|
Packit |
fd8b60 |
from k5test import *
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
for realm in multipass_realms(create_host=False):
|
|
Packit |
fd8b60 |
# Check that kinit fails appropriately with the wrong password.
|
|
Packit |
fd8b60 |
mark('kinit wrong password failure')
|
|
Packit |
fd8b60 |
msg = 'Password incorrect while getting initial credentials'
|
|
Packit |
fd8b60 |
realm.run([kinit, realm.user_princ], input='wrong\n', expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg=msg)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Check that we can kinit as a different principal.
|
|
Packit |
fd8b60 |
mark('kinit with specified principal')
|
|
Packit |
fd8b60 |
realm.kinit(realm.admin_princ, password('admin'))
|
|
Packit |
fd8b60 |
realm.klist(realm.admin_princ)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test FAST kinit.
|
|
Packit |
fd8b60 |
mark('FAST kinit')
|
|
Packit |
fd8b60 |
fastpw = password('fast')
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'ank', '-pw', fastpw, '+requires_preauth',
|
|
Packit |
fd8b60 |
'user/fast'])
|
|
Packit |
fd8b60 |
realm.kinit('user/fast', fastpw)
|
|
Packit |
fd8b60 |
realm.kinit('user/fast', fastpw, flags=['-T', realm.ccache])
|
|
Packit |
fd8b60 |
realm.klist('user/fast@%s' % realm.realm)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test kinit against kdb keytab
|
|
Packit |
fd8b60 |
realm.run([kinit, "-k", "-t", "KDB:", realm.user_princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test that we can get initial creds with an empty password via the
|
|
Packit |
fd8b60 |
# API. We have to disable the "empty" pwqual module to create a
|
|
Packit |
fd8b60 |
# principal with an empty password. (Regression test for #7642.)
|
|
Packit |
fd8b60 |
mark('initial creds with empty password')
|
|
Packit |
fd8b60 |
conf={'plugins': {'pwqual': {'disable': 'empty'}}}
|
|
Packit |
fd8b60 |
realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)
|
|
Packit |
fd8b60 |
realm.run([kadminl, 'addprinc', '-pw', '', 'user'])
|
|
Packit |
fd8b60 |
realm.run(['./icred', 'user', ''])
|
|
Packit |
fd8b60 |
realm.run(['./icred', '-s', 'user', ''])
|
|
Packit |
fd8b60 |
realm.stop()
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
realm = K5Realm(create_host=False)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Regression test for #8454 (responder callback isn't used when
|
|
Packit |
fd8b60 |
# preauth is not required).
|
|
Packit |
fd8b60 |
mark('#8454 regression test')
|
|
Packit |
fd8b60 |
realm.run(['./responder', '-r', 'password=%s' % password('user'),
|
|
Packit |
fd8b60 |
realm.user_princ])
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Test that WRONG_REALM responses aren't treated as referrals unless
|
|
Packit |
fd8b60 |
# they contain a crealm field pointing to a different realm.
|
|
Packit |
fd8b60 |
# (Regression test for #8060.)
|
|
Packit |
fd8b60 |
mark('#8060 regression test')
|
|
Packit |
fd8b60 |
realm.run([kinit, '-C', 'notfoundprinc'], expected_code=1,
|
|
Packit |
fd8b60 |
expected_msg='not found in Kerberos database')
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
# Spot-check KRB5_TRACE output
|
|
Packit |
fd8b60 |
mark('KRB5_TRACE spot check')
|
|
Packit |
fd8b60 |
expected_trace = ('Sending initial UDP request',
|
|
Packit |
fd8b60 |
'Received answer',
|
|
Packit |
fd8b60 |
'Selected etype info',
|
|
Packit |
fd8b60 |
'AS key obtained',
|
|
Packit |
fd8b60 |
'Decrypted AS reply',
|
|
Packit |
fd8b60 |
'FAST negotiation: available',
|
|
Packit |
fd8b60 |
'Storing user@KRBTEST.COM')
|
|
Packit |
fd8b60 |
realm.kinit(realm.user_princ, password('user'), expected_trace=expected_trace)
|
|
Packit |
fd8b60 |
|
|
Packit |
fd8b60 |
success('FAST kinit, trace logging')
|