The branch, master has been updated
       via  67294a23b97 testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos
       via  06da77a365f testprogs: Manually reformat test_pkinit_pac.sh
       via  970f1100863 testprogs: Reformat test_pkinit_pac.sh with shfmt
       via  f0f47eedf74 testprogs: Rename test_pkinit_pac_heimdal.sh
       via  6a125b0ac9f testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos
       via  c27f17df379 testprogs: Remove the usage of enctype in test_pkinit_simple.sh
       via  3aa7df568bc testprogs: Change from $foo to "${foo}" variable style
       via  e1728858577 testprogs: Manually reformat testit commands in test_pkinit_simple.sh
       via  a0deaed6290 testprogs: Fix calculating failed in test_pkinit_simple.sh
       via  ff0b3a9ee6f testprogs: Format test_pkinit_simple.sh with shfmt
       via  9baac4a8177 testprogs: Rename test_pkinit_heimdal.sh
       via  4d0ea9e3b0a testprogs: Fix kerberos_kinit with additional options
       via  b39176f795b selftest: Setup PKINIT for MIT Kerberos
       via  28f57a757b6 s4:kdc: Add Smart Card and file based PKINIT support
       via  e2b9df1cbcd s4:tests: Run Heimdal PKINIT tests only against ad_dc env
       via  5636c59a6d0 s4:kdc: If we set the kerberos debug level to 10 write a trace file
       via  7b226a66ac6 s4:kdc: Remove trailing white spaces in kdc-service-mit.c
       via  bd590c03963 s4:kdc: Improve debug message of samba_kdc_fetch_server()
      from  206909d52b7 s4: dns: Add customizable dns port option

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 67294a23b97e3fae3c20861a8313f860b89a2859
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jan 25 19:35:06 2022 +0100

    testprogs: A PKINIT PAC test which runs against Heimdal and MIT Kerberos

    There is no need to specify the enctype and it isn't supported by MIT
    Kerberos anyway.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org>
    Autobuild-Date(master): Fri Mar 25 21:54:11 UTC 2022 on sn-devel-184

commit 06da77a365f3389ae15aadbc007ab4a7eaaac032
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Mar 18 11:05:23 2022 +0100

    testprogs: Manually reformat test_pkinit_pac.sh

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 970f1100863fda4e743023a9d2387f8aaee6c87e
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Mar 18 11:04:19 2022 +0100

    testprogs: Reformat test_pkinit_pac.sh with shfmt

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f0f47eedf74f17d0079fa6f22602a79617194d66
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 17 14:33:52 2022 +0100

    testprogs: Rename test_pkinit_pac_heimdal.sh

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6a125b0ac9fc5b9845a58e6ae4a17263de8396b4
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 24 13:04:54 2022 +1300

    testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos

    There is no need to specify the enctype and it isn't supported with
    MIT Kerberos.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c27f17df379e7c38975f93e3a919516d5b0a07fe
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 24 13:50:49 2022 +0100

    testprogs: Remove the usage of enctype in test_pkinit_simple.sh

    This is not needed anymore and the default is AES in the meantime.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3aa7df568bca6f8e493a9d20635092f66a2c14f5
Author: Andrew Bartlett <abart...@samba.org>
Date:   Thu Mar 24 12:53:28 2022 +1300

    testprogs: Change from $foo to "${foo}" variable style

    This is selected from and to improve the understanding of:

        testprogs: A PKINIT test which runs against Heimdal and MIT Kerberos

        There is no need to specify the enctype and it isn't supported with
        MIT Kerberos.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Andreas Schneider <a...@samba.org>

commit e17288585773ccbe498fa9f745598b8137c94aad
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Mar 18 10:26:46 2022 +0100

    testprogs: Manually reformat testit commands in test_pkinit_simple.sh

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a0deaed62908e39cdd0086c2b712ce335ace644e
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Mar 18 10:21:20 2022 +0100

    testprogs: Fix calculating failed in test_pkinit_simple.sh

    We only want to increase it if a test is failing. If something is
    expected to fail, we should not count that as failed.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ff0b3a9ee6f4a38725640335bf94df140858fb00
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Mar 18 10:20:27 2022 +0100

    testprogs: Format test_pkinit_simple.sh with shfmt

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9baac4a8177a6ecb06c31c43f5540a5103b766ee
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 17 14:28:26 2022 +0100

    testprogs: Rename test_pkinit_heimdal.sh

    We want one common test which works against Heimdal and MIT Kerberos.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4d0ea9e3b0aad7fda5dc2acc31d38a9162624d75
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Mar 17 13:57:21 2022 +0100

    testprogs: Fix kerberos_kinit with additional options

    The additional options need to come before we specify the principal.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b39176f795b8ae7942ce277d3b48276018f7da9a
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Jan 24 19:47:16 2022 +0100

    selftest: Setup PKINIT for MIT Kerberos

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 28f57a757b65a734c13f55501dc2f92efacad7dd
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Jan 19 12:49:45 2022 +0100

    s4:kdc: Add Smart Card and file based PKINIT support

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e2b9df1cbcdf87ba0c791b31999e6863f84ebe1a
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jan 25 19:39:56 2022 +0100

    s4:tests: Run Heimdal PKINIT tests only against ad_dc env

    There is no difference kerberos-wise between those two envs.

    This reverts 661e1a229e85f566c5fc5d43ea03fbb29847439a.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5636c59a6d06a2ee092c64a736ad333bf9eac9aa
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Jan 20 08:46:55 2022 +0100

    s4:kdc: If we set the kerberos debug level to 10 write a trace file

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7b226a66ac6aae266692b08c62a93829746238a8
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Feb 24 12:18:18 2022 +0100

    s4:kdc: Remove trailing white spaces in kdc-service-mit.c

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit bd590c039636998d1f572d5bf55bcfc76b198ab0
Author: Andreas Schneider <a...@samba.org>
Date:   Tue Jan 18 09:24:44 2022 +0100

    s4:kdc: Improve debug message of samba_kdc_fetch_server()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 selftest/knownfail_mit_kdc                    |   7 -
 selftest/skip_mit_kdc_pre_1_20                |   2 +
 selftest/target/Samba.pm                      |  25 +-
 selftest/wscript                              |   3 +
 source4/kdc/db-glue.c                         |  16 +-
 source4/kdc/kdc-service-mit.c                 |  18 +-
 source4/kdc/sdb_to_kdb.c                      |  13 +-
 source4/selftest/tests.py                     |  25 +-
 testprogs/blackbox/common_test_fns.inc        |   4 +-
 testprogs/blackbox/test_pkinit_heimdal.sh     | 175 --------------
 testprogs/blackbox/test_pkinit_pac.sh         |  63 +++++
 testprogs/blackbox/test_pkinit_pac_heimdal.sh |  50 ----
 testprogs/blackbox/test_pkinit_simple.sh      | 333 ++++++++++++++++++++++++++
 13 files changed, 493 insertions(+), 241 deletions(-)
 create mode 100644 selftest/skip_mit_kdc_pre_1_20
 delete mode 100755 testprogs/blackbox/test_pkinit_heimdal.sh
 create mode 100755 testprogs/blackbox/test_pkinit_pac.sh
 delete mode 100755 testprogs/blackbox/test_pkinit_pac_heimdal.sh
 create mode 100755 testprogs/blackbox/test_pkinit_simple.sh


Changeset truncated at 500 lines:

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index a3f3e51e367..9b55627bbc8 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -262,18 +262,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # ^netr-bdc-arcfour.verify-sig-arcfour ^netr-bdc-arcfour.verify-sig-arcfour -^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc:local -^samba4.blackbox.pkinit_pac.STEP1 remote.pac verification.ad_dc_ntvfs:local ^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc:local -^samba4.blackbox.pkinit_pac.netr-bdc-aes.verify-sig-aes.ad_dc_ntvfs:local ^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc:local -^samba4.blackbox.pkinit_pac.netr-mem-aes.s4u2proxy-aes.ad_dc_ntvfs:local ^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc:local -^samba4.blackbox.pkinit_pac.netr-mem-aes.verify-sig-aes.ad_dc_ntvfs:local ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc:local -^samba4.blackbox.pkinit_pac.netr-mem-arcfour.s4u2proxy-arcfour.ad_dc_ntvfs:local ^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc:local -^samba4.blackbox.pkinit_pac.netr-mem-arcfour.verify-sig-arcfour.ad_dc_ntvfs:local ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2000dc ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2003dc ^samba4.rpc.pac on ncacn_np.netr-mem-aes.s4u2proxy-aes.fl2008dc diff --git a/selftest/skip_mit_kdc_pre_1_20 b/selftest/skip_mit_kdc_pre_1_20 new file mode 100644 index 00000000000..aa6c418662d --- /dev/null +++ b/selftest/skip_mit_kdc_pre_1_20 @@ -0,0 +1,2 @@ +^samba4.blackbox.pkinit_simple +^samba4.blackbox.pkinit_pac diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm index 4245db2703a..2131e4a39ca 100644 --- a/selftest/target/Samba.pm +++ b/selftest/target/Samba.pm 
@@ -361,7 +361,14 @@ sub mk_krb5_conf($$) } if (defined($ctx->{tlsdir})) { - print KRB5CONF " + if (defined($ENV{MITKRB5})) { + print KRB5CONF " + pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem + pkinit_kdc_hostname = $ctx->{hostname}.$ctx->{dnsname} + +"; + } else { + print KRB5CONF " [appdefaults] pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem @@ -372,6 +379,7 @@ sub mk_krb5_conf($$) pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem "; + } } print KRB5CONF " @@ -464,16 +472,31 @@ sub mk_mitkdc_conf($$) $ctx->{realm} = { master_key_type = aes256-cts default_principal_flags = +preauth + pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem + pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem + pkinit_eku_checking = scLogin + pkinit_indicator = pkinit + pkinit_allow_upn = true } $ctx->{dnsname} = { master_key_type = aes256-cts default_principal_flags = +preauth + pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem + pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem + pkinit_eku_checking = scLogin + pkinit_indicator = pkinit + pkinit_allow_upn = true } $ctx->{domain} = { master_key_type = aes256-cts default_principal_flags = +preauth + pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem + pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem + pkinit_eku_checking = scLogin + pkinit_indicator = pkinit + pkinit_allow_upn = true } [dbmodules] diff --git a/selftest/wscript b/selftest/wscript index c92b37bd5e1..a8b6d45cd1d 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -258,6 +258,9 @@ def cmd_testonly(opt): if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc" + if CONFIG_GET(opt, 'HAVE_MIT_KRB5_PRE_1_20'): + env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc_pre_1_20" + env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ "knownfail_mit_kdc" 
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index dbe9276350c..ea329b7edab 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -2381,7 +2381,21 @@ static krb5_error_code samba_kdc_fetch_server(krb5_context context, flags, kvno, realm_dn, msg, entry); if (ret != 0) { - krb5_warnx(context, "samba_kdc_fetch: message2entry failed"); + char *client_name = NULL; + krb5_error_code code; + + code = krb5_unparse_name(context, principal, &client_name); + if (code == 0) { + krb5_warnx(context, + "samba_kdc_fetch: message2entry failed for " + "%s", + client_name); + } else { + krb5_warnx(context, + "samba_kdc_fetch: message2entry and " + "krb5_unparse_name failed"); + } + SAFE_FREE(client_name); } return ret; diff --git a/source4/kdc/kdc-service-mit.c b/source4/kdc/kdc-service-mit.c index 5d4180aa7cc..f9aaedefc23 100644 --- a/source4/kdc/kdc-service-mit.c +++ b/source4/kdc/kdc-service-mit.c @@ -146,6 +146,7 @@ NTSTATUS mitkdc_task_init(struct task_server *task) kadm5_ret_t ret; kadm5_config_params config; void *server_handle; + int dbglvl = 0; task_server_set_title(task, "task[mitkdc_parent]"); @@ -188,6 +189,21 @@ NTSTATUS mitkdc_task_init(struct task_server *task) setenv("KRB5_KDC_PROFILE", kdc_config, 0); TALLOC_FREE(kdc_config); + dbglvl = debuglevel_get_class(DBGC_KERBEROS); + if (dbglvl >= 10) { + char *kdc_trace_file = talloc_asprintf(task, + "%s/mit_kdc_trace.log", + get_dyn_LOGFILEBASE()); + if (kdc_trace_file == NULL) { + task_server_terminate(task, + "KDC: no memory", + false); + return NT_STATUS_NO_MEMORY; + } + + setenv("KRB5_TRACE", kdc_trace_file, 1); + } + /* start it as a child process */ kdc_cmd = lpcfg_mit_kdc_command(task->lp_ctx); 
@@ -357,7 +373,7 @@ NTSTATUS server_service_mitkdc_init(TALLOC_CTX *mem_ctx) { static const struct service_details details = { .inhibit_fork_on_accept = true, - /* + /* * Need to prevent pre-forking on kdc. * The task_init function is run on the master process only * and the irpc process name is registered in it's event loop. diff --git a/source4/kdc/sdb_to_kdb.c b/source4/kdc/sdb_to_kdb.c index 9d7729ebee7..c24fd738ad3 100644 --- a/source4/kdc/sdb_to_kdb.c +++ b/source4/kdc/sdb_to_kdb.c @@ -65,9 +65,16 @@ static int SDBFlags_to_kflags(const struct SDBFlags *s, if (s->change_pw) { *k |= KRB5_KDB_PWCHANGE_SERVICE; } +#if 0 + /* + * Do not set KRB5_KDB_REQUIRES_HW_AUTH as this would tell the client + * to enforce hardware authentication. It prevents the use of files + * based public key authentication which we use for testing. + */ if (s->require_hwauth) { *k |= KRB5_KDB_REQUIRES_HW_AUTH; } +#endif if (s->ok_as_delegate) { *k |= KRB5_KDB_OK_AS_DELEGATE; } @@ -290,7 +297,11 @@ int sdb_entry_to_krb5_db_entry(krb5_context context, /* FIXME: TODO HDB Extensions */ - if (s->keys.len > 0) { + /* + * Don't copy keys (allow password auth) if s->flags.require_hwauth is + * set which translates to UF_SMARTCARD_REQUIRED. + */ + if (s->keys.len > 0 && s->flags.require_hwauth == 0) { k->key_data = malloc(s->keys.len * sizeof(krb5_key_data)); if (k->key_data == NULL) { free_krb5_db_entry(context, k); diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 45fbc960c31..165a933d110 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
@@ -555,9 +555,6 @@ plantestsuite("samba4.blackbox.test_primary_group", "ad_dc:local", [os.path.join plantestsuite("samba4.blackbox.test_old_enctypes", "fl2003dc:local", [os.path.join(bbdir, "test_old_enctypes.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$NETBIOSNAME', '$PREFIX_ABS']) if have_heimdal_support: - for env in ["ad_dc_ntvfs", "ad_dc"]: - plantestsuite("samba4.blackbox.pkinit", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_heimdal.sh"), '$SERVER', 'pkinit', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", smbclient3, configuration]) - plantestsuite("samba4.blackbox.pkinit_pac", "%s:local" % env, [os.path.join(bbdir, "test_pkinit_pac_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX/%s' % env, "aes256-cts-hmac-sha1-96", configuration]) plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient4, configuration]) plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "arcfour-hmac-md5", smbclient3, configuration]) plantestsuite("samba4.blackbox.kinit", "fl2008r2dc:local", [os.path.join(bbdir, "test_kinit_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', "aes256-cts-hmac-sha1-96", smbclient3, configuration]) 
@@ -577,6 +574,28 @@ else: plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_mit.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) +plantestsuite("samba4.blackbox.pkinit_simple", + "ad_dc:local", + [os.path.join(bbdir, "test_pkinit_simple.sh"), + '$SERVER', + 'pkinit', + '$PASSWORD', + '$REALM', + '$DOMAIN', + '$PREFIX/ad_dc', + smbclient3, + configuration]) +plantestsuite("samba4.blackbox.pkinit_pac", + "ad_dc:local", + [os.path.join(bbdir, "test_pkinit_pac.sh"), + '$SERVER', + '$USERNAME', + '$PASSWORD', + '$REALM', + '$DOMAIN', + '$PREFIX/ad_dc', + configuration]) + plantestsuite("samba.blackbox.client_kerberos", "ad_dc", [os.path.join(bbdir, "test_client_kerberos.sh"), '$DOMAIN', '$REALM', '$USERNAME', '$PASSWORD', '$SERVER', '$PREFIX_ABS', '$SMB_CONF_PATH']) env="ad_member:local" diff --git a/testprogs/blackbox/common_test_fns.inc b/testprogs/blackbox/common_test_fns.inc index 1c988f439a7..0b685dbd019 100755 --- a/testprogs/blackbox/common_test_fns.inc +++ b/testprogs/blackbox/common_test_fns.inc @@ -98,11 +98,11 @@ kerberos_kinit() { if [ "${kbase}" = "samba4kinit" ]; then kpassfile=$(mktemp) echo $password > ${kpassfile} - $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $principal $@ + $kinit_tool -c ${KRB5CCNAME} --password-file=${kpassfile} $@ $principal status=$? rm -f ${kpassfile} else - echo $password | $kinit_tool $principal $@ + echo $password | $kinit_tool $@ $principal status=$? fi return $status diff --git a/testprogs/blackbox/test_pkinit_heimdal.sh b/testprogs/blackbox/test_pkinit_heimdal.sh deleted file mode 100755 index 08ebc7497c4..00000000000 --- a/testprogs/blackbox/test_pkinit_heimdal.sh +++ /dev/null 
@@ -1,175 +0,0 @@ -#!/bin/sh -# Blackbox tests for kinit and kerberos integration with smbclient etc -# Copyright (C) 2006-2007 Jelmer Vernooij <jel...@samba.org> -# Copyright (C) 2006-2008 Andrew Bartlett <abart...@samba.org> - -if [ $# -lt 5 ]; then -cat <<EOF -Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX ENCTYPE SMBCLINET -EOF -exit 1; -fi - -SERVER=$1 -USERNAME=$2 -PASSWORD=$3 -REALM=$4 -DOMAIN=$5 -PREFIX=$6 -ENCTYPE=$7 -smbclient=$8 -shift 8 -failed=0 - -samba4bindir="$BINDIR" -samba4srcdir="$SRCDIR/source4" -samba4kinit_binary=kinit -if test -x $BINDIR/samba4kinit; then - samba4kinit_binary=$BINDIR/samba4kinit -fi - -samba_tool="$samba4bindir/samba-tool" -wbinfo="$samba4bindir/wbinfo" -samba4kpasswd=kpasswd -if test -x $BINDIR/samba4kpasswd; then - samba4passwd=$BINDIR/samba4kpasswd -fi - -ldbmodify="ldbmodify" -if [ -x "$samba4bindir/ldbmodify" ]; then - ldbmodify="$samba4bindir/ldbmodify" -fi - -ldbsearch="ldbsearch" -if [ -x "$samba4bindir/ldbsearch" ]; then - ldbsearch="$samba4bindir/ldbsearch" -fi - -. `dirname $0`/subunit.sh -. 
`dirname $0`/common_test_fns.inc - -enctype="-e $ENCTYPE" -unc="//$SERVER/tmp" - -KRB5CCNAME_PATH="$PREFIX/tmpccache" -KRB5CCNAME="FILE:$KRB5CCNAME_PATH" -samba4kinit="$samba4kinit_binary -c $KRB5CCNAME" -export KRB5CCNAME -rm -f $KRB5CCNAME_PATH -PASSFILE_PATH="$PREFIX/tmppassfile" -rm -f $PASSFILE_PATH -echo $PASSWORD > $PASSFILE_PATH - -USER_PRINCIPAL_NAME=`echo "${USERNAME}@${REALM}" | tr A-Z a-z` -PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem" - -# STEP1: -# Now we set the UF_SMARTCARD_REQUIRED bit -# This means we have a normal enabled account *without* a known password -testit "STEP1 samba-tool user create $USERNAME --smartcard-required" $PYTHON ${samba_tool} user create $USERNAME --smartcard-required || failed=`expr $failed + 1` - -testit_expect_failure "STEP1 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM && failed=`expr $failed + 1` -testit_expect_failure "STEP1 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1` -testit_expect_failure "STEP1 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1` - -testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP1 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP1 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit_expect_failure "STEP1 kinit with pkinit (wrong name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER not$USERNAME@$REALM || failed=`expr $failed + 1` - -testit_expect_failure "STEP1 kinit with pkinit (wrong name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER 
$SERVER@$REALM || failed=`expr $failed + 1` - -testit "STEP1 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP1 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP1 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise not$USERNAME@$REALM || failed=`expr $failed + 1` - -testit_expect_failure "STEP1 kinit with pkinit (wrong enterprise name specified 2) " $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $SERVER$@$REALM || failed=`expr $failed + 1` - -testit "STEP1 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1` -testit "STEP1 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP1 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -# STEP2: -# We still have UF_SMARTCARD_REQUIRED, but with a known password -testit "STEP2 samba-tool user setpassword $USERNAME --newpassword" $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD || failed=`expr $failed + 1` - -testit_expect_failure "STEP2 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM && failed=`expr $failed + 1` -test_smbclient "STEP2 Test login with NTLM" 'ls' "$unc" -U$USERNAME%$PASSWORD || failed=`expr $failed + 1` -testit_expect_failure "STEP2 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 
1` - -testit "STEP2 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP2 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP2 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit "STEP2 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP2 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP2 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit "STEP2 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1` -testit "STEP2 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP2 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -# STEP3: -# The account is a normal account without the UF_SMARTCARD_REQUIRED bit set -testit "STEP3 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON ${samba_tool} user setpassword $USERNAME --newpassword=$PASSWORD --clear-smartcard-required || failed=`expr $failed + 1` - -testit "STEP3 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM || failed=`expr $failed + 1` -test_smbclient "STEP3 Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` -test_smbclient "STEP3 Test login with NTLM" 'ls' "$unc" -U$USERNAME%$PASSWORD || failed=`expr $failed + 1` -testit 
"STEP3 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD || failed=`expr $failed + 1` - -testit "STEP3 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP3 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP3 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit "STEP3 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP3 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP3 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit "STEP3 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1` -testit "STEP3 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP3 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -# STEP4: -# Now we set the UF_SMARTCARD_REQUIRED bit -# This means we have a normal enabled account *without* a known password -testit "STEP4 samba-tool user setpassword $USERNAME --smartcard-required" $PYTHON ${samba_tool} user setpassword $USERNAME --smartcard-required || failed=`expr $failed + 1` - -testit_expect_failure "STEP4 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM && failed=`expr $failed + 1` -testit_expect_failure "STEP4 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && 
failed=`expr $failed + 1` -testit_expect_failure "STEP4 Test wbinfo with password" $wbinfo --authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1` - -testit "STEP4 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP4 kinit renew ticket (name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP4 Test login with kerberos ccache (name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit "STEP4 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM || failed=`expr $failed + 1` -testit "STEP4 kinit renew ticket (enterprise name specified)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP4 Test login with kerberos ccache (enterprise name specified)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -testit "STEP4 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise || failed=`expr $failed + 1` -testit "STEP4 kinit renew ticket (enterprise name in cert)" $samba4kinit --request-pac -R || failed=`expr $failed + 1` -test_smbclient "STEP4 Test login with kerberos ccache (enterprise name in cert)" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1` - -# STEP5: -# disable the account -testit "STEP5 samba-tool user disable $USERNAME" $PYTHON ${samba_tool} user disable $USERNAME || failed=`expr $failed + 1` - -testit_expect_failure "STEP5 kinit with password" $samba4kinit $enctype --password-file=$PASSFILE_PATH --request-pac $USERNAME@$REALM && failed=`expr $failed + 1` -testit_expect_failure "STEP5 Test login with NTLM" $smbclient "$unc" -c 'ls' -U$USERNAME%$PASSWORD && failed=`expr $failed + 1` -testit_expect_failure "STEP5 Test wbinfo with password" $wbinfo 
--authenticate=$DOMAIN/$USERNAME%$PASSWORD && failed=`expr $failed + 1` - -testit_expect_failure "STEP5 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM && failed=`expr $failed + 1` -testit_expect_failure "STEP5 kinit with pkinit (enterprise name specified)" $samba4kinit $enctype --request-pac --renewable $PKUSER --enterprise $USERNAME@$REALM && failed=`expr $failed + 1` -testit_expect_failure "STEP5 kinit with pkinit (enterprise name in cert)" $samba4kinit $enctype --request-pac --renewable $PKUSER --pk-enterprise && failed=`expr $failed + 1` - -# STEP6: -# cleanup -testit "STEP6 samba-tool user delete $USERNAME " $PYTHON ${samba_tool} user delete $USERNAME || failed=`expr $failed + 2` - -rm -f $PASSFILE_PATH -rm -f $KRB5CCNAME_PATH -exit $failed diff --git a/testprogs/blackbox/test_pkinit_pac.sh b/testprogs/blackbox/test_pkinit_pac.sh new file mode 100755 index 00000000000..8047517fde1 --- /dev/null +++ b/testprogs/blackbox/test_pkinit_pac.sh 
@@ -0,0 +1,63 @@ +#!/bin/sh +# Blackbox tests for pkinit and pac verification +# +# Copyright (C) 2006-2008 Stefan Metzmacher +# Copyright (C) 2022 Andreas Schneider + +if [ $# -lt 6 ]; then + cat <<EOF +Usage: test_pkinit_pac.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX +EOF + exit 1 +fi + +SERVER=$1 +USERNAME=$2 +PASSWORD=$3 +REALM=$4 +DOMAIN=$5 +PREFIX=$6 +shift 6 +failed=0 + +samba_bindir="$BINDIR" + +samba_kinit="$(command -v kinit)" +if [ -x "${samba_bindir}/samba4kinit" ]; then + samba_kinit="${samba_bindir}/samba4kinit" +fi +samba_smbtorture="${samba_bindir}/smbtorture --basedir=$SELFTEST_TMPDIR" + +. "$(dirname "$0")"/subunit.sh +. "$(dirname "$0")"/common_test_fns.inc + +KRB5CCNAME_PATH="$PREFIX/tmpccache" +rm -f "${KRB5CCNAME_PATH}" +KRB5CCNAME="FILE:$KRB5CCNAME_PATH" +export KRB5CCNAME + +USER_PRINCIPAL_NAME="$(echo "${USERNAME}@${REALM}" | tr "[:upper:]" "[:lower:]")" + +kbase="$(basename "${samba_kinit}")" +if [ "${kbase}" = "samba4kinit" ]; then + # HEIMDAL -- Samba Shared Repository
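Review bot: in the knownfail_mit_kdc hunk the two "pkinit_pac.STEP1 remote.pac verification" entries are dropped for ad_dc as well as ad_dc_ntvfs, whereas the netr-* entries keep their ad_dc lines and only lose the ad_dc_ntvfs copies. The ad_dc_ntvfs removals follow from the tests.py change, but the commit message does not say whether STEP1 now passes against the MIT KDC or whether the new test_pkinit_pac.sh simply no longer emits a subtest with that name; one sentence on that would make the knownfail edit reviewable.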
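Review bot: in the mk_krb5_conf hunk the MIT branch prints pkinit_anchors and pkinit_kdc_hostname with no section header, while the Heimdal branch that follows opens with "[appdefaults]"; the two MIT keys therefore land in whatever section was already open before the `if`. Either emit the intended section header explicitly in the MIT branch or add a comment naming the section those lines are meant to extend, so the generated krb5.conf does not silently depend on the order of the surrounding print statements.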
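Review bot: the five pkinit_* settings added in mk_mitkdc_conf (pkinit_identity, pkinit_anchors, pkinit_eku_checking, pkinit_indicator, pkinit_allow_upn) are pasted verbatim into the $ctx->{realm}, $ctx->{dnsname} and $ctx->{domain} blocks. Build them once into a Perl variable and interpolate it into each realm block, so a later change to pkinit_eku_checking or to the identity file pair cannot leave one of the three realms behind.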
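Review bot: in the selftest/wscript hunk the new HAVE_MIT_KRB5_PRE_1_20 branch appends " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc_pre_1_20", but the USING_SYSTEM_KRB5/MIT_KDC_PATH branch directly above already appends " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc", so --mitkrb5 appears twice on the command line when both conditions hold. Appending only the additional --exclude here is sufficient.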
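Review bot: in the samba_kdc_fetch_server hunk the string returned by krb5_unparse_name is released with SAFE_FREE; the documented release call is krb5_free_unparsed_name(context, client_name), which should be used rather than calling free() on library-owned memory even though it happens to work with both Kerberos libraries today. The function fetches the server entry, so naming the buffer client_name is also misleading; server_name or principal_name would read correctly in the log line.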
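Review bot: in the mitkdc_task_init hunk kdc_trace_file is handed to setenv(), which copies the string, but it is never freed, unlike kdc_config which gets TALLOC_FREE right after its own setenv a few lines above; add TALLOC_FREE(kdc_trace_file) after the setenv. The overwrite flag is 1 here while KRB5_KDC_PROFILE is set with 0, so an operator-provided KRB5_TRACE destination is replaced whenever the kerberos debug class is at 10; use 0 for consistency or state in the commit message that overriding it is intended. The trace file is written under get_dyn_LOGFILEBASE() and is verbose, so it should receive the same permissions as the other KDC logs.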
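Review bot: the "#if 0" around the KRB5_KDB_REQUIRES_HW_AUTH mapping in SDBFlags_to_kflags disables that flag for every deployment, not just selftest, yet the comment gives only the testing rationale. With this change the protection for UF_SMARTCARD_REQUIRED accounts rests entirely on the second hunk in sdb_entry_to_krb5_db_entry, which skips copying the long-term keys when s->flags.require_hwauth is set; say so in the comment and in the message of 28f57a757b6, and confirm that k->n_key_data stays 0 on that path so the MIT KDC does not treat the entry as having usable keys. Dead code under "#if 0" is better removed outright, keeping only the explanation of why the flag is not mapped.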
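Review bot: moving $@ in front of $principal in kerberos_kinit is the right fix, but both changed lines still expand $@, $principal and $password unquoted, so an option or password containing whitespace or glob characters is word-split or globbed by the shell before kinit sees it; use "$@", "${principal}" and "${password}", matching the "${foo}" style that 3aa7df568bc introduces elsewhere in this same series.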