1 # Standalone Kerberos test.
2 # This is a DejaGnu test script.
3 # This script tests that the Kerberos tools can talk to each other.
5 # This mostly just calls procedures in testsuite/config/default.exp.
7 # Set up the Kerberos files and environment.
8 if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
12 # Initialize the Kerberos database. The argument tells
13 # setup_kerberos_db that it is being called from here.
14 if ![setup_kerberos_db 1] {
18 # We are about to start up a couple of daemon processes. We do all
19 # the rest of the tests inside a proc, so that we can easily kill the
20 # processes when the procedure ends.
22 proc dump_and_reload {} {
26 set dumpfile $tmppwd/dump-file
27 set dumpokfile $dumpfile.dump_ok
29 set test1name "kdb5_util dump"
30 set test2name "kdb5_util load"
32 if [file exists $dumpfile] { file delete $dumpfile }
33 if [file exists $dumpokfile] { file delete $dumpokfile }
35 spawn $KDB5_UTIL dump $dumpfile
49 if ![check_exit_status $test1name] {
53 if ![file exists $dumpfile]||![file exists $dumpokfile] {
60 spawn $KDB5_UTIL load $dumpfile
72 if [check_exit_status $test2name] {
77 proc kinit_wrong_pw { name badpass } {
82 # Use kinit to get a ticket.
84 # For now always get forwardable tickets. Later when we need to make
85 # tests that distinguish between forwardable tickets and otherwise
86 # we should put another option to this proc. --proven
88 spawn $KINIT -5 -f $name@$REALMNAME
90 "Password for $name@$REALMNAME:" {
91 verbose "kinit started"
104 "Password incorrect while getting initial credentials" {
117 set status_list [wait -i $spawn_id]
118 catch "close -i $spawn_id"
119 verbose -log "exit status: $status_list"
120 if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } {
137 global supported_enctypes
143 setup_kerberos_env kdc
145 # Start up the kerberos and kadmind daemons.
146 if ![start_kerberos_daemons 1] {
150 # Use kadmin to add a host key.
151 if ![add_random_key host/$hostname 1] {
155 spawn $KADMIN_LOCAL -q "addpol fred"
159 fail "kadmin.local addpol fred"
162 pass "kadmin.local addpol fred"
165 set k_stat [wait -i $spawn_id]
166 verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
167 catch "close -i $spawn_id"
169 # Use ksrvutil to create a srvtab entry.
170 if ![setup_srvtab 1] {
174 # Test dump and load. Continue on, whatever the result.
177 spawn $KADMIN_LOCAL -q "getpols"
180 pass "kadmin.local getpols"
184 fail "kadmin.local getpols"
187 fail "kadmin.local getpols"
190 set k_stat [wait -i $spawn_id]
191 verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
192 catch "close -i $spawn_id"
194 # Test use of wrong password.
195 kinit_wrong_pw krbtest/admin wrongpassword
197 setup_kerberos_env client
198 # Use kinit to get a ticket.
199 if ![kinit krbtest/admin adminpass$KEY 1] {
203 if ![kinit_renew krbtest/admin adminpass$KEY 1] {
207 # Make sure that klist can see the ticket.
208 if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
212 # Get a ticket to later use with FAST
213 if ![kinit krbtest/fast adminpass$KEY 1] {
217 # Use fast to get a ticket
218 if ![kinit_fast krbtest/fast adminpass$KEY 1] {
222 # Destroy the ticket.
224 if ![check_exit_status "kdestroy"] {
229 # Double check that the ticket was destroyed.
230 if ![do_klist_err "klist after destroy"] { return }
232 if ![add_random_key WELLKNOWN/ANONYMOUS 0] {
236 # If we have anonymous then test it
237 if [file exists "$tmppwd/../../../plugins/preauth/pkinit.so" ] {
238 kinit_anonymous "WELLKNOWN/ANONYMOUS"
241 if ![add_random_key foo/bar 1] {
245 set keytab $tmppwd/fookeytab
246 catch "exec rm -f $keytab"
248 modify_principal foo/bar -kvno 252
249 foreach vno {253 254 255 256 257 258} {
250 xst $tmppwd/fookeytab foo/bar
251 do_klist_kt $tmppwd/fookeytab "klist keytab foo/bar vno $vno"
252 kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno"
253 do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno"
254 do_kdestroy "kdestroy foo/bar vno $vno"
256 catch "exec rm -f $keytab"
257 # Check that kadmin.local can actually read the correct kvno, even
258 # if we don't expect kadmin to be able to.
259 setup_kerberos_env kdc
260 spawn $KADMIN_LOCAL -r $REALMNAME
263 timeout { fail "kadmin.local correct high kvno" ; set ok 0 }
264 eof { fail "kadmin.local correct high kvno" ; set ok 0 }
266 expect "kadmin.local: "
267 send "getprinc foo/bar\r"
269 expect "Key: vno $vno,"
272 if [check_exit_status "kadmin.local examine foo/bar for high kvno"] {
274 pass "kadmin.local correct high kvno"
279 set status [catch doit msg]
281 stop_kerberos_daemons
283 if { $status != 0 } {
284 send_error "ERROR: error in standalone.exp\n"