1 # Standalone Kerberos test.
2 # This is a DejaGnu test script.
3 # This script tests that the Kerberos tools can talk to each other.
5 # This mostly just calls procedures in testsuite/config/default.exp.
7 # Set up the Kerberos files and environment.
8 if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
12 # Initialize the Kerberos database. The argument tells
13 # setup_kerberos_db that it is being called from here.
14 if ![setup_kerberos_db 1] {
18 # We are about to start up a couple of daemon processes. We do all
19 # the rest of the tests inside a proc, so that we can easily kill the
20 # processes when the procedure ends.
22 proc dump_and_reload {} {
26 set dumpfile $tmppwd/dump-file
27 set dumpokfile $dumpfile.dump_ok
29 set test1name "kdb5_util dump"
30 set test2name "kdb5_util load"
32 if [file exists $dumpfile] { file delete $dumpfile }
33 if [file exists $dumpokfile] { file delete $dumpokfile }
35 spawn $KDB5_UTIL dump $dumpfile
49 if ![check_exit_status $test1name] {
53 if ![file exists $dumpfile]||![file exists $dumpokfile] {
60 spawn $KDB5_UTIL load $dumpfile
72 if [check_exit_status $test2name] {
77 proc kinit_wrong_pw { name badpass } {
82 # Use kinit to get a ticket.
84 # For now always get forwardable tickets. Later when we need to make
85 # tests that distinguish between forwardable tickets and otherwise
86 # we should put another option to this proc. --proven
88 spawn $KINIT -5 -f $name@$REALMNAME
90 "Password for $name@$REALMNAME:" {
91 verbose "kinit started"
104 "Password incorrect while getting initial credentials" {
117 set status_list [wait -i $spawn_id]
118 catch "close -i $spawn_id"
119 verbose -log "exit status: $status_list"
120 if { [lindex $status_list 2] != 0 || [lindex $status_list 3] != 0 } {
137 global supported_enctypes
144 setup_kerberos_env kdc
146 # Start up the kerberos and kadmind daemons.
147 if ![start_kerberos_daemons 1] {
151 # Use kadmin to add a host key.
152 if ![add_random_key host/$hostname 1] {
156 spawn $KADMIN_LOCAL -q "addpol fred"
160 fail "kadmin.local addpol fred"
163 pass "kadmin.local addpol fred"
166 set k_stat [wait -i $spawn_id]
167 verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
168 catch "close -i $spawn_id"
170 # Use ksrvutil to create a srvtab entry.
171 if ![setup_srvtab 1] {
175 # Test dump and load. Continue on, whatever the result.
178 spawn $KADMIN_LOCAL -q "getpols"
181 pass "kadmin.local getpols"
185 fail "kadmin.local getpols"
188 fail "kadmin.local getpols"
191 set k_stat [wait -i $spawn_id]
192 verbose "wait -i $spawn_id returned $k_stat (kadmin addpol)"
193 catch "close -i $spawn_id"
195 # Test use of wrong password.
196 kinit_wrong_pw krbtest/admin wrongpassword
198 setup_kerberos_env client
199 # Use kinit to get a ticket.
200 if ![kinit krbtest/admin adminpass$KEY 1] {
204 if ![kinit_renew krbtest/admin adminpass$KEY 1] {
208 # Make sure that klist can see the ticket.
209 if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
213 # Get a ticket to later use with FAST
214 if ![kinit krbtest/fast adminpass$KEY 1] {
218 # Use FAST to get a ticket.
219 if ![kinit_fast krbtest/fast adminpass$KEY 1] {
223 # Destroy the ticket.
225 if ![check_exit_status "kdestroy"] {
230 # Double check that the ticket was destroyed.
231 if ![do_klist_err "klist after destroy"] { return }
233 if ![add_random_key WELLKNOWN/ANONYMOUS 0] {
237 # If the pkinit.so preauth module is present, test anonymous kinit.
238 if [file exists "$tmppwd/../../../util/fakedest$MODULE_DIR/preauth/pkinit.so" ] {
239 kinit_anonymous "WELLKNOWN/ANONYMOUS"
242 if ![add_random_key foo/bar 1] {
246 set keytab $tmppwd/fookeytab
247 catch "exec rm -f $keytab"
249 modify_principal foo/bar -kvno 252
250 foreach vno {253 254 255 256 257 258} {
251 xst $tmppwd/fookeytab foo/bar
252 do_klist_kt $tmppwd/fookeytab "klist keytab foo/bar vno $vno"
253 kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno"
254 do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno"
255 do_kdestroy "kdestroy foo/bar vno $vno"
257 catch "exec rm -f $keytab"
258 # Check that kadmin.local can actually read the correct kvno, even
259 # if we don't expect kadmin to be able to.
260 setup_kerberos_env kdc
261 spawn $KADMIN_LOCAL -r $REALMNAME
264 timeout { fail "kadmin.local correct high kvno" ; set ok 0 }
265 eof { fail "kadmin.local correct high kvno" ; set ok 0 }
267 expect "kadmin.local: "
268 send "getprinc foo/bar\r"
270 expect "Key: vno $vno,"
273 if [check_exit_status "kadmin.local examine foo/bar for high kvno"] {
275 pass "kadmin.local correct high kvno"
280 set status [catch doit msg]
282 stop_kerberos_daemons
284 if { $status != 0 } {
285 send_error "ERROR: error in standalone.exp\n"