Diffstat (limited to 'tests/kdc')
-rw-r--r-- | tests/kdc/Makefile.am | 159 | ||||
-rw-r--r-- | tests/kdc/Makefile.in | 971 | ||||
-rw-r--r-- | tests/kdc/ap-req.c | 221 | ||||
-rw-r--r-- | tests/kdc/check-digest.in | 295 | ||||
-rw-r--r-- | tests/kdc/check-iprop.in | 248 | ||||
-rw-r--r-- | tests/kdc/check-kadmin.in | 151 | ||||
-rw-r--r-- | tests/kdc/check-kdc.in | 413 | ||||
-rw-r--r-- | tests/kdc/check-keys.in | 101 | ||||
-rw-r--r-- | tests/kdc/check-pkinit.in | 273 | ||||
-rw-r--r-- | tests/kdc/check-referral.in | 200 | ||||
-rw-r--r-- | tests/kdc/check-uu.in | 138 | ||||
-rw-r--r-- | tests/kdc/donotexists.txt | 1 | ||||
-rw-r--r-- | tests/kdc/heimdal.acl | 3 | ||||
-rw-r--r-- | tests/kdc/iprop-acl | 1 | ||||
-rw-r--r-- | tests/kdc/krb5-pkinit.conf.in | 33 | ||||
-rw-r--r-- | tests/kdc/krb5.conf.in | 56 | ||||
-rw-r--r-- | tests/kdc/krb5.conf.keys.in | 13 | ||||
-rw-r--r-- | tests/kdc/ntlm-user-file.txt | 2 | ||||
-rw-r--r-- | tests/kdc/pki-mapping | 3 | ||||
-rw-r--r-- | tests/kdc/uuserver.txt | 4 | ||||
-rw-r--r-- | tests/kdc/wait-kdc.sh | 66 |
21 files changed, 3352 insertions, 0 deletions
diff --git a/tests/kdc/Makefile.am b/tests/kdc/Makefile.am
new file mode 100644
index 000000000000..b22386ae8610
--- /dev/null
+++ b/tests/kdc/Makefile.am
@@ -0,0 +1,159 @@
+# $Id: Makefile.am 22447 2008-01-15 06:05:17Z lha $
+
+include $(top_srcdir)/Makefile.am.common
+
+noinst_DATA = \
+ krb5.conf \
+ krb5-pkinit.conf \
+ krb5-pkinit-win.conf \
+ krb5-slave.conf
+
+check_PROGRAMS = ap-req
+check_SCRIPTS = $(SCRIPT_TESTS)
+
+SCRIPT_TESTS = \
+ check-digest \
+ check-kadmin \
+ check-kdc \
+ check-keys \
+ check-pkinit \
+ check-iprop \
+ check-referral \
+ check-uu
+
+TESTS = $(SCRIPT_TESTS)
+
+port = 49188
+admport = 49189
+
+if HAVE_DLOPEN
+do_dlopen = -e 's,[@]DLOPEN[@],true,g'
+else
+do_dlopen = -e 's,[@]DLOPEN[@],false,g'
+endif
+
+do_subst = sed $(do_dlopen) \
+ -e 's,[@]srcdir[@],$(srcdir),g' \
+ -e 's,[@]port[@],$(port),g' \
+ -e 's,[@]admport[@],$(admport),g' \
+ -e 's,[@]objdir[@],$(top_builddir)/tests/kdc,g' \
+ -e 's,[@]EGREP[@],$(EGREP),g'
+
+LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken)
+
+check-kdc: check-kdc.in Makefile
+ $(do_subst) < $(srcdir)/check-kdc.in > check-kdc.tmp
+ chmod +x check-kdc.tmp
+ mv check-kdc.tmp check-kdc
+
+check-keys: check-keys.in Makefile
+ $(do_subst) < $(srcdir)/check-keys.in > check-keys.tmp
+ chmod +x check-keys.tmp
+ mv check-keys.tmp check-keys
+
+check-kadmin: check-kadmin.in Makefile
+ $(do_subst) < $(srcdir)/check-kadmin.in > check-kadmin.tmp
+ chmod +x check-kadmin.tmp
+ mv check-kadmin.tmp check-kadmin
+
+check-uu: check-uu.in Makefile
+ $(do_subst) < $(srcdir)/check-uu.in > check-uu.tmp
+ chmod +x check-uu.tmp
+ mv check-uu.tmp check-uu
+
+check-pkinit: check-pkinit.in Makefile krb5-pkinit.conf
+ $(do_subst) < $(srcdir)/check-pkinit.in > check-pkinit.tmp
+ chmod +x check-pkinit.tmp
+ mv check-pkinit.tmp check-pkinit
+
+check-iprop: check-iprop.in Makefile krb5.conf krb5-slave.conf
+ $(do_subst) < $(srcdir)/check-iprop.in > check-iprop.tmp
+ chmod +x check-iprop.tmp
+ mv check-iprop.tmp check-iprop
+
+check-digest: check-digest.in Makefile
+ $(do_subst) < $(srcdir)/check-digest.in > check-digest.tmp
+ chmod +x check-digest.tmp
+ mv check-digest.tmp check-digest
+
+check-referral: check-referral.in Makefile
+ $(do_subst) < $(srcdir)/check-referral.in > check-referral.tmp
+ chmod +x check-referral.tmp
+ mv check-referral.tmp check-referral
+
+krb5.conf: krb5.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp
+ mv krb5.conf.tmp krb5.conf
+
+krb5-slave.conf: krb5.conf.in Makefile
+ $(do_subst) \
+ -e 's,[@]kdc[@],.slave,g' < $(srcdir)/krb5.conf.in > krb5-slave.conf.tmp
+ mv krb5-slave.conf.tmp krb5-slave.conf
+
+krb5-pkinit.conf: krb5-pkinit.conf.in Makefile
+ $(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit.conf.tmp
+ mv krb5-pkinit.conf.tmp krb5-pkinit.conf
+
+krb5-pkinit-win.conf: krb5-pkinit.conf.in Makefile
+ $(do_subst) -e 's,[@]w2k[@],yes,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit-win.conf.tmp
+ mv krb5-pkinit-win.conf.tmp krb5-pkinit-win.conf
+
+CLEANFILES= \
+ $(TESTS) \
+ iprop-stats \
+ barpassword \
+ cache.krb5 \
+ cdigest-reply \
+ *.tmp \
+ client-cache \
+ current-db* \
+ current*.log \
+ iprop.keytab \
+ digest-reply \
+ foopassword \
+ krb5.conf \
+ krb5-slave.conf \
+ krb5-pkinit.conf \
+ krb5-pkinit-win.conf \
+ krb5.conf.keys \
+ signal \
+ messages.log \
+ o2cache.krb5 \
+ o2digest-reply \
+ ocache.krb5 \
+ s2digest-reply \
+ sdigest-init \
+ sdigest-reply \
+ server.keytab \
+ req-pkinit.der \
+ req-pkinit2.der \
+ req-kdc.der \
+ pkinit.crt \
+ pkinit2.crt \
+ pkinit3.crt \
+ kdc.crt \
+ ca.crt \
+ uuserver.log \
+ tempfile \
+ test-rc-file.rc
+
+EXTRA_DIST = \
+ check-kadmin.in \
+ check-kdc.in \
+ check-keys.in \
+ check-referral.in \
+ check-uu.in \
+ check-pkinit.in \
+ check-iprop.in \
+ check-digest.in \
+ heimdal.acl \
+ krb5.conf.in \
+ krb5.conf.keys.in \
+ krb5-pkinit.conf.in \
+ iprop-acl \
+ wait-kdc.sh \
+ pki-mapping \
+ ntlm-user-file.txt \
+ uuserver.txt \
+ donotexists.txt
diff --git a/tests/kdc/Makefile.in b/tests/kdc/Makefile.in
new file mode 100644
index 000000000000..cf6f6d8489cc
--- /dev/null
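Review bot: `port = 49188` and `admport = 49189` are fixed values inside the IANA dynamic port range (49152–65535), so an unrelated socket or a second `make check` on the same host may already hold them; the substituted check-* scripts would then fail, or, depending on how they probe the KDC (not visible in this hunk), could end up talking to a listener they did not start. Because the generated scripts depend only on their `.in` file and `Makefile`, overriding `port=` on the make command line does not regenerate them. I would at least document the constraint above the assignments, e.g. `# Test KDC/kadmin ports: must be free on the build host; concurrent check runs on one host collide.` A smaller point in `do_subst`: the sed expressions use `,` as the delimiter, so a `$(srcdir)` or `$(top_builddir)` containing a comma or `&` breaks the substitution.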
+++ b/tests/kdc/Makefile.in 
@@ -0,0 +1,971 @@ +# Makefile.in generated by automake 1.10 from Makefile.am. +# @configure_input@ + +# Copyright (C) 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, +# 2003, 2004, 2005, 2006 Free Software Foundation, Inc. +# This Makefile.in is free software; the Free Software Foundation +# gives unlimited permission to copy and/or distribute it, +# with or without modifications, as long as this notice is preserved. + +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY, to the extent permitted by law; without +# even the implied warranty of MERCHANTABILITY or FITNESS FOR A +# PARTICULAR PURPOSE. + +@SET_MAKE@ + +# $Id: Makefile.am 22447 2008-01-15 06:05:17Z lha $ + +# $Id: Makefile.am.common 10998 2002-05-19 18:35:37Z joda $ + +# $Id: Makefile.am.common 22488 2008-01-21 11:47:22Z lha $ + +VPATH = @srcdir@ +pkgdatadir = $(datadir)/@PACKAGE@ +pkglibdir = $(libdir)/@PACKAGE@ +pkgincludedir = $(includedir)/@PACKAGE@ +am__cd = CDPATH="$${ZSH_VERSION+.}$(PATH_SEPARATOR)" && cd +install_sh_DATA = $(install_sh) -c -m 644 +install_sh_PROGRAM = $(install_sh) -c +install_sh_SCRIPT = $(install_sh) -c +INSTALL_HEADER = $(INSTALL_DATA) +transform = $(program_transform_name) +NORMAL_INSTALL = : +PRE_INSTALL = : +POST_INSTALL = : +NORMAL_UNINSTALL = : +PRE_UNINSTALL = : +POST_UNINSTALL = : +build_triplet = @build@ +host_triplet = @host@ +DIST_COMMON = $(srcdir)/Makefile.am $(srcdir)/Makefile.in \ + $(top_srcdir)/Makefile.am.common \ + $(top_srcdir)/cf/Makefile.am.common +check_PROGRAMS = ap-req$(EXEEXT) +subdir = tests/kdc +ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 +am__aclocal_m4_deps = $(top_srcdir)/cf/aix.m4 \ + $(top_srcdir)/cf/auth-modules.m4 $(top_srcdir)/cf/autobuild.m4 \ + $(top_srcdir)/cf/broken-getaddrinfo.m4 \ + $(top_srcdir)/cf/broken-glob.m4 \ + $(top_srcdir)/cf/broken-realloc.m4 \ + $(top_srcdir)/cf/broken-snprintf.m4 $(top_srcdir)/cf/broken.m4 \ + $(top_srcdir)/cf/broken2.m4 $(top_srcdir)/cf/c-attribute.m4 \ + 
$(top_srcdir)/cf/capabilities.m4 \ + $(top_srcdir)/cf/check-compile-et.m4 \ + $(top_srcdir)/cf/check-getpwnam_r-posix.m4 \ + $(top_srcdir)/cf/check-man.m4 \ + $(top_srcdir)/cf/check-netinet-ip-and-tcp.m4 \ + $(top_srcdir)/cf/check-type-extra.m4 \ + $(top_srcdir)/cf/check-var.m4 $(top_srcdir)/cf/check-x.m4 \ + $(top_srcdir)/cf/check-xau.m4 $(top_srcdir)/cf/crypto.m4 \ + $(top_srcdir)/cf/db.m4 $(top_srcdir)/cf/destdirs.m4 \ + $(top_srcdir)/cf/dlopen.m4 \ + $(top_srcdir)/cf/find-func-no-libs.m4 \ + $(top_srcdir)/cf/find-func-no-libs2.m4 \ + $(top_srcdir)/cf/find-func.m4 \ + $(top_srcdir)/cf/find-if-not-broken.m4 \ + $(top_srcdir)/cf/framework-security.m4 \ + $(top_srcdir)/cf/have-struct-field.m4 \ + $(top_srcdir)/cf/have-type.m4 $(top_srcdir)/cf/irix.m4 \ + $(top_srcdir)/cf/krb-bigendian.m4 \ + $(top_srcdir)/cf/krb-func-getlogin.m4 \ + $(top_srcdir)/cf/krb-ipv6.m4 $(top_srcdir)/cf/krb-prog-ln-s.m4 \ + $(top_srcdir)/cf/krb-readline.m4 \ + $(top_srcdir)/cf/krb-struct-spwd.m4 \ + $(top_srcdir)/cf/krb-struct-winsize.m4 \ + $(top_srcdir)/cf/largefile.m4 $(top_srcdir)/cf/mips-abi.m4 \ + $(top_srcdir)/cf/misc.m4 $(top_srcdir)/cf/need-proto.m4 \ + $(top_srcdir)/cf/osfc2.m4 $(top_srcdir)/cf/otp.m4 \ + $(top_srcdir)/cf/proto-compat.m4 $(top_srcdir)/cf/pthreads.m4 \ + $(top_srcdir)/cf/resolv.m4 $(top_srcdir)/cf/retsigtype.m4 \ + $(top_srcdir)/cf/roken-frag.m4 \ + $(top_srcdir)/cf/socket-wrapper.m4 $(top_srcdir)/cf/sunos.m4 \ + $(top_srcdir)/cf/telnet.m4 $(top_srcdir)/cf/test-package.m4 \ + $(top_srcdir)/cf/version-script.m4 $(top_srcdir)/cf/wflags.m4 \ + $(top_srcdir)/cf/win32.m4 $(top_srcdir)/cf/with-all.m4 \ + $(top_srcdir)/acinclude.m4 $(top_srcdir)/configure.in +am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ + $(ACLOCAL_M4) +mkinstalldirs = $(install_sh) -d +CONFIG_HEADER = $(top_builddir)/include/config.h +CONFIG_CLEAN_FILES = +ap_req_SOURCES = ap-req.c +ap_req_OBJECTS = ap-req.$(OBJEXT) +ap_req_LDADD = $(LDADD) +am__DEPENDENCIES_1 = 
+ap_req_DEPENDENCIES = ../../lib/krb5/libkrb5.la $(am__DEPENDENCIES_1) +DEFAULT_INCLUDES = -I. -I$(top_builddir)/include@am__isrc@ +depcomp = +am__depfiles_maybe = +COMPILE = $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(AM_CPPFLAGS) \ + $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +LTCOMPILE = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) \ + $(AM_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) +CCLD = $(CC) +LINK = $(LIBTOOL) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) \ + --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) $(AM_LDFLAGS) \ + $(LDFLAGS) -o $@ +SOURCES = ap-req.c +DIST_SOURCES = ap-req.c +DATA = $(noinst_DATA) +ETAGS = etags +CTAGS = ctags +DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) +ACLOCAL = @ACLOCAL@ +AIX_EXTRA_KAFS = @AIX_EXTRA_KAFS@ +AMTAR = @AMTAR@ +AR = @AR@ +AUTOCONF = @AUTOCONF@ +AUTOHEADER = @AUTOHEADER@ +AUTOMAKE = @AUTOMAKE@ +AWK = @AWK@ +CANONICAL_HOST = @CANONICAL_HOST@ +CATMAN = @CATMAN@ +CATMANEXT = @CATMANEXT@ +CC = @CC@ +CFLAGS = @CFLAGS@ +COMPILE_ET = @COMPILE_ET@ +CPP = @CPP@ +CPPFLAGS = @CPPFLAGS@ +CXX = @CXX@ +CXXCPP = @CXXCPP@ +CXXFLAGS = @CXXFLAGS@ +CYGPATH_W = @CYGPATH_W@ +DBLIB = @DBLIB@ +DEFS = @DEFS@ +DIR_com_err = @DIR_com_err@ +DIR_hcrypto = @DIR_hcrypto@ +DIR_hdbdir = @DIR_hdbdir@ +DIR_roken = @DIR_roken@ +ECHO = @ECHO@ +ECHO_C = @ECHO_C@ +ECHO_N = @ECHO_N@ +ECHO_T = @ECHO_T@ +EGREP = @EGREP@ +EXEEXT = @EXEEXT@ +F77 = @F77@ +FFLAGS = @FFLAGS@ +GREP = @GREP@ +GROFF = @GROFF@ +INCLUDES_roken = @INCLUDES_roken@ +INCLUDE_hcrypto = @INCLUDE_hcrypto@ +INCLUDE_hesiod = @INCLUDE_hesiod@ +INCLUDE_krb4 = @INCLUDE_krb4@ +INCLUDE_openldap = @INCLUDE_openldap@ +INCLUDE_readline = @INCLUDE_readline@ +INSTALL = @INSTALL@ +INSTALL_DATA = @INSTALL_DATA@ +INSTALL_PROGRAM = @INSTALL_PROGRAM@ +INSTALL_SCRIPT = @INSTALL_SCRIPT@ +INSTALL_STRIP_PROGRAM = @INSTALL_STRIP_PROGRAM@ +LDFLAGS = @LDFLAGS@ +LDFLAGS_VERSION_SCRIPT = @LDFLAGS_VERSION_SCRIPT@ +LEX = @LEX@ 
+LEXLIB = @LEXLIB@ +LEX_OUTPUT_ROOT = @LEX_OUTPUT_ROOT@ +LIBADD_roken = @LIBADD_roken@ +LIBOBJS = @LIBOBJS@ +LIBS = @LIBS@ +LIBTOOL = @LIBTOOL@ +LIB_AUTH_SUBDIRS = @LIB_AUTH_SUBDIRS@ +LIB_NDBM = @LIB_NDBM@ +LIB_XauFileName = @LIB_XauFileName@ +LIB_XauReadAuth = @LIB_XauReadAuth@ +LIB_XauWriteAuth = @LIB_XauWriteAuth@ +LIB_bswap16 = @LIB_bswap16@ +LIB_bswap32 = @LIB_bswap32@ +LIB_com_err = @LIB_com_err@ +LIB_com_err_a = @LIB_com_err_a@ +LIB_com_err_so = @LIB_com_err_so@ +LIB_crypt = @LIB_crypt@ +LIB_db_create = @LIB_db_create@ +LIB_dbm_firstkey = @LIB_dbm_firstkey@ +LIB_dbopen = @LIB_dbopen@ +LIB_dlopen = @LIB_dlopen@ +LIB_dn_expand = @LIB_dn_expand@ +LIB_door_create = @LIB_door_create@ +LIB_el_init = @LIB_el_init@ +LIB_freeaddrinfo = @LIB_freeaddrinfo@ +LIB_gai_strerror = @LIB_gai_strerror@ +LIB_getaddrinfo = @LIB_getaddrinfo@ +LIB_gethostbyname = @LIB_gethostbyname@ +LIB_gethostbyname2 = @LIB_gethostbyname2@ +LIB_getnameinfo = @LIB_getnameinfo@ +LIB_getpwnam_r = @LIB_getpwnam_r@ +LIB_getsockopt = @LIB_getsockopt@ +LIB_hcrypto = @LIB_hcrypto@ +LIB_hcrypto_a = @LIB_hcrypto_a@ +LIB_hcrypto_appl = @LIB_hcrypto_appl@ +LIB_hcrypto_so = @LIB_hcrypto_so@ +LIB_hesiod = @LIB_hesiod@ +LIB_hstrerror = @LIB_hstrerror@ +LIB_kdb = @LIB_kdb@ +LIB_krb4 = @LIB_krb4@ +LIB_loadquery = @LIB_loadquery@ +LIB_logout = @LIB_logout@ +LIB_logwtmp = @LIB_logwtmp@ +LIB_openldap = @LIB_openldap@ +LIB_openpty = @LIB_openpty@ +LIB_otp = @LIB_otp@ +LIB_pidfile = @LIB_pidfile@ +LIB_readline = @LIB_readline@ +LIB_res_ndestroy = @LIB_res_ndestroy@ +LIB_res_nsearch = @LIB_res_nsearch@ +LIB_res_search = @LIB_res_search@ +LIB_roken = @LIB_roken@ +LIB_security = @LIB_security@ +LIB_setsockopt = @LIB_setsockopt@ +LIB_socket = @LIB_socket@ +LIB_syslog = @LIB_syslog@ +LIB_tgetent = @LIB_tgetent@ +LN_S = @LN_S@ +LTLIBOBJS = @LTLIBOBJS@ +MAINT = @MAINT@ +MAKEINFO = @MAKEINFO@ +MKDIR_P = @MKDIR_P@ +NROFF = @NROFF@ +OBJEXT = @OBJEXT@ +PACKAGE = @PACKAGE@ +PACKAGE_BUGREPORT = @PACKAGE_BUGREPORT@ +PACKAGE_NAME = 
@PACKAGE_NAME@ +PACKAGE_STRING = @PACKAGE_STRING@ +PACKAGE_TARNAME = @PACKAGE_TARNAME@ +PACKAGE_VERSION = @PACKAGE_VERSION@ +PATH_SEPARATOR = @PATH_SEPARATOR@ +PTHREADS_CFLAGS = @PTHREADS_CFLAGS@ +PTHREADS_LIBS = @PTHREADS_LIBS@ +RANLIB = @RANLIB@ +SET_MAKE = @SET_MAKE@ +SHELL = @SHELL@ +STRIP = @STRIP@ +VERSION = @VERSION@ +VERSIONING = @VERSIONING@ +VOID_RETSIGTYPE = @VOID_RETSIGTYPE@ +WFLAGS = @WFLAGS@ +WFLAGS_NOIMPLICITINT = @WFLAGS_NOIMPLICITINT@ +WFLAGS_NOUNUSED = @WFLAGS_NOUNUSED@ +XMKMF = @XMKMF@ +X_CFLAGS = @X_CFLAGS@ +X_EXTRA_LIBS = @X_EXTRA_LIBS@ +X_LIBS = @X_LIBS@ +X_PRE_LIBS = @X_PRE_LIBS@ +YACC = @YACC@ +YFLAGS = @YFLAGS@ +abs_builddir = @abs_builddir@ +abs_srcdir = @abs_srcdir@ +abs_top_builddir = @abs_top_builddir@ +abs_top_srcdir = @abs_top_srcdir@ +ac_ct_CC = @ac_ct_CC@ +ac_ct_CXX = @ac_ct_CXX@ +ac_ct_F77 = @ac_ct_F77@ +am__leading_dot = @am__leading_dot@ +am__tar = @am__tar@ +am__untar = @am__untar@ +bindir = @bindir@ +build = @build@ +build_alias = @build_alias@ +build_cpu = @build_cpu@ +build_os = @build_os@ +build_vendor = @build_vendor@ +builddir = @builddir@ +datadir = @datadir@ +datarootdir = @datarootdir@ +docdir = @docdir@ +dpagaix_cflags = @dpagaix_cflags@ +dpagaix_ldadd = @dpagaix_ldadd@ +dpagaix_ldflags = @dpagaix_ldflags@ +dvidir = @dvidir@ +exec_prefix = @exec_prefix@ +host = @host@ +host_alias = @host_alias@ +host_cpu = @host_cpu@ +host_os = @host_os@ +host_vendor = @host_vendor@ +htmldir = @htmldir@ +includedir = @includedir@ +infodir = @infodir@ +install_sh = @install_sh@ +libdir = @libdir@ +libexecdir = @libexecdir@ +localedir = @localedir@ +localstatedir = @localstatedir@ +mandir = @mandir@ +mkdir_p = @mkdir_p@ +oldincludedir = @oldincludedir@ +pdfdir = @pdfdir@ +prefix = @prefix@ +program_transform_name = @program_transform_name@ +psdir = @psdir@ +sbindir = @sbindir@ +sharedstatedir = @sharedstatedir@ +srcdir = @srcdir@ +sysconfdir = @sysconfdir@ +target_alias = @target_alias@ +top_builddir = @top_builddir@ +top_srcdir = 
@top_srcdir@ +SUFFIXES = .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 +AM_CPPFLAGS = -I$(top_builddir)/include $(INCLUDES_roken) +@do_roken_rename_TRUE@ROKEN_RENAME = -DROKEN_RENAME +AM_CFLAGS = $(WFLAGS) +CP = cp +buildinclude = $(top_builddir)/include +LIB_getattr = @LIB_getattr@ +LIB_getpwent_r = @LIB_getpwent_r@ +LIB_odm_initialize = @LIB_odm_initialize@ +LIB_setpcred = @LIB_setpcred@ +HESIODLIB = @HESIODLIB@ +HESIODINCLUDE = @HESIODINCLUDE@ +NROFF_MAN = groff -mandoc -Tascii +LIB_kafs = $(top_builddir)/lib/kafs/libkafs.la $(AIX_EXTRA_KAFS) +@KRB5_TRUE@LIB_krb5 = $(top_builddir)/lib/krb5/libkrb5.la \ +@KRB5_TRUE@ $(top_builddir)/lib/asn1/libasn1.la + +@KRB5_TRUE@LIB_gssapi = $(top_builddir)/lib/gssapi/libgssapi.la +@KRB5_TRUE@LIB_tsasl = $(top_builddir)/lib/tsasl/libtsasl.la +@DCE_TRUE@LIB_kdfs = $(top_builddir)/lib/kdfs/libkdfs.la +noinst_DATA = \ + krb5.conf \ + krb5-pkinit.conf \ + krb5-pkinit-win.conf \ + krb5-slave.conf + +check_SCRIPTS = $(SCRIPT_TESTS) +SCRIPT_TESTS = \ + check-digest \ + check-kadmin \ + check-kdc \ + check-keys \ + check-pkinit \ + check-iprop \ + check-referral \ + check-uu + +TESTS = $(SCRIPT_TESTS) +port = 49188 +admport = 49189 +@HAVE_DLOPEN_FALSE@do_dlopen = -e 's,[@]DLOPEN[@],false,g' +@HAVE_DLOPEN_TRUE@do_dlopen = -e 's,[@]DLOPEN[@],true,g' +do_subst = sed $(do_dlopen) \ + -e 's,[@]srcdir[@],$(srcdir),g' \ + -e 's,[@]port[@],$(port),g' \ + -e 's,[@]admport[@],$(admport),g' \ + -e 's,[@]objdir[@],$(top_builddir)/tests/kdc,g' \ + -e 's,[@]EGREP[@],$(EGREP),g' + +LDADD = ../../lib/krb5/libkrb5.la $(LIB_roken) +CLEANFILES = \ + $(TESTS) \ + iprop-stats \ + barpassword \ + cache.krb5 \ + cdigest-reply \ + *.tmp \ + client-cache \ + current-db* \ + current*.log \ + iprop.keytab \ + digest-reply \ + foopassword \ + krb5.conf \ + krb5-slave.conf \ + krb5-pkinit.conf \ + krb5-pkinit-win.conf \ + krb5.conf.keys \ + signal \ + messages.log \ + o2cache.krb5 \ + o2digest-reply \ + ocache.krb5 \ + s2digest-reply \ + sdigest-init \ + 
sdigest-reply \ + server.keytab \ + req-pkinit.der \ + req-pkinit2.der \ + req-kdc.der \ + pkinit.crt \ + pkinit2.crt \ + pkinit3.crt \ + kdc.crt \ + ca.crt \ + uuserver.log \ + tempfile \ + test-rc-file.rc + +EXTRA_DIST = \ + check-kadmin.in \ + check-kdc.in \ + check-keys.in \ + check-referral.in \ + check-uu.in \ + check-pkinit.in \ + check-iprop.in \ + check-digest.in \ + heimdal.acl \ + krb5.conf.in \ + krb5.conf.keys.in \ + krb5-pkinit.conf.in \ + iprop-acl \ + wait-kdc.sh \ + pki-mapping \ + ntlm-user-file.txt \ + uuserver.txt \ + donotexists.txt + +all: all-am + +.SUFFIXES: +.SUFFIXES: .et .h .x .z .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8 .c .lo .o .obj +$(srcdir)/Makefile.in: @MAINTAINER_MODE_TRUE@ $(srcdir)/Makefile.am $(top_srcdir)/Makefile.am.common $(top_srcdir)/cf/Makefile.am.common $(am__configure_deps) + @for dep in $?; do \ + case '$(am__configure_deps)' in \ + *$$dep*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh \ + && exit 0; \ + exit 1;; \ + esac; \ + done; \ + echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign --ignore-deps tests/kdc/Makefile'; \ + cd $(top_srcdir) && \ + $(AUTOMAKE) --foreign --ignore-deps tests/kdc/Makefile +.PRECIOUS: Makefile +Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status + @case '$?' 
in \ + *config.status*) \ + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh;; \ + *) \ + echo ' cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe)'; \ + cd $(top_builddir) && $(SHELL) ./config.status $(subdir)/$@ $(am__depfiles_maybe);; \ + esac; + +$(top_builddir)/config.status: $(top_srcdir)/configure $(CONFIG_STATUS_DEPENDENCIES) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +$(top_srcdir)/configure: @MAINTAINER_MODE_TRUE@ $(am__configure_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh +$(ACLOCAL_M4): @MAINTAINER_MODE_TRUE@ $(am__aclocal_m4_deps) + cd $(top_builddir) && $(MAKE) $(AM_MAKEFLAGS) am--refresh + +clean-checkPROGRAMS: + @list='$(check_PROGRAMS)'; for p in $$list; do \ + f=`echo $$p|sed 's/$(EXEEXT)$$//'`; \ + echo " rm -f $$p $$f"; \ + rm -f $$p $$f ; \ + done +ap-req$(EXEEXT): $(ap_req_OBJECTS) $(ap_req_DEPENDENCIES) + @rm -f ap-req$(EXEEXT) + $(LINK) $(ap_req_OBJECTS) $(ap_req_LDADD) $(LIBS) + +mostlyclean-compile: + -rm -f *.$(OBJEXT) + +distclean-compile: + -rm -f *.tab.c + +.c.o: + $(COMPILE) -c $< + +.c.obj: + $(COMPILE) -c `$(CYGPATH_W) '$<'` + +.c.lo: + $(LTCOMPILE) -c -o $@ $< + +mostlyclean-libtool: + -rm -f *.lo + +clean-libtool: + -rm -rf .libs _libs + +ID: $(HEADERS) $(SOURCES) $(LISP) $(TAGS_FILES) + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + mkid -fID $$unique +tags: TAGS + +TAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + if test -z "$(ETAGS_ARGS)$$tags$$unique"; then :; else \ + 
test -n "$$unique" || unique=$$empty_fix; \ + $(ETAGS) $(ETAGSFLAGS) $(AM_ETAGSFLAGS) $(ETAGS_ARGS) \ + $$tags $$unique; \ + fi +ctags: CTAGS +CTAGS: $(HEADERS) $(SOURCES) $(TAGS_DEPENDENCIES) \ + $(TAGS_FILES) $(LISP) + tags=; \ + here=`pwd`; \ + list='$(SOURCES) $(HEADERS) $(LISP) $(TAGS_FILES)'; \ + unique=`for i in $$list; do \ + if test -f "$$i"; then echo $$i; else echo $(srcdir)/$$i; fi; \ + done | \ + $(AWK) ' { files[$$0] = 1; } \ + END { for (i in files) print i; }'`; \ + test -z "$(CTAGS_ARGS)$$tags$$unique" \ + || $(CTAGS) $(CTAGSFLAGS) $(AM_CTAGSFLAGS) $(CTAGS_ARGS) \ + $$tags $$unique + +GTAGS: + here=`$(am__cd) $(top_builddir) && pwd` \ + && cd $(top_srcdir) \ + && gtags -i $(GTAGS_ARGS) $$here + +distclean-tags: + -rm -f TAGS ID GTAGS GRTAGS GSYMS GPATH tags + +check-TESTS: $(TESTS) + @failed=0; all=0; xfail=0; xpass=0; skip=0; ws='[ ]'; \ + srcdir=$(srcdir); export srcdir; \ + list=' $(TESTS) '; \ + if test -n "$$list"; then \ + for tst in $$list; do \ + if test -f ./$$tst; then dir=./; \ + elif test -f $$tst; then dir=; \ + else dir="$(srcdir)/"; fi; \ + if $(TESTS_ENVIRONMENT) $${dir}$$tst; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xpass=`expr $$xpass + 1`; \ + failed=`expr $$failed + 1`; \ + echo "XPASS: $$tst"; \ + ;; \ + *) \ + echo "PASS: $$tst"; \ + ;; \ + esac; \ + elif test $$? 
-ne 77; then \ + all=`expr $$all + 1`; \ + case " $(XFAIL_TESTS) " in \ + *$$ws$$tst$$ws*) \ + xfail=`expr $$xfail + 1`; \ + echo "XFAIL: $$tst"; \ + ;; \ + *) \ + failed=`expr $$failed + 1`; \ + echo "FAIL: $$tst"; \ + ;; \ + esac; \ + else \ + skip=`expr $$skip + 1`; \ + echo "SKIP: $$tst"; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + if test "$$xfail" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="All $$all tests behaved as expected ($$xfail expected failures)"; \ + fi; \ + else \ + if test "$$xpass" -eq 0; then \ + banner="$$failed of $$all tests failed"; \ + else \ + banner="$$failed of $$all tests did not behave as expected ($$xpass unexpected passes)"; \ + fi; \ + fi; \ + dashes="$$banner"; \ + skipped=""; \ + if test "$$skip" -ne 0; then \ + skipped="($$skip tests were not run)"; \ + test `echo "$$skipped" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$skipped"; \ + fi; \ + report=""; \ + if test "$$failed" -ne 0 && test -n "$(PACKAGE_BUGREPORT)"; then \ + report="Please report to $(PACKAGE_BUGREPORT)"; \ + test `echo "$$report" | wc -c` -le `echo "$$banner" | wc -c` || \ + dashes="$$report"; \ + fi; \ + dashes=`echo "$$dashes" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + test -z "$$skipped" || echo "$$skipped"; \ + test -z "$$report" || echo "$$report"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0; \ + else :; fi + +distdir: $(DISTFILES) + @srcdirstrip=`echo "$(srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + topsrcdirstrip=`echo "$(top_srcdir)" | sed 's/[].[^$$\\*]/\\\\&/g'`; \ + list='$(DISTFILES)'; \ + dist_files=`for file in $$list; do echo $$file; done | \ + sed -e "s|^$$srcdirstrip/||;t" \ + -e "s|^$$topsrcdirstrip/|$(top_builddir)/|;t"`; \ + case $$dist_files in \ + */*) $(MKDIR_P) `echo "$$dist_files" | \ + sed '/\//!d;s|^|$(distdir)/|;s,/[^/]*$$,,' | \ + sort -u` ;; \ + esac; \ + for file in $$dist_files; do \ + if test -f $$file || test -d $$file; then d=.; else d=$(srcdir); fi; \ + if 
test -d $$d/$$file; then \ + dir=`echo "/$$file" | sed -e 's,/[^/]*$$,,'`; \ + if test -d $(srcdir)/$$file && test $$d != $(srcdir); then \ + cp -pR $(srcdir)/$$file $(distdir)$$dir || exit 1; \ + fi; \ + cp -pR $$d/$$file $(distdir)$$dir || exit 1; \ + else \ + test -f $(distdir)/$$file \ + || cp -p $$d/$$file $(distdir)/$$file \ + || exit 1; \ + fi; \ + done + $(MAKE) $(AM_MAKEFLAGS) \ + top_distdir="$(top_distdir)" distdir="$(distdir)" \ + dist-hook +check-am: all-am + $(MAKE) $(AM_MAKEFLAGS) $(check_PROGRAMS) $(check_SCRIPTS) + $(MAKE) $(AM_MAKEFLAGS) check-TESTS check-local +check: check-am +all-am: Makefile $(DATA) all-local +installdirs: +install: install-am +install-exec: install-exec-am +install-data: install-data-am +uninstall: uninstall-am + +install-am: all-am + @$(MAKE) $(AM_MAKEFLAGS) install-exec-am install-data-am + +installcheck: installcheck-am +install-strip: + $(MAKE) $(AM_MAKEFLAGS) INSTALL_PROGRAM="$(INSTALL_STRIP_PROGRAM)" \ + install_sh_PROGRAM="$(INSTALL_STRIP_PROGRAM)" INSTALL_STRIP_FLAG=-s \ + `test -z '$(STRIP)' || \ + echo "INSTALL_PROGRAM_ENV=STRIPPROG='$(STRIP)'"` install +mostlyclean-generic: + +clean-generic: + -test -z "$(CLEANFILES)" || rm -f $(CLEANFILES) + +distclean-generic: + -test -z "$(CONFIG_CLEAN_FILES)" || rm -f $(CONFIG_CLEAN_FILES) + +maintainer-clean-generic: + @echo "This command is intended for maintainers to use" + @echo "it deletes files that may require special tools to rebuild." 
+clean: clean-am + +clean-am: clean-checkPROGRAMS clean-generic clean-libtool \ + mostlyclean-am + +distclean: distclean-am + -rm -f Makefile +distclean-am: clean-am distclean-compile distclean-generic \ + distclean-tags + +dvi: dvi-am + +dvi-am: + +html: html-am + +info: info-am + +info-am: + +install-data-am: + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-data-hook + +install-dvi: install-dvi-am + +install-exec-am: + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) install-exec-hook + +install-html: install-html-am + +install-info: install-info-am + +install-man: + +install-pdf: install-pdf-am + +install-ps: install-ps-am + +installcheck-am: + +maintainer-clean: maintainer-clean-am + -rm -f Makefile +maintainer-clean-am: distclean-am maintainer-clean-generic + +mostlyclean: mostlyclean-am + +mostlyclean-am: mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool + +pdf: pdf-am + +pdf-am: + +ps: ps-am + +ps-am: + +uninstall-am: + @$(NORMAL_INSTALL) + $(MAKE) $(AM_MAKEFLAGS) uninstall-hook + +.MAKE: install-am install-data-am install-exec-am install-strip \ + uninstall-am + +.PHONY: CTAGS GTAGS all all-am all-local check check-TESTS check-am \ + check-local clean clean-checkPROGRAMS clean-generic \ + clean-libtool ctags dist-hook distclean distclean-compile \ + distclean-generic distclean-libtool distclean-tags distdir dvi \ + dvi-am html html-am info info-am install install-am \ + install-data install-data-am install-data-hook install-dvi \ + install-dvi-am install-exec install-exec-am install-exec-hook \ + install-html install-html-am install-info install-info-am \ + install-man install-pdf install-pdf-am install-ps \ + install-ps-am install-strip installcheck installcheck-am \ + installdirs maintainer-clean maintainer-clean-generic \ + mostlyclean mostlyclean-compile mostlyclean-generic \ + mostlyclean-libtool pdf pdf-am ps ps-am tags uninstall \ + uninstall-am uninstall-hook + + +install-suid-programs: + @foo='$(bin_SUIDS)'; \ + for file in $$foo; 
do \ + x=$(DESTDIR)$(bindir)/$$file; \ + if chown 0:0 $$x && chmod u+s $$x; then :; else \ + echo "*"; \ + echo "* Failed to install $$x setuid root"; \ + echo "*"; \ + fi; done + +install-exec-hook: install-suid-programs + +install-build-headers:: $(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ) $(nobase_include_HEADERS) + @foo='$(include_HEADERS) $(dist_include_HEADERS) $(nodist_include_HEADERS) $(build_HEADERZ)'; \ + for f in $$foo; do \ + f=`basename $$f`; \ + if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ + else file="$$f"; fi; \ + if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ + : ; else \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f; \ + fi ; \ + done ; \ + foo='$(nobase_include_HEADERS)'; \ + for f in $$foo; do \ + if test -f "$(srcdir)/$$f"; then file="$(srcdir)/$$f"; \ + else file="$$f"; fi; \ + $(mkdir_p) $(buildinclude)/`dirname $$f` ; \ + if cmp -s $$file $(buildinclude)/$$f 2> /dev/null ; then \ + : ; else \ + echo " $(CP) $$file $(buildinclude)/$$f"; \ + $(CP) $$file $(buildinclude)/$$f; \ + fi ; \ + done + +all-local: install-build-headers + +check-local:: + @if test '$(CHECK_LOCAL)' = "no-check-local"; then \ + foo=''; elif test '$(CHECK_LOCAL)'; then \ + foo='$(CHECK_LOCAL)'; else \ + foo='$(PROGRAMS)'; fi; \ + if test "$$foo"; then \ + failed=0; all=0; \ + for i in $$foo; do \ + all=`expr $$all + 1`; \ + if (./$$i --version && ./$$i --help) > /dev/null 2>&1; then \ + echo "PASS: $$i"; \ + else \ + echo "FAIL: $$i"; \ + failed=`expr $$failed + 1`; \ + fi; \ + done; \ + if test "$$failed" -eq 0; then \ + banner="All $$all tests passed"; \ + else \ + banner="$$failed of $$all tests failed"; \ + fi; \ + dashes=`echo "$$banner" | sed s/./=/g`; \ + echo "$$dashes"; \ + echo "$$banner"; \ + echo "$$dashes"; \ + test "$$failed" -eq 0 || exit 1; \ + fi + +.x.c: + @cmp -s $< $@ 2> /dev/null || cp $< $@ +#NROFF_MAN = nroff -man +.1.cat1: + $(NROFF_MAN) $< > $@ 
+.3.cat3: + $(NROFF_MAN) $< > $@ +.5.cat5: + $(NROFF_MAN) $< > $@ +.8.cat8: + $(NROFF_MAN) $< > $@ + +dist-cat1-mans: + @foo='$(man1_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.1) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat1/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat3-mans: + @foo='$(man3_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.3) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat3/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat5-mans: + @foo='$(man5_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.5) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat5/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-cat8-mans: + @foo='$(man8_MANS)'; \ + bar='$(man_MANS)'; \ + for i in $$bar; do \ + case $$i in \ + *.8) foo="$$foo $$i";; \ + esac; done ;\ + for i in $$foo; do \ + x=`echo $$i | sed 's/\.[^.]*$$/.cat8/'`; \ + echo "$(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x"; \ + $(NROFF_MAN) $(srcdir)/$$i > $(distdir)/$$x; \ + done + +dist-hook: dist-cat1-mans dist-cat3-mans dist-cat5-mans dist-cat8-mans + +install-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh install "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) + +uninstall-cat-mans: + $(SHELL) $(top_srcdir)/cf/install-catman.sh uninstall "$(INSTALL_DATA)" "$(mkinstalldirs)" "$(srcdir)" "$(DESTDIR)$(mandir)" '$(CATMANEXT)' $(man_MANS) $(man1_MANS) $(man3_MANS) $(man5_MANS) $(man8_MANS) + +install-data-hook: install-cat-mans +uninstall-hook: 
uninstall-cat-mans + +.et.h: + $(COMPILE_ET) $< +.et.c: + $(COMPILE_ET) $< + +# +# Useful target for debugging +# + +check-valgrind: + tobjdir=`cd $(top_builddir) && pwd` ; \ + tsrcdir=`cd $(top_srcdir) && pwd` ; \ + env TESTS_ENVIRONMENT="$${tobjdir}/libtool --mode execute valgrind --leak-check=full --trace-children=yes --quiet -q --num-callers=30 --suppressions=$${tsrcdir}/cf/valgrind-suppressions" make check + +# +# Target to please samba build farm, builds distfiles in-tree. +# Will break when automake changes... +# + +distdir-in-tree: $(DISTFILES) $(INFO_DEPS) + list='$(DIST_SUBDIRS)'; for subdir in $$list; do \ + if test "$$subdir" != .; then \ + (cd $$subdir && $(MAKE) $(AM_MAKEFLAGS) distdir-in-tree) ; \ + fi ; \ + done + +check-kdc: check-kdc.in Makefile + $(do_subst) < $(srcdir)/check-kdc.in > check-kdc.tmp + chmod +x check-kdc.tmp + mv check-kdc.tmp check-kdc + +check-keys: check-keys.in Makefile + $(do_subst) < $(srcdir)/check-keys.in > check-keys.tmp + chmod +x check-keys.tmp + mv check-keys.tmp check-keys + +check-kadmin: check-kadmin.in Makefile + $(do_subst) < $(srcdir)/check-kadmin.in > check-kadmin.tmp + chmod +x check-kadmin.tmp + mv check-kadmin.tmp check-kadmin + +check-uu: check-uu.in Makefile + $(do_subst) < $(srcdir)/check-uu.in > check-uu.tmp + chmod +x check-uu.tmp + mv check-uu.tmp check-uu + +check-pkinit: check-pkinit.in Makefile krb5-pkinit.conf + $(do_subst) < $(srcdir)/check-pkinit.in > check-pkinit.tmp + chmod +x check-pkinit.tmp + mv check-pkinit.tmp check-pkinit + +check-iprop: check-iprop.in Makefile krb5.conf krb5-slave.conf + $(do_subst) < $(srcdir)/check-iprop.in > check-iprop.tmp + chmod +x check-iprop.tmp + mv check-iprop.tmp check-iprop + +check-digest: check-digest.in Makefile + $(do_subst) < $(srcdir)/check-digest.in > check-digest.tmp + chmod +x check-digest.tmp + mv check-digest.tmp check-digest + +check-referral: check-referral.in Makefile + $(do_subst) < $(srcdir)/check-referral.in > check-referral.tmp + chmod +x 
check-referral.tmp + mv check-referral.tmp check-referral + +krb5.conf: krb5.conf.in Makefile + $(do_subst) \ + -e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp + mv krb5.conf.tmp krb5.conf + +krb5-slave.conf: krb5.conf.in Makefile + $(do_subst) \ + -e 's,[@]kdc[@],.slave,g' < $(srcdir)/krb5.conf.in > krb5-slave.conf.tmp + mv krb5-slave.conf.tmp krb5-slave.conf + +krb5-pkinit.conf: krb5-pkinit.conf.in Makefile + $(do_subst) -e 's,[@]w2k[@],no,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit.conf.tmp + mv krb5-pkinit.conf.tmp krb5-pkinit.conf + +krb5-pkinit-win.conf: krb5-pkinit.conf.in Makefile + $(do_subst) -e 's,[@]w2k[@],yes,g' < $(srcdir)/krb5-pkinit.conf.in > krb5-pkinit-win.conf.tmp + mv krb5-pkinit-win.conf.tmp krb5-pkinit-win.conf +# Tell versions [3.59,3.63) of GNU make to not export all variables. +# Otherwise a system limit (for SysV at least) may be exceeded. +.NOEXPORT: diff --git a/tests/kdc/ap-req.c b/tests/kdc/ap-req.c new file mode 100644 index 000000000000..24cc6111c7dc --- /dev/null +++ b/tests/kdc/ap-req.c 
@@ -0,0 +1,221 @@
+/*
+ * Copyright (c) 2006 Kungliga Tekniska Högskolan
+ * (Royal Institute of Technology, Stockholm, Sweden).
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * 3. Neither the name of KTH nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY KTH AND ITS CONTRIBUTORS ``AS IS'' AND ANY
+ * EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL KTH OR ITS CONTRIBUTORS BE
+ * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
+ * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
+ * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
+ * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+RCSID("$Id: ap-req.c 19807 2007-01-10 19:35:45Z lha $");
+#endif
+
+#include <sys/types.h>
+#include <stdio.h>
+#include <krb5.h>
+#include <err.h>
+#include <getarg.h>
+#include <roken.h>
+
+static int verify_pac = 0;
+static int version_flag = 0;
+static int help_flag = 0;
+
+static struct getargs args[] = {
+ {"verify-pac",0, arg_flag, &verify_pac,
+ "verify the PAC", NULL },
+ {"version", 0, arg_flag, &version_flag,
+ "print version", NULL },
+ {"help", 0, arg_flag, &help_flag,
+ NULL, NULL }
+};
+
+static void
+usage (int ret)
+{
+ arg_printusage (args, sizeof(args)/sizeof(*args), NULL, "...");
+ exit (ret);
+}
+
+
+static void
+test_ap(krb5_context context,
+ krb5_principal sprincipal,
+ krb5_keytab keytab,
+ krb5_ccache ccache,
+ const krb5_flags client_flags)
+{
+ krb5_error_code ret;
+ krb5_auth_context client_ac = NULL, server_ac = NULL;
+ krb5_data data;
+ krb5_flags server_flags;
+ krb5_ticket *ticket = NULL;
+ int32_t server_seq, client_seq;
+
+ ret = krb5_mk_req_exact(context,
+ &client_ac,
+ client_flags,
+ sprincipal,
+ NULL,
+ ccache,
+ &data);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_mk_req_exact");
+
+ ret = krb5_rd_req(context,
+ &server_ac,
+ &data,
+ sprincipal,
+ keytab,
+ &server_flags,
+ &ticket);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_rd_req");
+
+
+ if (server_flags & AP_OPTS_MUTUAL_REQUIRED) {
+ krb5_ap_rep_enc_part *repl;
+
+ krb5_data_free(&data);
+
+ if ((client_flags & AP_OPTS_MUTUAL_REQUIRED) == 0)
+ krb5_errx(context, 1, "client flag missing mutual req");
+
+ ret = krb5_mk_rep (context, server_ac, &data);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_mk_rep");
+
+ ret = krb5_rd_rep (context,
+ client_ac,
+ &data,
+ &repl);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_rd_rep");
+
+ krb5_free_ap_rep_enc_part (context, repl);
+ } else {
+ if (client_flags & AP_OPTS_MUTUAL_REQUIRED)
+ krb5_errx(context, 1, "server flag missing mutual req");
+ }
+
+ krb5_auth_getremoteseqnumber(context, server_ac, &server_seq);
+ krb5_auth_getremoteseqnumber(context, client_ac, &client_seq);
+ if (server_seq != client_seq)
+ krb5_errx(context, 1, "seq num differ");
+
+ krb5_auth_con_getlocalseqnumber(context, server_ac, &server_seq);
+ krb5_auth_con_getlocalseqnumber(context, client_ac, &client_seq);
+ if (server_seq != client_seq)
+ krb5_errx(context, 1, "seq num differ");
+
+ krb5_data_free(&data);
+ krb5_auth_con_free(context, client_ac);
+ krb5_auth_con_free(context, server_ac);
+
+ if (verify_pac) {
+ krb5_pac pac;
+
+ ret = krb5_ticket_get_authorization_data_type(context,
+ ticket,
+ KRB5_AUTHDATA_WIN2K_PAC,
+ &data);
+ if (ret)
+ krb5_err(context, 1, ret, "get pac");
+
+ ret = krb5_pac_parse(context, data.data, data.length, &pac);
+ if (ret)
+ krb5_err(context, 1, ret, "pac parse");
+
+ krb5_pac_free(context, pac);
+ }
+
+ krb5_free_ticket(context, ticket);
+}
+
+
+int
+main(int argc, char **argv)
+{
+ krb5_context context;
+ krb5_error_code ret;
+ int optidx = 0;
+ const char *principal, *keytab, *ccache;
+ krb5_ccache id;
+ krb5_keytab kt;
+ krb5_principal sprincipal;
+
+ setprogname(argv[0]);
+
+ if(getarg(args, sizeof(args) / sizeof(args[0]), argc, argv, &optidx))
+ usage(1);
+
+ if (help_flag)
+ usage (0);
+
+ if(version_flag){
+ print_version(NULL);
+ exit(0);
+ }
+
+ argc -= optidx;
+ argv += optidx;
+
+ if (argc < 3)
+ usage(1);
+
+ principal = argv[0];
+ keytab = argv[1];
+ ccache = argv[2];
+
+ ret = krb5_init_context(&context);
+ if (ret)
+ errx (1, "krb5_init_context failed: %d", ret);
+
+ ret = krb5_cc_resolve(context, ccache, &id);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_cc_resolve");
+
+ ret = krb5_parse_name(context, principal, &sprincipal);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_parse_name");
+
+ ret = krb5_kt_resolve(context, keytab, &kt);
+ if (ret)
+ krb5_err(context, 1, ret, "krb5_kt_resolve");
+
+ test_ap(context, sprincipal, kt, id, 0);
+ test_ap(context, sprincipal, kt, id, AP_OPTS_MUTUAL_REQUIRED);
+
+ krb5_cc_close(context, id);
+ krb5_kt_close(context, kt);
+ krb5_free_principal(context, sprincipal);
+
+ krb5_free_context(context);
+
+ return ret;
+}
diff --git a/tests/kdc/check-digest.in b/tests/kdc/check-digest.in
new file mode 100644
index 000000000000..cb6c19f8dcb7
--- /dev/null
+++ b/tests/kdc/check-digest.in
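Review bot: The `--verify-pac` branch at the end of test_ap() only checks that a PAC is present in the ticket and that krb5_pac_parse() accepts it; nothing in the branch checks the PAC signatures, so a ticket whose PAC checksums are wrong would still pass this test. If parse-only is what is intended, say so in the option text and with a comment above `if (verify_pac) {`, for example `/* presence and parse check only; PAC checksums are not verified here */`. The same branch refills `data` through krb5_ticket_get_authorization_data_type() and never calls `krb5_data_free(&data)` after `krb5_pac_free(context, pac);`, which presumably leaks the buffer and would be reported by the `--leak-check=full` run of the check-valgrind target.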
@@ -0,0 +1,295 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id: check-digest.in 21849 2007-08-08 06:56:41Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+cache="FILE:${objdir}/cache.krb5"
+ocache="FILE:${objdir}/ocache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
+kdigest="${TESTS_ENVIRONMENT} ../../kuser/kdigest --ccache=$cache"
+test_ntlm="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_ntlm"
+context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context"
+
+username=foo
+userpassword=digestpassword
+
+password=foobarbaz
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
+${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
+${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
+${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
+${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo $password > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+ kill ${kdcpid}
+ exit 1
+fi
+
+trap "kill ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+
+exitcode=0
+
+echo "Getting digest server tickets"
+${kinit} --password-file=${objdir}/foopassword ${server}@$R || exitcode=1
+${kdigest} digest-server-init \
+ --kerberos-realm=${R} \
+ --type=CHAP > /dev/null || exitcode=1
+
+echo "Trying NTLM"
+
+NTLM_ACCEPTOR_CCACHE="$cache"
+export NTLM_ACCEPTOR_CCACHE
+
+echo "Trying server-init"
+echo ${kdigest} ntlm-server-init \
+ --kerberos-realm=${R} \
+ > sdigest-init || exitcode=1
+
+echo "test_ntlm"
+${test_ntlm} || { echo "test_ntlm failed"; exit 1; }
+
+NTLM_USER_FILE="${srcdir}/ntlm-user-file.txt"
+export NTLM_USER_FILE
+
+echo "test_context --mech-type=ntlm"
+${context} --mech-type=ntlm \
+ --name-type=hostbased-service datan@TEST || \
+ { echo "test_context 1 failed"; exit 1; }
+
+${context} --mech-type=ntlm \
+ --name-type=hostbased-service datan@host.TEST || \
+ { echo "test_context 2 failed"; exit 1; }
+
+${context} --mech-type=ntlm \
+ --name-type=hostbased-service datan@host.test.domain2 || \
+ { echo "test_context 3 failed"; exit 1; }
+
+${context} --mech-type=ntlm \
+ --name-type=hostbased-service datan@host.foo 2>/dev/null && \
+ { echo "test_context 4 failed"; exit 1; }
+
+echo "Trying SL in NTLM"
+
+
+for type in \
+ "" \
+ "--getverifymic" \
+ "--wrapunwrap" \
+ "--getverifymic --wrapunwrap" \
+ ; do
+
+ echo "Trying NTLM type: ${type}"
+ ${context} --mech-type=ntlm ${type} \
+ --name-type=hostbased-service datan@TEST || \
+ { echo "test_context 1 failed"; exit 1; }
+
+done
+
+
+echo "Trying CHAP"
+
+${kdigest} digest-server-init \
+ --kerberos-realm=${R} \
+ --type=CHAP \
+ > sdigest-reply || exitcode=1
+
+snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
+identifier=`grep identifier= sdigest-reply | cut -f2- -d=`
+opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
+
+${kdigest} digest-client-request \
+ --type=CHAP \
+ --username="$username" \
+ --password="$userpassword" \
+ --opaque="$opaque" \
+ --server-identifier="$identifier" \
+ --server-nonce="$snonce" \
+ > cdigest-reply || exitcode=1
+
+cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
+
+#echo user: $username
+#echo server-nonce: $snonce
+#echo opaqeue: $opaque
+#echo identifier: $identifier
+
+${kdigest} digest-server-request \
+ --kerberos-realm=${R} \
+ --type=CHAP \
+ --username="$username" \
+ --opaque="$opaque" \
+ --client-response="$cresponseData" \
+ --server-identifier="$identifier" \
+ --server-nonce="$snonce" \
+ > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+
+if test "X$status" = "Xok" ; then
+ echo "CHAP response ok"
+else
+ echo "CHAP response failed"
+ exitcode=1
+fi
+
+cresponseData=`echo $cresponseData | sed 's/..../DEADBEEF/'`
+
+${kdigest} digest-server-request \
+ --kerberos-realm=${R} \
+ --type=CHAP \
+ --username="$username" \
+ --opaque="$opaque" \
+ --client-response="$cresponseData" \
+ --server-identifier="$identifier" \
+ --server-nonce="$snonce" \
+ > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+
+if test "X$status" = "Xfailed" ; then
+ echo "CHAP response fail as it should"
+else
+ echo "CHAP response succeeded errorously"
+ exitcode=1
+fi
+
+echo "Trying MS-CHAP-V2"
+
+${kdigest} digest-server-init \
+ --kerberos-realm=${R} \
+ --type=MS-CHAP-V2 \
+ > sdigest-reply || exitcode=1
+
+snonce=`grep server-nonce= sdigest-reply | cut -f2- -d=`
+opaque=`grep opaque= sdigest-reply | cut -f2- -d=`
+cnonce="21402324255E262A28295F2B3A337C7E"
+
+echo "MS-CHAP-V2 client request"
+${kdigest} digest-client-request \
+ --type=MS-CHAP-V2 \
+ --username="$username" \
+ --password="$userpassword" \
+ --opaque="$opaque" \
+ --client-nonce="$cnonce" \
+ --server-nonce="$snonce" \
+ > cdigest-reply || exitcode=1
+
+cresponseData=`grep responseData= cdigest-reply | cut -f2- -d=`
+cRsp=`grep AuthenticatorResponse= cdigest-reply | cut -f2- -d=`
+ckey=`grep session-key= cdigest-reply | cut -f2- -d=`
+
+${kdigest} digest-server-request \
+ --kerberos-realm=${R} \
+ --type=MS-CHAP-V2 \
+ --username="$username" \
+ --opaque="$opaque" \
+ --client-response="$cresponseData" \
+ --client-nonce="$cnonce" \
+ --server-nonce="$snonce" \
+ > s2digest-reply || exitcode=1
+
+status=`grep status= s2digest-reply | cut -f2- -d=`
+sRsp=`grep rsp= s2digest-reply | cut -f2- -d=`
+skey=`grep session-key= s2digest-reply | cut -f2- -d=`
+
+if test "X$sRsp" != "X$cRsp" ; then
+ echo "rsp wrong $sRsp != $cRsp"
+ exitcode=1
+fi
+
+if test "X$skey" != "X$ckey" ; then
+ echo "rsp wrong"
+ exitcode=1
+fi
+
+if test "X$status" = "Xok" ; then
+ echo "MS-CHAP-V2 response ok"
+else
+ echo "MS-CHAP-V2 response failed"
+ exitcode=1
+fi
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill $kdcpid || exit 1
+
+exit $exitcode
+
diff --git a/tests/kdc/check-iprop.in b/tests/kdc/check-iprop.in
new file mode 100644
index 000000000000..448824653613
--- /dev/null
+++ b/tests/kdc/check-iprop.in
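Review bot: The "Trying server-init" step begins with `echo ${kdigest} ntlm-server-init \`, so kdigest is never run there: the command line is only printed into sdigest-init, and the trailing `|| exitcode=1` cannot fire. If the step is meant to exercise ntlm-server-init, drop the leading `echo`; if it is deliberately disabled, a comment saying why would keep it from reading as coverage the test does not give. Separately, the session-key comparison near the end prints the same `rsp wrong` as the response comparison above it, so `echo "session-key wrong"` would make the two failures distinguishable in the log.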
@@ -0,0 +1,248 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+# Dont run this test in AFS, since it lacks support for AF_UNIX
+expr "X`/bin/pwd || pwd`" : "X/afs/.*" > /dev/null 2>/dev/null && exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+cache="FILE:${objdir}/cache.krb5"
+keytabfile=${objdir}/iprop.keytab
+keytab="FILE:${keytabfile}"
+
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -r $R"
+ipropdslave="${TESTS_ENVIRONMENT} ../../lib/kadm5/ipropd-slave"
+ipropdmaster="${TESTS_ENVIRONMENT} ../../lib/kadm5/ipropd-master"
+iproplog="${TESTS_ENVIRONMENT} ../../lib/kadm5/iprop-log"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f current*.log
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log
+
+> messages.log
+
+echo Creating database
+${kadmin} -l \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} -l add -p foo --use-defaults user@${R} || exit 1
+
+${kadmin} -l add --random-key --use-defaults iprop/localhost@${R} || exit 1
+${kadmin} -l ext -k ${keytab} iprop/localhost@${R} || exit 1
+${kadmin} -l add --random-key --use-defaults iprop/slave@${R} || exit 1
+${kadmin} -l ext -k ${keytab} iprop/slave@${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+# -- foo
+ipds=
+ipdm=
+kdcpid=
+
+> iprop-stats
+trap "echo 'killing ipropd s + m + kdc'; kill \${ipdm} \${ipds} \${kdcpid} >/dev/null 2>/dev/null; tail messages.log ; tail iprop-stats; exit 1;" EXIT
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh || exit 1
+
+echo "starting master"
+${ipropdmaster} --hostname=localhost -k ${keytab} \
+ --database=${objdir}/current-db &
+ipdm=$!
+sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1
+
+echo "starting slave"
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+
+# ----------------- checking: pushing lives changes
+
+echo "Add host"
+${kadmin} -l add --random-key --use-defaults host/foo@${R} || exit 1
+sleep 2
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} > /dev/null || exit 1
+
+echo "Rename host"
+${kadmin} -l rename host/foo@${R} host/bar@${R} || exit 1
+sleep 2
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/foo@${R} > /dev/null 2>/dev/null && exit 1
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/bar@${R} > /dev/null || exit 1
+
+echo "Delete host"
+${kadmin} -l delete host/bar@${R} || exit 1
+sleep 2
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${kadmin} -l get host/bar@${R} > /dev/null 2>/dev/null && exit 1
+
+echo "kill slave"
+> iprop-stats
+kill ${ipds}
+sleep 2
+
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Down' iprop-stats >/dev/null || exit 1
+
+# ----------------- checking: slave is missing changes while down
+
+echo "doing changes while slave is down"
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+
+echo "Makeing a copy of the master log file"
+cp ${objdir}/current.log ${objdir}/current.log.tmp
+
+# ----------------- checking: checking that master and slaves resyncs
+
+echo "starting slave again"
+> iprop-stats
+> messages.log
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up again"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+echo "kill slave and remove log and database"
+kill ${ipds}
+sleep 2
+
+rm current.slave.log current-db.slave* || exit 1
+> iprop-stats
+> messages.log
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up again"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+# ----------------- checking: checking live truncation of master log
+
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+sleep 2
+
+echo "live truncate on master log"
+${iproplog} truncate || exit 1
+sleep 2
+
+echo "Killing master and slave"
+kill ${ipdm} ${ipds} >/dev/null 2>/dev/null
+
+sleep 2
+${EGREP} "^master down at " iprop-stats > /dev/null || exit 1
+
+echo "compare versions on master and slave logs"
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iproplog} last-version > slave-last.tmp
+${iproplog} last-version > master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
+# ----------------- checking: master going backward
+> iprop-stats
+> messages.log
+
+echo "Going back to old version of the master log file"
+cp ${objdir}/current.log.tmp ${objdir}/current.log
+
+echo "starting master"
+${ipropdmaster} --hostname=localhost -k ${keytab} \
+ --database=${objdir}/current-db &
+ipdm=$!
+sh ${srcdir}/wait-kdc.sh ipropd-master || exit 1
+
+echo "starting slave"
+KRB5_CONFIG="${objdir}/krb5-slave.conf" \
+${ipropdslave} --hostname=slave -k ${keytab} localhost &
+ipds=$!
+sh ${srcdir}/wait-kdc.sh ipropd-slave || exit 1
+
+echo "checking slave is up again"
+${EGREP} 'iprop/slave@TEST.H5L.SE.*Up' iprop-stats >/dev/null || exit 1
+echo "checking for replay problems"
+${EGREP} 'Entry already exists in database' messages.log && exit 1
+
+echo "pushing one change"
+${kadmin} -l cpw --random-password user@${R} > /dev/null || exit 1
+sleep 2
+
+trap "" EXIT
+kill ${ipdm} ${ipds} ${kdcpid}
+
+echo "compare versions on master and slave logs"
+KRB5_CONFIG=${objdir}/krb5-slave.conf \
+${iproplog} last-version > slave-last.tmp
+${iproplog} last-version > master-last.tmp
+cmp master-last.tmp slave-last.tmp || exit 1
+
+exit $ec
diff --git a/tests/kdc/check-kadmin.in b/tests/kdc/check-kadmin.in
new file mode 100644
index 000000000000..7888e81ed963
--- /dev/null
+++ b/tests/kdc/check-kadmin.in
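Review bot: The script ends with `exit $ec`, but `ec` is never assigned anywhere in check-iprop.in, so the line expands to a bare `exit` and the result is whatever the preceding `cmp master-last.tmp slave-last.tmp || exit 1` returned. That is 0 today, but any command added after the final cmp would silently become the test verdict. `exit 0`, or an `ec=0` near the top in the way check-digest.in initialises `exitcode=0`, states the intent. check-kadmin.in ends with the same unassigned `exit $ec`, there preceded by `trap "" EXIT`.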
@@ -0,0 +1,151 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+admport=@admport@
+
+cache="FILE:${objdir}/cache.krb5"
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+kadmind="${TESTS_ENVIRONMENT} ../../kadmin/kadmind -p $admport"
+
+server=host/datan.test.h5l.se
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+rm -f messages.log
+
+> messages.log
+
+echo Creating database
+${kadmin} -l \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} -l add -p foo --use-defaults foo/admin@${R} || exit 1
+${kadmin} -l add -p foo --use-defaults bar@${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+ kill ${kdcpid}
+ kill ${kadmpid}
+ exit 1
+fi
+
+trap "kill ${kdcpid} ${kadmpid}" EXIT
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (no admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} bar@${R} || exit 1
+echo "kadmin"
+env KRB5CCNAME=${cache} \
+${kadmin} -p bar@${R} add -p foo --use-defaults kaka2@${R} ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+${kadmin} -l get kaka2@${R} > /dev/null ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kinit (admin)"
+${kinit} --password-file=${objdir}/foopassword \
+ -S kadmin/admin@${R} foo/admin@${R} || exit 1
+
+echo "kadmin"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} add -p foo --use-defaults kaka@${R} ||
+ { echo "kadmin failed $?"; cat messages.log ; exit 1; }
+
+#----------------------------------
+${kadmind} -d &
+kadmpid=$!
+sleep 1
+
+echo "kadmin get doesnotexists"
+env KRB5CCNAME=${cache} \
+${kadmin} -p foo/admin@${R} get -s doesnotexists@${R} \
+ > /dev/null 2>kadmin.tmp && \
+ { echo "kadmin passed"; cat messages.log ; exit 1; }
+
+# evil hack to support libtool
+sed 's/lt-kadmin:/kadmin:/' < kadmin.tmp > kadmin2.tmp
+mv kadmin2.tmp kadmin.tmp
+
+cmp kadmin.tmp ${srcdir}/donotexists.txt || \
+ { echo "wrong response"; exit 1;}
+
+echo "killing kdc (${kdcpid} ${kadmpid})"
+kill ${kdcpid} ${kadmpid} > /dev/null 2>/dev/null
+
+trap "" EXIT
+
+exit $ec
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
new file mode 100644
index 000000000000..3a43172471d1
--- /dev/null
+++ b/tests/kdc/check-kdc.in
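Review bot: `trap "kill ${kdcpid} ${kadmpid}" EXIT` is double-quoted and installed before the first `kadmpid=$!`, so `${kadmpid}` expands to nothing when the trap is set, and a later `exit 1` kills only the kdc while the kadmind started for the test is left running on the admin port. check-iprop.in in this same commit escapes the variables (`\${ipdm}`) so they are read when the trap fires; here `trap 'kill ${kdcpid} ${kadmpid} >/dev/null 2>/dev/null' EXIT` would do the same. The `kill ${kadmpid}` in the wait-kdc.sh failure branch runs before kadmind has been started at all, and `rm -f ${keytabfile}` near the top refers to a variable this script never sets.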
@@ -0,0 +1,413 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id: check-kdc.in 22019 2007-10-24 20:47:59Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+R2=TEST2.H5L.SE
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+server=host/datan.test.h5l.se
+server2=host/computer.example.com
+cache="FILE:${objdir}/cache.krb5"
+ocache="FILE:${objdir}/ocache.krb5"
+o2cache="FILE:${objdir}/o2cache.krb5"
+icache="FILE:${objdir}/icache.krb5"
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+ps="proxy-service@${R}"
+aesenctype="aes256-cts-hmac-sha1-96"
+
+kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog"
+klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache"
+kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
+kgetcred_imp="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache --out-cache=${ocache}"
+kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
+ktutil="${TESTS_ENVIRONMENT} ../../admin/ktutil"
+hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool"
+kimpersonate="${TESTS_ENVIRONMENT} ../../kuser/kimpersonate -k ${keytab} --ccache=${ocache}"
+test_renew="${TESTS_ENVIRONMENT} ../../lib/krb5/test_renew"
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R2} || exit 1
+
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
+
+${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} add -p bar --use-defaults bar@${R} || exit 1 +${kadmin} add -p foo --use-defaults remove@${R} || exit 1 +${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 +${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 +${kadmin} add -p foo --use-defaults ${ps} || exit 1 +${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 +${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 +${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 +${kadmin} ext -k ${keytab} ${ps} || exit 1 + +${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 +${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 +${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 + +${kadmin} add -p foo --use-defaults -- -p || exit 1 +${kadmin} delete -- -p || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 +${kadmin} check ${R2} || exit 1 + +echo "Extracting enctypes" +${ktutil} -k ${keytab} list > tempfile || exit 1 +${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ + awk '$1 !~ /1/ { exit 1 }' || exit 1 + +${kadmin} get foo@${R} > tempfile || exit 1 +enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'` + +enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'` +enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'` + +echo foo > ${objdir}/foopassword + +echo Starting kdc +${kdc} & +kdcpid=$! + +sh ${srcdir}/wait-kdc.sh +if [ "$?" 
!= 0 ] ; then + kill ${kdcpid} + exit 1 +fi + +trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +ec=0 + +echo "Getting client initial tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "Getting tickets"; > messages.log +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +echo "Listing tickets"; > messages.log +${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } +./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Specific enctype"; > messages.log +${kinit} --password-file=${objdir}/foopassword \ + -e ${aesenctype} -e ${aesenctype} \ + foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } + echo "Getting tickets"; > messages.log + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} +done + + +echo "Getting client initial tickets"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} +done +${kdestroy} + +echo "Getting client initial tickets for cross realm case"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } +for a in $enctypes; do + echo "Getting cross realm tickets ($a)"; > messages.log + ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server2}@${R2} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + 
${kdestroy} --credential=${server2}@${R2} +done +${kdestroy} + +echo "try all permutations"; > messages.log +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } + for b in $enctypes; do + echo "Getting tickets ($a -> $b)"; > messages.log + ${kgetcred} -e $b ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} --credential=${server}@${R} + done + ${kdestroy} +done + +echo "Getting server initial tickets"; > messages.log +${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; } +echo "Listing tickets"; > messages.log +${klist} | grep "Principal: ${server}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "initial tickets for deleted user test case"; > messages.log +${kinit} --password-file=${objdir}/foopassword remove@$R || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; } +echo "try getting ticket with deleted user"; > messages.log +${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "cross realm case (removed user)"; > messages.log +${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} delete remove2@${R2} || exit 1 +${kgetcred} ${server}@${R} 2> /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "rename user"; > messages.log +${kadmin} add -p foo --use-defaults rename@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} rename rename@${R} rename2@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename2@${R} || \ + { ec=1 ; eval "${testfailed}"; 
} +${kdestroy} +${kadmin} delete rename2@${R} || exit 1 + +echo "rename user to another realm"; > messages.log +${kadmin} add -p foo --use-defaults rename@${R} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kadmin} rename rename@${R} rename@${R2} || exit 1 +${kinit} --password-file=${objdir}/foopassword rename@${R2} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} +${kadmin} delete rename@${R2} || exit 1 + +echo deleting all but aes enctypes on krbtgt +${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1 + +echo deleting all but des enctypes on server-des3 +${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1 +${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1 + +echo "try all permutations (only aes)"; > messages.log +for a in $enctypes; do + echo "Getting client initial tickets ($a)"; > messages.log + ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\ + { ec=1 ; eval "${testfailed}"; } + for b in $enctypes; do + echo "Getting tickets ($a -> $b)"; > messages.log + ${kgetcred} -e $b ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + + echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log + ${kgetcred} ${server}-des3@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ./ap-req ${server}-des3@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } + + ${kdestroy} --credential=${server}@${R} + ${kdestroy} --credential=${server}-des3@${R} + done + ${kdestroy} +done + +echo deleting all enctypes on krbtgt +${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ + { ec=1 ; eval "${testfailed}"; } +echo "try initial ticket w/o and keys on krbtgt" +${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } +echo "adding random aes key" +${kadmin} add_enctype -r 
krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ + { ec=1 ; eval "${testfailed}"; } +echo "try initial ticket with random aes key on krbtgt" +${kinit} --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + +rsa=yes +pkinit=no +if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then + rsa=no +fi +if ${hxtool} info | grep 'rand: not available' > /dev/null ; then + rsa=no +fi +if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then + pkinit=yes +fi + +# If we support pkinit and have RSA, lets try that +if test "$pkinit" = yes -a "$rsa" = yes ; then + + for type in "" "--pk-use-enckey"; do + echo "Trying pk-init (principal in certificate) $type"; > messages.log + base="${srcdir}/../../lib/hx509/data" + ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log + ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit.key foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (password protected key) $type"; > messages.log + ${kinit} $type -C FILE:${base}/pkinit.crt,${base}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + echo "Trying pk-init (proxy cert) $type"; > messages.log + base="${srcdir}/../../lib/hx509/data" + ${kinit} $type -C FILE:${base}/pkinit-proxy-chain.crt,${base}/pkinit-proxy.key foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + + done +else + echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log +fi + +echo "tickets for impersonate test case"; > messages.log +${kinit} 
--forwardable --password-file=${objdir}/foopassword ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +./ap-req ${ps} ${keytab} ${ocache} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } +echo test constrained delegation +${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +./ap-req ${server}@${R} ${keytab} ${o2cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation impersonation (non forward)"; > messages.log +rm -f ocache.krb5 +${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log +rm -f ocache.krb5 +${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +${kdestroy} + +echo "check renewing" > messages.log +${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "kinit -R" +${kinit} -R || \ + { ec=1 ; eval "${testfailed}"; } +echo "check renewing MIT interface" > messages.log +${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ + { ec=1 ; eval "${testfailed}"; } +echo "test_renew" +env 
KRB5CCNAME=${cache} ${test_renew} || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +echo "killing kdc (${kdcpid})" +kill $kdcpid || exit 1 + +trap "" EXIT + +exit $ec diff --git a/tests/kdc/check-keys.in b/tests/kdc/check-keys.in new file mode 100644 index 000000000000..596c9ca5c888 --- /dev/null +++ b/tests/kdc/check-keys.in 
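Review bot: The negative cases in check-kdc.in (the ticket request after `remove@${R}` is deleted, `--impersonate=bar@${R} foo@${R}`, the delegation request for `bar@${R}`, and the two kimpersonate-built constrained-delegation requests) accept any non-zero exit from kgetcred and send stderr to /dev/null, so a KDC that has crashed or is unreachable looks the same as one that correctly refused the request. Because these are the steps that guard impersonation and constrained-delegation policy, they should capture the error and match it, the way check-kadmin compares its output with `donotexists.txt`: `... 2> kgetcred.err && { ec=1 ; eval "${testfailed}"; }` followed by `${EGREP} '<expected refusal text>' kgetcred.err > /dev/null || { ec=1 ; eval "${testfailed}"; }`. Separately, `echo "check renewing" > messages.log` and the "check renewing MIT interface" line are missing the `;` used by every other step, so the label is written into the log instead of being printed before the log is truncated.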
@@ -0,0 +1,101 @@ +#!/bin/sh +# +# Copyright (c) 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. 
+# +# $Id$ +# + +srcdir="@srcdir@" +objdir="@objdir@" +EGREP="@EGREP@" + +# If there is no useful db support compile in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE +principal=host/datan.test.h5l.se@${R} + +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -r $R -l" + +CIN=${srcdir}/krb5.conf.keys.in +COUT=${objdir}/krb5.conf.keys + +sedvars="-e s,[@]srcdir[@],${srcdir},g -e s,[@]objdir[@],${objdir},g" + +KRB5_CONFIG="${COUT}" +export KRB5_CONFIG + +rm -f ${COUT} +rm -f current-db* +rm -f out-* +rm -f mkey.file* +rm -f messages.log + +sed -e 's/@keys@/v5/' \ + ${sedvars} < ${CIN} > ${COUT} + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} add -p foo --use-defaults ${principal} || exit 1 + +${kadmin} cpw -p foo ${principal} || exit 1 + +sed -e 's/@keys@/v4/' \ + ${sedvars} < ${CIN} > ${COUT} +${kadmin} cpw -p foo ${principal} || exit 1 + +sed -e 's/@keys@/v4 v5/' \ + ${sedvars} < ${CIN} > ${COUT} +${kadmin} cpw -p foo ${principal} || exit 1 + +sed -e 's/@keys@/v5 v4/' \ + ${sedvars} < ${CIN} > ${COUT} +${kadmin} cpw -p foo ${principal} || exit 1 + +sed -e 's/@keys@/des:pw-salt:/' \ + ${sedvars} < ${CIN} > ${COUT} +${kadmin} cpw -p foo ${principal} || exit 1 + +sed -e 's/@keys@/des-cbc-crc:afs3-salt:test.h5l.se/' \ + ${sedvars} < ${CIN} > ${COUT} +${kadmin} cpw -p foo ${principal} || exit 1 + +sed -e 's/@keys@/des:afs3-salt:test.h5l.se/' \ + ${sedvars} < ${CIN} > ${COUT} +${kadmin} cpw -p foo ${principal} || exit 1 + +exit 0 diff --git a/tests/kdc/check-pkinit.in b/tests/kdc/check-pkinit.in new file mode 100644 index 000000000000..3ae5a74caeaf --- /dev/null +++ b/tests/kdc/check-pkinit.in 
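Review bot: Each step in check-keys.in only checks that `kadmin cpw` exits 0, so the script would presumably still pass if the `@keys@` value written into `${COUT}` were ignored and the principal simply got default key types. After each `cpw`, read the principal back and compare its key types with what that step configured, for example `${kadmin} get ${principal} | grep Keytypes: > keys.out || exit 1` followed by a `cmp` against an expected file; check-kdc.in already extracts the same `Keytypes:` line. The `sed ... > ${COUT}` lines also carry no `|| exit 1`, so a failed substitution leaves a truncated config for the next `cpw` to run against.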
@@ -0,0 +1,273 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2008 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. 
+# +# $Id: check-pkinit.in 22474 2008-01-17 11:16:25Z lha $ +# + +srcdir="@srcdir@" +objdir="@objdir@" +EGREP="@EGREP@" + +testfailed="echo test failed; cat messages.log; exit 1" + +# If there is no useful db support compile in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE + +port=@port@ + +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" + +server=host/datan.test.h5l.se +cache="FILE:${objdir}/cache.krb5" +keyfile="${srcdir}/../../lib/hx509/data/key.der" +keyfile2="${srcdir}/../../lib/hx509/data/key2.der" + +kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog" +kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache" +kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog" +hxtool="${TESTS_ENVIRONMENT} ../../lib/hx509/hxtool" + +KRB5_CONFIG="${objdir}/krb5-pkinit.conf" +export KRB5_CONFIG + +rsa=yes +pkinit=no +if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then + rsa=no +fi +if ${hxtool} info | grep 'rand: not available' > /dev/null ; then + rsa=no +fi + +if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then + pkinit=yes +fi + +# If we doesn't support pkinit and have RSA, give up +if test "$pkinit" != yes -o "$rsa" != yes ; then + exit 77 +fi + + +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} add -p bar --use-defaults bar@${R} || exit 1 +${kadmin} add -p baz --use-defaults baz@${R} || exit 1 +${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1 + +${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 + +echo "Setting up certificates" +${hxtool} request-create \ + 
--subject="CN=kdc,DC=test,DC=h5l,DC=se" \ + --key=FILE:${keyfile2} \ + req-kdc.der || exit 1 +${hxtool} request-create \ + --subject="CN=bar,DC=test,DC=h5l,DC=se" \ + --key=FILE:${keyfile2} \ + req-pkinit.der || exit 1 +${hxtool} request-create \ + --subject="CN=baz,DC=test,DC=h5l,DC=se" \ + --key=FILE:${keyfile2} \ + req-pkinit2.der || exit 1 + +echo "issue self-signed ca cert" +${hxtool} issue-certificate \ + --self-signed \ + --issue-ca \ + --ca-private-key=FILE:${keyfile} \ + --subject="CN=CA,DC=test,DC=h5l,DC=se" \ + --certificate="FILE:ca.crt" || exit 1 + +echo "issue kdc certificate" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-kdc" \ + --pk-init-principal="krbtgt/TEST.H5L.SE@TEST.H5L.SE" \ + --req="PKCS10:req-kdc.der" \ + --certificate="FILE:kdc.crt" || exit 1 + +echo "issue user certificate (pkinit san)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --pk-init-principal="bar@TEST.H5L.SE" \ + --req="PKCS10:req-pkinit.der" \ + --certificate="FILE:pkinit.crt" || exit 1 + +echo "issue user 2 certificate (no san)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --req="PKCS10:req-pkinit2.der" \ + --certificate="FILE:pkinit2.crt" || exit 1 + +echo "issue user 3 certificate (ms san)" +${hxtool} issue-certificate \ + --ca-certificate=FILE:$objdir/ca.crt,${keyfile} \ + --type="pkinit-client" \ + --ms-upn="bar@test.h5l.se" \ + --req="PKCS10:req-pkinit2.der" \ + --certificate="FILE:pkinit3.crt" || exit 1 + + +echo foo > ${objdir}/foopassword + +echo Starting kdc +${kdc} & +kdcpid=$! + +sh ${srcdir}/wait-kdc.sh +if [ "$?" 
!= 0 ] ; then + kill ${kdcpid} + exit 1 +fi + +trap "kill ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt ;exit 1;" EXIT + +ec=0 + +echo "Trying pk-init (principal in cert)"; > messages.log +base="${objdir}" +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (principal in pki-mapping file) "; > messages.log +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (principal subject in DB)"; > messages.log +${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (ms upn)"; > messages.log +${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +KRB5_CONFIG="${objdir}/krb5-pkinit-win.conf" +export KRB5_CONFIG + +echo "Duplicated tests, now in windows 2000 mode" + +echo "Trying pk-init (principal in cert)"; > messages.log +base="${objdir}" +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (principal in pki-mapping file) "; > messages.log +${kinit} -C FILE:${base}/pkinit.crt,${keyfile2} foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Trying pk-init (principal subject in DB)"; > messages.log +${kinit} -C FILE:${base}/pkinit2.crt,${keyfile2} baz@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo 
"Trying pk-init (ms upn)"; > messages.log +${kinit} -C FILE:${base}/pkinit3.crt,${keyfile2} bar@${R} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +KRB5_CONFIG="${objdir}/krb5-pkinit.conf" +export KRB5_CONFIG + +echo "Trying PKCS11 support" + +cat > test-rc-file.rc <<EOF +certificate cert User certificate FILE:${base}/pkinit.crt,${keyfile2} +app-fatal true +EOF + +SOFTPKCS11RC="test-rc-file.rc" +export SOFTPKCS11RC + +dir=${base}/../../lib/hx509 +file= + +for a in libhx509.so .libs/libhx509.so libhx509.dylib .libs/libhx509.dylib ; do + if [ -f $dir/$a ] ; then + file=$dir/$a + break + fi +done + +if [ X"$file" != X -a @DLOPEN@ ] ; then + + echo "Trying pk-init (principal in pki-mapping file) "; > messages.log + ${kinit} -C PKCS11:${file} foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } + ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } + ${kdestroy} + +fi + + +echo "killing kdc (${kdcpid})" +kill $kdcpid || exit 1 + +trap "" EXIT + +exit $ec diff --git a/tests/kdc/check-referral.in b/tests/kdc/check-referral.in new file mode 100644 index 000000000000..fa8be43e8ef6 --- /dev/null +++ b/tests/kdc/check-referral.in 
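Review bot: In `if [ X"$file" != X -a @DLOPEN@ ] ; then` the substituted value is evaluated by test(1) as a string operand rather than run as a command, so if `@DLOPEN@` is replaced with the words `true`/`false` (as the sed rule in this commit's Makefile.am suggests), the `false` case is still a non-empty string and the PKCS11 block runs on builds without dlopen support. Running it as a command gives the intended gate: `if [ X"$file" != X ] && @DLOPEN@ ; then`. The CA in this script is signed with `${keyfile}` from the source tree's hx509 test data, so a comment near the "issue self-signed ca cert" step such as `# test-only CA: key.der is published test data; never use ca.crt as a trust anchor elsewhere` would be worth adding.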
@@ -0,0 +1,200 @@ +#!/bin/sh +# +# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan +# (Royal Institute of Technology, Stockholm, Sweden). +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# 3. Neither the name of the Institute nor the names of its contributors +# may be used to endorse or promote products derived from this software +# without specific prior written permission. +# +# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE +# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE +# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL +# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS +# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY +# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF +# SUCH DAMAGE. 
+# +# $Id: check-referral.in 21854 2007-08-08 06:58:49Z lha $ +# + +srcdir="@srcdir@" +objdir="@objdir@" +EGREP="@EGREP@" + +testfailed="echo test failed; cat messages.log; exit 1" + +# If there is no useful db support compile in, disable test +../db/have-db || exit 77 + +R=TEST.H5L.SE +R2=SUB.TEST.H5L.SE + +service=ldap/host.sub.test.h5l.se + +port=@port@ + +kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R" +kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port" + +cache="FILE:${objdir}/cache.krb5" + +kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache --no-afslog" +klist="${TESTS_ENVIRONMENT} ../../kuser/klist -c $cache" +kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache" +kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog" + + +KRB5_CONFIG="${objdir}/krb5.conf" +export KRB5_CONFIG + +rm -f ${keytabfile} +rm -f current-db* +rm -f out-* +rm -f mkey.file* + +> messages.log + +echo Creating database +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R} || exit 1 + +${kadmin} \ + init \ + --realm-max-ticket-life=1day \ + --realm-max-renewable-life=1month \ + ${R2} || exit 1 + +${kadmin} add -p foo --use-defaults foo@${R} || exit 1 +${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1 + +${kadmin} add -p foo --use-defaults ${service}@${R2} || exit 1 + +${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 +${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 + +echo "Doing database check" +${kadmin} check ${R} || exit 1 +${kadmin} check ${R2} || exit 1 + +echo foo > ${objdir}/foopassword + +echo Starting kdc +${kdc} & +kdcpid=$! + +sh ${srcdir}/wait-kdc.sh +if [ "$?" 
!= 0 ] ; then + kill ${kdcpid} + exit 1 +fi + +trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT + +ec=0 + +echo "Test AS-REQ" + +echo "Getting client (no canon)"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client client tickets (default realm, enterprisename)"; > messages.log +${kinit} --canonicalize \ + --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client alias1 tickets"; > messages.log +${kinit} --canonicalize \ + --password-file=${objdir}/foopassword foo@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + + +echo "Getting client alias2 tickets"; > messages.log +${kinit} --canonicalize \ + --password-file=${objdir}/foopassword alias2@${R}@${R} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${kdestroy} + +echo "Getting client alias1 tickets (non canon case)"; > messages.log +${kinit} --password-file=${objdir}/foopassword \ + alias1@${R}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "Getting client alias2 tickets (removed)"; > messages.log +${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; } +${kinit} --canonicalize \ + --password-file=${objdir}/foopassword \ + alias2@${R}@${R} > /dev/null 2>/dev/null && \ + { ec=1 ; eval "${testfailed}"; } + +echo "Remove alias" +${kadmin} 
modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; } + +echo "Test TGS-REQ" + +#echo "Getting client for ${service}@${R} (kdc referral)" +#> messages.log +#${kinit} --password-file=${objdir}/foopassword foo@${R} || \ +# { ec=1 ; eval "${testfailed}"; } +#${kgetcred} --server ${service}@${R} || +# { ec=1 ; eval "${testfailed}"; } +#${klist} +#echo "checking that we got back right principal" +#${klist} | grep "${service}@${R2}" > /dev/null || \ +# { ec=1 ; eval "${testfailed}"; } +#${kdestroy} +# +#echo "Getting client for ${service}@${R2} (client side guessing)" +#> messages.log +#${kinit} --password-file=${objdir}/foopassword foo@${R} || \ +# { ec=1 ; eval "${testfailed}"; } +#${kgetcred} --server ${service}@${R2} || +# { ec=1 ; eval "${testfailed}"; } +#${klist} +#echo "checking that we got back right principal" +#${klist} | grep "${service}@${R2}" > /dev/null || \ +# { ec=1 ; eval "${testfailed}"; } +#${kdestroy} + + +echo "killing kdc (${kdcpid})" +kill $kdcpid || exit 1 + +trap "" EXIT + +exit $ec diff --git a/tests/kdc/check-uu.in b/tests/kdc/check-uu.in new file mode 100644 index 000000000000..c9aeb7b9de5c --- /dev/null +++ b/tests/kdc/check-uu.in 
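Review bot: The step labelled "Getting client alias1 tickets" requests `foo@${R}`, identical to the step before it, so canonicalization of alias1 is never exercised on the success path; judging from the alias2 step it was presumably meant to read `--password-file=${objdir}/foopassword alias1@${R}@${R} || \`. The two negative steps (alias1 without `--canonicalize`, alias2 after the alias list is replaced) discard stderr and accept any failure, so they cannot tell a refused alias from an unreachable KDC. `rm -f ${keytabfile}` also expands to a bare `rm -f` here, because `keytabfile` is never assigned in this script.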
@@ -0,0 +1,138 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id: check-uu.in 21855 2007-08-08 06:59:09Z lha $
+#
+
+srcdir="@srcdir@"
+objdir="@objdir@"
+EGREP="@EGREP@"
+
+testfailed="echo test failed; cat messages.log; exit 1"
+
+# If there is no useful db support compile in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+uuspid=
+
+port=@port@
+
+kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
+kdc="${TESTS_ENVIRONMENT} ../../kdc/kdc --addresses=localhost -P $port"
+
+cache1="FILE:${objdir}/cache1.krb5"
+cache2="FILE:${objdir}/cache2.krb5"
+
+kinit1="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache1 --no-afslog"
+kinit2="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache2 --no-afslog"
+kdestroy1="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache1 --no-unlog"
+kdestroy2="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache2 --no-unlog"
+uu_server="${TESTS_ENVIRONMENT} ../../appl/test/uu_server"
+uu_client="${TESTS_ENVIRONMENT} ../../appl/test/uu_client"
+
+
+KRB5_CONFIG="${objdir}/krb5.conf"
+export KRB5_CONFIG
+
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+${kadmin} \
+ init \
+ --realm-max-ticket-life=1day \
+ --realm-max-renewable-life=1month \
+ ${R} || exit 1
+
+${kadmin} add -p foo --use-defaults user1@${R} || exit 1
+${kadmin} add -p foo --use-defaults user2@${R} || exit 1
+
+echo "Doing database check"
+${kadmin} check ${R} || exit 1
+
+echo foo > ${objdir}/foopassword
+
+echo Starting kdc
+${kdc} &
+kdcpid=$!
+
+sh ${srcdir}/wait-kdc.sh
+if [ "$?" != 0 ] ; then
+ kill ${kdcpid}
+ exit 1
+fi
+
+trap "kill ${kdcpid} ${uuspid}; echo signal killing kdc; exit 1;" EXIT
+
+ec=0
+
+echo "Getting client initial tickets user1"; > messages.log
+${kinit1} --password-file=${objdir}/foopassword user1@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+echo "Getting client initial tickets user2"; > messages.log
+${kinit2} --password-file=${objdir}/foopassword user2@$R || \
+ { ec=1 ; eval "${testfailed}"; }
+
+
+echo "starting uu server (using user1)"
+KRB5CCNAME=$cache1 ${uu_server} > uuserver.log &
+uuspid=$!
+sleep 5
+
+echo "trying to contact server with client (using user2)"
+KRB5CCNAME=$cache2 ${uu_client} localhost > messages.log 2>&1 || \
+ { ec=1; eval "${testfailed}"; }
+
+sleep 5
+
+echo "checking if server got the right message"
+cmp uuserver.log ${srcdir}/uuserver.txt || \
+ { ec=1; eval "${testfailed}"; }
+
+uuspid=""
+
+${kdestroy1}
+${kdestroy2}
+
+echo "killing kdc uu_server (${kdcpid} ${uuspid})"
+kill $kdcpid $uuspid || exit 1
+
+trap "" EXIT
+
+exit $ec
diff --git a/tests/kdc/donotexists.txt b/tests/kdc/donotexists.txt
new file mode 100644
index 000000000000..529439725653
--- /dev/null
+++ b/tests/kdc/donotexists.txt
@@ -0,0 +1 @@
+kadmin: get doesnotexists@TEST.H5L.SE: Principal does not exist
diff --git a/tests/kdc/heimdal.acl b/tests/kdc/heimdal.acl
new file mode 100644
index 000000000000..c4bd35abf9a7
--- /dev/null
+++ b/tests/kdc/heimdal.acl
@@ -0,0 +1,3 @@
+# $Id$
+foo/admin@TEST.H5L.SE all
+bar@TEST.H5L.SE all
diff --git a/tests/kdc/iprop-acl b/tests/kdc/iprop-acl
new file mode 100644
index 000000000000..d43f882d1d59
--- /dev/null
+++ b/tests/kdc/iprop-acl
@@ -0,0 +1 @@
+iprop/slave@TEST.H5L.SE
diff --git a/tests/kdc/krb5-pkinit.conf.in b/tests/kdc/krb5-pkinit.conf.in
new file mode 100644
index 000000000000..c7144268c7c9
--- /dev/null
+++ b/tests/kdc/krb5-pkinit.conf.in
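Review bot: In check-uu.in the EXIT trap is installed with double quotes while `uuspid` is still empty, so `${uuspid}` is expanded when the trap is set and the trap can only ever kill the KDC. If a step fails after `uu_server` has been started, the `eval "${testfailed}"` path exits and leaves that server running in the background with user1's credential cache. Single-quote the trap so both PIDs are read when it fires: `trap 'kill ${kdcpid} ${uuspid}; echo signal killing kdc; exit 1;' EXIT`. The `uuspid=""` reset before the final `kill $kdcpid $uuspid` suggests the server is expected to have exited on its own by then; a one-line comment saying so would make that intent checkable.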
@@ -0,0 +1,33 @@
+# $Id: krb5-pkinit.conf.in 20738 2007-05-31 16:52:40Z lha $
+
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+
+[appdefaults]
+ pkinit_anchors = FILE:@objdir@/ca.crt
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ pkinit_win2k = @w2k@
+ }
+
+[kdc]
+ enable-pkinit = true
+ pkinit_identity = FILE:@objdir@/kdc.crt,@srcdir@/../../lib/hx509/data/key2.der
+ pkinit_anchors = FILE:@objdir@/ca.crt
+ pkinit_mappings_file = @srcdir@/pki-mapping
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ }
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+ save-password = true
diff --git a/tests/kdc/krb5.conf.in b/tests/kdc/krb5.conf.in
new file mode 100644
index 000000000000..eeb5650f0d19
--- /dev/null
+++ b/tests/kdc/krb5.conf.in
@@ -0,0 +1,56 @@
+# $Id: krb5.conf.in 21754 2007-07-31 21:13:56Z lha $
+
+[libdefaults]
+ default_realm = TEST.H5L.SE
+ no-addresses = TRUE
+
+[appdefaults]
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = localhost:@port@
+ admin_server = localhost:@admport@
+ }
+ SUB.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
+ TEST2.H5L.SE = {
+ kdc = localhost:@port@
+ }
+
+[domain_realms]
+ .sub.test.h5l.se = SUB.TEST.H5L.SE
+ localhost = TEST.H5L.SE
+
+
+[kdc]
+ enable-digest = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ dbname = @objdir@/current-db@kdc@
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ log_file = @objdir@/current@kdc@.log
+ }
+
+ signal_socket = @objdir@/signal
+ iprop-stats = @objdir@/iprop-stats
+ iprop-acl = @srcdir@/iprop-acl
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+[kadmin]
+ save-password = true
diff --git a/tests/kdc/krb5.conf.keys.in b/tests/kdc/krb5.conf.keys.in
new file mode 100644
index 000000000000..f02ecc74b55b
--- /dev/null
+++ b/tests/kdc/krb5.conf.keys.in
@@ -0,0 +1,13 @@
+# $Id$
+
+[kdc]
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ acl_file = @srcdir@/heimdal.acl
+ }
+
+
+[kadmin]
+ default_keys = @keys@
diff --git a/tests/kdc/ntlm-user-file.txt b/tests/kdc/ntlm-user-file.txt
new file mode 100644
index 000000000000..abf33e6e7d02
--- /dev/null
+++ b/tests/kdc/ntlm-user-file.txt
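Review bot: The `[kdc]` section of krb5.conf.in lists `chap-md5`, `ntlm-v1` and `ms-chap-v2` in `digests_allowed`, sets `pkinit_allow_proxy_certificate = true` and leaves `pkinit_revoke` commented out, and nothing in the file says these are test-only choices. A header comment such as `# Test fixture for tests/kdc: legacy digests and proxy certificates are enabled only so the check-* scripts can exercise them; not a template for a deployed KDC.` would keep the file from being copied as it stands. The commented-out `pkinit_revoke` line should either be removed or carry a short reason why revocation checking is not exercised here. `save-password = true` under `[kadmin]` also appears in krb5-pkinit.conf.in and deserves the same kind of comment there.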
@@ -0,0 +1,2 @@
+# $Id: ntlm-user-file.txt 19523 2006-12-28 10:20:00Z lha $
+TEST:foo:digestpassword
diff --git a/tests/kdc/pki-mapping b/tests/kdc/pki-mapping
new file mode 100644
index 000000000000..af8099cd452f
--- /dev/null
+++ b/tests/kdc/pki-mapping
@@ -0,0 +1,3 @@
+# $Id: pki-mapping 19661 2007-01-04 01:58:01Z lha $
+foo@TEST.H5L.SE:CN=pkinit,C=SE
+foo@TEST.H5L.SE:CN=bar,DC=test,DC=h5l,DC=se
diff --git a/tests/kdc/uuserver.txt b/tests/kdc/uuserver.txt
new file mode 100644
index 000000000000..2c191bf3b750
--- /dev/null
+++ b/tests/kdc/uuserver.txt
@@ -0,0 +1,4 @@
+User is `user2@TEST.H5L.SE'
+Server is `user1@TEST.H5L.SE'
+safe packet: hej
+priv packet: hemligt
diff --git a/tests/kdc/wait-kdc.sh b/tests/kdc/wait-kdc.sh
new file mode 100644
index 000000000000..814b4b5e52b6
--- /dev/null
+++ b/tests/kdc/wait-kdc.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+#
+# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id: wait-kdc.sh 21881 2007-08-09 07:14:08Z lha $
+#
+
+name=${1:-KDC}
+log=${2:-messages.log}
+
+t=0
+waitsec=20
+
+echo "Waiting for ${name} to start, looking logfile ${log}"
+
+while true ; do
+ t=`expr ${t} + 2`
+ sleep 2
+ echo "Have waited $t seconds"
+ if tail -30 ${log} | grep "${name} started" > /dev/null; then
+ break
+ fi
+ if tail -30 ${log} | grep "No sockets" ; then
+ echo "The ${name} failed to bind to any sockets, another ${name} running ?"
+ exit 1
+ fi
+ if tail -30 ${log} | grep "bind" | grep "Operation not permitted" ; then
+ echo "The ${name} failed to bind to any sockets, another ${name} running ?"
+ exit 1
+ fi
+ if [ "$t" -gt $waitsec ]; then
+ echo "Waited for $waitsec for the ${name} to start, and it didnt happen"
+ exit 2
+ fi
+done
+
+exit 0
\ No newline at end of file |
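Review bot: wait-kdc.sh accepts any `${name} started` line in the last 30 lines of `${log}` as proof of readiness, so a line left by an earlier instance ends the loop before the new daemon is listening; neither the PID nor the port is checked. check-uu.in truncates messages.log before creating the database, but that precondition is not written down, so add a header comment such as `# The caller must truncate ${log} before starting ${name}; a stale "started" line is read as success.` The three `tail -30 ${log}` calls also leave the path unquoted, and `tail -30 "${log}"` would handle an objdir containing spaces. The `Operation not permitted` branch prints the same "another ${name} running ?" text as the `No sockets` branch, which points the reader at the wrong cause.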