1#!/bin/sh 2# 3# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan 4# (Royal Institute of Technology, Stockholm, Sweden). 5# All rights reserved. 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted provided that the following conditions 9# are met: 10# 11# 1. Redistributions of source code must retain the above copyright 12# notice, this list of conditions and the following disclaimer. 13# 14# 2. Redistributions in binary form must reproduce the above copyright 15# notice, this list of conditions and the following disclaimer in the 16# documentation and/or other materials provided with the distribution. 17# 18# 3. Neither the name of the Institute nor the names of its contributors 19# may be used to endorse or promote products derived from this software 20# without specific prior written permission. 21# 22# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32# SUCH DAMAGE. 33 34top_builddir="@top_builddir@" 35env_setup="@env_setup@" 36objdir="@objdir@" 37 38. ${env_setup} 39 40KRB5_CONFIG="${1-${objdir}/krb5.conf}" 41export KRB5_CONFIG 42 43testfailed="echo test failed; cat messages.log; exit 1" 44 45# If there is no useful db support compiled in, disable test 46${have_db} || exit 77 47 48R=TEST.H5L.SE 49RH=TEST-HTTP.H5L.SE 50R2=TEST2.H5L.SE 51R3=TEST3.H5L.SE 52R4=TEST4.H5L.SE 53R5=SOME-REALM5.FR 54R6=SOME-REALM6.US 55R7=SOME-REALM7.UK 56R8=SOME-REALM8.UK 57 58H1=H1.$R 59H2=H2.$R 60H3=H3.$H2 61H4=H4.$H2 62 63r=`echo "$R" | tr '[A-Z]' '[a-z]'` 64h1=`echo "${H1}" | tr '[A-Z]' '[a-z]'` 65h2=`echo "${H2}" | tr '[A-Z]' '[a-z]'` 66h3=`echo "${H3}" | tr '[A-Z]' '[a-z]'` 67h4=`echo "${H4}" | tr '[A-Z]' '[a-z]'` 68 69port=@port@ 70pwport=@pwport@ 71 72kadmin="${kadmin} -l -r $R" 73kadmin5="${kadmin} -l -r $R5" 74kdc="${kdc} --addresses=localhost -P $port" 75kpasswdd="${kpasswdd} --addresses=localhost -p $pwport" 76 77server=host/datan.test.h5l.se 78server2=host/computer.example.com 79serverip=host/10.11.12.13 80serveripname=host/ip.test.h5l.org 81serveripname2=host/10.11.12.14 82alias1=host/datan.example.com 83alias2=host/datan 84aliaskeytab=host/datan 85cache="FILE:${objdir}/cache.krb5" 86ocache="FILE:${objdir}/ocache.krb5" 87o2cache="FILE:${objdir}/o2cache.krb5" 88icache="FILE:${objdir}/icache.krb5" 89keytabfile=${objdir}/server.keytab 90keytab="FILE:${keytabfile}" 91ps="proxy-service@${R}" 92aesenctype="aes256-cts-hmac-sha1-96" 93 94kinit="${kinit} -c $cache ${afs_no_afslog}" 95klist="${klist} -c $cache" 96kgetcred="${kgetcred} -c $cache" 97kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}" 98kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" 99kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}" 100test_set_kvno0="${test_set_kvno0} -c $cache" 101 102rm -f ${keytabfile} 103rm -f current-db* 104rm -f out-* 105rm -f mkey.file* 106 107> messages.log 108 109echo Creating database 110${kadmin} \ 111 init \ 112 --realm-max-ticket-life=1day \ 113 --realm-max-renewable-life=1month \ 114 ${R} || exit 1 115 116${kadmin} \ 117 init \ 118 --realm-max-ticket-life=1day \ 119 --realm-max-renewable-life=1month \ 120 ${R2} || exit 1 121 122${kadmin} \ 123 init \ 124 --realm-max-ticket-life=1day \ 125 --realm-max-renewable-life=1month \ 126 ${R3} || exit 1 127 128${kadmin} \ 129 init \ 130 --realm-max-ticket-life=1day \ 131 --realm-max-renewable-life=1month \ 132 ${R4} || exit 1 133 134${kadmin5} \ 135 init \ 136 --realm-max-ticket-life=1day \ 137 --realm-max-renewable-life=1month \ 138 ${R5} || exit 1 139 140${kadmin} \ 141 init \ 142 --realm-max-ticket-life=1day \ 143 --realm-max-renewable-life=1month \ 144 ${R6} || exit 1 145 146${kadmin} \ 147 init \ 148 --realm-max-ticket-life=1day \ 149 --realm-max-renewable-life=1month \ 150 ${R7} || exit 1 151 152${kadmin} \ 153 init \ 154 --realm-max-ticket-life=1day \ 155 --realm-max-renewable-life=1month \ 156 ${R8} || exit 1 157 158${kadmin} \ 159 init \ 160 --realm-max-ticket-life=1day \ 161 --realm-max-renewable-life=1month \ 162 ${H1} || exit 1 163 164${kadmin} \ 165 init \ 166 --realm-max-ticket-life=1day \ 167 --realm-max-renewable-life=1month \ 168 ${H2} || exit 1 169 170${kadmin} \ 171 init \ 172 --realm-max-ticket-life=1day \ 173 --realm-max-renewable-life=1month \ 174 ${H3} || exit 1 175 176${kadmin} \ 177 init \ 178 --realm-max-ticket-life=1day \ 179 --realm-max-renewable-life=1month \ 180 ${H4} || exit 1 181 182${kadmin} \ 183 init \ 184 --realm-max-ticket-life=1day \ 185 --realm-max-renewable-life=1month \ 186 ${RH} || exit 1 187 188${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 189${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 190${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 191${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 192 193${kadmin} add -p foo --use-defaults foo@${R} || exit 1 194${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1 195${kadmin} add -p foo --use-defaults foo@${R2} || exit 1 196${kadmin} add -p foo --use-defaults foo@${R3} || exit 1 197${kadmin} add -p foo --use-defaults foo@${R4} || exit 1 198${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1 199${kadmin} add -p foo --use-defaults foo@${R6} || exit 1 200${kadmin} add -p foo --use-defaults foo@${R7} || exit 1 201${kadmin} add -p foo --use-defaults foo@${R8} || exit 1 202${kadmin} add -p foo --use-defaults foo@${H1} || exit 1 203${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1 204${kadmin} add -p foo --use-defaults foo@${H2} || exit 1 205${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1 206${kadmin} add -p foo --use-defaults foo@${H3} || exit 1 207${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1 208${kadmin} add -p foo --use-defaults foo@${H4} || exit 1 209${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1 210${kadmin} add -p bar --use-defaults bar@${R} || exit 1 211${kadmin} add -p foo --use-defaults remove@${R} || exit 1 212${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1 213${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1 214${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1 215${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 216${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1 217${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1 218${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1 219${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1 220 221${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1 222${kadmin} add -p foo --use-defaults ${ps} || exit 1 223${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 224${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 225${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 226${kadmin} ext -k ${keytab} ${ps} || exit 1 227 228${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 229${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 230${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1 231${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1 232${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1 233${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1 234${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} 235${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 236 237${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1 238${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1 239${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} 240 241${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 242${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 243 244${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1 245${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} || exit 1 246 247${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} || exit 1 248${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} || exit 1 249 250${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} || exit 1 251${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} || exit 1 252 253${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} || exit 1 254${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} || exit 1 255 256${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} || exit 1 257${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} || exit 1 258 259${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1 260${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1 261 262${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1 263${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1 264 265${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1 266${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1 267 268${kadmin} add -p cross1 --use-defaults krbtgt/${H2}@${R} || exit 1 269${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H2} || exit 1 270 271${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H2} || exit 1 272${kadmin} add -p cross2 --use-defaults krbtgt/${H2}@${H3} || exit 1 273 274${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H4} || exit 1 275${kadmin} add -p cross2 --use-defaults krbtgt/${H4}@${H3} || exit 1 276 277${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1 278${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1 279 280${kadmin} add -p foo --use-defaults pw-expired@${R} || exit 1 281${kadmin} modify --pw-expiration-time=2012-06-12 pw-expired@${R} || exit 1 282 283${kadmin} add -p foo --use-defaults account-expired@${R} || exit 1 284${kadmin} modify --expiration-time=2012-06-12 account-expired@${R} || exit 1 285 286${kadmin} add -p foo --use-defaults foo@${RH} || exit 1 287 288echo "Check parser" 289${kadmin} add -p foo --use-defaults -- -p || exit 1 290${kadmin} delete -- -p || exit 1 291 292echo "Doing database check" 293${kadmin} check ${R} || exit 1 294${kadmin} check ${R2} || exit 1 295${kadmin} check ${R3} || exit 1 296${kadmin} check ${R4} || exit 1 297${kadmin5} check ${R5} || exit 1 298${kadmin} check ${R6} || exit 1 299${kadmin} check ${R7} || exit 1 300${kadmin} check ${R8} || exit 1 301${kadmin} check ${H1} || exit 1 302${kadmin} check ${H2} || exit 1 303${kadmin} check ${H3} || exit 1 304${kadmin} check ${H4} || exit 1 305 306echo "Extracting enctypes" 307${ktutil} -k ${keytab} list > tempfile || exit 1 308${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ 309 ${EGREP} -v "$server" | # we did cpw for this one 310 awk '$1 !~ /1/ { exit 1 }' || exit 1 311${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ 312 ${EGREP} "$server" | head -1 | 313 awk '$1 !~ /3/ { exit 1 }' || exit 1 314 315 316${kadmin} get foo@${R} > tempfile || exit 1 317enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g'` 318 319enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'` 320enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'` 321 322echo "deleting all but des enctypes on kt-des3 in keytab" 323${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1 324for a in ${enctype_sans_des3} ; do 325 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a 326done 327 328echo "checking globbing keys rules" 329${kadmin} get foo/des3-only@${R} > tempfile || exit 1 330enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'` 331if [ X"$enctypes" != Xdes3-cbc-sha1 ] ; then 332 echo "des3 only is not only des3: $enctypes" 333 exit 1 334fi 335 336${kadmin} get foo/aes-only@${R} > tempfile || exit 1 337enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://' | sed 's/\[[0-9]*\]//g' | sed 's/ //g'` 338if [ X"$enctypes" != Xaes256-cts-hmac-sha1-96 ] ; then 339 echo "aes only is not only aes: $enctypes" 340 exit 1 341fi 342 343 344echo foo > ${objdir}/foopassword 345echo notfoo > ${objdir}/notfoopassword 346 347echo Starting kdc ; > messages.log 348env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \ 349${kdc} --detach --testing || 350 { echo "kdc failed to start"; exit 1; } 351kdcpid=`getpid kdc` 352 353echo Starting kpasswdd; > messages.log 354env ${HEIM_MALLOC_DEBUG} ${kpasswdd} --detach || 355 { echo "kpasswdd failed to start"; exit 1; } 356kpasswddpid=`getpid kpasswdd` 357 358 359trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT 360 361ec=0 362 363echo "Getting client initial tickets with wrong password"; > messages.log 364${kinit} --password-file=${objdir}/notfoopassword \ 365 foo@${R} 2>kinit-log.tmp && \ 366 { ec=1 ; eval "${testfailed}"; } 367grep 'Password incorrect' kinit-log.tmp > /dev/null || \ 368 { ec=1 ; eval "${testfailed}"; } 369echo "Getting client initial tickets"; > messages.log 370${kinit} --password-file=${objdir}/foopassword foo@$R || \ 371 { ec=1 ; eval "${testfailed}"; } 372echo "Doing krbtgt key rollover"; > messages.log 373${kadmin} cpw -r --keepold krbtgt/${R}@${R} || exit 1 374echo "Getting tickets"; > messages.log 375${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 376echo "Listing tickets"; > messages.log 377${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } 378${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 379 { ec=1 ; eval "${testfailed}"; } 380${kdestroy} 381 382echo "Getting client initial tickets (http transport)"; > messages.log 383${kinit} --password-file=${objdir}/foopassword foo@${RH} || \ 384 { ec=1 ; eval "${testfailed}"; } 385${kdestroy} 386 387echo "Testing capaths logic" 388${kinit} --password-file=${objdir}/foopassword \ 389 -e ${aesenctype} -e ${aesenctype} \ 390 foo@$R || \ 391 { ec=1 ; eval "${testfailed}"; } 392 393echo "Getting x-realm tickets with capaths for $R -> $R2" 394${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; } 395echo "Getting x-realm tickets with capaths for $R -> $R3" 396${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; } 397echo "Getting x-realm tickets with capaths for $R -> $R4" 398${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; } 399echo "Getting x-realm tickets with capaths for $R -> $R5" 400${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; } 401echo "Getting x-realm tickets with capaths for $R -> $R6" 402${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; } 403echo "Getting x-realm tickets with capaths for $R -> $R7" 404${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; } 405echo "Should not get x-realm tickets with capaths for $R -> $R8" 406${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; } 407${kdestroy} 408 409echo "Testing capaths logic (reverse order)" 410${kinit} --password-file=${objdir}/foopassword \ 411 -e ${aesenctype} -e ${aesenctype} \ 412 foo@$R || \ 413 { ec=1 ; eval "${testfailed}"; } 414 415echo "Getting x-realm tickets with capaths for $R -> $R4" 416${kgetcred} foo@${R4} || { ec=1 ; eval "${testfailed}"; } 417echo "Getting x-realm tickets with capaths for $R -> $R3" 418${kgetcred} foo@${R3} || { ec=1 ; eval "${testfailed}"; } 419echo "Getting x-realm tickets with capaths for $R -> $R2" 420${kgetcred} foo@${R2} || { ec=1 ; eval "${testfailed}"; } 421echo "Getting x-realm tickets with capaths for $R -> $R7" 422${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; } 423echo "Getting x-realm tickets with capaths for $R -> $R6" 424${kgetcred} foo@${R6} || { ec=1 ; eval "${testfailed}"; } 425echo "Getting x-realm tickets with capaths for $R -> $R5" 426${kgetcred} foo@${R5} || { ec=1 ; eval "${testfailed}"; } 427${kdestroy} 428 429echo "Testing hierarchical referral logic" 430${kinit} --password-file=${objdir}/foopassword \ 431 -e ${aesenctype} -e ${aesenctype} \ 432 foo@${H3} || \ 433 { ec=1 ; eval "${testfailed}"; } 434 435echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H1" 436${kgetcred} --hostbased --canonicalize foo host.${h1} || { ec=1 ; eval "${testfailed}"; } 437fgrep "cross-realm ${H3} -> ${H1} via [${H2}, ${R}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } 438echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $R" 439${kgetcred} --hostbased --canonicalize foo host.${r} || { ec=1 ; eval "${testfailed}"; } 440fgrep "cross-realm ${H3} -> ${R} via [${H2}]" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } 441echo "Getting x-realm tickets with hierarchical referrals for $H3 -> $H2" 442${kgetcred} --hostbased --canonicalize foo host.${h2} || { ec=1 ; eval "${testfailed}"; } 443fgrep "cross-realm ${H3} -> ${H2}" messages.log > /dev/null || { ec=1 ; eval "${testfailed}"; } 444${kdestroy} 445 446echo "Testing multi-hop [capaths] referral logic" 447${kinit} --password-file=${objdir}/foopassword \ 448 -e ${aesenctype} -e ${aesenctype} \ 449 foo@${H4} || \ 450 { ec=1 ; eval "${testfailed}"; } 451 452echo "Getting x-realm tickets with [capaths] referrals for $H4 -> $H1" 453${kgetcred} --hostbased --canonicalize foo/host.${h1}@${H4} || { ec=1 ; eval "${testfailed}"; } 454${kdestroy} 455 456echo "Testing forwardable/renewable flag copying in TGS-REQ" 457${kinit} -f --renewable -r 5d --password-file=${objdir}/foopassword foo@$R || \ 458 { ec=1 ; eval "${testfailed}"; } 459${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 460${klist} -f | grep ${server} | grep FRA > /dev/null || \ 461 { ec=1 ; eval "${testfailed}"; } 462 463echo "Testing strip of forwardable when the server is disallowed in TGS-REQ" 464${kgetcred} sensitive@${R} || { ec=1 ; eval "${testfailed}"; } 465${klist} -f | grep sensitive | grep FRA > /dev/null && \ 466 { ec=1 ; eval "${testfailed}"; } 467 468echo "Specific enctype"; > messages.log 469${kinit} --password-file=${objdir}/foopassword \ 470 -e ${aesenctype} -e ${aesenctype} \ 471 foo@$R || \ 472 { ec=1 ; eval "${testfailed}"; } 473 474for a in $enctypes; do 475 echo "Getting client initial tickets ($a)"; > messages.log 476 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 477 echo "Getting tickets"; > messages.log 478 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 479 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; } 480 ${kdestroy} 481done 482 483 484echo "Getting client initial tickets"; > messages.log 485${kinit} --password-file=${objdir}/foopassword foo@$R || \ 486 { ec=1 ; eval "${testfailed}"; } 487for a in $enctypes; do 488 echo "Getting tickets ($a)"; > messages.log 489 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 490 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 491 { ec=1 ; eval "${testfailed}"; } 492 ${kdestroy} --credential=${server}@${R} 493done 494${kdestroy} 495 496echo "Getting client authenticated anonymous initial tickets"; > messages.log 497${kinit} -n --password-file=${objdir}/foopassword foo@$R || \ 498 { ec=1 ; eval "${testfailed}"; } 499for a in $enctypes; do 500 echo "Getting tickets ($a)"; > messages.log 501 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 502 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 503 { ec=1 ; eval "${testfailed}"; } 504 ${kdestroy} --credential=${server}@${R} 505done 506${kdestroy} 507 508echo "Getting client anonymous service tickets"; > messages.log 509${kinit} --password-file=${objdir}/foopassword foo@$R || \ 510 { ec=1 ; eval "${testfailed}"; } 511for a in $enctypes; do 512 echo "Getting tickets ($a)"; > messages.log 513 ${kgetcred} -n -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 514 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 515 { ec=1 ; eval "${testfailed}"; } 516 ${kdestroy} --credential=${server}@${R} 517done 518${kdestroy} 519 520echo "Getting client initial tickets for cross realm case"; > messages.log 521${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 522for a in $enctypes; do 523 echo "Getting cross realm tickets ($a)"; > messages.log 524 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } 525 echo " checking we we got back right ticket" 526 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 527 echo " checking if ticket is useful" 528 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \ 529 { ec=1 ; eval "${testfailed}"; } 530 ${kdestroy} --credential=${server2}@${R2} 531done 532${kdestroy} 533 534echo "Trying x-realm TGT with kvno 0 case"; 535${kinit} --password-file=${objdir}/foopassword foo@$R || 536 { ec=1 ; eval "${testfailed}"; } 537${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } 538echo "Getting cross realm tickets"; > messages.log 539${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } 540${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } 541echo "Getting service ticket"; > messages.log 542${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } 543${kdestroy} 544 545echo "Trying x-realm TGT with kvno 0 case with key rollover"; 546${kinit} --password-file=${objdir}/foopassword foo@$R || 547 { ec=1 ; eval "${testfailed}"; } 548${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } 549echo "Getting cross realm tickets"; > messages.log 550${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } 551echo "Rolling over cross realm keys"; > messages.log 552${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; } 553${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } 554${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; } 555${test_set_kvno0} || { ec=1 ; eval "${testfailed}"; } 556echo "Getting service ticket"; > messages.log 557echo "Start tracing kdc, then hit return" 558${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } 559${kdestroy} 560 561echo "Trying x-realm TGT with no kvno case"; 562${kinit} --password-file=${objdir}/foopassword foo@$R || 563 { ec=1 ; eval "${testfailed}"; } 564${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } 565echo "Getting cross realm tickets"; > messages.log 566${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } 567${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } 568echo "Getting service ticket"; > messages.log 569${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } 570${kdestroy} 571 572echo "Trying x-realm TGT with no kvno case with key rollover"; 573${kinit} --password-file=${objdir}/foopassword foo@$R || 574 { ec=1 ; eval "${testfailed}"; } 575${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } 576echo "Getting cross realm tickets"; > messages.log 577${kgetcred} krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } 578echo "Rolling over cross realm keys"; > messages.log 579${kadmin} cpw -r --keepold krbtgt/${R}@${R} || { ec=1 ; eval "${testfailed}"; } 580${kadmin} cpw -r --keepold krbtgt/${R2}@${R} || { ec=1 ; eval "${testfailed}"; } 581${kadmin} cpw -r --keepold krbtgt/${R}@${R2} || { ec=1 ; eval "${testfailed}"; } 582${test_set_kvno0} -n || { ec=1 ; eval "${testfailed}"; } 583echo "Getting service ticket"; > messages.log 584echo "Start tracing kdc, then hit return" 585${kgetcred} ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } 586${kdestroy} 587 588echo "try all permutations"; > messages.log 589for a in $enctypes; do 590 echo "Getting client initial tickets ($a)"; > messages.log 591 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \ 592 { ec=1 ; eval "${testfailed}"; } 593 for b in $enctypes; do 594 echo "Getting tickets ($a -> $b)"; > messages.log 595 ${kgetcred} -e $b ${server}@${R} || \ 596 { ec=1 ; eval "${testfailed}"; } 597 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 598 { ec=1 ; eval "${testfailed}"; } 599 ${kdestroy} --credential=${server}@${R} 600 done 601 ${kdestroy} 602done 603 604echo "Getting client initial tickets ip based name"; > messages.log 605${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 606echo "Getting ip based name tickets"; > messages.log 607${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; } 608echo " checking we we got back right ticket" 609${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 610echo " checking if ticket is useful" 611${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \ 612 { ec=1 ; eval "${testfailed}"; } 613${kdestroy} 614 615echo "Getting client initial tickets ip based name (alias)"; > messages.log 616${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 617for a in ${serveripname} ${serveripname2} ; do 618 echo "Getting ip based name tickets (alias) $a"; > messages.log 619 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; } 620 echo " checking we we got back right ticket" 621 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 622 echo " checking if ticket is useful" 623 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \ 624 { ec=1 ; eval "${testfailed}"; } 625done 626${kdestroy} 627 628echo "Getting server initial tickets"; > messages.log 629${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; } 630echo "Listing tickets"; > messages.log 631${klist} | grep "Principal: ${server}" > /dev/null || \ 632 { ec=1 ; eval "${testfailed}"; } 633${kdestroy} 634 635echo "Getting key for key that are a subset in keytab compared to kdb" 636${kinit} --keytab=${keytab} kt-des3@${R} 637${klist} | grep "Principal: kt-des3" > /dev/null || \ 638 { ec=1 ; eval "${testfailed}"; } 639${kdestroy} 640 641echo "initial tickets for deleted user test case"; > messages.log 642${kinit} --password-file=${objdir}/foopassword remove@$R || \ 643 { ec=1 ; eval "${testfailed}"; } 644${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; } 645echo "try getting ticket with deleted user"; > messages.log 646${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; } 647${kdestroy} 648 649echo "cross realm case (deleted user)"; > messages.log 650${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \ 651 { ec=1 ; eval "${testfailed}"; } 652${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \ 653 { ec=1 ; eval "${testfailed}"; } 654${kadmin} delete remove2@${R2} || exit 1 655${kgetcred} ${server}@${R} 2> /dev/null || \ 656 { ec=1 ; eval "${testfailed}"; } 657${kdestroy} 658 659echo "rename user"; > messages.log 660${kadmin} add -p foo --use-defaults rename@${R} || exit 1 661${kinit} --password-file=${objdir}/foopassword rename@${R} || \ 662 { ec=1 ; eval "${testfailed}"; } 663${kadmin} rename rename@${R} rename2@${R} || exit 1 664${kinit} --password-file=${objdir}/foopassword rename2@${R} || \ 665 { ec=1 ; eval "${testfailed}"; } 666${kdestroy} 667${kadmin} delete rename2@${R} || exit 1 668 669echo "rename user to another realm"; > messages.log 670${kadmin} add -p foo --use-defaults rename@${R} || exit 1 671${kinit} --password-file=${objdir}/foopassword rename@${R} || \ 672 { ec=1 ; eval "${testfailed}"; } 673${kadmin} rename rename@${R} rename@${R2} || exit 1 674${kinit} --password-file=${objdir}/foopassword rename@${R2} || \ 675 { ec=1 ; eval "${testfailed}"; } 676${kdestroy} 677${kadmin} delete rename@${R2} || exit 1 678 679echo deleting all but aes enctypes on krbtgt 680${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1 681 682echo deleting all but des enctypes on server-des3 683${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1 684${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1 685 686echo "try all permutations (only aes)"; > messages.log 687for a in $enctypes; do 688 echo "Getting client initial tickets ($a)"; > messages.log 689 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\ 690 { ec=1 ; eval "${testfailed}"; } 691 for b in $enctypes; do 692 echo "Getting tickets ($a -> $b)"; > messages.log 693 ${kgetcred} -e $b ${server}@${R} || \ 694 { ec=1 ; eval "${testfailed}"; } 695 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 696 { ec=1 ; eval "${testfailed}"; } 697 698 echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log 699 ${kgetcred} ${server}-des3@${R} || \ 700 { ec=1 ; eval "${testfailed}"; } 701 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \ 702 { ec=1 ; eval "${testfailed}"; } 703 704 ${kdestroy} --credential=${server}@${R} 705 ${kdestroy} --credential=${server}-des3@${R} 706 done 707 ${kdestroy} 708done 709 710echo deleting all enctypes on krbtgt 711${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ 712 { ec=1 ; eval "${testfailed}"; } 713echo "try initial ticket w/o and keys on krbtgt" 714${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \ 715 { ec=1 ; eval "${testfailed}"; } 716echo "adding random aes key" 717${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ 718 { ec=1 ; eval "${testfailed}"; } 719echo "try initial ticket with random aes key on krbtgt" 720${kinit} --password-file=${objdir}/foopassword foo@${R} || \ 721 { ec=1 ; eval "${testfailed}"; } 722${kdestroy} 723 724rsa=yes 725ecdsa=yes 726pkinit=no 727if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then 728 rsa=no 729fi 730if ${hxtool} info | grep 'rand: not available' > /dev/null ; then 731 rsa=no 732fi 733if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then 734 pkinit=yes 735fi 736 737if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then 738 ecdsa=no 739fi 740 741 742# If we support pkinit and have RSA, lets try that 743if test "$pkinit" = yes -a "$rsa" = yes ; then 744 745 echo "try anonymous pkinit"; > messages.log 746 ${kinit} --renewable -n @${R} || \ 747 { ec=1 ; eval "${testfailed}"; } 748 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 749 ${kinit} --renew || { ec=1 ; eval "${testfailed}"; } 750 ${kdestroy} 751 752 for type in "" "--pk-use-enckey"; do 753 echo "Trying pk-init (principal in certificate) $type"; > messages.log 754 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \ 755 { ec=1 ; eval "${testfailed}"; } 756 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 757 ${kdestroy} 758 759 echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log 760 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \ 761 { ec=1 ; eval "${testfailed}"; } 762 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 763 ${kdestroy} 764 765 echo "Trying pk-init (password protected key) $type"; > messages.log 766 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \ 767 { ec=1 ; eval "${testfailed}"; } 768 ${kgetcred} ${server}@${R} || \ 769 { ec=1 ; eval "${testfailed}"; } 770 ${kdestroy} 771 772 echo "Trying pk-init (proxy cert) $type"; > messages.log 773 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \ 774 { ec=1 ; eval "${testfailed}"; } 775 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 776 ${kdestroy} 777 778 done 779 780 if test "$ecdsa" = yes > /dev/null ; then 781 echo "Trying pk-init (ec certificate)" 782 > messages.log 783 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \ 784 { ec=1 ; eval "${testfailed}"; } 785 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 786 ${kdestroy} 787 grep 'PK-INIT using ecdh' messages.log > /dev/null || \ 788 { ec=1 ; eval "${testfailed}"; } 789 fi 790 791else 792 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log 793fi 794 795echo "test impersonate using rc4 based tgt"; > messages.log 796${kinit} -e arcfour-hmac-md5 --forwardable --password-file=${objdir}/foopassword ${ps} || \ 797 { ec=1 ; eval "${testfailed}"; } 798${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ 799 { ec=1 ; eval "${testfailed}"; } 800${test_ap_req} ${ps} ${keytab} ${ocache} || \ 801 { ec=1 ; eval "${testfailed}"; } 802 803echo "tickets for impersonate test case"; > messages.log 804${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \ 805 { ec=1 ; eval "${testfailed}"; } 806${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ 807 { ec=1 ; eval "${testfailed}"; } 808${test_ap_req} ${ps} ${keytab} ${ocache} || \ 809 { ec=1 ; eval "${testfailed}"; } 810echo " negative check" 811${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \ 812 { ec=1 ; eval "${testfailed}"; } 813 814echo "test impersonate unknown client"; > messages.log 815${kgetcred_imp} --forward --impersonate=unknown@${R} ${ps} && \ 816 { ec=1 ; eval "${testfailed}"; } 817 818echo "test impersonate account-expired client"; > messages.log 819${kgetcred_imp} --forward --impersonate=account-expired@${R} ${ps} && \ 820 { ec=1 ; eval "${testfailed}"; } 821 822echo "test impersonate pw-expired client"; > messages.log 823${kgetcred_imp} --forward --impersonate=pw-expired@${R} ${ps} || \ 824 { ec=1 ; eval "${testfailed}"; } 825 826echo "test delegate sensitive client"; > messages.log 827${kgetcred_imp} --forward --impersonate=sensitive@${R} ${ps} || \ 828 { ec=1 ; eval "${testfailed}"; } 829${kgetcred} \ 830 --out-cache=${o2cache} \ 831 --delegation-credential-cache=${ocache} \ 832 ${server}@${R} && \ 833 { ec=1 ; eval "${testfailed}"; } 834 835echo "test constrained delegation"; > messages.log 836${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \ 837 { ec=1 ; eval "${testfailed}"; } 838${kgetcred} \ 839 --out-cache=${o2cache} \ 840 --delegation-credential-cache=${ocache} \ 841 ${server}@${R} || \ 842 { ec=1 ; eval "${testfailed}"; } 843echo " try using the credential" 844${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ 845 { ec=1 ; eval "${testfailed}"; } 846echo " negative check" 847${kgetcred} \ 848 --out-cache=${o2cache} \ 849 --delegation-credential-cache=${ocache} \ 850 bar@${R} 2>/dev/null && \ 851 { ec=1 ; eval "${testfailed}"; } 852 853echo "test constrained delegation impersonation (non forward)"; > messages.log 854rm -f ocache.krb5 855${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \ 856 { ec=1 ; eval "${testfailed}"; } 857${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ 858 { ec=1 ; eval "${testfailed}"; } 859 860echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log 861rm -f ocache.krb5 862${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \ 863 { ec=1 ; eval "${testfailed}"; } 864${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ 865 { ec=1 ; eval "${testfailed}"; } 866 867${kdestroy} 868 869echo "check renewing" > messages.log 870${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ 871 { ec=1 ; eval "${testfailed}"; } 872echo "kinit -R" 873${kinit} -R || \ 874 { ec=1 ; eval "${testfailed}"; } 875echo "check renewing MIT interface" > messages.log 876${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ 877 { ec=1 ; eval "${testfailed}"; } 878echo "test_renew" 879env KRB5CCNAME=${cache} ${test_renew} || \ 880 { ec=1 ; eval "${testfailed}"; } 881${kdestroy} 882 883echo "checking server aliases"; > messages.log 884${kinit} --password-file=${objdir}/foopassword foo@$R || \ 885 { ec=1 ; eval "${testfailed}"; } 886echo "Getting tickets"; > messages.log 887${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; } 888${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; } 889echo " verify entry in keytab" 890${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \ 891 { ec=1 ; eval "${testfailed}"; } 892echo " verify entry in keytab with any" 893${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \ 894 { ec=1 ; eval "${testfailed}"; } 895echo " verify failure with alias entry" 896${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \ 897 { ec=1 ; eval "${testfailed}"; } 898echo " verify alias entry in keytab with any" 899${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \ 900 { ec=1 ; eval "${testfailed}"; } 901${kdestroy} 902 903echo "testing removal of keytab" 904${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; } 905test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; } 906 907echo "Checking client pw expire"; > messages.log 908${kinit} --password-file=${objdir}/foopassword \ 909 pw-expire@${R} 2>kinit-log.tmp|| \ 910 { ec=1 ; eval "${testfailed}"; } 911grep 'Your password will expire' kinit-log.tmp > /dev/null || \ 912 { ec=1 ; eval "${testfailed}"; } 913echo " kinit passes" 914${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null 915${EGREP} "^e type: 6" kinit-log.tmp > /dev/null || \ 916 { ec=1 ; eval "${testfailed}"; } 917echo " test_gic passes" 918${kdestroy} 919 920echo "Checking password expiration" ; > messages.log 921 922kinitpty=${objdir}/foopassword.rkpty 923cat > ${kinitpty} <<EOF 924expect Password 925password foo\n 926expect Password has expired 927expect New password 928password Foobar11\n 929expect password 930password Foobar11\n 931expect Success: Password changed 932EOF 933 934echo "Checking client pw expire"; > messages.log 935${rkpty} ${kinitpty} ${kinit} pw-expired@${R}|| \ 936 { ec=1 ; eval "${testfailed}"; } 937 938${kdestroy} 939 940 941echo "killing kdc (${kdcpid}) kpasswdd (${kpasswddpid})" 942sh ${leaks_kill} kdc $kdcpid || exit 1 943sh ${leaks_kill} kpasswdd $kpasswddpid || exit 1 944 945trap "" EXIT 946 947exit $ec 948