#!/bin/sh
#
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Id
#

# @srcdir@ / @objdir@ / @port@ are filled in by configure when this .in file
# is turned into the runnable test script.
srcdir="@srcdir@"
objdir="@objdir@"

# If no usable db support is compiled in, skip this test (exit 77).
../db/have-db || exit 77

# Test realm and KDC port shared by every step below.
R=TEST.H5L.SE
port=@port@

# Keytab and credential-cache locations. "FILE:" is the krb5 type prefix.
keytabfile="${objdir}/server.keytab"
keytab="FILE:${keytabfile}"
nokeytab="FILE:no-such-keytab"
cache="FILE:krb5ccfile"

# Command strings: these are word-split on purpose at every call site
# (${TESTS_ENVIRONMENT} may hold a wrapper such as a libtool/valgrind prefix),
# so they must stay unquoted when invoked.
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c ${cache} ${afs_no_afslog}"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c ${cache}"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c ${cache}"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r ${R}"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P ${port}"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

# Point the krb5 library at the generated test configuration and at the
# credential cache every tool above also receives via -c.
export KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5CCNAME="${cache}"

# Start from a clean slate: previous keytab, database, output and master-key files.
rm -f "${keytabfile}"
rm -f current-db* out-* mkey.file*

: > messages.log

echo Creating database
${kadmin} init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    "${R}" || exit 1

# Add both host/lucid and host/lucid.test.h5l.se so the short name can stand
# in for an alias of the long one; each gets its key extracted into the keytab.
for princ in host/lucid.test.h5l.se host/lucid; do
    ${kadmin} add -p p1 --use-defaults "${princ}@${R}" || exit 1
    ${kadmin} ext -k "${keytab}" "${princ}@${R}" || exit 1
done

# A host carrying the ok-as-delegate attribute, the positive case for the
# delegation-policy checks further down.
${kadmin} add -p p1 --use-defaults "host/ok-delegate.test.h5l.se@${R}" || exit 1
${kadmin} mod --attributes=+ok-as-delegate "host/ok-delegate.test.h5l.se@${R}" || exit 1
${kadmin} ext -k "${keytab}" "host/ok-delegate.test.h5l.se@${R}" || exit 1


# host/short with a real database alias host/long.test.h5l.se.
${kadmin} add -p p1 --use-defaults "host/short@${R}" || exit 1
${kadmin} mod --alias="host/long.test.h5l.se@${R}" "host/short@${R}" || exit 1
# XXX ext should ext aliases too
# Until it does, duplicate the keytab entry under the alias name by hand.
${kadmin} ext -k "${keytab}" "host/short@${R}" || exit 1
${ktutil} -k "${keytab}" rename --no-delete "host/short@${R}" "host/long.test.h5l.se@${R}" || exit 1

${kadmin} add -p kaka --use-defaults "digest/${R}@${R}" || exit 1

${kadmin} add -p u1 --use-defaults "user1@${R}" || exit 1

# Create a server principal with no AES keys (used by the session-key checks).
# The "get" dump goes to tempfile only as a debugging aid; nothing in this
# script reads it.
${kadmin} add -p p1 --use-defaults "host/no-aes.test.h5l.se@${R}" || exit 1
${kadmin} get "host/no-aes.test.h5l.se@${R}" > tempfile || exit 1
${kadmin} del_enctype "host/no-aes.test.h5l.se@${R}" \
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
${kadmin} ext -k "${keytab}" "host/no-aes.test.h5l.se@${R}" || exit 1

echo "Doing database check"
${kadmin} check "${R}" || exit 1

# Password for user1, matching the -p u1 given when the principal was added.
# This is a test-only fixture: the value is already visible in this script.
echo u1 > "${objdir}/foopassword"

echo Starting kdc
${kdc} &
kdcpid=$!

# wait-kdc.sh is expected to return non-zero if the KDC never came up;
# in that case there is nothing to test, so stop the KDC and bail out.
if ! sh "${srcdir}/../kdc/wait-kdc.sh"; then
    kill "${kdcpid}"
    exit 1
fi

# From here on every exit path (test failure, signal) must take the KDC down.
# ${kdcpid} is expanded now, deliberately, so the trap body is fixed.
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

# Shared failure path used via eval below: show the KDC/library log and
# abort; the EXIT trap above then kills the KDC.
testfailed="echo test failed; cat messages.log; exit 1"

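echo "Getting client initial tickets" ; : > messages.log
${kinit} --password-file="${objdir}/foopassword" --forwardable "user1@${R}" || \
	{ eval "$testfailed"; }

echo "======test unreadable/non existant keytab and its error message" ; : > messages.log
# Baseline: with the keytab in place the context must be established.
${context} --mech-type=krb5 host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

# Hide the keytab; the acceptor side must now fail and the error text must
# name the missing file.
mv "${keytabfile}" "${keytabfile}.no"

echo "checking non existant keytabfile (krb5)" ; : > messages.log
# Expected to fail, so success (&&) is the test failure here.
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
	{ eval "$testfailed"; }
# The keytab path is a literal string, not a regex (it contains '.'), so match
# it with -F; "--" protects a path that happens to begin with '-'.
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
	{ echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
echo "checking non existant keytabfile (spengo)" ; : > messages.log
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
	{ eval "$testfailed"; }
grep -F -- "${keytabfile}" test_context.log > /dev/null || \
	{ echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }

# Restore the keytab for the remaining tests.
mv "${keytabfile}.no" "${keytabfile}"
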
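echo "======test naming combinations"
# Each case: print a label, truncate the log, build a context with one name form.
echo "plain"  ; : > messages.log
${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }
echo "plain (krb5)" ; : > messages.log
${context} --name-type=krb5-principal-name "host/lucid.test.h5l.se@${R}" || \
	{ eval "$testfailed"; }
echo "plain (krb5 realmless)" ; : > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
	{ eval "$testfailed"; }
echo "dns canon on (long name) OFF, need dns_wrapper" ; : > messages.log
# Disabled: needs a DNS wrapper in the test environment.
#${context} --dns-canon host@lucid.test.h5l.se || \
#	{ eval "$testfailed"; }
echo "dns canon off (long name)" ; : > messages.log
${context} --no-dns-canon host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }
echo "dns canon off (short name)" ; : > messages.log
${context} --no-dns-canon host@lucid || \
	{ eval "$testfailed"; }
echo "dns canon off (short name, krb5)" ; : > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name "host/lucid@${R}" || \
	{ eval "$testfailed"; }
# This label used to duplicate the one above, making a failure here
# indistinguishable from the previous case; this is the realmless principal.
echo "dns canon off (short name, krb5 realmless)" ; : > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
	{ eval "$testfailed"; }
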
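echo "======test context building"
# krb5iov / spnegoiov run the same mechanism with the --iov flag added.
for mech in krb5 krb5iov spnego spnegoiov; do
	# Reset per iteration. Without this the --iov set by krb5iov leaked into
	# the plain spnego run, so spnego without --iov was never exercised
	# (the dce-style loop below already does this reset).
	iov=""
	case "$mech" in
	krb5iov)
	    mech="krb5"
	    iov="--iov"
	    ;;
	spnegoiov)
	    mech="spnego"
	    iov="--iov"
	    ;;
	esac

	# ${iov} is left unquoted on purpose: when empty it must add no argument.
	echo "${mech} no-mutual ${iov}" ; : > messages.log
	${context} --mech-type="${mech}" \
	    --wrapunwrap ${iov} \
	    --name-type=hostbased-service host@lucid.test.h5l.se || \
		{ eval "$testfailed"; }

	echo "${mech} mutual ${iov}" ; : > messages.log
	${context} --mech-type="${mech}" \
	    --mutual \
	    --wrapunwrap ${iov} \
	    --name-type=hostbased-service host@lucid.test.h5l.se || \
		{ eval "$testfailed"; }

	echo "${mech} delegate ${iov}" ; : > messages.log
	${context} --mech-type="${mech}" \
	    --delegate \
	    --wrapunwrap ${iov} \
	    --name-type=hostbased-service host@lucid.test.h5l.se || \
		{ eval "$testfailed"; }

	echo "${mech} mutual delegate ${iov}" ; : > messages.log
	${context} --mech-type="${mech}" \
	    --mutual --delegate \
	    --wrapunwrap ${iov} \
	    --name-type=hostbased-service host@lucid.test.h5l.se || \
		{ eval "$testfailed"; }
done
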
echo "======dce-style"
for mech in krb5 krb5iov spnego; do
	# Fresh per iteration so --iov never carries over between mechanisms.
	iov=""
	# "<mech>iov" selects the same mechanism with --iov added. The spnegoiov
	# arm is kept for symmetry with the loop above even though this list
	# does not contain it.
	case "$mech" in
	krb5iov)
	    mech="krb5"
	    iov="--iov"
	    ;;
	spnegoiov)
	    mech="spnego"
	    iov="--iov"
	    ;;
	esac

	# ${iov} is left unquoted on purpose: when empty it must add no argument.
	echo "${mech}: dce-style ${iov}" ; : > messages.log
	${context} \
	    --mech-type="${mech}" \
	    --mutual \
	    --dce-style \
	    --wrapunwrap ${iov} \
	    --name-type=hostbased-service host@lucid.test.h5l.se || \
	    { eval "$testfailed"; }

done

echo "test gsskrb5_register_acceptor_identity (both positive and negative)"

# Work on a copy so the registered acceptor identity is a path that differs
# from the default keytab.
cp "${keytabfile}" "${keytabfile}.new"
for mech in krb5 spnego; do
	echo "${mech}: acceptor_identity positive" ; : > messages.log
	${context} --gsskrb5-acceptor-identity="${keytabfile}.new" \
		--mech-type="$mech" host@lucid.test.h5l.se || \
		{ eval "$testfailed"; }

	# Same, but with the explicit FILE: type prefix.
	echo "${mech}: acceptor_identity positive (prefix)" ; : > messages.log
	${context} --gsskrb5-acceptor-identity="FILE:${keytabfile}.new" \
		--mech-type="$mech" host@lucid.test.h5l.se || \
		{ eval "$testfailed"; }

	# Nonexistent keytab: the context must not be established (note the &&).
	echo "${mech}: acceptor_identity negative" ; : > messages.log
	${context} --gsskrb5-acceptor-identity="${keytabfile}.foo" \
		--mech-type="$mech" host@lucid.test.h5l.se 2>/dev/null && \
		{ eval "$testfailed"; }
done

rm "${keytabfile}.new"


# Disabled: not part of the current run.
#echo "sasl-digest-md5"
#${context}  --mech-type=sasl-digest-md5 \
#    --name-type=hostbased-service \
#    host@lucid.test.h5l.se || \
#	{ eval "$testfailed"; }


echo "====== gss-api session key check"

# This will break when someone invents a cooler enctype than aes256-cts-hmac-sha1-96.
coolenctype="aes256-cts-hmac-sha1-96"
limit_enctype="des3-cbc-sha1"

echo "Getting client initial tickets" ; : > messages.log
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
	{ eval "$testfailed"; }


# host/no-aes was created without AES keys above; the context session key
# is nevertheless expected to come out as ${coolenctype}.
echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --session-enctype="${coolenctype}" \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
	{ eval "$testfailed"; }

# Same acceptor, but with the client credential limited to ${limit_enctype}.
echo "Building context on cred, check if its limited still" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --client-name="user1@${R}" \
    --limit-enctype="${limit_enctype}" \
    --mutual-auth \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
	{ eval "$testfailed"; }


echo "====== ok-as-delegate"

echo "Getting client initial tickets" ; : > messages.log
${kinit} --forwardable \
    --password-file="${objdir}/foopassword" "user1@${R}" || \
	{ eval "$testfailed"; }

# Unconditional --delegate against a host without the ok-as-delegate attribute.
echo "ok-as-delegate not used" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

# --policy-delegate against host/lucid (no ok-as-delegate): judging by
# --server-no-delegate, the acceptor is expected to see no delegated credential.
echo "host without ok-as-delegate with policy-delegate" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

# host/ok-delegate carries the attribute, so policy delegation should apply.
echo "ok-as-delegate used by policy" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
	{ eval "$testfailed"; }

# Repeat the two cases above with a TGT obtained using kinit --ok-as-delegate.
echo "Getting client initial tickets with --ok-as-delgate" ; : > messages.log
${kinit} --ok-as-delegate  --forwardable \
    --password-file="${objdir}/foopassword" "user1@${R}" || \
	{ eval "$testfailed"; }

echo "policy delegate to non delegate host" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

echo "ok-as-delegate" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

echo "======export/import cred"

# Delegate to the ok-as-delegate host and round-trip the resulting credential
# through export/import, once per mechanism.
echo "export-import cred (krb5)" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
	{ eval "$testfailed"; }

echo "export-import cred (spnego)" ; : > messages.log
${context} \
    --mech-type=spnego \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
	{ eval "$testfailed"; }


echo "======time diffs between client and server"

echo "Getting client initial ticket" ; : > messages.log
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
	{ eval "$testfailed"; }

echo "No time offset" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

echo "Getting client initial ticket" ; : > messages.log
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
	{ eval "$testfailed"; }

# Acceptor clock skewed by an hour; up to 3 exchange loops are allowed.
echo "Server time offset" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=3 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

# Second attempt with one loop fewer; presumably the skew learned above is
# cached and no extra round trip is needed.
echo "Server time offset (cached ?)" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=2 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

echo "Getting client initial ticket" ; : > messages.log
${kinit} --password-file="${objdir}/foopassword" "user1@${R}" || \
	{ eval "$testfailed"; }
# Pre-populate the cache, since the TGS-REQ will fail once our time is wrong.
${kgetcred} "host/lucid.test.h5l.se@${R}" || \
	{ eval "$testfailed"; }

# Initiator clock skewed by an hour instead.
echo "Client time offset" ; : > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --client-time-offset=3600 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
	{ eval "$testfailed"; }

echo "Getting client initial tickets (use-referrals)" ; : > messages.log
${kinit} \
    --password-file="${objdir}/foopassword" \
    --use-referrals "user1@${R}" || \
	{ eval "$testfailed"; }

# XXX these tests really need to use something that resolves to something
# host/short is aliased to host/long.test.h5l.se in the database set up
# above; both spellings, in both name types, must yield a context.
${context} \
    --mech-type=krb5 \
    host@short || \
	{ eval "$testfailed"; }

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name host/short || \
	{ eval "$testfailed"; }

${context} \
    --mech-type=krb5 \
    host@long.test.h5l.se || \
	{ eval "$testfailed"; }

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name \
    host/long.test.h5l.se || \
	{ eval "$testfailed"; }

# Normal completion: cancel the EXIT trap (its body would exit 1), then stop
# the KDC ourselves. Errors from kill are ignored in case it already went away.
trap - EXIT

echo "killing kdc (${kdcpid})"
kill "${kdcpid}" 2> /dev/null

exit 0
