile} ${kgetcred} -e $b ${server}@${R} || \ { ec=1 ; eval "${testfailed}"; } ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } echo "Getting tickets ($a -> $b) (server des3 only)"; > ${logfile} ${kgetcred} ${server}-des3@${R} || \ { ec=1 ; eval "${testfailed}"; } ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} --credential=${server}@${R} ${kdestroy} --credential=${server}-des3@${R} done ${kdestroy} done echo deleting all enctypes on krbtgt ${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ { ec=1 ; eval "${testfailed}"; } echo "try initial ticket w/o and keys on krbtgt" ${kinit} --password-file=${testdir}/foopassword foo@${R} 2>/dev/null && \ { ec=1 ; eval "${testfailed}"; } echo "adding random aes key" ${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ { ec=1 ; eval "${testfailed}"; } echo "try initial ticket with random aes key on krbtgt" ${kinit} --password-file=${testdir}/foopassword foo@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} rsa=yes ecdsa=yes pkinit=no if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then rsa=no fi if ${hxtool} info | grep 'rand: not available' > /dev/null ; then rsa=no fi if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then pkinit=yes fi if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then ecdsa=no fi # If we support pkinit and have RSA, lets try that if test "$pkinit" = yes -a "$rsa" = yes ; then echo "try anonymous pkinit"; > ${logfile} ${kinit} --anonymous ${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${kdestroy} for type in "" "--pk-use-enckey"; do echo "Trying pk-init (principal in certificate) $type"; > ${logfile} ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Trying pk-init (principal in pki-mapping) $type"; > ${logfile} ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Trying pk-init (password protected key) $type"; > ${logfile} ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${testdir}/foopassword foo@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "Trying pk-init (proxy cert) $type"; > ${logfile} ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${kdestroy} done if test "$ecdsa" = yes > /dev/null ; then echo "Trying pk-init (ec certificate)" > ${logfile} ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \ { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } ${kdestroy} grep 'PK-INIT using ecdh' ${logfile} > /dev/null || \ { ec=1 ; eval "${testfailed}"; } fi else echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > ${logfile} fi #echo "tickets for impersonate test case"; > ${logfile} #${kinit} --forwardable --password-file=${testdir}/foopassword ${ps} || \ # { ec=1 ; eval "${testfailed}"; } #${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ # { ec=1 ; eval "${testfailed}"; } #${test_ap_req} ${ps} ${keytab} ${ocache} || \ # { ec=1 ; eval "${testfailed}"; } #echo " negative check" #${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \ # { ec=1 ; eval "${testfailed}"; } # #echo "test constrained delegation"; > ${logfile} #${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \ # { ec=1 ; eval "${testfailed}"; } #${kgetcred} \ # --out-cache=${o2cache} \ # --delegation-credential-cache=${ocache} \ # ${server}@${R} || \ # { ec=1 ; eval "${testfailed}"; } #echo " try using the credential" #${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ # { ec=1 ; eval "${testfailed}"; } #echo " negative check" #${kgetcred} \ # --out-cache=${o2cache} \ # --delegation-credential-cache=${ocache} \ # bar@${R} 2>/dev/null && \ # { ec=1 ; eval "${testfailed}"; } # #echo "test constrained delegation impersonation (non forward)"; > ${logfile} #rm -f ocache.krb5 #${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \ # { ec=1 ; eval "${testfailed}"; } #${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ # { ec=1 ; eval "${testfailed}"; } # #echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > ${logfile} #rm -f ocache.krb5 #${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \ # { ec=1 ; eval "${testfailed}"; } #${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ # { ec=1 ; eval "${testfailed}"; } # #${kdestroy} echo "check renewing" > ${logfile} ${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \ { ec=1 ; eval "${testfailed}"; } echo "kinit -R" ${kinit} -R || \ { ec=1 ; eval "${testfailed}"; } echo "check renewing MIT interface" > ${logfile} ${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \ { ec=1 ; eval "${testfailed}"; } echo "test_renew" env KRB5CCNAME=${cache} ${test_renew} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "checking server aliases"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword foo@$R || \ { ec=1 ; eval "${testfailed}"; } echo "Getting tickets"; > ${logfile} ${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; } ${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; } echo " verify entry in keytab" ${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } echo " verify entry in keytab with any" ${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } echo " verify failure with alias entry" ${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \ { ec=1 ; eval "${testfailed}"; } echo " verify alias entry in keytab with any" ${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "testing removal of keytab" ${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; } test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; } echo "Getting client pw expire"; > ${logfile} ${kinit} --password-file=${testdir}/foopassword \ pw-expire@${R} 2>${testdir}/kinit-log.tmp|| \ { ec=1 ; eval "${testfailed}"; } grep 'Your password will expire' ${testdir}/kinit-log.tmp > /dev/null || \ { ec=1 ; eval "${testfailed}"; } echo " kinit passes" ${test_gic} --client=pw-expire@${R} --password=foo \ --last-request > ${testdir}/kinit-log.tmp 2>/dev/null ${EGREP} "^e type: 6" ${testdir}/kinit-log.tmp > /dev/null || \ { ec=1 ; eval "${testfailed}"; } echo " test_gic passes" ${kdestroy} echo "testing klist -A with KRB5CCNAME set" ${kinit} --password-file=${testdir}/foopassword foo@$R || \ { ec=1 ; eval "${testfailed}"; } export KRB5CCNAME=${cache} ${klistA} > ${testdir}/klist-log.tmp grep 'Issued' ${testdir}/klist-log.tmp &> /dev/null || \ { ec=1 ; eval "${testfailed}"; } echo "checking klist --json" KCC="${kcc_binary}" export KCC echo "checking klist --json" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } echo "checking klist --json --list" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--list", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } echo "checking klist --json -a" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "-a", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } echo "checking klist --json --verbose -a" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "-a", "--verbose", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } echo "checking klist --json -A" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "-a", "--verbose", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} echo "checking klist --json" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } echo "checking klist --json -l" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--list", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } echo "checking klist --json --verbose" python -c 'import subprocess, json, os; json.loads(subprocess.check_output([os.environ["KCC"], "list", "--verbose", "--json"]))' || \ { ec=1 ; eval "${testfailed}"; } echo "testing sendto" ${test_sendto} --realm=${R} || \ { ec=1 ; eval "${testfailed}"; } echo "testing sendto (use-large)" ${test_sendto} --use-large --realm=${R} || \ { ec=1 ; eval "${testfailed}"; } rm ${testdir}/kinit-log.tmp ${testdir}/klist-log.tmp echo "killing kdc (${kdcpid})" sh ${leaks_kill} kdc $kdcpid || exit 1 trap "" EXIT exit $ec