diff options
6 files changed, 444 insertions, 0 deletions
diff --git a/tests/inplace-upgrade-sanity-test/Makefile b/tests/inplace-upgrade-sanity-test/Makefile
new file mode 100644
index 0000000..ccd8818
--- /dev/null
+++ b/tests/inplace-upgrade-sanity-test/Makefile
@@ -0,0 +1,64 @@
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Makefile of /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+# Description: Verifies basic scenarios which should work after inplace upgrade.
+# Author: Patrik Kis <>
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Copyright (c) 2014 Red Hat, Inc.
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# PURPOSE. See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+export TEST=/CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+export TESTVERSION=1.0
+.PHONY: all install download clean
+run: $(FILES) build
+ ./
+build: $(BUILT_FILES)
+ test -x || chmod a+x
+ rm -f *~ $(BUILT_FILES)
+include /usr/share/rhts/lib/rhts-make.include
+$(METADATA): Makefile
+ @echo "Owner: Patrik Kis <>" > $(METADATA)
+ @echo "Name: $(TEST)" >> $(METADATA)
+ @echo "TestVersion: $(TESTVERSION)" >> $(METADATA)
+ @echo "Path: $(TEST_DIR)" >> $(METADATA)
+ @echo "Description: Verifies basic scenarios which should work after inplace upgrade." >> $(METADATA)
+ @echo "Type: Sanity" >> $(METADATA)
+ @echo "TestTime: 20m" >> $(METADATA)
+ @echo "RunFor: krb5" >> $(METADATA)
+ @echo "Requires: expect krb5-server krb5-workstation openssh-clients openssh-server rng-tools" >> $(METADATA)
+ @echo "Priority: Normal" >> $(METADATA)
+ @echo "License: GPLv2" >> $(METADATA)
+ @echo "Confidential: no" >> $(METADATA)
+ @echo "Destructive: no" >> $(METADATA)
+ @echo "Releases: -RHEL4 -RHELClient5 -RHELServer5" >> $(METADATA)
+ rhts-lint $(METADATA)
diff --git a/tests/inplace-upgrade-sanity-test/PURPOSE b/tests/inplace-upgrade-sanity-test/PURPOSE
new file mode 100644
index 0000000..763d5a1
--- /dev/null
+++ b/tests/inplace-upgrade-sanity-test/PURPOSE
@@ -0,0 +1,3 @@
+PURPOSE of /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+Description: Verifies basic scenarios which should work after inplace upgrade.
+Author: Patrik Kis <>
diff --git a/tests/inplace-upgrade-sanity-test/kdc.conf b/tests/inplace-upgrade-sanity-test/kdc.conf
new file mode 100644
index 0000000..d2212d0
--- /dev/null
+++ b/tests/inplace-upgrade-sanity-test/kdc.conf
@@ -0,0 +1,19 @@
+ kdc_ports = 88
+ kdc_tcp_ports = 88
+ ${krb5REALM1} = {
+ #master_key_type = aes256-cts
+ acl_file = /var/kerberos/krb5kdc/kadm5.acl
+ dict_file = /usr/share/dict/words
+ admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+ }
+ ${krb5REALM2} = {
+ #master_key_type = aes256-cts
+ acl_file = /var/kerberos/krb5kdc/kadm5.acl
+ dict_file = /usr/share/dict/words
+ admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+ }
diff --git a/tests/inplace-upgrade-sanity-test/krb5.conf b/tests/inplace-upgrade-sanity-test/krb5.conf
new file mode 100644
index 0000000..18b40b6
--- /dev/null
+++ b/tests/inplace-upgrade-sanity-test/krb5.conf
@@ -0,0 +1,36 @@
+# To opt out of the system crypto-policies configuration of krb5, remove the
+# symlink at /etc/krb5.conf.d/crypto-policies which will not be recreated.
+includedir /etc/krb5.conf.d/
+ default = FILE:/var/log/krb5libs.log
+ kdc = FILE:/var/log/krb5kdc.log
+ admin_server = FILE:/var/log/kadmind.log
+ default_realm = ${krb5REALM1}
+ dns_lookup_realm = false
+ ticket_lifetime = 24h
+ renew_lifetime = 7d
+ forwardable = true
+ rdns = false
+ default_ccache_name = KEYRING:persistent:%{uid}
+ ${krb5REALM1} = {
+ kdc = localhost.localdomain
+ admin_server = localhost.localdomain
+ }
+ ${krb5REALM2} = {
+ kdc = localhost.localdomain
+ admin_server = localhost.localdomain
+ }
+ ${krb5HostName} = ${krb5REALM1}
+ ${krb5HostName} = ${krb5REALM2}
+ ${krb5REALM1} = {
+ ${krb5REALM2} = .
+ }
diff --git a/tests/inplace-upgrade-sanity-test/ b/tests/inplace-upgrade-sanity-test/
new file mode 100755
index 0000000..db06748
--- /dev/null
+++ b/tests/inplace-upgrade-sanity-test/
@@ -0,0 +1,306 @@
+# vim: dict+=/usr/share/beakerlib/dictionary.vim cpt=.,w,b,u,t,i,k
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# of /CoreOS/krb5/Sanity/inplace-upgrade-sanity-test
+# Description: Verifies basic scenarios which should work after inplace upgrade.
+# Author: Patrik Kis <>
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Copyright (c) 2014 Red Hat, Inc.
+# This copyrighted material is made available to anyone wishing
+# to use, modify, copy, or redistribute it subject to the terms
+# and conditions of the GNU General Public License version 2.
+# This program is distributed in the hope that it will be
+# useful, but WITHOUT ANY WARRANTY; without even the implied
+# PURPOSE. See the GNU General Public License for more details.
+# You should have received a copy of the GNU General Public
+# License along with this program; if not, write to the Free
+# Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
+# Boston, MA 02110-1301, USA.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+# Include Beaker environment
+. /usr/bin/
+. /usr/share/beakerlib/ || exit 1
+PACKAGES="krb5-libs krb5-server krb5-workstation openssh"
+hostnamectl set-hostname
+echo "`hostname -I`" >>/etc/hosts
+krb5DomainName=`hostname -d`
+ rlPhaseStartSetup
+ for pkg in $PACKAGES; do
+ rlAssertRpm $pkg
+ done
+ rlRun "TmpDir=\$(mktemp -d)"
+ rlRun "pushd $TmpDir"
+ rlPhaseEnd
+ # Run this part on OLD and in "normal" mode
+ if [[ -z $IN_PLACE_UPGRADE || $IN_PLACE_UPGRADE == old ]]; then
+ rlPhaseStartSetup "KDC and kadmind setup"
+ # Stop and backup
+ rlRun "rlServiceStop kadmin krb5kdc"
+ rlRun "rm -f /var/kerberos/krb5kdc/principal* /var/kerberos/krb5kdc/.k5*"
+ rlFileBackup $krb5conf /var/kerberos/krb5kdc /etc/sysconfig/{kadmin,krb5kdc}
+ [ -e /etc/krb5.keytab ] && rlFileBackup /etc/krb5.keytab
+ [ -e $krb5confdir ] && rlFileBackup $krb5confdir
+ # Basic setup of KDC and krb5.conf
+ if rlIsRHEL 6; then
+ rlRun "sed -i \"s/EXAMPLE.COM/$krb5REALM1/\" $krb5conf"
+ rlRun "sed -i \"s/$krb5HostName/\" $krb5conf"
+ rlRun "sed -i \"s/$krb5DomainName/\" $krb5conf"
+ else
+ rlRun "sed -i \"s/\[libdefaults\]/[libdefaults]\n default_realm = $krb5REALM1/\" $krb5conf"
+ rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM1 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
+ rlRun "sed -i \"s/\[domain_realm\]/[domain_realm]\n .$krb5DomainName = $krb5REALM1\n $krb5DomainName = $krb5REALM1/\" $krb5conf"
+ fi
+ rlRun "sed -i s/EXAMPLE.COM/$krb5REALM1/ $krb5kdcconf"
+ # Configure the kadmin ACL
+ rlRun "echo \"*/master@$krb5REALM1 *\" > $krb5kadmacl"
+ # Configure the 2nd realmd
+ cat >>$krb5kdcconf <<_EOF
+ $krb5REALM2 = {
+ #master_key_type = aes256-cts
+ database_name = /var/kerberos/krb5kdc/principal.$krb5REALM1
+ acl_file = /var/kerberos/krb5kdc/kadm5.acl
+ dict_file = /usr/share/dict/words
+ admin_keytab = /var/kerberos/krb5kdc/kadm5.keytab
+ supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal
+ }
+ rlIsRHEL 6 || rlRun "sed -i \"s/supported_enctypes.*/supported_enctypes = aes256-cts:normal aes128-cts:normal des3-hmac-sha1:normal arcfour-hmac:normal camellia256-cts:normal camellia128-cts:normal des-hmac-sha1:normal des-cbc-md5:normal des-cbc-crc:normal/\" /var/kerberos/krb5kdc/kdc.conf"
+ rlRun "sed -i \"s/\[realms\]/[realms]\n $krb5REALM2 = {\n kdc = $krb5HostName\n admin_server = $krb5HostName\n }/\" $krb5conf"
+ cat >> $krb5conf << _EOF
+ $krb5REALM1 = {
+ $krb5REALM2 = .
+ }
+ # Test the entropy source (not relevant for RHEL6)
+ if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
+ rlLog "The source of entropy will be tested as well"
+ START_DATE=`date +%H:%M:%S`
+ sleep 1
+ rlRun "auditctl -w /dev/random -p rwxa -k RAND"
+ auditctl -l
+ sleep 1
+ rlRun "ausearch -i -k RAND -ts $START_DATE"
+ fi
+ # Create the realm databases
+ rlRun "rngd -r /dev/urandom"
+ rlRun "kdb5_util create -s -r $krb5REALM1 -P $krb5KDCPass"
+ rlRun "kdb5_util create -s -r $krb5REALM2 -P $krb5KDCPass"
+ # Configure KDC to handle 2 realms
+ if rlIsRHEL 6; then
+ rlRun "echo \"KRB5REALM=$krb5REALM1\" > /etc/sysconfig/krb5kdc"
+ rlRun "echo KRB5KDC_ARGS=\\\"-r $krb5REALM2\\\" >> /etc/sysconfig/krb5kdc"
+ else
+ rlRun "echo KRB5KDC_ARGS=\\\"-r $krb5REALM1 -r $krb5REALM2 \\\" >/etc/sysconfig/krb5kdc"
+ fi
+ rlRun "rlServiceStart kadmin krb5kdc"
+ # Add krb5 principals for the 2nd realm
+ rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5RootPass root/master\""
+ rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5UserKrbPass $krb5User\""
+ rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -randkey host/$krb5HostName\""
+ rlRun "kadmin.local -r $krb5REALM1 -q \"ktadd host/$krb5HostName\""
+ rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
+ rlRun "kadmin.local -r $krb5REALM1 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
+ # Add krb5 principals for the 2nd realm
+ rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5UserKrbPass $krb5User2\""
+ rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -randkey host/$krb5HostName\""
+ rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM1@$krb5REALM2\""
+ rlRun "kadmin.local -r $krb5REALM2 -q \"addprinc -pw $krb5KDCPass krbtgt/$krb5REALM2@$krb5REALM1\""
+ # Create test system user
+ [ $krb5User != "root" ] && rlRun "useradd $krb5User"
+ rlRun "echo $krb5UserPass | passwd --stdin $krb5User"
+ rlPhaseEnd
+ fi
+ rlPhaseStartTest "Daemon start and log file test"
+ # Make sure there is enough entropy and start recording of the logs
+ rlRun "rngd -r /dev/urandom"
+ if grep -q krb5kdc /var/log/krb5kdc.log; then
+ tail -n0 -f /var/log/krb5kdc.log &> krb5kdc.log.record &
+ echo "log_record_start: PID = $KRB5KDC_LOG_PID"
+ sleep 1
+ elif journalctl |grep -q krb5kdc; then
+ journalctl -f &> krb5kdc.log.record &
+ echo "log_record_start: PID = $KRB5KDC_LOG_PID"
+ sleep 1
+ else
+ rlFail "Could not find krb5kdc logs"
+ echo "journalctl:"
+ journalctl -n 100
+ ls -la /var/log/krb5kdc*
+ echo "/var/log/krb5kdc.log:"
+ tail -n 100 /var/log/krb5kdc.log
+ fi
+ if grep -q kadmind /var/log/kadmind.log; then
+ tail -n0 -f /var/log/kadmind.log &> kadmind.log.record &
+ echo "log_record_start: PID = $KADMIND_LOG_PID"
+ sleep 1
+ elif journalctl |grep -q kadmind; then
+ journalctl -f &> kadmind.log.record &
+ echo "log_record_start: PID = $KADMIND_LOG_PID"
+ sleep 1
+ else
+ rlFail "Could not find kadmind logs"
+ echo "journalctl:"
+ journalctl -n 100
+ ls -la /var/log/kadmind*
+ echo "/var/log/kadmind.log:"
+ tail -n 100 /var/log/kadmind.log
+ fi
+ # Restart daemon auto start
+ if rlIsRHEL 6; then
+ rlRun "service krb5kdc restart"
+ rlRun "service kadmin restart"
+ rlRun "service krb5kdc status"
+ rlRun "service kadmin status"
+ else
+ rlRun "systemctl restart krb5kdc.service"
+ rlRun "systemctl restart kadmin.service"
+ rlRun "systemctl --no-pager status krb5kdc.service"
+ rlRun "systemctl --no-pager status kadmin.service"
+ fi
+ rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
+ rlRun "kdestroy"
+ rlRun "kadmin -p root/master -w rrr -q ''"
+ rlAssertGrep "AS_REQ.*$krb5User@$krb5REALM1.*krbtgt/$krb5REALM1@$krb5REALM1" krb5kdc.log.record
+ cat krb5kdc.log.record
+ rlAssertGrep "Request: kadm5_init.*root/master@$krb5REALM1.*service=kadmin/`hostname`@$krb5REALM1" kadmind.log.record
+ cat kadmind.log.record
+ # Stop log recording
+ rlPhaseEnd
+ rlPhaseStartTest "SSH test"
+ cat > sshtest.exp <<'_EOF'
+#!/usr/bin/expect -f
+set USER [lindex $argv 0]
+set HOST [lindex $argv 1]
+set timeout 10
+spawn ssh $USER@$HOST pwd
+expect {
+ -re ".*(yes/no).*" { send -- "yes\r"; exp_continue }
+ -re ".*password:.*" { exit 1 }
+ "/home/$USER" { exit 0 }
+ timeout { exit 2 }
+ eof { exit 3 }
+exit 4
+ chmod 744 sshtest.exp
+ rlAssertExists sshtest.exp
+ rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
+ rlRun "./sshtest.exp $krb5User $krb5HostName"; echo
+ rlRun "klist &>klist.log"
+ cat klist.log
+ rlAssertGrep "host/`hostname`@$krb5REALM1" klist.log
+ rlRun "kdestroy"
+ rlPhaseEnd
+ rlPhaseStartTest "Basic kadmin and kpasswd test"
+ rlRun "kadmin.local -q \"listprincs\" |grep -v Authenticating >lplocal"
+ rlRun "kadmin -p root/master -w $krb5RootPass -q \"listprincs\" |grep -v Authenticating >lpremote"
+ rlAssertNotDiffer lplocal lpremote || diff -u lplocal lpremote
+ diff lplocal lpremote
+ rlRun "kadmin -p root/master -w $krb5RootPass -q \"addprinc -pw $krb5User2 $krb5User2@$krb5REALM1\""
+ rlRun "kadmin -p root/master -w $krb5RootPass -q \"listprincs\" | grep \"$krb5User2@$krb5REALM1\""
+ rlRun "echo $krb5User2 | kinit $krb5User2"
+ rlRun "echo -e \"$krb5User2\nqwerty\nqwerty\" | kpasswd &>kpasswd.log"
+ cat kpasswd.log
+ rlAssertGrep "Password changed." kpasswd.log
+ rlRun "echo qwerty | kinit $krb5User2"
+ rlRun "kdestroy"
+ rlRun "kadmin -p root/master -w $krb5RootPass -q \"delprinc -force $krb5User2@$krb5REALM1\""
+ rlPhaseEnd
+ rlPhaseStartTest "Basic ksu test"
+ [[ -f /root/.k5login ]] && rlRun "mv /root/.k5login ."
+ rlRun "echo $krb5User@$krb5REALM1 > /root/.k5login"
+ rlRun "su - $krb5User -c \"echo $krb5UserKrbPass | kinit $krb5User\""
+ rlRun "su - $krb5User -c \"ksu -e /usr/bin/id\" &> ksu.log"
+ cat ksu.log
+ rlAssertGrep "^uid=0(root) gid=0(root)" ksu.log
+ rlRun "su - $krb5User -c kdestroy"
+ [[ -f .k5login ]] && rlRun "mv .k5login /root/.k5login"
+ rlPhaseEnd
+ rlPhaseStartTest "Cross realm test"
+ rlRun "echo $krb5UserKrbPass |kinit $krb5User && klist"
+ rlRun "kvno host/`hostname`@$krb5REALM2"
+ rlRun "klist &>klist.log"
+ cat klist.log
+ rlAssertGrep "krbtgt/$krb5REALM1@$krb5REALM1" klist.log
+ rlAssertGrep "krbtgt/$krb5REALM2@$krb5REALM1" klist.log
+ rlAssertGrep "host/`hostname`@$krb5REALM2" klist.log
+ rlRun "kdestroy"
+ rlPhaseEnd
+ # Test the entropy source (not relevant for RHEL6)
+ if ! rlIsRHEL 6 && [[ $TEST_ENTROPY_SOURCE == 'yes' ]]; then
+ rlPhaseStartTest "Enable faster getrandom-based entropy system"
+ auditctl -l
+ rlRun "ausearch -i -k RAND -ts $START_DATE"
+ rlRun "ausearch -i -k RAND -ts $START_DATE |grep comm= |grep -v 'comm=rngd'" 1
+ rlRun "auditctl -D"
+ rlPhaseEnd
+ fi
+ # Run this part on "normal" mode; in inplace upgrade no cleanup is needed
+ if [[ -z $IN_PLACE_UPGRADE ]]; then
+ rlPhaseStartCleanup "KDC and kadmind cleanup"
+ rlRun "rm -rf /var/kerberos/krb5kdc/* /var/kerberos/krb5kdc/.k5* /etc/krb5* /etc/sysconfig/{kadmin,krb5kdc}"
+ rlFileRestore
+ rlRun "rlServiceRestore krb5kdc kadmin"
+ [ $krb5User != "root" ] && rlRun "userdel -r -f $krb5User"
+ rlPhaseEnd
+ fi
+ rlPhaseStartCleanup
+ rlRun "popd"
+ rlRun "rm -r $TmpDir"
+ rlPhaseEnd
diff --git a/tests/tests.yml b/tests/tests.yml
new file mode 100644
index 0000000..6ebc417
--- /dev/null
+++ b/tests/tests.yml
@@ -0,0 +1,16 @@
+# This first play always runs on the local staging system
+- hosts: localhost
+ roles:
+ - role: standard-test-beakerlib
+ tags:
+ - classic
+ tests:
+ - inplace-upgrade-sanity-test
+ required_packages:
+ - expect # Required for inplace-upgrade-sanity-test
+ - krb5-server # Required for inplace-upgrade-sanity-test
+ - krb5-workstation # Required for inplace-upgrade-sanity-test
+ - openssh-clients # Required for inplace-upgrade-sanity-test
+ - openssh-server # Required for inplace-upgrade-sanity-test
+ - rng-tools # Required for inplace-upgrade-sanity-test