3 # Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
4 # (Royal Institute of Technology, Stockholm, Sweden).
7 # Redistribution and use in source and binary forms, with or without
8 # modification, are permitted provided that the following conditions
11 # 1. Redistributions of source code must retain the above copyright
12 # notice, this list of conditions and the following disclaimer.
14 # 2. Redistributions in binary form must reproduce the above copyright
15 # notice, this list of conditions and the following disclaimer in the
16 # documentation and/or other materials provided with the distribution.
18 # 3. Neither the name of the Institute nor the names of its contributors
19 # may be used to endorse or promote products derived from this software
20 # without specific prior written permission.
22 # THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
23 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
24 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
25 # ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
26 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
27 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
28 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
29 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
30 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
31 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34 # $Heimdal: check-kdc.in 22019 2007-10-24 20:47:59Z lha $
42 testfailed
="echo test failed; cat messages.log; exit 1"
44 # If there is no useful db support compile in, disable test
45 ..
/db
/have-db ||
exit 77
52 kadmin
="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
53 kdc
="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
55 server
=host
/datan.
test.h5l.se
56 server2
=host
/computer.example.com
57 cache
="FILE:${objdir}/cache.krb5"
58 ocache
="FILE:${objdir}/ocache.krb5"
59 o2cache
="FILE:${objdir}/o2cache.krb5"
60 icache
="FILE:${objdir}/icache.krb5"
61 keytabfile
=${objdir}/server.keytab
62 keytab
="FILE:${keytabfile}"
63 ps
="proxy-service@${R}"
64 aesenctype
="aes256-cts-hmac-sha1-96"
66 kinit
="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
67 klist
="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
68 kgetcred
="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
69 kgetcred_imp
="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache --out-cache=${ocache}"
70 kdestroy
="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
71 ktutil
="${TESTS_ENVIRONMENT} ../../admin/ktutil"
72 hxtool
="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool"
73 kimpersonate
="${TESTS_ENVIRONMENT} ../../kuser/kimpersonate -k ${keytab} --ccache=${ocache}"
74 test_renew
="${TESTS_ENVIRONMENT} ../../lib/krb5/test_renew"
76 KRB5_CONFIG
="${objdir}/krb5.conf"
86 echo Creating database
89 --realm-max-ticket-life=1day \
90 --realm-max-renewable-life=1month \
95 --realm-max-ticket-life=1day \
96 --realm-max-renewable-life=1month \
99 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
100 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
101 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
102 ${kadmin} cpw -r krbtgt/${R}@${R} ||
exit 1
104 ${kadmin} add
-p foo
--use-defaults foo@
${R} ||
exit 1
105 ${kadmin} add
-p bar
--use-defaults bar@
${R} ||
exit 1
106 ${kadmin} add
-p foo
--use-defaults remove@
${R} ||
exit 1
107 ${kadmin} add -p kaka --use-defaults ${server}@${R} ||
exit 1
108 ${kadmin} add -p kaka --use-defaults ${server}-des3@${R} ||
exit 1
109 ${kadmin} add
-p foo
--use-defaults ${ps} ||
exit 1
110 ${kadmin} modify
--attributes=+trusted-for-delegation
${ps} ||
exit 1
111 ${kadmin} modify --constrained-delegation=${server} ${ps} ||
exit 1
112 ${kadmin} ext -k ${keytab} ${server}@${R} ||
exit 1
113 ${kadmin} ext -k ${keytab} ${ps} ||
exit 1
115 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} ||
exit 1
116 ${kadmin} ext -k ${keytab} ${server2}@${R2} ||
exit 1
117 ${kadmin} add
-p foo
--use-defaults remove2@
${R2} ||
exit 1
119 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} ||
exit 1
120 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} ||
exit 1
122 ${kadmin} add
-p foo
--use-defaults -- -p ||
exit 1
123 ${kadmin} delete
-- -p ||
exit 1
125 echo "Doing database check"
126 ${kadmin} check
${R} ||
exit 1
127 ${kadmin} check
${R2} ||
exit 1
129 echo "Extracting enctypes"
130 ${ktutil} -k ${keytab} list
> tempfile ||
exit 1
131 ${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \
132 awk '$1 !~ /1/ { exit 1 }' ||
exit 1
134 ${kadmin} get foo@
${R} > tempfile ||
exit 1
135 enctypes
=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'`
137 enctype_sans_aes
=`echo $enctypes | sed 's/aes[^ ]*//g'`
138 enctype_sans_des3
=`echo $enctypes | sed 's/des3-cbc-sha1//g'`
140 echo foo
> ${objdir}/foopassword
146 sh
${srcdir}/wait-kdc.sh
147 if [ "$?" != 0 ] ; then
152 trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
156 echo "Getting client initial tickets"; > messages.log
157 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
158 { ec
=1 ; eval "${testfailed}"; }
159 echo "Getting tickets"; > messages.log
160 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
161 echo "Listing tickets"; > messages.log
162 ${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; }
163 .
/ap-req
${server}@${R} ${keytab} ${cache} || \
164 { ec
=1 ; eval "${testfailed}"; }
167 echo "Specific enctype"; > messages.log
168 ${kinit} --password-file=${objdir}/foopassword \
169 -e ${aesenctype} -e ${aesenctype} \
171 { ec
=1 ; eval "${testfailed}"; }
173 for a
in $enctypes; do
174 echo "Getting client initial tickets ($a)"; > messages.log
175 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
176 echo "Getting tickets"; > messages.log
177 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
178 .
/ap-req
${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; }
183 echo "Getting client initial tickets"; > messages.log
184 ${kinit} --password-file=${objdir}/foopassword foo@
$R || \
185 { ec
=1 ; eval "${testfailed}"; }
186 for a
in $enctypes; do
187 echo "Getting tickets ($a)"; > messages.log
188 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
189 .
/ap-req
${server}@${R} ${keytab} ${cache} || \
190 { ec
=1 ; eval "${testfailed}"; }
191 ${kdestroy} --credential=${server}@${R}
195 echo "Getting client initial tickets for cross realm case"; > messages.log
196 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
197 for a
in $enctypes; do
198 echo "Getting cross realm tickets ($a)"; > messages.log
199 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
200 .
/ap-req
${server2}@${R2} ${keytab} ${cache} || \
201 { ec
=1 ; eval "${testfailed}"; }
202 ${kdestroy} --credential=${server2}@${R2}
206 echo "try all permutations"; > messages.log
207 for a
in $enctypes; do
208 echo "Getting client initial tickets ($a)"; > messages.log
209 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@
$R || \
210 { ec
=1 ; eval "${testfailed}"; }
211 for b
in $enctypes; do
212 echo "Getting tickets ($a -> $b)"; > messages.log
213 ${kgetcred} -e $b ${server}@${R} || \
214 { ec
=1 ; eval "${testfailed}"; }
215 .
/ap-req
${server}@${R} ${keytab} ${cache} || \
216 { ec
=1 ; eval "${testfailed}"; }
217 ${kdestroy} --credential=${server}@${R}
222 echo "Getting server initial tickets"; > messages.log
223 ${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; }
224 echo "Listing tickets"; > messages.log
225 ${klist} |
grep "Principal: ${server}" > /dev
/null || \
226 { ec
=1 ; eval "${testfailed}"; }
229 echo "initial tickets for deleted user test case"; > messages.log
230 ${kinit} --password-file=${objdir}/foopassword remove@
$R || \
231 { ec
=1 ; eval "${testfailed}"; }
232 ${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; }
233 echo "try getting ticket with deleted user"; > messages.log
234 ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
237 echo "cross realm case (removed user)"; > messages.log
238 ${kinit} --password-file=${objdir}/foopassword remove2@
$R2 || \
239 { ec
=1 ; eval "${testfailed}"; }
240 ${kgetcred} krbtgt/${R}@${R2} 2> /dev
/null || \
241 { ec
=1 ; eval "${testfailed}"; }
242 ${kadmin} delete remove2@
${R2} ||
exit 1
243 ${kgetcred} ${server}@${R} 2> /dev
/null || \
244 { ec
=1 ; eval "${testfailed}"; }
247 echo "rename user"; > messages.log
248 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
249 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
250 { ec
=1 ; eval "${testfailed}"; }
251 ${kadmin} rename rename@${R} rename2@${R} ||
exit 1
252 ${kinit} --password-file=${objdir}/foopassword rename2@${R} || \
253 { ec
=1 ; eval "${testfailed}"; }
255 ${kadmin} delete rename2@
${R} ||
exit 1
257 echo "rename user to another realm"; > messages.log
258 ${kadmin} add
-p foo
--use-defaults rename@
${R} ||
exit 1
259 ${kinit} --password-file=${objdir}/foopassword rename@${R} || \
260 { ec
=1 ; eval "${testfailed}"; }
261 ${kadmin} rename rename@${R} rename@${R2} ||
exit 1
262 ${kinit} --password-file=${objdir}/foopassword rename@${R2} || \
263 { ec
=1 ; eval "${testfailed}"; }
265 ${kadmin} delete rename@
${R2} ||
exit 1
267 echo deleting all but aes enctypes on krbtgt
268 ${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} ||
exit 1
270 echo deleting all but des enctypes on server-des3
271 ${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} ||
exit 1
272 ${kadmin} ext -k ${keytab} ${server}-des3@${R} ||
exit 1
274 echo "try all permutations (only aes)"; > messages.log
275 for a
in $enctypes; do
276 echo "Getting client initial tickets ($a)"; > messages.log
277 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\
278 { ec
=1 ; eval "${testfailed}"; }
279 for b
in $enctypes; do
280 echo "Getting tickets ($a -> $b)"; > messages.log
281 ${kgetcred} -e $b ${server}@${R} || \
282 { ec
=1 ; eval "${testfailed}"; }
283 .
/ap-req
${server}@${R} ${keytab} ${cache} || \
284 { ec
=1 ; eval "${testfailed}"; }
286 echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log
287 ${kgetcred} ${server}-des3@${R} || \
288 { ec
=1 ; eval "${testfailed}"; }
289 .
/ap-req
${server}-des3@${R} ${keytab} ${cache} || \
290 { ec
=1 ; eval "${testfailed}"; }
292 ${kdestroy} --credential=${server}@${R}
293 ${kdestroy} --credential=${server}-des3@${R}
298 echo deleting all enctypes on krbtgt
299 ${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
300 { ec
=1 ; eval "${testfailed}"; }
301 echo "try initial ticket w/o and keys on krbtgt"
302 ${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev
/null
&& \
303 { ec
=1 ; eval "${testfailed}"; }
304 echo "adding random aes key"
305 ${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \
306 { ec
=1 ; eval "${testfailed}"; }
307 echo "try initial ticket with random aes key on krbtgt"
308 ${kinit} --password-file=${objdir}/foopassword foo@${R} || \
309 { ec
=1 ; eval "${testfailed}"; }
313 if ${hxtool} info |
grep 'rsa: hx509 null RSA' > /dev
/null
; then
316 if ${hxtool} info |
grep 'rand: not available' > /dev
/null
; then
319 if ${kinit} --help 2>&1 |
grep "CA certificates" > /dev
/null
; then
323 # If we support pkinit and have RSA, lets try that
324 if test "$pkinit" = yes -a "$rsa" = yes ; then
326 for type in "" "--pk-use-enckey"; do
327 echo "Trying pk-init (principal in certificate) $type"; > messages.log
328 base
="${srcdir}/../../lib/hx509/data"
329 ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || \
330 { ec
=1 ; eval "${testfailed}"; }
331 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
334 echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log
335 ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || \
336 { ec
=1 ; eval "${testfailed}"; }
337 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
340 echo "Trying pk-init (password protected key) $type"; > messages.log
341 ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \
342 { ec
=1 ; eval "${testfailed}"; }
343 ${kgetcred} ${server}@${R} || \
344 { ec
=1 ; eval "${testfailed}"; }
347 echo "Trying pk-init (proxy cert) $type"; > messages.log
348 base
="${srcdir}/../../lib/hx509/data"
349 ${kinit} $type -C FILE:${base}/pkinit-proxy-chain.crt,${base}/pkinit-proxy.key foo@${R} || \
350 { ec
=1 ; eval "${testfailed}"; }
351 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
356 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log
359 echo "tickets for impersonate test case"; > messages.log
360 ${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \
361 { ec
=1 ; eval "${testfailed}"; }
362 ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
363 { ec
=1 ; eval "${testfailed}"; }
364 .
/ap-req
${ps} ${keytab} ${ocache} || \
365 { ec
=1 ; eval "${testfailed}"; }
366 ${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev
/null
&& \
367 { ec
=1 ; eval "${testfailed}"; }
368 echo test constrained delegation
369 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
370 { ec
=1 ; eval "${testfailed}"; }
371 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || \
372 { ec
=1 ; eval "${testfailed}"; }
373 .
/ap-req
${server}@${R} ${keytab} ${o2cache} || \
374 { ec
=1 ; eval "${testfailed}"; }
375 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev
/null
&& \
376 { ec
=1 ; eval "${testfailed}"; }
378 echo "test constrained delegation impersonation (non forward)"; > messages.log
380 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
381 { ec
=1 ; eval "${testfailed}"; }
382 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
383 { ec
=1 ; eval "${testfailed}"; }
385 echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log
387 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \
388 { ec
=1 ; eval "${testfailed}"; }
389 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev
/null
2>/dev
/null
&& \
390 { ec
=1 ; eval "${testfailed}"; }
394 echo "check renewing" > messages.log
395 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
396 { ec
=1 ; eval "${testfailed}"; }
399 { ec
=1 ; eval "${testfailed}"; }
400 echo "check renewing MIT interface" > messages.log
401 ${kinit} --renewable --password-file=${objdir}/foopassword foo@
$R || \
402 { ec
=1 ; eval "${testfailed}"; }
404 env KRB5CCNAME
=${cache} ${test_renew} || \
405 { ec
=1 ; eval "${testfailed}"; }
409 echo "killing kdc (${kdcpid})"
410 kill $kdcpid ||
exit 1
