|
Packit |
fd8b60 |
# Standalone Kerberos test.
|
|
Packit |
fd8b60 |
# This is a DejaGnu test script.
|
|
Packit |
fd8b60 |
# This script tests that the Kerberos tools can talk to each other.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# This mostly just calls procedures in testsuite/config/default.exp.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Set up the Kerberos files and environment.
|
|
Packit |
fd8b60 |
if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Initialize the Kerberos database. The argument tells
|
|
Packit |
fd8b60 |
# setup_kerberos_db that it is being called from here.
|
|
Packit |
fd8b60 |
if ![setup_kerberos_db 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# We are about to start up a couple of daemon processes. We do all
|
|
Packit |
fd8b60 |
# the rest of the tests inside a proc, so that we can easily kill the
|
|
Packit |
fd8b60 |
# processes when the procedure ends.
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
proc dump_and_reload {} {
|
|
Packit |
fd8b60 |
global KDB5_UTIL
|
|
Packit |
fd8b60 |
global tmppwd
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
set dumpfile $tmppwd/dump-file
|
|
Packit |
fd8b60 |
set dumpokfile $dumpfile.dump_ok
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
set test1name "kdb5_util dump"
|
|
Packit |
fd8b60 |
set test2name "kdb5_util load"
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if [file exists $dumpfile] { file delete $dumpfile }
|
|
Packit |
fd8b60 |
if [file exists $dumpokfile] { file delete $dumpokfile }
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
spawn $KDB5_UTIL dump $dumpfile
|
|
Packit |
fd8b60 |
expect {
|
|
Packit |
fd8b60 |
-re "..*" {
|
|
Packit |
fd8b60 |
fail $test1name
|
|
Packit |
fd8b60 |
untested $test2name
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
timeout {
|
|
Packit |
fd8b60 |
fail $test1name
|
|
Packit |
fd8b60 |
untested $test2name
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
eof { }
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
if ![check_exit_status $test1name] {
|
|
Packit |
fd8b60 |
untested $test2name
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
if ![file exists $dumpfile]||![file exists $dumpokfile] {
|
|
Packit |
fd8b60 |
fail $test1name
|
|
Packit |
fd8b60 |
untested $test2name
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
pass $test1name
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
spawn $KDB5_UTIL load $dumpfile
|
|
Packit |
fd8b60 |
expect {
|
|
Packit |
fd8b60 |
-re "..*" {
|
|
Packit |
fd8b60 |
fail $test2name
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
timeout {
|
|
Packit |
fd8b60 |
fail $test2name
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
eof { }
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
if [check_exit_status $test2name] {
|
|
Packit |
fd8b60 |
pass $test2name
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
proc kinit_wrong_pw { name badpass } {
|
|
Packit |
fd8b60 |
global REALMNAME
|
|
Packit |
fd8b60 |
global KINIT
|
|
Packit |
fd8b60 |
global spawn_id
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Use kinit to get a ticket.
|
|
Packit |
fd8b60 |
#
|
|
Packit |
fd8b60 |
# For now always get forwardable tickets. Later when we need to make
|
|
Packit |
fd8b60 |
# tests that distiguish between forwardable tickets and otherwise
|
|
Packit |
fd8b60 |
# we should but another option to this proc. --proven
|
|
Packit |
fd8b60 |
#
|
|
Packit |
fd8b60 |
spawn $KINIT -5 -f $name@$REALMNAME
|
|
Packit |
fd8b60 |
expect {
|
|
Packit |
fd8b60 |
"Password for $name@$REALMNAME:" {
|
|
Packit |
fd8b60 |
verbose "kinit started"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
timeout {
|
|
Packit |
fd8b60 |
fail "kinit bad pw"
|
|
Packit |
fd8b60 |
return 0
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
eof {
|
|
Packit |
fd8b60 |
fail "kinit bad pw"
|
|
Packit |
fd8b60 |
return 0
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
send "$badpass\r"
|
|
Packit |
fd8b60 |
expect {
|
|
Packit |
fd8b60 |
"Password incorrect while getting initial credentials" {
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
timeout {
|
|
Packit |
fd8b60 |
fail "kinit bad pw"
|
|
Packit |
fd8b60 |
# kill it?
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
eof {
|
|
Packit |
fd8b60 |
fail "kinit bad pw"
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
expect eof
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
set status_list [wait -i $spawn_id]
|
|
Packit |
fd8b60 |
catch "close -i $spawn_id"
|
|
Packit |
fd8b60 |
verbose -log "exit status: $status_list"
|
|
Packit |
fd8b60 |
if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } {
|
|
Packit |
fd8b60 |
pass "kinit bad pw"
|
|
Packit |
fd8b60 |
} else {
|
|
Packit |
fd8b60 |
fail "kinit bad pw"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
proc doit { } {
|
|
Packit |
fd8b60 |
global REALMNAME
|
|
Packit |
fd8b60 |
global KLIST
|
|
Packit |
fd8b60 |
global KDESTROY
|
|
Packit |
fd8b60 |
global KEY
|
|
Packit |
fd8b60 |
global KADMIN_LOCAL
|
|
Packit |
fd8b60 |
global KTUTIL
|
|
Packit |
fd8b60 |
global hostname
|
|
Packit |
fd8b60 |
global tmppwd
|
|
Packit |
fd8b60 |
global spawn_id
|
|
Packit |
fd8b60 |
global supported_enctypes
|
|
Packit |
fd8b60 |
global KRBIV
|
|
Packit |
fd8b60 |
global portbase
|
|
Packit |
fd8b60 |
global mode
|
|
Packit |
fd8b60 |
global tmppwd
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
setup_kerberos_env kdc
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Start up the kerberos and kadmind daemons.
|
|
Packit |
fd8b60 |
if ![start_kerberos_daemons 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Use kadmin to add an host key.
|
|
Packit |
fd8b60 |
if ![add_random_key host/$hostname 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
spawn $KADMIN_LOCAL -q "addpol fred"
|
|
Packit |
fd8b60 |
catch expect_after
|
|
Packit |
fd8b60 |
expect {
|
|
Packit |
fd8b60 |
timeout {
|
|
Packit |
fd8b60 |
fail "kadmin.local addpol fred"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
eof {
|
|
Packit |
fd8b60 |
pass "kadmin.local addpol fred"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
set k_stat [wait -i $spawn_id]
|
|
Packit |
fd8b60 |
verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
|
|
Packit |
fd8b60 |
catch "close -i $spawn_id"
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Use ksrvutil to create a keytab entry.
|
|
Packit |
fd8b60 |
if ![setup_keytab 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test dump and load. Continue on, whatever the result.
|
|
Packit |
fd8b60 |
dump_and_reload
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
spawn $KADMIN_LOCAL -q "getpols"
|
|
Packit |
fd8b60 |
expect {
|
|
Packit |
fd8b60 |
fred {
|
|
Packit |
fd8b60 |
pass "kadmin.local getpols"
|
|
Packit |
fd8b60 |
expect eof
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
timeout {
|
|
Packit |
fd8b60 |
fail "kadmin.local getpols"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
eof {
|
|
Packit |
fd8b60 |
fail "kadmin.local getpols"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
set k_stat [wait -i $spawn_id]
|
|
Packit |
fd8b60 |
verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
|
|
Packit |
fd8b60 |
catch "close -i $spawn_id"
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test use of wrong password.
|
|
Packit |
fd8b60 |
kinit_wrong_pw krbtest/admin wrongpassword
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
setup_kerberos_env client
|
|
Packit |
fd8b60 |
# Use kinit to get a ticket.
|
|
Packit |
fd8b60 |
if ![kinit krbtest/admin adminpass$KEY 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if ![kinit_renew krbtest/admin adminpass$KEY 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Make sure that klist can see the ticket.
|
|
Packit |
fd8b60 |
if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Get a ticket to later use with FAST
|
|
Packit |
fd8b60 |
if ![kinit krbtest/fast adminpass$KEY 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Use fast to get a ticket
|
|
Packit |
fd8b60 |
if ![kinit_fast krbtest/fast adminpass$KEY 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Destroy the ticket.
|
|
Packit |
fd8b60 |
spawn $KDESTROY -5
|
|
Packit |
fd8b60 |
if ![check_exit_status "kdestroy"] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
pass "kdestroy"
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Double check that the ticket was destroyed.
|
|
Packit |
fd8b60 |
if ![do_klist_err "klist after destroy"] { return }
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if ![add_random_key WELLKNOWN/ANONYMOUS 0] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# If we have anonymous then test it
|
|
Packit |
fd8b60 |
if [file exists "$tmppwd/../../../plugins/preauth/pkinit.so" ] {
|
|
Packit |
fd8b60 |
kinit_anonymous "WELLKNOWN/ANONYMOUS"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if ![add_random_key foo/bar 1] {
|
|
Packit |
fd8b60 |
return
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
set keytab $tmppwd/fookeytab
|
|
Packit |
fd8b60 |
catch "exec rm -f $keytab"
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
modify_principal foo/bar -kvno 252
|
|
Packit |
fd8b60 |
foreach vno {253 254 255 256 257 258} {
|
|
Packit |
fd8b60 |
xst $tmppwd/fookeytab foo/bar
|
|
Packit |
fd8b60 |
do_klist_kt $tmppwd/fookeytab "klist keytab foo/bar vno $vno"
|
|
Packit |
fd8b60 |
kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno"
|
|
Packit |
fd8b60 |
do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno"
|
|
Packit |
fd8b60 |
do_kdestroy "kdestroy foo/bar vno $vno"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
catch "exec rm -f $keytab"
|
|
Packit |
fd8b60 |
# Check that kadmin.local can actually read the correct kvno, even
|
|
Packit |
fd8b60 |
# if we don't expect kadmin to be able to.
|
|
Packit |
fd8b60 |
setup_kerberos_env kdc
|
|
Packit |
fd8b60 |
spawn $KADMIN_LOCAL -r $REALMNAME
|
|
Packit |
fd8b60 |
set ok 1
|
|
Packit |
fd8b60 |
expect_after {
|
|
Packit |
fd8b60 |
timeout { fail "kadmin.local correct high kvno" ; set ok 0 }
|
|
Packit |
fd8b60 |
eof { fail "kadmin.local correct high kvno" ; set ok 0 }
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
expect "kadmin.local: "
|
|
Packit |
fd8b60 |
send "getprinc foo/bar\r"
|
|
Packit |
fd8b60 |
# exec sleep 10
|
|
Packit |
fd8b60 |
expect "Key: vno $vno,"
|
|
Packit |
fd8b60 |
send "quit\r"
|
|
Packit |
fd8b60 |
expect eof
|
|
Packit |
fd8b60 |
if [check_exit_status "kadmin.local examine foo/bar for high kvno"] {
|
|
Packit |
fd8b60 |
if $ok {
|
|
Packit |
fd8b60 |
pass "kadmin.local correct high kvno"
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
}
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
set status [catch doit msg]
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
stop_kerberos_daemons
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
if { $status != 0 } {
|
|
Packit |
fd8b60 |
send_error "ERROR: error in standalone.exp\n"
|
|
Packit |
fd8b60 |
send_error "$msg\n"
|
|
Packit |
fd8b60 |
exit 1
|
|
Packit |
fd8b60 |
}
|