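#!/bin/sh
#
# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Portions Copyright (c) 2009 Apple Inc. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.

#
# KDC end-to-end test.
#
# Builds a fresh database with three realms (${R}, ${R2}, ${R3}), starts a
# KDC bound to localhost on a private port, and exercises the client tools
# against it: initial tickets per enctype, service tickets, cross-realm,
# IP-based and aliased service names, deleted/renamed principals, krbtgt
# key rollover and enctype removal, PK-INIT (when the build supports it),
# ticket renewal, keytab destruction, password-expiry warnings, klist
# output and the sendto path.
#
# Usage: check-kdc [krb5.conf]
#   $1 - optional krb5.conf to export as KRB5_CONFIG
#        (default: ${confdir}/krb5.conf)
#
# The @...@ placeholders are filled in at configure time.  Tool and data
# variables used below (kadmin, kdc, kinit, klist, kgetcred, kdestroy,
# kimpersonate, ktutil, hxtool, test_ap_req, test_gic, test_renew,
# test_sendto, rkpty, wait_kdc, leaks_kill, EGREP, have_db, hx509_data,
# afs_no_afslog, afs_no_unlog) are expected to be provided by ${env_setup},
# which is sourced below.
#
# Exit status: 0 on success, 1 on any failure, 77 (skip) when the build
# has no usable database backend.
#

env_setup="@env_setup@"
confdir="@confdir@"
testdir="@testdir@"

. ${env_setup}

KRB5_CONFIG="${1-${confdir}/krb5.conf}"
export KRB5_CONFIG

# The KDC writes its log here; it is truncated before each step so that a
# failure dump shows only the relevant part.
logfile=${testdir}/messages.log

# Shared failure action, run via eval: announce, dump the KDC log, exit 1.
# Used as:  cmd || { ec=1 ; eval "${testfailed}"; }
testfailed="echo test failed; cat ${logfile}; exit 1"

# If there is no useful db support compile in, disable test
${have_db} || exit 77

# Start from an empty scratch directory.  ${testdir:?} aborts the script
# instead of expanding to "rm -rf /*" if testdir were ever empty.
mkdir -p "${testdir}"
rm -rf "${testdir:?}/"*

R=TEST.H5L.SE
R2=TEST2.H5L.SE
R3=TEST-HTTP.H5L.SE

port=@port@

# kadmin runs against the local database (-l); the KDC only listens on
# localhost at the test port.
kadmin="${kadmin} -l -r $R"
kdc="${kdc} --addresses=localhost -P $port"

server=host/datan.test.h5l.se
server2=host/computer.example.com
serverip=host/10.11.12.13
serveripname=host/ip.test.h5l.org
serveripname2=host/10.11.12.14
alias1=host/datan.example.com
alias2=host/datan
aliaskeytab=host/datan
cache="FILE:${testdir}/cache.krb5"
ocache="FILE:${testdir}/ocache.krb5"
o2cache="FILE:${testdir}/o2cache.krb5"
icache="FILE:${testdir}/icache.krb5"
keytabfile=${testdir}/server.keytab
keytab="FILE:${keytabfile}"
ps="proxy-service@${R}"
aesenctype="aes256-cts-hmac-sha1-96"

# Every client tool is pinned to the test credential cache so the run
# never touches the invoking user's default cache.
kinit="${kinit} -c $cache ${afs_no_afslog}"
klistA="${klist} -A"
klist="${klist} -c $cache"
kgetcred="${kgetcred} -c $cache"
kgetcred_imp="${kgetcred} --out-cache=${ocache}"
kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"

# keytabfile already carries the ${testdir} prefix; the old
# "${testdir}/${keytabfile}" spelling pointed at a non-existent path.
rm -f ${keytabfile}
rm -f ${testdir}/current-db*
rm -f ${testdir}/out-*
rm -f ${testdir}/mkey.file*

> ${logfile}

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R2} || exit 1

${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R3} || exit 1

# Roll the krbtgt key several times so the principal carries a history of
# random keys before the clients are created.
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
${kadmin} cpw -r krbtgt/${R}@${R} || exit 1

${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} add -p bar --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults remove@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
${kadmin} add -p foo --use-defaults ${ps} || exit 1
${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
${kadmin} ext -k ${keytab} ${ps} || exit 1

${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
# The alias tests below depend on these modifications, so a failure here
# is a setup error rather than something to silently carry on from.
${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} || exit 1
${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1

${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} || exit 1

# Cross-realm keys in both directions between R and R2.
${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1

${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1

${kadmin} add -p foo --use-defaults foo@${R3} || exit 1

echo "Check parser"
# A principal literally named "-p" must survive option parsing after "--".
${kadmin} add -p foo --use-defaults -- -p || exit 1
${kadmin} delete -- -p || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1
${kadmin} check ${R2} || exit 1

echo "Extracting enctypes"
${ktutil} -k ${keytab} list > ${testdir}/tempfile || exit 1
# Every keytab entry written so far must have kvno 1.
${EGREP} -v '^FILE:' ${testdir}/tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
    awk '$1 !~ /1/ { exit 1 }' || exit 1

# Scratch output belongs in ${testdir}, not the current directory.
${kadmin} get foo@${R} > ${testdir}/tempfile || exit 1
# Turn the "Keytypes: a[n](pw-salt), b[n](pw-salt), ..." line into a plain
# space-separated list of enctype names.
enctypes=$(grep Keytypes: ${testdir}/tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g')

# Unquoted $enctypes on purpose: word-splitting collapses the whitespace.
enctype_sans_aes=$(echo $enctypes | sed 's/aes256[^ ]*//g')
enctype_sans_des3=$(echo $enctypes | sed 's/des3-cbc-sha1//g')

echo "deleting all but des enctypes on kt-des3 in keytab"
${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1
# Best effort: an enctype the keytab does not hold is not an error here.
for a in ${enctype_sans_des3} ; do
    ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
done

# Test-only password; it lives in the scratch directory, never in argv.
echo foo > ${testdir}/foopassword

echo Starting kdc
env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${testdir}/malloc-log \
${kdc} &
kdcpid=$!

sh ${wait_kdc} KDC ${logfile}
if [ "$?" != 0 ] ; then
    kill -9 ${kdcpid}
    exit 1
fi

# Make sure the KDC does not outlive the test on any exit path; the trap is
# cleared again once the KDC has been shut down deliberately.
trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

ec=0

echo "Getting client initial tickets"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || \
    { ec=1 ; eval "${testfailed}"; }
# Tickets obtained above must keep working after a --keepold rollover.
echo "Doing krbtgt key rollover"; > ${logfile}
${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1
echo "Getting tickets"; > ${logfile}
${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > ${logfile}
${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Getting client initial tickets (http transport)"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@${R3} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Specific enctype"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword \
    -e ${aesenctype} -e ${aesenctype} \
    foo@$R || \
    { ec=1 ; eval "${testfailed}"; }

for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > ${logfile}
    ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
    echo "Getting tickets"; > ${logfile}
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}
done


echo "Interactive kinit"
# rkpty drives kinit through a pseudo-terminal using this expect script.
kinitpty=${testdir}/foopassword.rkpty
cat > ${kinitpty} <<EOF
expect Password
password foo\n
EOF
${rkpty} ${kinitpty} ${kinit} foo@${R} >/dev/null|| { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Getting client initial tickets"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || \
    { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
    echo "Getting tickets ($a)"; > ${logfile}
    ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
        { ec=1 ; eval "${testfailed}"; }
    ${kdestroy} --credential=${server}@${R}
done
${kdestroy}

echo "Getting client initial tickets for cross realm case"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in $enctypes; do
    echo "Getting cross realm tickets ($a)"; > ${logfile}
    ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
    echo "  checking we we got back right ticket"
    ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
    echo "  checking if ticket is useful"
    ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
        { ec=1 ; eval "${testfailed}"; }
    ${kdestroy} --credential=${server2}@${R2}
done
${kdestroy}

echo "try all permutations"; > ${logfile}
# Initial-ticket enctype (a) crossed with service-ticket enctype (b).
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > ${logfile}
    ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@$R || \
        { ec=1 ; eval "${testfailed}"; }
    for b in $enctypes; do
        echo "Getting tickets ($a -> $b)"; > ${logfile}
        ${kgetcred} -e $b ${server}@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kdestroy} --credential=${server}@${R}
    done
    ${kdestroy}
done

echo "Getting client initial tickets ip based name"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
echo "Getting ip based name tickets"; > ${logfile}
${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "  checking we we got back right ticket"
${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
echo "  checking if ticket is useful"
${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Getting client initial tickets ip based name (alias)"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
for a in ${serveripname} ${serveripname2} ; do
    echo "Getting ip based name tickets (alias) $a"; > ${logfile}
    ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
    echo "  checking we we got back right ticket"
    ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
    echo "  checking if ticket is useful"
    # --server-any: the alias name is only reachable via the keytab's
    # canonical entry.
    ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
        { ec=1 ; eval "${testfailed}"; }
done
${kdestroy}

echo "Getting server initial tickets"; > ${logfile}
${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
echo "Listing tickets"; > ${logfile}
${klist} | grep "Principal: ${server}" > /dev/null || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "Getting key for key that are a subset in keytab compared to kdb"
${kinit} --keytab=${keytab} kt-des3@${R} || { ec=1; eval "${testfailed}"; }
${klist} | grep "Principal: kt-des3" > /dev/null || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "initial tickets for deleted user test case"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword remove@$R || \
    { ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
echo "try getting ticket with deleted user"; > ${logfile}
# Negative check: a TGT for a principal that no longer exists must be
# refused, so success here is the failure.
${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "cross realm case (deleted user)"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword remove2@$R2 || \
    { ec=1 ; eval "${testfailed}"; }
${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
    { ec=1 ; eval "${testfailed}"; }
${kadmin} delete remove2@${R2} || exit 1
# The foreign realm cannot see the deletion, so the cross-realm TGT is
# still honoured here.
${kgetcred} ${server}@${R} 2> /dev/null || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "rename user"; > ${logfile}
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${testdir}/foopassword rename@${R} || \
    { ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename2@${R} || exit 1
${kinit} --password-file=${testdir}/foopassword rename2@${R} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename2@${R} || exit 1

echo "rename user to another realm"; > ${logfile}
${kadmin} add -p foo --use-defaults rename@${R} || exit 1
${kinit} --password-file=${testdir}/foopassword rename@${R} || \
    { ec=1 ; eval "${testfailed}"; }
${kadmin} rename rename@${R} rename@${R2} || exit 1
${kinit} --password-file=${testdir}/foopassword rename@${R2} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}
${kadmin} delete rename@${R2} || exit 1

echo deleting all but aes enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1

echo deleting all but des enctypes on server-des3
${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1

echo "try all permutations (only aes)"; > ${logfile}
for a in $enctypes; do
    echo "Getting client initial tickets ($a)"; > ${logfile}
    ${kinit} --enctype=$a --password-file=${testdir}/foopassword foo@${R} ||\
        { ec=1 ; eval "${testfailed}"; }
    for b in $enctypes; do
        echo "Getting tickets ($a -> $b)"; > ${logfile}
        ${kgetcred} -e $b ${server}@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
            { ec=1 ; eval "${testfailed}"; }

        echo "Getting tickets ($a -> $b) (server des3 only)"; > ${logfile}
        ${kgetcred} ${server}-des3@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
            { ec=1 ; eval "${testfailed}"; }

        ${kdestroy} --credential=${server}@${R}
        ${kdestroy} --credential=${server}-des3@${R}
    done
    ${kdestroy}
done

echo deleting all enctypes on krbtgt
${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
    { ec=1 ; eval "${testfailed}"; }
echo "try initial ticket w/o and keys on krbtgt"
# Negative check: no krbtgt key left, so kinit must fail.
${kinit} --password-file=${testdir}/foopassword foo@${R} 2>/dev/null && \
    { ec=1 ; eval "${testfailed}"; }
echo "adding random aes key"
${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
    { ec=1 ; eval "${testfailed}"; }
echo "try initial ticket with random aes key on krbtgt"
${kinit} --password-file=${testdir}/foopassword foo@${R} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

# Probe the build for PK-INIT support and usable RSA/ECDSA/RNG backends.
rsa=yes
ecdsa=yes
pkinit=no
if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
    rsa=no
fi
if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
    rsa=no
fi
if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
    pkinit=yes
fi

if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
    ecdsa=no
fi


# If we support pkinit and have RSA, lets try that
if [ "$pkinit" = yes ] && [ "$rsa" = yes ] ; then

    echo "try anonymous pkinit"; > ${logfile}
    ${kinit} --anonymous ${R} || \
        { ec=1 ; eval "${testfailed}"; }
    ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
    ${kdestroy}

    # Once with the default DH exchange, once with --pk-use-enckey.
    for type in "" "--pk-use-enckey"; do
        echo "Trying pk-init (principal in certificate) $type"; > ${logfile}
        ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}

        echo "Trying pk-init (principal in pki-mapping) $type"; > ${logfile}
        ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}

        echo "Trying pk-init (password protected key) $type"; > ${logfile}
        ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${testdir}/foopassword foo@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}

        echo "Trying pk-init (proxy cert) $type"; > ${logfile}
        ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}

    done

    if [ "$ecdsa" = yes ] ; then
        echo "Trying pk-init (ec certificate)"
        > ${logfile}
        ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
            { ec=1 ; eval "${testfailed}"; }
        ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
        ${kdestroy}
        # The KDC log must show that ECDH, not RSA, was negotiated.
        grep 'PK-INIT using ecdh' ${logfile} > /dev/null || \
            { ec=1 ; eval "${testfailed}"; }
    fi

else
    echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > ${logfile}
fi

#echo "tickets for impersonate test case"; > ${logfile}
#${kinit} --forwardable --password-file=${testdir}/foopassword ${ps} || \
#	{ ec=1 ; eval "${testfailed}"; }
#${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
#	{ ec=1 ; eval "${testfailed}"; }
#${test_ap_req} ${ps} ${keytab} ${ocache} || \
#	{ ec=1 ; eval "${testfailed}"; }
#echo "  negative check"
#${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
#	{ ec=1 ; eval "${testfailed}"; }
#
#echo "test constrained delegation"; > ${logfile}
#${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
#	{ ec=1 ; eval "${testfailed}"; }
#${kgetcred} \
#	--out-cache=${o2cache} \
#	--delegation-credential-cache=${ocache} \
#	${server}@${R} || \
#	{ ec=1 ; eval "${testfailed}"; }
#echo "  try using the credential"
#${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
#	{ ec=1 ; eval "${testfailed}"; }
#echo "  negative check"
#${kgetcred} \
#	--out-cache=${o2cache} \
#	--delegation-credential-cache=${ocache} \
#	bar@${R} 2>/dev/null && \
#	{ ec=1 ; eval "${testfailed}"; }
#
#echo "test constrained delegation impersonation (non forward)"; > ${logfile}
#rm -f ocache.krb5
#${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
#	{ ec=1 ; eval "${testfailed}"; }
#${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
#	{ ec=1 ; eval "${testfailed}"; }
#
#echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > ${logfile}
#rm -f ocache.krb5
#${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
#	{ ec=1 ; eval "${testfailed}"; }
#${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
#	{ ec=1 ; eval "${testfailed}"; }
#
#${kdestroy}

echo "check renewing" > ${logfile}
${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \
    { ec=1 ; eval "${testfailed}"; }
echo "kinit -R"
${kinit} -R || \
    { ec=1 ; eval "${testfailed}"; }
echo "check renewing MIT interface" > ${logfile}
${kinit} --renewable --password-file=${testdir}/foopassword foo@$R || \
    { ec=1 ; eval "${testfailed}"; }
echo "test_renew"
env KRB5CCNAME=${cache} ${test_renew} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "checking server aliases"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword foo@$R || \
    { ec=1 ; eval "${testfailed}"; }
echo "Getting tickets"; > ${logfile}
${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "  verify entry in keytab"
${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
    { ec=1 ; eval "${testfailed}"; }
echo "  verify entry in keytab with any"
${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
    { ec=1 ; eval "${testfailed}"; }
echo "  verify failure with alias entry"
# Negative check: the alias has no keytab entry of its own, so a strict
# server-name match must be rejected.
${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
    { ec=1 ; eval "${testfailed}"; }
echo "  verify alias entry in keytab with any"
${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
    { ec=1 ; eval "${testfailed}"; }
${kdestroy}

echo "testing removal of keytab"
${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }

echo "Getting client pw expire"; > ${logfile}
${kinit} --password-file=${testdir}/foopassword \
    pw-expire@${R} 2>${testdir}/kinit-log.tmp|| \
    { ec=1 ; eval "${testfailed}"; }
grep 'Your password will expire' ${testdir}/kinit-log.tmp > /dev/null || \
    { ec=1 ; eval "${testfailed}"; }
echo "  kinit passes"
${test_gic} --client=pw-expire@${R} --password=foo \
    --last-request > ${testdir}/kinit-log.tmp 2>/dev/null
# LR type 6 is the password-expiration entry in the last-req output.
${EGREP} "^e type: 6" ${testdir}/kinit-log.tmp > /dev/null || \
    { ec=1 ; eval "${testfailed}"; }
echo "  test_gic passes"
${kdestroy}

echo "testing klist -A with KRB5CCNAME set"
${kinit} --password-file=${testdir}/foopassword foo@$R || \
    { ec=1 ; eval "${testfailed}"; }
export KRB5CCNAME=${cache}
${klistA} > ${testdir}/klist-log.tmp
# "&>" is not POSIX sh: under /bin/sh it backgrounded grep and left the
# check always passing.  Spell the redirection out instead.
grep 'Issued' ${testdir}/klist-log.tmp > /dev/null 2>&1 || \
    { ec=1 ; eval "${testfailed}"; }

# NOTE(review): the --json checks below run the installed /usr/bin/klist,
# not the freshly built ${klist}; they only verify that its output parses
# as JSON.  Confirm that testing the system binary is intended.
echo "checking klist --json"
python -c 'import subprocess, json; json.loads(subprocess.check_output(["/usr/bin/klist", "--json"]))' || \
    { ec=1 ; eval "${testfailed}"; }

echo "checking klist --json -l"
python -c 'import subprocess, json; json.loads(subprocess.check_output(["/usr/bin/klist", "--list", "--json"]))' || \
    { ec=1 ; eval "${testfailed}"; }

echo "checking klist --json -a"
python -c 'import subprocess, json; json.loads(subprocess.check_output(["/usr/bin/klist", "-a", "--json"]))' || \
    { ec=1 ; eval "${testfailed}"; }

echo "checking klist --json --verbose -a"
python -c 'import subprocess, json; json.loads(subprocess.check_output(["/usr/bin/klist", "-a", "--list", "--json"]))' || \
    { ec=1 ; eval "${testfailed}"; }

${kdestroy}

# Same checks again with the cache destroyed: empty output must still parse.
echo "checking klist --json"
python -c 'import subprocess, json; json.loads(subprocess.check_output(["/usr/bin/klist", "--json"]))' || \
    { ec=1 ; eval "${testfailed}"; }

echo "checking klist --json -l"
python -c 'import subprocess, json; json.loads(subprocess.check_output(["/usr/bin/klist", "--list", "--json"]))' || \
    { ec=1 ; eval "${testfailed}"; }


echo "testing sendto"
${test_sendto} --realm=${R} || \
    { ec=1 ; eval "${testfailed}"; }

echo "testing sendto (use-large)"
${test_sendto} --use-large --realm=${R} || \
    { ec=1 ; eval "${testfailed}"; }


rm ${testdir}/kinit-log.tmp ${testdir}/klist-log.tmp

echo "killing kdc (${kdcpid})"
sh ${leaks_kill} kdc $kdcpid || exit 1

# The KDC is down; disarm the emergency trap so the normal exit is clean.
trap "" EXIT

exit $ec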