search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
s3:smbd: call apply_new_nt_acl() already in mkdir_internals()
[samba4-gss.git] / testprogs / blackbox / test_kinit.sh
blobef82a3a49f05c9dfea15255207f92c1e723d4852
1 #!/bin/sh
2 # Blackbox tests for kinit and kerberos integration with smbclient etc
3 # Copyright (c) Andreas Schneider <asn@samba.org>
4 # Copyright (C) 2006-2007 Jelmer Vernooij <jelmer@samba.org>
5 # Copyright (C) 2006-2008 Andrew Bartlett <abartlet@samba.org>
6
7 if [ $# -lt 8 ]; then
8 cat <<EOF
9 Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX SMBCLIENT CONFIGURATION
10 EOF
11 exit 1
12 fi
13
14 SERVER=$1
15 USERNAME=$2
16 PASSWORD=$3
17 REALM=$4
18 DOMAIN=$5
19 PREFIX=$6
20 smbclient=$7
21 CONFIGURATION="${8}"
22 shift 8
23 failed=0
24
25 . "$(dirname "${0}")/subunit.sh"
26 . "$(dirname "${0}")/common_test_fns.inc"
27
28 samba_bindir="$BINDIR"
29 samba_srcdir="$SRCDIR/source4"
30 samba_kinit=$(system_or_builddir_binary kinit "${BINDIR}" samba4kinit)
31 samba_kpasswd=$(system_or_builddir_binary kpasswd "${BINDIR}" samba4kpasswd)
32 samba_kvno=$(system_or_builddir_binary kvno "${BINDIR}" samba4kvno)
33
34 samba_tool="${samba_bindir}/samba-tool"
35 samba_texpect="${samba_bindir}/texpect"
36
37 samba_enableaccount="${samba_tool} user enable"
38 machineaccountccache="${samba_srcdir}/scripting/bin/machineaccountccache"
39
40 ldbmodify=$(system_or_builddir_binary ldbmodify "${BINDIR}")
41 ldbsearch=$(system_or_builddir_binary ldbsearch "${BINDIR}")
42
43 kbase="$(basename "${samba_kinit}")"
44 if [ "${kbase}" = "samba4kinit" ]; then
45 # HEIMDAL
46 OPTION_RENEWABLE="--renewable"
47 OPTION_RENEW_TICKET="--renew"
48 OPTION_ENTERPRISE_NAME="--enterprise"
49 OPTION_CANONICALIZATION=""
50 OPTION_WINDOWS="--windows"
51 OPTION_SERVICE="-S"
52 else
53 # MIT
54 OPTION_RENEWABLE="-r 1h"
55 OPTION_RENEW_TICKET="-R"
56 OPTION_ENTERPRISE_NAME="-E"
57 OPTION_CANONICALIZATION="-C"
58 OPTION_WINDOWS=""
59 OPTION_SERVICE="-S"
60 fi
61
62 TEST_USER="$(mktemp -u kinittest-XXXXXX)"
63 UNC="//${SERVER}/tmp"
64
65 ADMIN_LDBMODIFY_CONFIG="-H ldap://${SERVER} -U${USERNAME}%${PASSWORD}"
66 export ADMIN_LDBMODIFY_CONFIG
67
68 KRB5CCNAME_PATH="${PREFIX}/tmpccache"
69 EXPLICIT_KRB5CCNAME="FILE:${KRB5CCNAME_PATH}"
70
71 INVALID_KRB5CCNAME_PATH="${KRB5CCNAME_PATH}.invalid"
72 INVALID_KRB5CCNAME="FILE:${INVALID_KRB5CCNAME_PATH}"
73 rm -rf "${INVALID_KRB5CCNAME_PATH}"
74
75 KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
76 export KRB5CCNAME
77 rm -rf "${KRB5CCNAME_PATH}"
78
79 testit "reset password policies beside of minimum password age of 0 days" \
80 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
81 "${ADMIN_LDBMODIFY_CONFIG}" \
82 --complexity=default \
83 --history-length=default \
84 --min-pwd-length=default \
85 --min-pwd-age=0 \
86 --max-pwd-age=default || \
87 failed=$((failed + 1))
88
89 ###########################################################
90 ### Test kinit defaults
91 ###########################################################
92
93 KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
94 export KRB5CCNAME
95 rm -rf "${KRB5CCNAME_PATH}"
96
97 testit "kinit with password (initial)" \
98 kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" \
99 "${OPTION_RENEWABLE}" || \
100 failed=$((failed + 1))
101
102 KRB5CCNAME=${INVALID_KRB5CCNAME}
103 export KRB5CCNAME
104
105 test_smbclient "Test login with user kerberos ccache" \
106 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
107 failed=$((failed + 1))
108
109 KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
110 export KRB5CCNAME
111
112 testit "kinit renew ticket (initial)" \
113 "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
114 failed=$((failed + 1))
115
116 KRB5CCNAME=${INVALID_KRB5CCNAME}
117 export KRB5CCNAME
118
119 test_smbclient "Test login with kerberos ccache (initial)" \
120 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
121 failed=$((failed + 1))
122
123 rm -f "${KRB5CCNAME_PATH}"
124
125 ###########################################################
126 ### Test kinit with enterprise principal
127 ###########################################################
128
129 KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
130 export KRB5CCNAME
131 rm -rf "${KRB5CCNAME_PATH}"
132
133 testit "kinit with password (enterprise style)" \
134 kerberos_kinit "${samba_kinit}" \
135 "${USERNAME}@${REALM}" "${PASSWORD}" "${OPTION_ENTERPRISE_NAME}" \
136 "${OPTION_RENEWABLE}" || \
137 failed=$((failed + 1))
138
139 test_smbclient "Test login with user kerberos ccache (enterprise style)" \
140 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
141 failed=$((failed + 1))
142
143 testit "kinit renew ticket (enterprise style)" \
144 "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
145 failed=$((failed + 1))
146
147 test_smbclient "Test login with kerberos ccache (enterprise style)" \
148 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
149 failed=$((failed + 1))
150
151 rm -f "${KRB5CCNAME_PATH}"
152
153 ###########################################################
154 ### Tests with kinit windows
155 ###########################################################
156
157 # HEIMDAL ONLY
158 if [ "${kbase}" = "samba4kinit" ]; then
159 testit "kinit with password (windows style)" \
160 kerberos_kinit "${samba_kinit}" \
161 "${USERNAME}@${REALM}" "${PASSWORD}" \
162 "${OPTION_RENEWABLE}" "${OPTION_WINDOWS}" || \
163 failed=$((failed + 1))
164
165 test_smbclient "Test login with kerberos ccache (windows style)" \
166 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
167 failed=$((failed + 1))
168
169 testit "kinit renew ticket (windows style)" \
170 "${samba_kinit}" ${OPTION_RENEW_TICKET} || \
171 failed=$((failed + 1))
172
173 test_smbclient "Test login with kerberos ccache (windows style)" \
174 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
175 failed=$((failed + 1))
176
177 rm -f "${KRB5CCNAME_PATH}"
178 fi # HEIMDAL ONLY
179
180 ###########################################################
181 ### Tests with kinit default again
182 ###########################################################
183
184 KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
185 export KRB5CCNAME
186 rm -rf "${KRB5CCNAME_PATH}"
187
188 testit "kinit with password (default)" \
189 kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
190 failed=$((failed + 1))
191
192 KRB5CCNAME=${INVALID_KRB5CCNAME}
193 export KRB5CCNAME
194
195 testit "check time with kerberos ccache (default)" \
196 "${VALGRIND}" "${PYTHON}" "${samba_tool}" time "${SERVER}" \
197 "${CONFIGURATION}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
198 failed=$((failed + 1))
199
200 USERPASS="testPass@12%"
201
202 testit "add user with kerberos ccache" \
203 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user create \
204 "${TEST_USER}" "${USERPASS}" \
205 "${CONFIGURATION}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
206 failed=$((failed + 1))
207
208 echo "Getting defaultNamingContext"
209 BASEDN=$(${ldbsearch} --basedn='' -H "ldap://${SERVER}" --scope=base \
210 DUMMY=x defaultNamingContext | awk '/defaultNamingContext/ {print $2}')
211
212
213 TEST_UPN="$(mktemp -u test-XXXXXX)@${REALM}"
214 cat >"${PREFIX}/tmpldbmodify" <<EOF
215 dn: cn=${TEST_USER},cn=users,${BASEDN}
216 changetype: modify
217 add: servicePrincipalName
218 servicePrincipalName: host/${TEST_USER}
219 replace: userPrincipalName
220 userPrincipalName: ${TEST_UPN}
221 EOF
222
223 testit "modify servicePrincipalName and userPrincpalName" \
224 "${VALGRIND}" "${ldbmodify}" -H "ldap://${SERVER}" "${PREFIX}/tmpldbmodify" \
225 --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
226 failed=$((failed + 1))
227
228 testit "set user password with kerberos ccache" \
229 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user setpassword "${TEST_USER}" \
230 --newpassword="${USERPASS}" "${CONFIGURATION}" \
231 --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
232 failed=$((failed + 1))
233
234 testit "enable user with kerberos cache" \
235 "${VALGRIND}" "${PYTHON}" "${samba_enableaccount}" "${TEST_USER}" \
236 -H "ldap://$SERVER" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
237 failed=$((failed + 1))
238
239 KRB5CCNAME=${EXPLICIT_KRB5CCNAME}
240 export KRB5CCNAME
241 rm -rf "${KRB5CCNAME_PATH}"
242
243 testit "kinit with new user password" \
244 kerberos_kinit "${samba_kinit}" "${TEST_USER}" "${USERPASS}" || \
245 failed=$((failed + 1))
246
247 test_smbclient "Test login with new user kerberos ccache" \
248 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
249 failed=$((failed + 1))
250
251 rm -f "${KRB5CCNAME_PATH}"
252
253 ###########################################################
254 ### Test kinit after changing password with samba-tool
255 ###########################################################
256
257 NEW_USERPASS="testPaSS@34%"
258 testit "change user password with 'samba-tool user password' (rpc)" \
259 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user password \
260 -W"${DOMAIN}" -U"${TEST_USER}%${USERPASS}" "${CONFIGURATION}" \
261 --newpassword="${NEW_USERPASS}" \
262 --use-kerberos=off "$@" || \
263 failed=$((failed + 1))
264
265 testit "kinit with user password (after rpc password change)" \
266 kerberos_kinit "${samba_kinit}" \
267 "${TEST_USER}@${REALM}" "${NEW_USERPASS}" || \
268 failed=$((failed + 1))
269
270 test_smbclient "Test login with user kerberos (after rpc password change)" \
271 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
272 failed=$((failed + 1))
273
274 USERPASS="${NEW_USERPASS}"
275
276 rm -f "${KRB5CCNAME_PATH}"
277
278 ###########################################################
279 ### Test kinit with UPN
280 ###########################################################
281
282 testit "kinit with new (NT-Principal style) using UPN" \
283 kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" || \
284 failed=$((failed + 1))
285
286 test_smbclient "Test login with user kerberos ccache from NT UPN" \
287 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
288 failed=$((failed + 1))
289
290 rm -f "${KRB5CCNAME_PATH}"
291
292 testit "kinit with new (enterprise style) using UPN" \
293 kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
294 ${OPTION_ENTERPRISE_NAME} || \
295 failed=$((failed + 1))
296
297 test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
298 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
299 failed=$((failed + 1))
300
301 rm -f "${KRB5CCNAME_PATH}"
302
303 # HEIMDAL ONLY
304 if [ "${kbase}" = "samba4kinit" ]; then
305 testit "kinit with new (windows style) using UPN" \
306 kerberos_kinit "${samba_kinit}" "${TEST_UPN}" "${USERPASS}" \
307 ${OPTION_WINDOWS} || \
308 failed=$((failed + 1))
309
310 test_smbclient "Test login with user kerberos ccache with (windows style) UPN" \
311 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
312 failed=$((failed + 1))
313
314 rm -f "${KRB5CCNAME_PATH}"
315 fi # HEIMDAL ONLY
316
317 ###########################################################
318 ### Tests with SPN
319 ###########################################################
320
321 DNSDOMAIN=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
322 testit "kinit with password (SPN)" \
323 kerberos_kinit "${samba_kinit}" \
324 "http/testupnspn.${DNSDOMAIN}" "${PASSWORD}" || \
325 failed=$((failed + 1))
326
327 test_smbclient "Test login with kerberos ccache (SPN)" \
328 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
329 failed=$((failed + 1))
330
331 rm -f "${KRB5CCNAME_PATH}"
332
333 ###########################################################
334 ### Test kinit with canonicalization
335 ###########################################################
336
337 upperusername=$(echo "${USERNAME}" | tr '[:lower:]' '[:upper:]')
338 testit "kinit with canonicalize and service" \
339 kerberos_kinit "${samba_kinit}" "${upperusername}@${REALM}" "${PASSWORD}" \
340 ${OPTION_CANONICALIZATION} \
341 ${OPTION_SERVICE} "kadmin/changepw@${REALM}" || \
342 failed=$((failed + 1))
343
344 rm -f "${KRB5CCNAME_PATH}"
345
346 ###########################################################
347 ### Test kinit with user credentials and changed realm
348 ###########################################################
349
350 testit "kinit with password (default)" \
351 kerberos_kinit "${samba_kinit}" "${USERNAME}@${REALM}" "${PASSWORD}" || \
352 failed=$((failed + 1))
353
354 cat >"${PREFIX}/tmpldbmodify" <<EOF
355 dn: cn=${TEST_USER},cn=users,$BASEDN
356 changetype: modify
357 replace: userPrincipalName
358 userPrincipalName: ${TEST_UPN}.org
359 EOF
360
361 testit "modify userPrincipalName to be a different domain" \
362 "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
363 "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
364 --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
365 failed=$((failed + 1))
366
367 testit "kinit with new (enterprise style) using UPN" \
368 kerberos_kinit "${samba_kinit}" "${TEST_UPN}.org" "${USERPASS}" \
369 ${OPTION_ENTERPRISE_NAME} || failed=$((failed + 1))
370
371 test_smbclient "Test login with user kerberos ccache from enterprise UPN" \
372 "ls" "${UNC}" \
373 --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
374 failed=$((failed + 1))
375
376 rm -f "${KRB5CCNAME_PATH}"
377
378 ###########################################################
379 ### Test password change with kpasswd
380 ###########################################################
381
382 testit "kinit with user password" \
383 kerberos_kinit "${samba_kinit}" "${TEST_USER}@$REALM" "${USERPASS}" || \
384 failed=$((failed + 1))
385
386 test_smbclient "Test login with user kerberos ccache" \
387 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
388 failed=$((failed + 1))
389
390 NEWUSERPASS=testPaSS@56%
391
392 if [ "${kbase}" = "samba4kinit" ]; then
393 # HEIMDAL
394 cat >"${PREFIX}/tmpkpasswdscript" <<EOF
395 expect Password
396 password ${USERPASS}\n
397 expect New password
398 send ${NEWUSERPASS}\n
399 expect Verify password
400 send ${NEWUSERPASS}\n
401 expect Success
402 EOF
403
404 else
405 # MIT
406 cat >"${PREFIX}/tmpkpasswdscript" <<EOF
407 expect Password for
408 password ${USERPASS}\n
409 expect Enter new password
410 send ${NEWUSERPASS}\n
411 expect Enter it again
412 send ${NEWUSERPASS}\n
413 expect Password changed
414 EOF
415 fi
416
417 testit "change user password with kpasswd" \
418 "${samba_texpect}" "${PREFIX}/tmpkpasswdscript" \
419 "${samba_kpasswd}" "${TEST_USER}@$REALM" || \
420 failed=$((failed + 1))
421
422 rm -f "${KRB5CCNAME_PATH}"
423
424 USERPASS="${NEWUSERPASS}"
425
426 testit "kinit with user password (after kpasswd)" \
427 kerberos_kinit "${samba_kinit}" \
428 "${TEST_USER}@${REALM}" "${USERPASS}" || \
429 failed=$((failed + 1))
430
431 test_smbclient "Test login with user kerberos ccache (after kpasswd)" \
432 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
433 failed=$((failed + 1))
434
435 rm -f "${KRB5CCNAME_PATH}"
436
437 ###########################################################
438 ### TODO Test set password with kpasswd
439 ###########################################################
440
441 # This is not implemented in kpasswd
442
443 ###########################################################
444 ### Test password expiry
445 ###########################################################
446
447 cat >"${PREFIX}/tmpldbmodify" <<EOF
448 dn: cn=${TEST_USER},cn=users,${BASEDN}
449 changetype: modify
450 replace: pwdLastSet
451 pwdLastSet: 0
452 EOF
453
454 NEWUSERPASS=testPaSS@78%
455
456 testit "modify pwdLastSet" \
457 "${VALGRIND}" "${ldbmodify}" "${ADMIN_LDBMODIFY_CONFIG}" \
458 "${PREFIX}/tmpldbmodify" "${PREFIX}/tmpldbmodify" \
459 --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
460 failed=$((failed + 1))
461
462 if [ "${kbase}" = "samba4kinit" ]; then
463 # HEIMDAL branch
464 cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
465 expect ${TEST_USER}@$REALM's Password
466 send ${USERPASS}\n
467 expect Password has expired
468 expect New password
469 send ${NEWUSERPASS}\n
470 expect Repeat new password
471 send ${NEWUSERPASS}\n
472 EOF
473 else
474 # MIT branch
475 cat >"${PREFIX}/tmpkinituserpassscript" <<EOF
476 expect Password for
477 send ${USERPASS}\n
478 expect Password expired. You must change it now.
479 expect Enter new password
480 send ${NEWUSERPASS}\n
481 expect Enter it again
482 send ${NEWUSERPASS}\n
483 EOF
484
485 fi # END MIT ONLY
486
487 testit "kinit with user password for expired password" \
488 "${samba_texpect}" "$PREFIX/tmpkinituserpassscript" \
489 "${samba_kinit}" "${TEST_USER}@$REALM" || \
490 failed=$((failed + 1))
491
492 test_smbclient "Test login with user kerberos ccache" \
493 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
494 failed=$((failed + 1))
495
496 USERPASS="${NEWUSERPASS}"
497
498 testit "kinit with user password" \
499 kerberos_kinit "${samba_kinit}" \
500 "${TEST_USER}@${REALM}" "${USERPASS}" || \
501 failed=$((failed + 1))
502
503 test_smbclient "Test login with user kerberos ccache" \
504 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
505 failed=$((failed + 1))
506
507 ###########################################################
508 ### Test login with lowercase realm
509 ###########################################################
510
511 KRB5CCNAME="${EXPLICIT_KRB5CCNAME}"
512 export KRB5CCNAME
513
514 rm -rf "${KRB5CCNAME_PATH}"
515
516 testit "kinit with user password" \
517 kerberos_kinit "${samba_kinit}" "${TEST_USER}@${REALM}" "${USERPASS}" || \
518 failed=$((failed + 1))
519
520 lowerrealm=$(echo "${REALM}" | tr '[:upper:]' '[:lower:]')
521 test_smbclient "Test login with user kerberos lowercase realm" \
522 "ls" "${UNC}" --use-kerberos=required \
523 -U"${TEST_USER}@${lowerrealm}%${NEWUSERPASS}" || \
524 failed=$((failed + 1))
525
526 test_smbclient "Test login with user kerberos lowercase realm 2" \
527 "ls" "${UNC}" --use-kerberos=required \
528 -U"${TEST_USER}@${REALM}%${NEWUSERPASS}" --realm="${lowerrealm}" || \
529 failed=$((failed + 1))
530
531 testit "del user with kerberos ccache" \
532 "${VALGRIND}" "${PYTHON}" "${samba_tool}" user delete \
533 "${TEST_USER}" "${CONFIGURATION}" \
534 --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" "$@" || \
535 failed=$((failed + 1))
536
537 ###########################################################
538 ### Test login with machine account
539 ###########################################################
540
541 rm -f "${KRB5CCNAME_PATH}"
542
543 testit "kinit with machineaccountccache script" \
544 "${PYTHON}" "${machineaccountccache}" "${CONFIGURATION}" \
545 "${EXPLICIT_KRB5CCNAME}" || \
546 failed=$((failed + 1))
547
548 test_smbclient "Test machine account login with kerberos ccache" \
549 "ls" "${UNC}" --use-krb5-ccache="${EXPLICIT_KRB5CCNAME}" || \
550 failed=$((failed + 1))
551
552 testit "reset password policies" \
553 "${VALGRIND}" "${PYTHON}" "${samba_tool}" domain passwordsettings set \
554 "${ADMIN_LDBMODIFY_CONFIG}" \
555 --complexity=default \
556 --history-length=default \
557 --min-pwd-length=default \
558 --min-pwd-age=default \
559 --max-pwd-age=default || \
560 failed=$((failed + 1))
561
562 ###########################################################
563 ### Test basic s4u2self request
564 ###########################################################
565
566 # MIT ONLY
567 if [ "${kbase}" = "kinit" ]; then
568
569 # Use previous acquired machine creds to request a ticket for self.
570 # We expect it to fail for now.
571 MACHINE_ACCOUNT="$(hostname -s | tr '[:lower:]' '[:upper:]')\$@${REALM}"
572
573 ${samba_kvno} -U"${MACHINE_ACCOUNT}" "${MACHINE_ACCOUNT}"
574
575 # But we expect the KDC to be up and running still
576 testit "kinit with machineaccountccache after s4u2self" \
577 "${machineaccountccache}" "${CONFIGURATION}" "${EXPLICIT_KRB5CCNAME}" || \
578 failed=$((failed + 1))
579
580 fi # END MIT ONLY
581
582 testit_expect_failure \
583 "Check INVALID_KRB5CCNAME_PATH[${INVALID_KRB5CCNAME_PATH}] was not created" \
584 test -e "${INVALID_KRB5CCNAME_PATH}" || \
585 failed=$((failed + 1))
586
587 ### Cleanup
588
589 rm -f "${KRB5CCNAME_PATH}"
590 rm -f "${PREFIX}/tmpkinituserpassscript"
591 rm -f "${PREFIX}/tmpkinitscript"
592 rm -f "${PREFIX}/tmpkpasswdscript"
593
594 exit $failed
GSS-enabled samba4