# Kerberos kadmin test. # This is a DejaGnu test script. # This script tests Kerberos kadmin5 using kadmin.local as verification. # Set up the kerberos database. if {![get_hostname] \ || ![setup_kerberos_files] \ || ![setup_kerberos_env] \ || ![setup_kerberos_db 0]} { return } # find kpasswd if ![info exists KPASSWD] { set KPASSWD [findfile $objdir/../../kadmin/passwd/kpasswd] } # find kdestroy if ![info exists KDESTROY] { set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy] } #++ # kadmin_add - Test add new v5 principal function of kadmin. # # Adds principal $pname with password $password. Returns 1 on success. #-- proc kadmin_add { pname password } { global REALMNAME global KADMIN global KADMIN_LOCAL global KEY global spawn_id global tmppwd set good 0 spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $pname" expect_after { "Cannot contact any KDC" { fail "kadmin add$pname lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin add $pname" catch "expect_after" return 0 } eof { fail "kadmin add $pname" catch "expect_after" return 0 } } expect "Enter password:" { send "adminpass$KEY\r" } expect "Enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" } expect "Re-enter password for principal \"$pname@$REALMNAME\":" { send "$password\r" } expect "Principal \"$pname@$REALMNAME\" created." { set good 1 } expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin add)" catch "close -i $spawn_id" if { $good == 1 } { # # use kadmin.local to verify that a principal was created and that its # salt types are 0 (normal). # spawn $KADMIN_LOCAL -r $REALMNAME expect_after { -i $spawn_id timeout { fail "kadmin add $pname" catch "expect_after" return 0 } eof { fail "kadmin add $pname" catch "expect_after" return 0 } } set good 0 expect "kadmin.local: " { send "getprinc $pname\r" } expect "Principal: $pname@$REALMNAME" { set good 1 } expect "Expiration date:" { verbose "got expiration date" } expect "Last password change:" { verbose "got last pwchange" } expect "Password expiration date:" { verbose "got pwexpire date" } expect "Maximum ticket life:" { verbose "got max life" } expect "Maximum renewable life:" { verbose "got max rlife" } expect "Last modified:" { verbose "got last modified" } expect "Last successful authentication:" { verbose "last succ auth" } expect "Last failed authentication:" { verbose "last pw failed" } expect "Failed password attempts:" { verbose "num failed attempts" } expect "Number of keys:" { verbose "num keys"} expect { "Key: " { verbose "Key listed" exp_continue } "Attributes:" { verbose "attributes" } } expect "kadmin.local: " { send "q\r" } expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)" catch "close -i $spawn_id" if { $good == 1 } { pass "kadmin add $pname" return 1 } else { fail "kadmin add $pname" return 0 } } else { fail "kadmin add $pname" return 0 } } #++ # kadmin_add_rnd - Test add new v5 principal with random key function. # # Adds principal $pname with random key. Returns 1 on success. #-- proc kadmin_add_rnd { pname } { global REALMNAME global KADMIN global KADMIN_LOCAL global KEY global spawn_id global tmppwd set good 0 spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank -randkey $pname" expect_after { "Cannot contact any KDC" { fail "kadmin add rnd $pname lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin add_rnd $pname" catch "expect_after" return 0 } eof { fail "kadmin add_rnd $pname" catch "expect_after" return 0 } } expect "Enter password:" { send "adminpass$KEY\r" } expect "Principal \"$pname@$REALMNAME\" created." { set good 1 } expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin add_rnt)" catch "close -i $spawn_id" if { $good == 1 } { # # use kadmin.local to verify that a principal was created and that its # salt types are 0 (normal). # spawn $KADMIN_LOCAL -r $REALMNAME expect_after { -i $spawn_id timeout { fail "kadmin add_rnd $pname" catch "expect_after" return 0 } eof { fail "kadmin add_rnd $pname" catch "expect_after" return 0 } } set good 0 expect "kadmin.local:" { send "getprinc $pname\r" } expect "Principal: $pname@$REALMNAME" { set good 1 } expect "kadmin.local:" { send "q\r" } expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)" catch "close -i $spawn_id" if { $good == 1 } { pass "kadmin add_rnd $pname" return 1 } else { fail "kadmin add_rnd $pname" return 0 } } else { fail "kadmin add_rnd $pname" return 0 } } #++ # kadmin_show - Test show principal function of kadmin. # # Retrieves entry for $pname. Returns 1 on success. #-- proc kadmin_show { pname } { global REALMNAME global KADMIN global KEY global spawn_id spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_principal $pname" expect_after { "Cannot contact any KDC" { fail "kadmin show $pname lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin show $pname" catch "expect_after" return 0 } eof { fail "kadmin show $pname" catch "expect_after" return 0 } } expect "Enter password:" send "adminpass$KEY\r" expect -re "\r.*Principal: $pname@$REALMNAME.*Key: .*Attributes:.*Policy: .*\r" expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin show)" catch "close -i $spawn_id" pass "kadmin show $pname" return 1 } #++ # kadmin_cpw - Test change password function of kadmin # # Change password of $pname to $password. Returns 1 on success. #-- proc kadmin_cpw { pname password } { global REALMNAME global KADMIN global KEY global spawn_id spawn $KADMIN -p krbtest/admin@$REALMNAME -q "cpw $pname" expect_after { "Cannot contact any KDC" { fail "kadmin cpw $pname lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin cpw $pname" catch "expect_after" return 0 } eof { fail "kadmin cpw $pname" catch "expect_after" return 0 } } expect "Enter password:" { send "adminpass$KEY\r" } expect "Enter password for principal \"$pname\":" { send "$password\r" } expect "Re-enter password for principal \"$pname\":" { send "$password\r" } # When in doubt, jam one of these in there. expect "\r" expect "Password for \"$pname@$REALMNAME\" changed." expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin cpw)" catch "close -i $spawn_id" pass "kadmin cpw $pname" return 1 } #++ # kadmin_cpw_rnd - Test change random key function of kadmin. # # Changes principal $pname's key to a new random key. Returns 1 on success. #-- proc kadmin_cpw_rnd { pname } { global REALMNAME global KADMIN global KEY global spawn_id spawn $KADMIN -p krbtest/admin@$REALMNAME -q "cpw -randkey $pname" expect_after { "Cannot contact any KDC" { fail "kadmin cpw_rnd $pname lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin cpw_rnd $pname" catch "expect_after" return 0 } eof { fail "kadmin cpw_rnd $pname" catch "expect_after" return 0 } } expect "Enter password:" { send "adminpass$KEY\r" } # When in doubt, jam one of these in there. expect "\r" expect "Key for \"$pname@$REALMNAME\" randomized." expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin cpw_rnd)" catch "close -i $spawn_id" pass "kadmin cpw_rnd $pname" return 1 } #++ # kadmin_modify - Test modify principal function of kadmin. # # Modifies principal $pname with flags $flags. Returns 1 on success. #-- proc kadmin_modify { pname flags } { global REALMNAME global KADMIN global KEY global spawn_id spawn $KADMIN -p krbtest/admin@$REALMNAME -q "modprinc $flags $pname" expect_after { "Cannot contact any KDC" { fail "kadmin modify $pname ($flags) lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin modify $pname" catch "expect_after" return 0 } eof { fail "kadmin modify $pname" catch "expect_after" return 0 } } expect "Enter password:" send "adminpass$KEY\r" # When in doubt, jam one of these in there. expect "\r" expect "Principal \"$pname@$REALMNAME\" modified." expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin modify)" catch "close -i $spawn_id" pass "kadmin modify $pname" return 1 } #++ # kadmin_list - Test list database function of kadmin. # # Lists the database and verifies that output matches regular expression # "(.*@$REALMNAME)*". Returns 1 on success. #-- proc kadmin_list { } { global REALMNAME global KADMIN global KEY global spawn_id spawn $KADMIN -p krbtest/admin@$REALMNAME -q "get_principals *" expect_after { "Cannot contact any KDC" { fail "kadmin ldb lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin ldb" catch "expect_after" return 0 } eof { fail "kadmin ldb" catch "expect_after" return 0 } } expect "Enter password:" { send "adminpass$KEY\r" } expect -re "\(.*@$REALMNAME\r\n\)*" expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin list)" catch "close -i $spawn_id" pass "kadmin ldb" return 1 } #++ # kadmin_extract - Test extract service key function of kadmin. # # Extracts service key for service name $name instance $instance. Returns # 1 on success. #-- proc kadmin_extract { instance name } { global REALMNAME global KADMIN global KEY global spawn_id catch "exec rm -f tmpdir/keytab" spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst -k tmpdir/keytab $name/$instance" expect_after { "Cannot contact any KDC" { fail "kadmin xst $instance $name lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin xst $instance $name" catch "expect_after" return 0 } eof { fail "kadmin xst $instance $name" catch "expect_after" return 0 } } expect "Enter password:" { send "adminpass$KEY\r" } # expect -re "kadmin: Entry for principal $name/$instance with kvno [0-9], encryption type .* added to keytab WRFILE:tmpdir/keytab." expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin xst)" catch "close -i $spawn_id" catch "exec rm -f $instance-new-srvtab" pass "kadmin xst $instance $name" return 1 } #++ # kadmin_extractv4 - Test extract service key in v4 format function of # kadmin. # # Extracts service key for service name $name instance $instance in version # 4 format. Returns 1 on success. #-- #proc kadmin_extractv4 { instance name } { # global REALMNAME # global KADMIN # global KEY # global spawn_id # # spawn $KADMIN -p krbtest/admin@$REALMNAME -q "xst4 $instance $name" # expect_after { # "Cannot contact any KDC" { # fail "kadmin xst4 $instance $name lost KDC" # catch "expect_after" # return 0 # } # timeout { # fail "kadmin xst4 $instance $name" # catch "expect_after" # return 0 # } # eof { # fail "kadmin xst4 $instance $name" # catch "expect_after" # return 0 # } # } # expect "Enter password:" { # send "adminpass$KEY\r" # } # expect "extracted entry $name to key table $instance-new-v4-srvtab" # expect_after # expect eof # set k_stat [wait -i $spawn_id] # verbose "wait -i $spawn_id returned $k_stat (kadmin xst4)" # catch "close -i $spawn_id" # catch "exec rm -f $instance-new-v4-srvtab" # pass "kadmin xst4 $instance $name" # return 1 #} #++ # kadmin_delete - Test delete principal function of kadmin. # # Deletes principal $pname. Returns 1 on success. #-- proc kadmin_delete { pname } { global REALMNAME global KADMIN global KADMIN_LOCAL global KEY global spawn_id global tmppwd set good 0 spawn $KADMIN -p krbtest/admin@$REALMNAME -q "delprinc -force $pname" expect_after { "Cannot contact any KDC" { fail "kadmin_delete $pname lost KDC" catch "expect_after" return 0 } timeout { fail "kadmin delprinc $pname" catch "expect_after" return 0 } eof { fail "kadmin delprinc $pname" catch "expect_after" return 0 } } expect "Enter password:" { send "adminpass$KEY\r" } expect "Principal \"$pname@$REALMNAME\" deleted." { set good 1 } expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin delprinc)" catch "close -i $spawn_id" if { $good == 1 } { # # use kadmin.local to verify that the old principal is not present. # spawn $KADMIN_LOCAL -r $REALMNAME expect_after { -i $spawn_id timeout { fail "kadmin delprinc $pname" catch "expect_after" return 0 } eof { fail "kadmin delprinc $pname" catch "expect_after" return 0 } } set good 0 expect "kadmin.local: " { send "getprinc $pname\r" } expect "Principal does not exist while retrieving \"$pname@$REALMNAME\"." { set good 1 } expect "kadmin.local: " { send "quit\r" } expect_after expect eof set k_stat [wait -i $spawn_id] verbose "wait -i $spawn_id returned $k_stat (kadmin.local show)" catch "close -i $spawn_id" if { $good == 1 } { pass "kadmin delprinc $pname" return 1 } else { fail "kadmin delprinc $pname" return 0 } } else { fail "kadmin delprinc $pname" return 0 } } #++ # kpasswd_cpw - Test password changing using kpasswd. # # Change $princ's password from $opw to $npw. Returns 1 on success. #-- proc kpasswd_cpw { princ opw npw } { global KPASSWD spawn $KPASSWD $princ expect_after { timeout { fail "kpasswd $princ $npw" catch "expect_after" return 0 } eof { fail "kpasswd $princ $npw" catch "expect_after" return 0 } } expect "Changing password for $princ." expect "Old password:" { send "$opw\r" } expect "New password:" { send "$npw\r" } expect "New password (again):" { send "$npw\r" } expect "\r" expect "Kerberos password changed." expect_after expect eof if ![check_exit_status "kpasswd"] { fail "kpasswd $princ $npw" return 0 } pass "kpasswd $princ $npw" return 1 } #++ # kdestroy #-- proc kdestroy { } { global KDESTROY spawn $KDESTROY if ![check_exit_status "kdestroy"] { return 0 } return 1 } # Wrap the tests in a procedure, so that we can kill the daemons if # we get some sort of error. proc kadmin_test { } { # Start up the kerberos and kadmind daemons if {![start_kerberos_daemons 0] } { return } # Test basic kadmin functions. if {![kadmin_add v5principal/instance1 v5principal] \ || ![kadmin_add v4principal/instance2 v4principal] \ || ![kadmin_add_rnd v5random] \ || ![kadmin_show v5principal/instance1] \ || ![kadmin_show v4principal/instance2] \ || ![kadmin_show v5random] \ || ![kadmin_cpw v5principal/instance1 faroutman] \ || ![kadmin_cpw v4principal/instance2 honkydory] \ || ![kadmin_cpw_rnd v5random] \ || ![kadmin_modify v5random -allow_tix] \ || ![kadmin_modify v5random +allow_tix] \ || ![kadmin_list] \ || ![kadmin_extract instance1 v5principal] \ || ![kadmin_delete v5random] \ || ![kadmin_delete v4principal/instance2] \ || ![kadmin_delete v5principal/instance1]} { return } # You cannot extract a v4 key... # || ![kadmin_extractv4 instance2 v4principal] \ # now test kpasswd if {![kadmin_add testprinc/instance thisisatest] \ || ![kpasswd_cpw testprinc/instance thisisatest anothertest] \ || ![kpasswd_cpw testprinc/instance anothertest goredsox] \ || ![kadmin_delete testprinc/instance]} { return } # now test that we can kinit with principals/passwords. if {![kadmin_add testprinc1/instance thisisatest] \ || ![kinit testprinc1/instance thisisatest 0] \ || ![kdestroy] \ || ![kpasswd_cpw testprinc1/instance thisisatest anothertest] \ || ![kinit testprinc1/instance anothertest 0] \ || ![kdestroy] \ || ![kpasswd_cpw testprinc1/instance anothertest goredsox] \ || ![kinit testprinc1/instance goredsox 0] \ || ![kdestroy] \ || ![kadmin_cpw testprinc1/instance betterwork] \ || ![kinit testprinc1/instance betterwork 0] \ || ![kdestroy] \ || ![kadmin_delete testprinc1/instance]} { return } # now test modify changes. if {![kadmin_add testuser longtestpw] \ || ![kinit testuser longtestpw 0] \ || ![kdestroy] \ || ![kadmin_modify testuser "-maxlife \"2500 seconds\""] \ || ![kinit testuser longtestpw 0] \ || ![kdestroy] \ || ![kadmin_delete testuser]} { return } verbose "kadmin_test succeeded" } # Run the test. set status [catch kadmin_test msg] # Shut down the kerberos daemons and the rsh daemon. stop_kerberos_daemons if { $status != 0 } { send_error "ERROR: error in kadmin.exp\n" send_error "$msg\n" exit 1 }