#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
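#
# $Id: check-kdc.in 22019 2007-10-24 20:47:59Z lha $
#
# Test setup for check-kdc: locations, realms, principals and the tool
# command lines used by the test steps.  All @...@ tokens are filled in by
# configure; TESTS_ENVIRONMENT may be set by the build to wrap every tool.

srcdir="@srcdir@"
objdir="@objdir@"
EGREP="@EGREP@"

# Command string evaluated on a failed check: report, dump the KDC log
# and leave with a non-zero status.
testfailed="echo test failed; cat messages.log; exit 1"

# If there is no useful db support compiled in, disable the test
# (77 is the automake "skipped" status).
../db/have-db || exit 77

# Primary realm and the second realm used for cross-realm and rename cases.
R=TEST.H5L.SE
R2=TEST2.H5L.SE

port=@port@

# kadmin runs locally (-l) against the on-disk database; the KDC listens
# on localhost only, on the configured port.
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r ${R}"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P ${port}"

# Service principals and the credential caches the steps write into.
server=host/datan.test.h5l.se
server2=host/computer.example.com
cache="FILE:${objdir}/cache.krb5"
ocache="FILE:${objdir}/ocache.krb5"
o2cache="FILE:${objdir}/o2cache.krb5"
icache="FILE:${objdir}/icache.krb5"
keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
# The one principal that is trusted for (constrained) delegation.
ps="proxy-service@${R}"
aesenctype="aes256-cts-hmac-sha1-96"

# Client tools, all bound to ${cache} unless a step overrides it.
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c ${cache} --no-afslog"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c ${cache}"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c ${cache}"
kgetcred_imp="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c ${cache} --out-cache=${ocache}"
kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c ${cache} --no-unlog"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool"
kimpersonate="${TESTS_ENVIRONMENT} ../../kuser/kimpersonate -k ${keytab} --ccache=${ocache}"
test_renew="${TESTS_ENVIRONMENT} ../../lib/krb5/test_renew"

# Point every tool at the test configuration, not the host's.
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

# Start from a fresh keytab; the path is quoted so an objdir with
# unusual characters cannot turn this into a wider delete.
rm -f "${keytabfile}"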
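# Wipe state left by a previous run: local database, kdc/kadmin output
# files and the master key, and start a fresh log (each step truncates it).
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

# Abort on a failed check: report, dump the KDC log and exit non-zero.
# Once the KDC is running the EXIT trap installed below stops it.
fail() {
    ec=1
    echo test failed
    cat messages.log
    exit 1
}

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R2} || exit 1

# Re-key the TGS principal several times, presumably so the rest of the
# run works against a key version other than the first one.
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1

# Users and services in the primary realm.  ${ps} is the only principal
# trusted for delegation, and only towards ${server}.
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${ps} || exit 1

# Second realm, plus the cross-realm TGS principals in both directions.
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1

${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1

# A principal literally named "-p": option parsing must stop at "--".
${kadmin} add -p foo --use-defaults -- -p || exit 1
${kadmin} delete -- -p || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1
${kadmin} check ${R2} || exit 1

echo "Extracting enctypes"
# Every entry written to the keytab so far is expected to be at Vno 1.
${ktutil} -k ${keytab} list > tempfile || exit 1
${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
    awk '$1 !~ /1/ { exit 1 }' || exit 1

# Enctype list of foo@${R} as a space-separated word list, so the loops
# below can iterate it with `for a in $enctypes`.  $enctypes is left
# unquoted in the echo on purpose: that collapses the whitespace.
${kadmin} get foo@${R} > tempfile || exit 1
enctypes=$(grep Keytypes: tempfile | \
    sed -e 's/(pw-salt)//g' -e 's/,//g' -e 's/Keytypes://')

enctype_sans_aes=$(echo $enctypes | sed 's/aes[^ ]*//g')
enctype_sans_des3=$(echo $enctypes | sed 's/des3-cbc-sha1//g')

# Plain-text test password, used via --password-file by every kinit.
echo foo > ${objdir}/foopassword

echo Starting kdc
${kdc} &
kdcpid=$!

# wait-kdc.sh blocks until the KDC answers.  No trap is installed yet,
# so a failure here has to stop the KDC by hand.
if ! sh ${srcdir}/wait-kdc.sh; then
    kill ${kdcpid}
    exit 1
fi

# From here on every exit path stops the KDC; the pid is expanded when the
# trap is installed, so the string does not depend on later state.
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

ec=0

echo "Getting client initial tickets"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || fail
echo "Getting tickets"; > messages.log
${kgetcred} ${server}@${R} || fail
echo "Listing tickets"; > messages.log
${klist} > /dev/null || fail
./ap-req ${server}@${R} ${keytab} ${cache} || fail
${kdestroy}

echo "Specific enctype"; > messages.log
${kinit} --password-file=${objdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@$R || fail

# One AS exchange per client enctype, each followed by a TGS request and
# an AP-REQ verified against the server keytab.
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > messages.log
    ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || fail
    echo "Getting tickets"; > messages.log
    ${kgetcred} ${server}@${R} || fail
    ./ap-req ${server}@${R} ${keytab} ${cache} || fail
    ${kdestroy}
done

# One TGT, then a service ticket per requested enctype.
echo "Getting client initial tickets"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || fail
for a in $enctypes; do
    echo "Getting tickets ($a)"; > messages.log
    ${kgetcred} -e $a ${server}@${R} || fail
    ./ap-req ${server}@${R} ${keytab} ${cache} || fail
    ${kdestroy} --credential=${server}@${R}
done
${kdestroy}

echo "Getting client initial tickets for cross realm case"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@$R || fail
for a in $enctypes; do
    echo "Getting cross realm tickets ($a)"; > messages.log
    ${kgetcred} -e $a ${server2}@${R2} || fail
    ./ap-req ${server2}@${R2} ${keytab} ${cache} || fail
    ${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}

echo "try all permutations"; > messages.log
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > messages.log
    ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || fail
    for b in $enctypes; do
        echo "Getting tickets ($a -> $b)"; > messages.log
        ${kgetcred} -e $b ${server}@${R} || fail
        ./ap-req ${server}@${R} ${keytab} ${cache} || fail
        ${kdestroy} --credential=${server}@${R}
    done
    ${kdestroy}
done

echo "Getting server initial tickets"; > messages.log
${kinit} --keytab=${keytab} ${server}@$R || fail
echo "Listing tickets"; > messages.log
${klist} | grep "Principal: ${server}" > /dev/null || fail
${kdestroy}

# Negative test: once the principal is deleted, the TGT it still holds
# must no longer buy service tickets in its own realm.
echo "initial tickets for deleted user test case"; > messages.log
${kinit} --password-file=${objdir}/foopassword remove@$R || fail
${kadmin} delete remove@${R} || fail
echo "try getting ticket with deleted user"; > messages.log
${kgetcred} ${server}@${R} 2> /dev/null && fail
${kdestroy}

# Cross-realm counterpart: this path expects SUCCESS.  A cross-realm TGT
# obtained before the deletion keeps working in ${R}, presumably because
# that KDC never consults ${R2}'s database -- deleting a principal does
# not revoke cross-realm tickets it already holds.
echo "cross realm case (removed user)"; > messages.log
${kinit} --password-file=${objdir}/foopassword remove2@$R2 || fail
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || fail
${kadmin} delete remove2@${R2} || exit 1
${kgetcred} ${server}@${R} 2> /dev/null || fail
${kdestroy}

echo "rename user"; > messages.log
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R} || fail
${kadmin} rename rename@${R} rename2@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename2@${R} || fail
${kdestroy}
${kadmin} delete rename2@${R} || exit 1

echo "rename user to another realm"; > messages.log
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R} || fail
${kadmin} rename rename@${R} rename@${R2} || exit 1
${kinit} --password-file=${objdir}/foopassword rename@${R2} || fail
${kdestroy}
${kadmin} delete rename@${R2} || exit 1

echo deleting all but aes enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1

echo deleting all but des3 enctypes on server-des3
${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1

# Same permutation sweep with an AES-only TGS key, plus a service that
# only has a des3 key, so the KDC has to negotiate a usable enctype.
echo "try all permutations (only aes)"; > messages.log
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > messages.log
    ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} || fail
    for b in $enctypes; do
        echo "Getting tickets ($a -> $b)"; > messages.log
        ${kgetcred} -e $b ${server}@${R} || fail
        ./ap-req ${server}@${R} ${keytab} ${cache} || fail

        echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
        ${kgetcred} ${server}-des3@${R} || fail
        ./ap-req ${server}-des3@${R} ${keytab} ${cache} || fail

        ${kdestroy} --credential=${server}@${R}
        ${kdestroy} --credential=${server}-des3@${R}
    done
    ${kdestroy}
done

# A krbtgt with no key left must refuse initial tickets; adding a fresh
# random key must make them work again.
echo deleting all enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} ${aesenctype} || fail
echo "try initial ticket w/o any keys on krbtgt"
${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && fail
echo "adding random aes key"
${kadmin} add_enctype -r krbtgt/${R}@${R} ${aesenctype} || fail
echo "try initial ticket with random aes key on krbtgt"
${kinit} --password-file=${objdir}/foopassword foo@${R} || fail

# PK-INIT is only exercised when kinit was built with it and hx509 has a
# real RSA implementation and a random source.  hxtool is queried once.
rsa=yes
pkinit=no
hxinfo=$(${hxtool} info)
if printf '%s\n' "${hxinfo}" | grep 'rsa: hx509 null RSA' > /dev/null; then
    rsa=no
fi
if printf '%s\n' "${hxinfo}" | grep 'rand: not available' > /dev/null; then
    rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

# If we support pkinit and have RSA, lets try that
if [ "$pkinit" = yes ] && [ "$rsa" = yes ]; then
    base="${srcdir}/../../lib/hx509/data"
    # $type stays unquoted: the empty entry must expand to no argument.
    for type in "" "--pk-use-enckey"; do
        echo "Trying pk-init (principal in certificate) $type"; > messages.log
        ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || fail
        ${kgetcred} ${server}@${R} || fail
        ${kdestroy}

        echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
        ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || fail
        ${kgetcred} ${server}@${R} || fail
        ${kdestroy}

        echo "Trying pk-init (password protected key) $type"; > messages.log
        ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key \
            --password-file=${objdir}/foopassword foo@${R} || fail
        ${kgetcred} ${server}@${R} || fail
        ${kdestroy}

        echo "Trying pk-init (proxy cert) $type"; > messages.log
        ${kinit} $type -C FILE:${base}/pkinit-proxy-chain.crt,${base}/pkinit-proxy.key \
            foo@${R} || fail
        ${kgetcred} ${server}@${R} || fail
        ${kdestroy}
    done
else
    echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
fi

# Impersonation (protocol transition): ${ps} may obtain a ticket to
# itself on behalf of bar; the same request aimed at another service
# (foo) must be refused.
echo "tickets for impersonate test case"; > messages.log
${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || fail
${kgetcred_imp} --impersonate=bar@${R} ${ps} || fail
./ap-req ${ps} ${keytab} ${ocache} || fail
${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && fail

# Constrained delegation: with a forwardable impersonation ticket as
# evidence, ${ps} may get a ticket to ${server} as bar, but not to
# bar@${R}, which is not on its delegation list.
echo test constrained delegation
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || fail
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || fail
./ap-req ${server}@${R} ${keytab} ${o2cache} || fail
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev/null && fail

# Negative tests: an evidence ticket minted from the keytab by
# kimpersonate -- first non-forwardable, then forwardable but lacking the
# KDC's KRB5SignedPath -- must be rejected for delegation.  The cache file
# behind ${ocache} lives under ${objdir}, so that is what gets removed
# before each attempt (not a same-named file in the cwd).
echo "test constrained delegation impersonation (non forward)"; > messages.log
rm -f ${objdir}/ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || fail
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && fail

echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
rm -f ${objdir}/ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || fail
${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && fail

${kdestroy}

# Renewal through both the Heimdal (kinit -R) and the MIT-style
# (test_renew with KRB5CCNAME) interfaces.  The progress messages go to
# stdout like every other step; only the log is truncated.
echo "check renewing"; > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || fail
echo "kinit -R"
${kinit} -R || fail
echo "check renewing MIT interface"; > messages.log
${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || fail
echo "test_renew"
env KRB5CCNAME=${cache} ${test_renew} || fail
${kdestroy}

echo "killing kdc (${kdcpid})"
kill $kdcpid || exit 1

# The KDC is already stopped; disarm the trap so the normal exit does
# not try to kill it a second time.
trap "" EXIT

exit $ec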