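#!/bin/sh
#
# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden).
# All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that the following conditions
# are met:
#
# 1. Redistributions of source code must retain the above copyright
#    notice, this list of conditions and the following disclaimer.
#
# 2. Redistributions in binary form must reproduce the above copyright
#    notice, this list of conditions and the following disclaimer in the
#    documentation and/or other materials provided with the distribution.
#
# 3. Neither the name of the Institute nor the names of its contributors
#    may be used to endorse or promote products derived from this software
#    without specific prior written permission.
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
# SUCH DAMAGE.
#
# Id
#

# Regression test for GSS-API security-context establishment (krb5, SPNEGO).
#
# The script builds a disposable realm database with kadmin -l, extracts
# service keys into a keytab, starts a KDC restricted to localhost, and then
# drives ../../lib/gssapi/test_context through keytab-error, naming,
# wrap/unwrap, delegation, session-enctype and clock-offset cases.
#
# Environment read: TESTS_ENVIRONMENT (command prefix), afs_no_afslog
#                   (extra kinit option).
# Substituted at configure time: @srcdir@, @objdir@, @port@.
# Exit status: 0 all checks passed, 1 a check failed,
#              77 skipped (no usable database backend compiled in).
#
# All passwords below (p1, kaka, u1) are fixed fixtures for this throw-away
# realm.  They are passed with -p on the command line and written in clear
# to ${objdir}/foopassword, which this script never removes; none of this
# is a pattern to copy for a real realm.

srcdir="@srcdir@"
objdir="@objdir@"

# If there is no useful db support compiled in, disable the test
../db/have-db || exit 77

R=TEST.H5L.SE

port=@port@

keytabfile=${objdir}/server.keytab
keytab="FILE:${keytabfile}"
# nokeytab is not referenced anywhere below.
nokeytab="FILE:no-such-keytab"
cache="FILE:krb5ccfile"

# These hold whole command lines and are expanded UNQUOTED on purpose so the
# shell splits them back into words.  klist is defined but not used below.
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"

context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"

KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG

KRB5CCNAME=${cache}
export KRB5CCNAME

# Start from a clean slate: stale keys or databases from an earlier run
# would make the results meaningless.
rm -f "${keytabfile}"
rm -f current-db*
rm -f out-*
rm -f mkey.file*

> messages.log

echo Creating database
${kadmin} \
    init \
    --realm-max-ticket-life=1day \
    --realm-max-renewable-life=1month \
    ${R} || exit 1

# add both lucid and lucid.test.h5l.se to simulate aliases
${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
${kadmin} ext -k "${keytab}" host/lucid.test.h5l.se@${R} || exit 1
${kadmin} add -p p1 --use-defaults host/lucid@${R} || exit 1
${kadmin} ext -k "${keytab}" host/lucid@${R} || exit 1

# Service principal flagged ok-as-delegate, used by the policy-delegation
# checks further down.
${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
${kadmin} ext -k "${keytab}" host/ok-delegate.test.h5l.se@${R} || exit 1


${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
# XXX ext should ext aliases too
# Until it does, copy the key under the alias name by hand (--no-delete
# keeps the host/short entry as well).
${kadmin} ext -k "${keytab}" host/short@${R} || exit 1
${ktutil} -k "${keytab}" rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1

${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1

${kadmin} add -p u1 --use-defaults user1@${R} || exit 1

# Create a server principal with no AES
${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
# The dump in "tempfile" is not read again by this script and the file is
# left behind in the working directory.
${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
    aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
${kadmin} ext -k "${keytab}" host/no-aes.test.h5l.se@${R} || exit 1

echo "Doing database check"
${kadmin} check ${R} || exit 1

# Clear-text password for user1, consumed by kinit --password-file.
echo u1 > "${objdir}/foopassword"

echo Starting kdc
${kdc} &
kdcpid=$!

sh "${srcdir}/../kdc/wait-kdc.sh"
if [ "$?" != 0 ] ; then
    kill ${kdcpid}
    exit 1
fi

# From here on every exit path (including the "exit 1" inside $testfailed)
# kills the KDC.  The pid is expanded now, while the trap string is built.
# The trap is cleared again just before the normal "exit 0".
trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT

# Failure handler, run with eval so that its "exit" ends this shell.
testfailed="echo test failed; cat messages.log; exit 1"

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" --forwardable user1@${R} || \
    { eval "$testfailed"; }

echo "======test unreadable/non existant keytab and its error message" ; > messages.log
# Baseline: with the keytab in place the context must establish.
${context} --mech-type=krb5 host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

# Hide the keytab; the acceptor must now fail AND its error output must
# name the missing file.
mv "${keytabfile}" "${keytabfile}.no"

echo "checking non existant keytabfile (krb5)" ; > messages.log
${context} --mech-type=krb5 host@lucid.test.h5l.se > test_context.log 2>&1 && \
    { eval "$testfailed"; }
grep "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }
echo "checking non existant keytabfile (spengo)" ; > messages.log
${context} --mech-type=spnego host@lucid.test.h5l.se > test_context.log 2>&1 && \
    { eval "$testfailed"; }
grep "${keytabfile}" test_context.log > /dev/null || \
    { echo "string missing failed"; cat test_context.log ; eval "$testfailed"; }

mv "${keytabfile}.no" "${keytabfile}"

echo "======test naming combinations"
echo "plain" ; > messages.log
${context} --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }
echo "plain (krb5)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se@${R} || \
    { eval "$testfailed"; }
echo "plain (krb5 realmless)" ; > messages.log
${context} --name-type=krb5-principal-name host/lucid.test.h5l.se || \
    { eval "$testfailed"; }
echo "dns canon on (long name) OFF, need dns_wrapper" ; > messages.log
#${context} --dns-canon host@lucid.test.h5l.se || \
#    { eval "$testfailed"; }
echo "dns canon off (long name)" ; > messages.log
${context} --no-dns-canon host@lucid.test.h5l.se || \
    { eval "$testfailed"; }
echo "dns canon off (short name)" ; > messages.log
${context} --no-dns-canon host@lucid || \
    { eval "$testfailed"; }
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid@${R} || \
    { eval "$testfailed"; }
echo "dns canon off (short name, krb5)" ; > messages.log
${context} --no-dns-canon --name-type=krb5-principal-name host/lucid || \
    { eval "$testfailed"; }

echo "======test context building"
for mech in krb5 krb5iov spnego spnegoiov; do
    # Reset per iteration, as the dce-style loop below does.  Without this
    # the "--iov" set for krb5iov carried over into the plain spnego pass,
    # so SPNEGO without --iov was never exercised (and a stray $iov from the
    # caller's environment could leak into the first pass).
    iov=""
    if [ "$mech" = "krb5iov" ] ; then
        mech="krb5"
        iov="--iov"
    fi
    if [ "$mech" = "spnegoiov" ] ; then
        mech="spnego"
        iov="--iov"
    fi

    # ${iov} stays unquoted: when empty it must vanish instead of becoming
    # an empty argument.
    echo "${mech} no-mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        { eval "$testfailed"; }

    echo "${mech} mutual ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        { eval "$testfailed"; }

    echo "${mech} delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        { eval "$testfailed"; }

    echo "${mech} mutual delegate ${iov}" ; > messages.log
    ${context} --mech-type=${mech} \
        --mutual --delegate \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        { eval "$testfailed"; }
done

echo "======dce-style"
for mech in krb5 krb5iov spnego; do
    iov=""
    if [ "$mech" = "krb5iov" ] ; then
        mech="krb5"
        iov="--iov"
    fi
    # spnegoiov is not in the list above, so this branch is currently
    # unreachable; it mirrors the context-building loop.
    if [ "$mech" = "spnegoiov" ] ; then
        mech="spnego"
        iov="--iov"
    fi

    echo "${mech}: dce-style ${iov}" ; > messages.log
    ${context} \
        --mech-type=${mech} \
        --mutual \
        --dce-style \
        --wrapunwrap ${iov} \
        --name-type=hostbased-service host@lucid.test.h5l.se || \
        { eval "$testfailed"; }

done

echo "test gsskrb5_register_acceptor_identity (both positive and negative)"

cp "${keytabfile}" "${keytabfile}.new"
for mech in krb5 spnego; do
    echo "${mech}: acceptor_identity positive" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.new" \
        --mech-type=$mech host@lucid.test.h5l.se || \
        { eval "$testfailed"; }

    echo "${mech}: acceptor_identity positive (prefix)" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="FILE:${keytabfile}.new" \
        --mech-type=$mech host@lucid.test.h5l.se || \
        { eval "$testfailed"; }

    # ${keytabfile}.foo is never created, so success here is the failure.
    echo "${mech}: acceptor_identity negative" ; > messages.log
    ${context} --gsskrb5-acceptor-identity="${keytabfile}.foo" \
        --mech-type=$mech host@lucid.test.h5l.se 2>/dev/null && \
        { eval "$testfailed"; }
done

rm "${keytabfile}.new"


#echo "sasl-digest-md5"
#${context} --mech-type=sasl-digest-md5 \
#    --name-type=hostbased-service \
#    host@lucid.test.h5l.se || \
#    { eval "$testfailed"; }


echo "====== gss-api session key check"

# this will break when someone invents a cooler enctype than aes256-cts-hmac-sha1-96
coolenctype="aes256-cts-hmac-sha1-96"
# des3-cbc-sha1 is a legacy enctype (deprecated for Kerberos by RFC 8429);
# it appears here only to check that an enctype limit on the credential is
# honoured.
limit_enctype="des3-cbc-sha1"

echo "Getting client initial tickets" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    { eval "$testfailed"; }


# host/no-aes had its AES keys removed above, yet the session key is still
# expected to be ${coolenctype}.
echo "Building context on cred w/o aes, but still ${coolenctype} session key" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --session-enctype=${coolenctype} \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    { eval "$testfailed"; }

echo "Building context on cred, check if its limited still" ; > messages.log
${context} \
    --mech-type=krb5 \
    --client-name=user1@${R} \
    --limit-enctype="${limit_enctype}" \
    --mutual-auth \
    --name-type=hostbased-service host@no-aes.test.h5l.se || \
    { eval "$testfailed"; }


echo "====== ok-as-delegate"

echo "Getting client initial tickets" ; > messages.log
${kinit} --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || \
    { eval "$testfailed"; }

echo "ok-as-delegate not used" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

# host/lucid does not carry +ok-as-delegate; with --policy-delegate the
# test asserts (--server-no-delegate) that nothing is delegated to it.
echo "host without ok-as-delegate with policy-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

echo "ok-as-delegate used by policy" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    { eval "$testfailed"; }

echo "Getting client initial tickets with --ok-as-delgate" ; > messages.log
${kinit} --ok-as-delegate --forwardable \
    --password-file="${objdir}/foopassword" user1@${R} || \
    { eval "$testfailed"; }

echo "policy delegate to non delegate host" ; > messages.log
${context} \
    --mech-type=krb5 \
    --policy-delegate \
    --server-no-delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

echo "ok-as-delegate" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

echo "======export/import cred"

echo "export-import cred (krb5)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    { eval "$testfailed"; }

echo "export-import cred (spnego)" ; > messages.log
${context} \
    --mech-type=spnego \
    --delegate \
    --export-import-cred \
    --name-type=hostbased-service host@ok-delegate.test.h5l.se || \
    { eval "$testfailed"; }


echo "======time diffs between client and server"

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    { eval "$testfailed"; }

echo "No time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    { eval "$testfailed"; }

# One hour of skew on the acceptor side; the exchange must still complete
# within the given number of loops.
echo "Server time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=3 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

# Same skew with one loop fewer; presumably relies on the offset learned by
# the previous run having been kept (the "cached ?" in the label).
echo "Server time offset (cached ?)" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --server-time-offset=3600 \
    --max-loops=2 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

echo "Getting client initial ticket" ; > messages.log
${kinit} --password-file="${objdir}/foopassword" user1@${R} || \
    { eval "$testfailed"; }
# Pre-populate the cache since tgs-req will fail since our time is wrong
${kgetcred} host/lucid.test.h5l.se@${R} || \
    { eval "$testfailed"; }

echo "Client time offset" ; > messages.log
${context} \
    --mech-type=krb5 \
    --mutual-auth \
    --client-time-offset=3600 \
    --name-type=hostbased-service host@lucid.test.h5l.se || \
    { eval "$testfailed"; }

echo "Getting client initial tickets (use-referrals)" ; > messages.log
${kinit} \
    --password-file="${objdir}/foopassword" \
    --use-referrals user1@${R} || \
    { eval "$testfailed"; }

# XXX these tests really need to use something that resolves to something
${context} \
    --mech-type=krb5 \
    host@short || \
    { eval "$testfailed"; }

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name host/short || \
    { eval "$testfailed"; }

${context} \
    --mech-type=krb5 \
    host@long.test.h5l.se || \
    { eval "$testfailed"; }

${context} \
    --mech-type=krb5 \
    --name-type=krb5-principal-name \
    host/long.test.h5l.se || \
    { eval "$testfailed"; }

# All checks passed: drop the EXIT trap so the final "exit 0" is not turned
# into "exit 1", then stop the KDC by hand.
trap "" EXIT

echo "killing kdc (${kdcpid})"
kill ${kdcpid} 2> /dev/null

exit 0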