1#!/bin/sh 2# 3# Copyright (c) 2006 - 2007 Kungliga Tekniska Högskolan 4# (Royal Institute of Technology, Stockholm, Sweden). 5# All rights reserved. 6# 7# Redistribution and use in source and binary forms, with or without 8# modification, are permitted provided that the following conditions 9# are met: 10# 11# 1. Redistributions of source code must retain the above copyright 12# notice, this list of conditions and the following disclaimer. 13# 14# 2. Redistributions in binary form must reproduce the above copyright 15# notice, this list of conditions and the following disclaimer in the 16# documentation and/or other materials provided with the distribution. 17# 18# 3. Neither the name of the Institute nor the names of its contributors 19# may be used to endorse or promote products derived from this software 20# without specific prior written permission. 21# 22# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 23# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 24# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 25# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 26# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 27# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 28# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 29# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 30# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 31# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 32# SUCH DAMAGE. 33 34top_builddir="@top_builddir@" 35env_setup="@env_setup@" 36objdir="@objdir@" 37 38. ${env_setup} 39 40KRB5_CONFIG="${1-${objdir}/krb5.conf}" 41export KRB5_CONFIG 42 43testfailed="echo test failed; cat messages.log; exit 1" 44 45# If there is no useful db support compile in, disable test 46${have_db} || exit 77 47 48R=TEST.H5L.SE 49R2=TEST2.H5L.SE 50R3=TEST-HTTP.H5L.SE 51 52port=@port@ 53 54kadmin="${kadmin} -l -r $R" 55kdc="${kdc} --addresses=localhost -P $port" 56 57server=host/datan.test.h5l.se 58server2=host/computer.example.com 59serverip=host/10.11.12.13 60serveripname=host/ip.test.h5l.org 61serveripname2=host/10.11.12.14 62alias1=host/datan.example.com 63alias2=host/datan 64aliaskeytab=host/datan 65cache="FILE:${objdir}/cache.krb5" 66ocache="FILE:${objdir}/ocache.krb5" 67o2cache="FILE:${objdir}/o2cache.krb5" 68icache="FILE:${objdir}/icache.krb5" 69keytabfile=${objdir}/server.keytab 70keytab="FILE:${keytabfile}" 71ps="proxy-service@${R}" 72aesenctype="aes256-cts-hmac-sha1-96" 73 74kinit="${kinit} -c $cache ${afs_no_afslog}" 75klist="${klist} -c $cache" 76kgetcred="${kgetcred} -c $cache" 77kgetcred_imp="${kgetcred} -c $cache --out-cache=${ocache}" 78kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" 79kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}" 80 81rm -f ${keytabfile} 82rm -f current-db* 83rm -f out-* 84rm -f mkey.file* 85 86> messages.log 87 88echo Creating database 89${kadmin} \ 90 init \ 91 --realm-max-ticket-life=1day \ 92 --realm-max-renewable-life=1month \ 93 ${R} || exit 1 94 95${kadmin} \ 96 init \ 97 --realm-max-ticket-life=1day \ 98 --realm-max-renewable-life=1month \ 99 ${R2} || exit 1 100 101${kadmin} \ 102 init \ 103 --realm-max-ticket-life=1day \ 104 --realm-max-renewable-life=1month \ 105 ${R3} || exit 1 106 107${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 108${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 109${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 110${kadmin} cpw -r krbtgt/${R}@${R} || exit 1 111 112${kadmin} add -p foo --use-defaults foo@${R} || exit 1 113${kadmin} add -p bar --use-defaults bar@${R} || exit 1 114${kadmin} add -p foo --use-defaults remove@${R} || exit 1 115${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1 116${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1 117${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1 118${kadmin} add -p foo --use-defaults ${ps} || exit 1 119${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1 120${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1 121${kadmin} ext -k ${keytab} ${server}@${R} || exit 1 122${kadmin} ext -k ${keytab} ${ps} || exit 1 123 124${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 125${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 126${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1 127${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1 128${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1 129${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1 130${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R} 131${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1 132 133${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1 134${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1 135${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R} 136 137${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1 138${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1 139 140${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1 141${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1 142 143${kadmin} add -p foo --use-defaults foo@${R3} || exit 1 144 145echo "Check parser" 146${kadmin} add -p foo --use-defaults -- -p || exit 1 147${kadmin} delete -- -p || exit 1 148 149echo "Doing database check" 150${kadmin} check ${R} || exit 1 151${kadmin} check ${R2} || exit 1 152 153echo "Extracting enctypes" 154${ktutil} -k ${keytab} list > tempfile || exit 1 155${EGREP} -v '^FILE:' tempfile | ${EGREP} -v '^Vno' | ${EGREP} -v '^$' | \ 156 awk '$1 !~ /1/ { exit 1 }' || exit 1 157 158${kadmin} get foo@${R} > tempfile || exit 1 159enctypes=`grep Keytypes: tempfile | sed 's/(pw-salt)//g' | sed 's/,//g' | sed 's/Keytypes://'` 160 161enctype_sans_aes=`echo $enctypes | sed 's/aes[^ ]*//g'` 162enctype_sans_des3=`echo $enctypes | sed 's/des3-cbc-sha1//g'` 163 164echo "deleting all but des enctypes on kt-des3 in keytab" 165${kadmin} ext -k ${keytab} kt-des3@${R} || exit 1 166for a in ${enctype_sans_des3} ; do 167 ${ktutil} -k ${keytab} remove -p kt-des3@${R} -e $a 168done 169 170echo foo > ${objdir}/foopassword 171 172echo Starting kdc 173env MallocStackLogging=1 MallocStackLoggingNoCompact=1 MallocErrorAbort=1 MallocLogFile=${objdir}/malloc-log \ 174${kdc} & 175kdcpid=$! 176 177sh ${wait_kdc} 178if [ "$?" != 0 ] ; then 179 kill -9 ${kdcpid} 180 exit 1 181fi 182 183trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT 184 185ec=0 186 187echo "Getting client initial tickets"; > messages.log 188${kinit} --password-file=${objdir}/foopassword foo@$R || \ 189 { ec=1 ; eval "${testfailed}"; } 190echo "Getting tickets"; > messages.log 191${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 192echo "Listing tickets"; > messages.log 193${klist} > /dev/null || { ec=1 ; eval "${testfailed}"; } 194${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 195 { ec=1 ; eval "${testfailed}"; } 196${kdestroy} 197 198echo "Getting client initial tickets (http transport)"; > messages.log 199${kinit} --password-file=${objdir}/foopassword foo@${R3} || \ 200 { ec=1 ; eval "${testfailed}"; } 201${kdestroy} 202 203echo "Specific enctype"; > messages.log 204${kinit} --password-file=${objdir}/foopassword \ 205 -e ${aesenctype} -e ${aesenctype} \ 206 foo@$R || \ 207 { ec=1 ; eval "${testfailed}"; } 208 209for a in $enctypes; do 210 echo "Getting client initial tickets ($a)"; > messages.log 211 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 212 echo "Getting tickets"; > messages.log 213 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 214 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || { ec=1 ; eval "${testfailed}"; } 215 ${kdestroy} 216done 217 218 219echo "Getting client initial tickets"; > messages.log 220${kinit} --password-file=${objdir}/foopassword foo@$R || \ 221 { ec=1 ; eval "${testfailed}"; } 222for a in $enctypes; do 223 echo "Getting tickets ($a)"; > messages.log 224 ${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 225 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 226 { ec=1 ; eval "${testfailed}"; } 227 ${kdestroy} --credential=${server}@${R} 228done 229${kdestroy} 230 231echo "Getting client initial tickets for cross realm case"; > messages.log 232${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 233for a in $enctypes; do 234 echo "Getting cross realm tickets ($a)"; > messages.log 235 ${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; } 236 echo " checking we we got back right ticket" 237 ${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 238 echo " checking if ticket is useful" 239 ${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \ 240 { ec=1 ; eval "${testfailed}"; } 241 ${kdestroy} --credential=${server2}@${R2} 242done 243${kdestroy} 244 245echo "try all permutations"; > messages.log 246for a in $enctypes; do 247 echo "Getting client initial tickets ($a)"; > messages.log 248 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@$R || \ 249 { ec=1 ; eval "${testfailed}"; } 250 for b in $enctypes; do 251 echo "Getting tickets ($a -> $b)"; > messages.log 252 ${kgetcred} -e $b ${server}@${R} || \ 253 { ec=1 ; eval "${testfailed}"; } 254 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 255 { ec=1 ; eval "${testfailed}"; } 256 ${kdestroy} --credential=${server}@${R} 257 done 258 ${kdestroy} 259done 260 261echo "Getting client initial tickets ip based name"; > messages.log 262${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 263echo "Getting ip based name tickets"; > messages.log 264${kgetcred} ${serverip}@${R} || { ec=1 ; eval "${testfailed}"; } 265echo " checking we we got back right ticket" 266${klist} | grep ${serverip}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 267echo " checking if ticket is useful" 268${test_ap_req} ${serverip}@${R} ${keytab} ${cache} || \ 269 { ec=1 ; eval "${testfailed}"; } 270${kdestroy} 271 272echo "Getting client initial tickets ip based name (alias)"; > messages.log 273${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; } 274for a in ${serveripname} ${serveripname2} ; do 275 echo "Getting ip based name tickets (alias) $a"; > messages.log 276 ${kgetcred} ${a}@${R} || { ec=1 ; eval "${testfailed}"; } 277 echo " checking we we got back right ticket" 278 ${klist} | grep ${a}@ > /dev/null || { ec=1 ; eval "${testfailed}"; } 279 echo " checking if ticket is useful" 280 ${test_ap_req} --server-any ${a}@${R} ${keytab} ${cache} || \ 281 { ec=1 ; eval "${testfailed}"; } 282done 283${kdestroy} 284 285echo "Getting server initial tickets"; > messages.log 286${kinit} --keytab=${keytab} ${server}@$R || { ec=1 ; eval "${testfailed}"; } 287echo "Listing tickets"; > messages.log 288${klist} | grep "Principal: ${server}" > /dev/null || \ 289 { ec=1 ; eval "${testfailed}"; } 290${kdestroy} 291 292echo "Getting key for key that are a subset in keytab compared to kdb" 293${kinit} --keytab=${keytab} kt-des3@${R} 294${klist} | grep "Principal: kt-des3" > /dev/null || \ 295 { ec=1 ; eval "${testfailed}"; } 296${kdestroy} 297 298echo "initial tickets for deleted user test case"; > messages.log 299${kinit} --password-file=${objdir}/foopassword remove@$R || \ 300 { ec=1 ; eval "${testfailed}"; } 301${kadmin} delete remove@${R} || { ec=1 ; eval "${testfailed}"; } 302echo "try getting ticket with deleted user"; > messages.log 303${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; } 304${kdestroy} 305 306echo "cross realm case (deleted user)"; > messages.log 307${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \ 308 { ec=1 ; eval "${testfailed}"; } 309${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \ 310 { ec=1 ; eval "${testfailed}"; } 311${kadmin} delete remove2@${R2} || exit 1 312${kgetcred} ${server}@${R} 2> /dev/null || \ 313 { ec=1 ; eval "${testfailed}"; } 314${kdestroy} 315 316echo "rename user"; > messages.log 317${kadmin} add -p foo --use-defaults rename@${R} || exit 1 318${kinit} --password-file=${objdir}/foopassword rename@${R} || \ 319 { ec=1 ; eval "${testfailed}"; } 320${kadmin} rename rename@${R} rename2@${R} || exit 1 321${kinit} --password-file=${objdir}/foopassword rename2@${R} || \ 322 { ec=1 ; eval "${testfailed}"; } 323${kdestroy} 324${kadmin} delete rename2@${R} || exit 1 325 326echo "rename user to another realm"; > messages.log 327${kadmin} add -p foo --use-defaults rename@${R} || exit 1 328${kinit} --password-file=${objdir}/foopassword rename@${R} || \ 329 { ec=1 ; eval "${testfailed}"; } 330${kadmin} rename rename@${R} rename@${R2} || exit 1 331${kinit} --password-file=${objdir}/foopassword rename@${R2} || \ 332 { ec=1 ; eval "${testfailed}"; } 333${kdestroy} 334${kadmin} delete rename@${R2} || exit 1 335 336echo deleting all but aes enctypes on krbtgt 337${kadmin} del_enctype krbtgt/${R}@${R} ${enctype_sans_aes} || exit 1 338 339echo deleting all but des enctypes on server-des3 340${kadmin} del_enctype ${server}-des3@${R} ${enctype_sans_des3} || exit 1 341${kadmin} ext -k ${keytab} ${server}-des3@${R} || exit 1 342 343echo "try all permutations (only aes)"; > messages.log 344for a in $enctypes; do 345 echo "Getting client initial tickets ($a)"; > messages.log 346 ${kinit} --enctype=$a --password-file=${objdir}/foopassword foo@${R} ||\ 347 { ec=1 ; eval "${testfailed}"; } 348 for b in $enctypes; do 349 echo "Getting tickets ($a -> $b)"; > messages.log 350 ${kgetcred} -e $b ${server}@${R} || \ 351 { ec=1 ; eval "${testfailed}"; } 352 ${test_ap_req} ${server}@${R} ${keytab} ${cache} || \ 353 { ec=1 ; eval "${testfailed}"; } 354 355 echo "Getting tickets ($a -> $b) (server des3 only)"; > messages.log 356 ${kgetcred} ${server}-des3@${R} || \ 357 { ec=1 ; eval "${testfailed}"; } 358 ${test_ap_req} ${server}-des3@${R} ${keytab} ${cache} || \ 359 { ec=1 ; eval "${testfailed}"; } 360 361 ${kdestroy} --credential=${server}@${R} 362 ${kdestroy} --credential=${server}-des3@${R} 363 done 364 ${kdestroy} 365done 366 367echo deleting all enctypes on krbtgt 368${kadmin} del_enctype krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ 369 { ec=1 ; eval "${testfailed}"; } 370echo "try initial ticket w/o and keys on krbtgt" 371${kinit} --password-file=${objdir}/foopassword foo@${R} 2>/dev/null && \ 372 { ec=1 ; eval "${testfailed}"; } 373echo "adding random aes key" 374${kadmin} add_enctype -r krbtgt/${R}@${R} aes256-cts-hmac-sha1-96 || \ 375 { ec=1 ; eval "${testfailed}"; } 376echo "try initial ticket with random aes key on krbtgt" 377${kinit} --password-file=${objdir}/foopassword foo@${R} || \ 378 { ec=1 ; eval "${testfailed}"; } 379${kdestroy} 380 381rsa=yes 382ecdsa=yes 383pkinit=no 384if ${hxtool} info | grep 'rsa: hx509 null RSA' > /dev/null ; then 385 rsa=no 386fi 387if ${hxtool} info | grep 'rand: not available' > /dev/null ; then 388 rsa=no 389fi 390if ${kinit} --help 2>&1 | grep "CA certificates" > /dev/null; then 391 pkinit=yes 392fi 393 394if ${hxtool} info | grep 'ecdsa: hcrypto null' > /dev/null ; then 395 ecdsa=no 396fi 397 398 399# If we support pkinit and have RSA, lets try that 400if test "$pkinit" = yes -a "$rsa" = yes ; then 401 402 echo "try anonymous pkinit"; > messages.log 403 ${kinit} --anonymous ${R} || \ 404 { ec=1 ; eval "${testfailed}"; } 405 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 406 ${kdestroy} 407 408 for type in "" "--pk-use-enckey"; do 409 echo "Trying pk-init (principal in certificate) $type"; > messages.log 410 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key bar@${R} || \ 411 { ec=1 ; eval "${testfailed}"; } 412 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 413 ${kdestroy} 414 415 echo "Trying pk-init (principal in pki-mapping) $type"; > messages.log 416 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit.key foo@${R} || \ 417 { ec=1 ; eval "${testfailed}"; } 418 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 419 ${kdestroy} 420 421 echo "Trying pk-init (password protected key) $type"; > messages.log 422 ${kinit} $type -C FILE:${hx509_data}/pkinit.crt,${hx509_data}/pkinit-pw.key --password-file=${objdir}/foopassword foo@${R} || \ 423 { ec=1 ; eval "${testfailed}"; } 424 ${kgetcred} ${server}@${R} || \ 425 { ec=1 ; eval "${testfailed}"; } 426 ${kdestroy} 427 428 echo "Trying pk-init (proxy cert) $type"; > messages.log 429 ${kinit} $type -C FILE:${hx509_data}/pkinit-proxy-chain.crt,${hx509_data}/pkinit-proxy.key foo@${R} || \ 430 { ec=1 ; eval "${testfailed}"; } 431 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 432 ${kdestroy} 433 434 done 435 436 if test "$ecdsa" = yes > /dev/null ; then 437 echo "Trying pk-init (ec certificate)" 438 > messages.log 439 ${kinit} -C FILE:${hx509_data}/pkinit-ec.crt,${hx509_data}/pkinit-ec.key bar@${R} || \ 440 { ec=1 ; eval "${testfailed}"; } 441 ${kgetcred} ${server}@${R} || { ec=1 ; eval "${testfailed}"; } 442 ${kdestroy} 443 grep 'PK-INIT using ecdh' messages.log > /dev/null || \ 444 { ec=1 ; eval "${testfailed}"; } 445 fi 446 447else 448 echo "no pkinit (pkinit: $pkinit, rsa: $rsa)"; > messages.log 449fi 450 451echo "tickets for impersonate test case"; > messages.log 452${kinit} --forwardable --password-file=${objdir}/foopassword ${ps} || \ 453 { ec=1 ; eval "${testfailed}"; } 454${kgetcred_imp} --impersonate=bar@${R} ${ps} || \ 455 { ec=1 ; eval "${testfailed}"; } 456${test_ap_req} ${ps} ${keytab} ${ocache} || \ 457 { ec=1 ; eval "${testfailed}"; } 458echo " negative check" 459${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \ 460 { ec=1 ; eval "${testfailed}"; } 461 462echo "test constrained delegation"; > messages.log 463${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \ 464 { ec=1 ; eval "${testfailed}"; } 465${kgetcred} \ 466 --out-cache=${o2cache} \ 467 --delegation-credential-cache=${ocache} \ 468 ${server}@${R} || \ 469 { ec=1 ; eval "${testfailed}"; } 470echo " try using the credential" 471${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \ 472 { ec=1 ; eval "${testfailed}"; } 473echo " negative check" 474${kgetcred} \ 475 --out-cache=${o2cache} \ 476 --delegation-credential-cache=${ocache} \ 477 bar@${R} 2>/dev/null && \ 478 { ec=1 ; eval "${testfailed}"; } 479 480echo "test constrained delegation impersonation (non forward)"; > messages.log 481rm -f ocache.krb5 482${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \ 483 { ec=1 ; eval "${testfailed}"; } 484${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ 485 { ec=1 ; eval "${testfailed}"; } 486 487echo "test constrained delegation impersonation (missing KRB5SignedPath)"; > messages.log 488rm -f ocache.krb5 489${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} -f forwardable || \ 490 { ec=1 ; eval "${testfailed}"; } 491${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} > /dev/null 2>/dev/null && \ 492 { ec=1 ; eval "${testfailed}"; } 493 494${kdestroy} 495 496echo "check renewing" > messages.log 497${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ 498 { ec=1 ; eval "${testfailed}"; } 499echo "kinit -R" 500${kinit} -R || \ 501 { ec=1 ; eval "${testfailed}"; } 502echo "check renewing MIT interface" > messages.log 503${kinit} --renewable --password-file=${objdir}/foopassword foo@$R || \ 504 { ec=1 ; eval "${testfailed}"; } 505echo "test_renew" 506env KRB5CCNAME=${cache} ${test_renew} || \ 507 { ec=1 ; eval "${testfailed}"; } 508${kdestroy} 509 510echo "checking server aliases"; > messages.log 511${kinit} --password-file=${objdir}/foopassword foo@$R || \ 512 { ec=1 ; eval "${testfailed}"; } 513echo "Getting tickets"; > messages.log 514${kgetcred} ${alias1}@${R} || { ec=1 ; eval "${testfailed}"; } 515${kgetcred} ${alias2}@${R} || { ec=1 ; eval "${testfailed}"; } 516echo " verify entry in keytab" 517${test_ap_req} ${alias1}@${R} ${keytab} ${cache} || \ 518 { ec=1 ; eval "${testfailed}"; } 519echo " verify entry in keytab with any" 520${test_ap_req} --server-any ${alias1}@${R} ${keytab} ${cache} || \ 521 { ec=1 ; eval "${testfailed}"; } 522echo " verify failure with alias entry" 523${test_ap_req} ${alias2}@${R} ${keytab} ${cache} 2>/dev/null && \ 524 { ec=1 ; eval "${testfailed}"; } 525echo " verify alias entry in keytab with any" 526${test_ap_req} --server-any ${alias2}@${R} ${keytab} ${cache} || \ 527 { ec=1 ; eval "${testfailed}"; } 528${kdestroy} 529 530echo "testing removal of keytab" 531${ktutil} -k ${keytab} destroy || { ec=1 ; eval "${testfailed}"; } 532test -f ${keytabfile} && { ec=1 ; eval "${testfailed}"; } 533 534echo "Getting client pw expire"; > messages.log 535${kinit} --password-file=${objdir}/foopassword \ 536 pw-expire@${R} 2>kinit-log.tmp|| \ 537 { ec=1 ; eval "${testfailed}"; } 538grep 'Your password will expire' kinit-log.tmp > /dev/null || \ 539 { ec=1 ; eval "${testfailed}"; } 540echo " kinit passes" 541${test_gic} --client=pw-expire@${R} --password=foo > kinit-log.tmp 2>/dev/null 542${EGREP} "^e type: 6" kinit-log.tmp > /dev/null || \ 543 { ec=1 ; eval "${testfailed}"; } 544echo " test_gic passes" 545${kdestroy} 546 547echo "killing kdc (${kdcpid})" 548sh ${leaks_kill} kdc $kdcpid || exit 1 549 550trap "" EXIT 551 552exit $ec 553