etc/services - sync with NetBSD-8
[minix.git] / crypto / external / bsd / heimdal / dist / tests / kdc / check-kdc.in
blob3f370598e71303c8a0d41dbf29e06a8948220184
1 #!/bin/sh
3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
5 # All rights reserved.
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
9 # are met:
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
32 # SUCH DAMAGE.
34 top_builddir="@top_builddir@"
35 env_setup="@env_setup@"
36 objdir="@objdir@"
38 . ${env_setup}
40 KRB5_CONFIG="${1-${objdir}/krb5.conf}"
41 export KRB5_CONFIG
43 testfailed="echo test failed; cat messages.log; exit 1"
45 # If there is no useful db support compile in, disable test
46 ${have_db} || exit 77
48 R=TEST.H5L.SE
49 R2=TEST2.H5L.SE
50 R3=TEST-HTTP.H5L.SE
52 port=@port@
54 kadmin="${kadmin} -l -r $R"
55 kdc="${kdc} --addresses=localhost -P $port"
57 server=host/datan.test.h5l.se
58 server2=host/computer.example.com
59 serverip=host/10.11.12.13
60 serveripname=host/ip.test.h5l.org
61 serveripname2=host/10.11.12.14
62 alias1=host/datan.example.com
63 alias2=host/datan
64 aliaskeytab=host/datan
65 cache="FILE:${objdir}/cache.krb5"
66 ocache="FILE:${objdir}/ocache.krb5"
67 o2cache="FILE:${objdir}/o2cache.krb5"
68 icache="FILE:${objdir}/icache.krb5"
69 keytabfile=${objdir}/server.keytab
70 keytab="FILE:${keytabfile}"
71 ps="proxy-service@${R}"
72 aesenctype="aes256-cts-hmac-sha1-96"
74 kinit="${kinit} -c $cache ${afs_no_afslog}"
75 klist="${klist} -c $cache"
76 kgetcred="${kgetcred} -c $cache"
77 kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}"
78 kdestroy="${kdestroy} -c $cache ${afs_no_unlog}"
79 kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}"
81 rm -f ${keytabfile}
82 rm -f current-db*
83 rm -f out-*
84 rm -f mkey.file*
86 > messages.log
88 echo Creating database
89 ${kadmin} \
90 init \
91 --realm-max-ticket-life=1day \
92 --realm-max-renewable-life=1month \
93 ${R} || exit 1
95 ${kadmin} \
96 init \
97 --realm-max-ticket-life=1day \
98 --realm-max-renewable-life=1month \
99 ${R2} || exit 1
101 ${kadmin} \
102 init \
103 --realm-max-ticket-life=1day \
104 --realm-max-renewable-life=1month \
105 ${R3} || exit 1
107 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
108 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
109 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
110 ${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
112 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
113 ${kadmin} add -p bar --use-defaults bar@${R} || exit 1
114 ${kadmin} add -p foo --use-defaults remove@${R} || exit 1
115 ${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
116 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
117 ${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
118 ${kadmin} add -p foo --use-defaults ${ps} || exit 1
119 ${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
120 ${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
121 ${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
122 ${kadmin} ext -k ${keytab} ${ps} || exit 1
124 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
125 ${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
126 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
127 ${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
128 ${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
129 ${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
130 ${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
131 ${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
133 ${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
134 ${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
135 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
137 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
138 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
140 ${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
141 ${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1
143 ${kadmin} add -p foo --use-defaults foo@${R3} || exit 1
145 echo "Check parser"
146 ${kadmin} add -p foo --use-defaults -- -p || exit 1
147 ${kadmin} delete -- -p || exit 1
149 echo "Doing database check"
150 ${kadmin} check ${R} || exit 1
151 ${kadmin} check ${R2} || exit 1
153 echo "Extracting enctypes"
154 ${ktutil} -k ${keytab} list > tempfile || exit 1
155 ${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
156 awk '$1 !~ /1/ { exit 1 }' || exit 1
158 ${kadmin} get foo@${R} > tempfile || exit 1
159 enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'`
161 enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'`
162 enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
164 echo "deleting all but des enctypes on kt-des3 in keytab"
165 ${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1
166 for a in ${enctype_sans_des3} ; do
167 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a
168 done
170 echo foo > ${objdir}/foopassword
172 echo Starting kdc
173 env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \
174 ${kdc} &
175 kdcpid=$!
177 sh ${wait_kdc}
178 if [ "$?" != 0 ] ; then
179 kill -9 ${kdcpid}
180 exit 1
183 trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
185 ec=0
187 echo "Getting client initial tickets"; > messages.log
188 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
189 { ec=1 ; eval "${testfailed}"; }
190 echo "Getting tickets"; > messages.log
191 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
192 echo "Listing tickets"; > messages.log
193 ${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
194 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
195 { ec=1 ; eval "${testfailed}"; }
196 ${kdestroy}
198 echo "Getting client initial tickets (http transport)"; > messages.log
199 ${kinit} --password-file=${objdir}/foopassword foo@${R3} || \
200 { ec=1 ; eval "${testfailed}"; }
201 ${kdestroy}
203 echo "Testing forwardable/renewable flag copying in TGS-REQ"
204 ${kinit} -f --renewable -r 5d --password-file=${objdir}/foopassword foo@$R || \
205 { ec=1 ; eval "${testfailed}"; }
206 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
207 ${klist} -f | grep ${server} | grep FRA > /dev/null || \
208 { ec=1 ; eval "${testfailed}"; }
211 echo "Specific enctype"; > messages.log
212 ${kinit} --password-file=${objdir}/foopassword \
213 -e ${aesenctype} -e ${aesenctype} \
214 foo@$R || \
215 { ec=1 ; eval "${testfailed}"; }
217 for a in $enctypes; do
218 echo "Getting client initial tickets ($a)"; > messages.log
219 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
220 echo "Getting tickets"; > messages.log
221 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
222 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
223 ${kdestroy}
224 done
227 echo "Getting client initial tickets"; > messages.log
228 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
229 { ec=1 ; eval "${testfailed}"; }
230 for a in $enctypes; do
231 echo "Getting tickets ($a)"; > messages.log
232 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
233 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
234 { ec=1 ; eval "${testfailed}"; }
235 ${kdestroy} --credential=${server}@${R}
236 done
237 ${kdestroy}
239 echo "Getting client initial tickets for cross realm case"; > messages.log
240 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
241 for a in $enctypes; do
242 echo "Getting cross realm tickets ($a)"; > messages.log
243 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
244 echo " checking we we got back right ticket"
245 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
246 echo " checking if ticket is useful"
247 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
248 { ec=1 ; eval "${testfailed}"; }
249 ${kdestroy} --credential=${server2}@${R2}
250 done
251 ${kdestroy}
253 echo "try all permutations"; > messages.log
254 for a in $enctypes; do
255 echo "Getting client initial tickets ($a)"; > messages.log
256 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \
257 { ec=1 ; eval "${testfailed}"; }
258 for b in $enctypes; do
259 echo "Getting tickets ($a -> $b)"; > messages.log
260 ${kgetcred} -e $b ${server}@${R} || \
261 { ec=1 ; eval "${testfailed}"; }
262 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
263 { ec=1 ; eval "${testfailed}"; }
264 ${kdestroy} --credential=${server}@${R}
265 done
266 ${kdestroy}
267 done
269 echo "Getting client initial tickets ip based name"; > messages.log
270 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
271 echo "Getting ip based name tickets"; > messages.log
272 ${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; }
273 echo " checking we we got back right ticket"
274 ${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
275 echo " checking if ticket is useful"
276 ${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \
277 { ec=1 ; eval "${testfailed}"; }
278 ${kdestroy}
280 echo "Getting client initial tickets ip based name (alias)"; > messages.log
281 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
282 for a in ${serveripname} ${serveripname2} ; do
283 echo "Getting ip based name tickets (alias) $a"; > messages.log
284 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; }
285 echo " checking we we got back right ticket"
286 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
287 echo " checking if ticket is useful"
288 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \
289 { ec=1 ; eval "${testfailed}"; }
290 done
291 ${kdestroy}
293 echo "Getting server initial tickets"; > messages.log
294 ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
295 echo "Listing tickets"; > messages.log
296 ${klist} | grep "Principal: ${server}" > /dev/null || \
297 { ec=1 ; eval "${testfailed}"; }
298 ${kdestroy}
300 echo "Getting key for key that are a subset in keytab compared to kdb"
301 ${kinit} --keytab=${keytab} kt-des3@${R}
302 ${klist} | grep "Principal: kt-des3" > /dev/null || \
303 { ec=1 ; eval "${testfailed}"; }
304 ${kdestroy}
306 echo "initial tickets for deleted user test case"; > messages.log
307 ${kinit} --password-file=${objdir}/foopassword remove@$R || \
308 { ec=1 ; eval "${testfailed}"; }
309 ${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
310 echo "try getting ticket with deleted user"; > messages.log
311 ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
312 ${kdestroy}
314 echo "cross realm case (deleted user)"; > messages.log
315 ${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
316 { ec=1 ; eval "${testfailed}"; }
317 ${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
318 { ec=1 ; eval "${testfailed}"; }
319 ${kadmin} delete remove2@${R2} || exit 1
320 ${kgetcred} ${server}@${R} 2> /dev/null || \
321 { ec=1 ; eval "${testfailed}"; }
322 ${kdestroy}
324 echo "rename user"; > messages.log
325 ${kadmin} add -p foo --use-defaults rename@${R} || exit 1
326 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
327 { ec=1 ; eval "${testfailed}"; }
328 ${kadmin} rename rename@${R} rename2@${R} || exit 1
329 ${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
330 { ec=1 ; eval "${testfailed}"; }
331 ${kdestroy}
332 ${kadmin} delete rename2@${R} || exit 1
334 echo "rename user to another realm"; > messages.log
335 ${kadmin} add -p foo --use-defaults rename@${R} || exit 1
336 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
337 { ec=1 ; eval "${testfailed}"; }
338 ${kadmin} rename rename@${R} rename@${R2} || exit 1
339 ${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
340 { ec=1 ; eval "${testfailed}"; }
341 ${kdestroy}
342 ${kadmin} delete rename@${R2} || exit 1
344 echo deleting all but aes enctypes on krbtgt
345 ${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1
347 echo deleting all but des enctypes on server-des3
348 ${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1
349 ${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1
351 echo "try all permutations (only aes)"; > messages.log
352 for a in $enctypes; do
353 echo "Getting client initial tickets ($a)"; > messages.log
354 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
355 { ec=1 ; eval "${testfailed}"; }
356 for b in $enctypes; do
357 echo "Getting tickets ($a -> $b)"; > messages.log
358 ${kgetcred} -e $b ${server}@${R} || \
359 { ec=1 ; eval "${testfailed}"; }
360 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \
361 { ec=1 ; eval "${testfailed}"; }
363 echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
364 ${kgetcred} ${server}-des3@${R} || \
365 { ec=1 ; eval "${testfailed}"; }
366 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \
367 { ec=1 ; eval "${testfailed}"; }
369 ${kdestroy} --credential=${server}@${R}
370 ${kdestroy} --credential=${server}-des3@${R}
371 done
372 ${kdestroy}
373 done
375 echo deleting all enctypes on krbtgt
376 ${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
377 { ec=1 ; eval "${testfailed}"; }
378 echo "try initial ticket w/o and keys on krbtgt"
379 ${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \
380 { ec=1 ; eval "${testfailed}"; }
381 echo "adding random aes key"
382 ${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
383 { ec=1 ; eval "${testfailed}"; }
384 echo "try initial ticket with random aes key on krbtgt"
385 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
386 { ec=1 ; eval "${testfailed}"; }
387 ${kdestroy}
389 rsa=yes
390 ecdsa=yes
391 pkinit=no
392 if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then
393 rsa=no
395 if ${hxtool} info | grep 'rand: not available' > /dev/null ; then
396 rsa=no
398 if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then
399 pkinit=yes
402 if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then
403 ecdsa=no
407 # If we support pkinit and have RSA, lets try that
408 if test "$pkinit" = yes -a "$rsa" = yes ; then
410 echo "try anonymous pkinit"; > messages.log
411 ${kinit} --anonymous ${R} || \
412 { ec=1 ; eval "${testfailed}"; }
413 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
414 ${kdestroy}
416 for type in "" "--pk-use-enckey"; do
417 echo "Trying pk-init (principal in certificate) $type"; > messages.log
418 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \
419 { ec=1 ; eval "${testfailed}"; }
420 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
421 ${kdestroy}
423 echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
424 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \
425 { ec=1 ; eval "${testfailed}"; }
426 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
427 ${kdestroy}
429 echo "Trying pk-init (password protected key) $type"; > messages.log
430 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
431 { ec=1 ; eval "${testfailed}"; }
432 ${kgetcred} ${server}@${R} || \
433 { ec=1 ; eval "${testfailed}"; }
434 ${kdestroy}
436 echo "Trying pk-init (proxy cert) $type"; > messages.log
437 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \
438 { ec=1 ; eval "${testfailed}"; }
439 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
440 ${kdestroy}
442 done
444 if test "$ecdsa" = yes > /dev/null ; then
445 echo "Trying pk-init (ec certificate)"
446 > messages.log
447 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \
448 { ec=1 ; eval "${testfailed}"; }
449 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
450 ${kdestroy}
451 grep 'PK-INIT using ecdh' messages.log > /dev/null || \
452 { ec=1 ; eval "${testfailed}"; }
455 else
456 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
459 echo "tickets for impersonate test case"; > messages.log
460 ${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
461 { ec=1 ; eval "${testfailed}"; }
462 ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
463 { ec=1 ; eval "${testfailed}"; }
464 ${test_ap_req} ${ps} ${keytab} ${ocache} || \
465 { ec=1 ; eval "${testfailed}"; }
466 echo " negative check"
467 ${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
468 { ec=1 ; eval "${testfailed}"; }
470 echo "test constrained delegation"; > messages.log
471 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
472 { ec=1 ; eval "${testfailed}"; }
473 ${kgetcred} \
474 --out-cache=${o2cache} \
475 --delegation-credential-cache=${ocache} \
476 ${server}@${R} || \
477 { ec=1 ; eval "${testfailed}"; }
478 echo " try using the credential"
479 ${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
480 { ec=1 ; eval "${testfailed}"; }
481 echo " negative check"
482 ${kgetcred} \
483 --out-cache=${o2cache} \
484 --delegation-credential-cache=${ocache} \
485 bar@${R} 2>/dev/null && \
486 { ec=1 ; eval "${testfailed}"; }
488 echo "test constrained delegation impersonation (non forward)"; > messages.log
489 rm -f ocache.krb5
490 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
491 { ec=1 ; eval "${testfailed}"; }
492 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
493 { ec=1 ; eval "${testfailed}"; }
495 echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
496 rm -f ocache.krb5
497 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
498 { ec=1 ; eval "${testfailed}"; }
499 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \
500 { ec=1 ; eval "${testfailed}"; }
502 ${kdestroy}
504 echo "check renewing" > messages.log
505 ${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
506 { ec=1 ; eval "${testfailed}"; }
507 echo "kinit -R"
508 ${kinit} -R || \
509 { ec=1 ; eval "${testfailed}"; }
510 echo "check renewing MIT interface" > messages.log
511 ${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \
512 { ec=1 ; eval "${testfailed}"; }
513 echo "test_renew"
514 env KRB5CCNAME=${cache} ${test_renew} || \
515 { ec=1 ; eval "${testfailed}"; }
516 ${kdestroy}
518 echo "checking server aliases"; > messages.log
519 ${kinit} --password-file=${objdir}/foopassword foo@$R || \
520 { ec=1 ; eval "${testfailed}"; }
521 echo "Getting tickets"; > messages.log
522 ${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; }
523 ${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; }
524 echo " verify entry in keytab"
525 ${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \
526 { ec=1 ; eval "${testfailed}"; }
527 echo " verify entry in keytab with any"
528 ${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \
529 { ec=1 ; eval "${testfailed}"; }
530 echo " verify failure with alias entry"
531 ${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \
532 { ec=1 ; eval "${testfailed}"; }
533 echo " verify alias entry in keytab with any"
534 ${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \
535 { ec=1 ; eval "${testfailed}"; }
536 ${kdestroy}
538 echo "testing removal of keytab"
539 ${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; }
540 test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; }
542 echo "Getting client pw expire"; > messages.log
543 ${kinit} --password-file=${objdir}/foopassword \
544 pw-expire@${R} 2>kinit-log.tmp|| \
545 { ec=1 ; eval "${testfailed}"; }
546 grep 'Your password will expire' kinit-log.tmp > /dev/null || \
547 { ec=1 ; eval "${testfailed}"; }
548 echo " kinit passes"
549 ${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null
550 ${EGREP} "^e type: 6" kinit-log.tmp > /dev/null || \
551 { ec=1 ; eval "${testfailed}"; }
552 echo " test_gic passes"
553 ${kdestroy}
555 echo "killing kdc (${kdcpid})"
556 sh ${leaks_kill} kdc $kdcpid || exit 1
558 trap "" EXIT
560 exit $ec