+2002-03-06 Ken Raeburn <raeburn@mit.edu>
+
+ * default.exp (modify_principal, kinit_kt, v4kinit_kt, do_klist,
+ do_klist_kt, do_klist_err, do_kdestroy, xst, v4klist, v4kdestroy,
+ v4klist_none): New procs.
+ (add_random_key): No need to call expect_after in 'body' since
+ both branches at invocation site will do it.
+ (setup_root_shell, setup_root_shell_remote): Set correct value for
+ KRB5_CONFIG.
+ (passes): Add des-crc and des-md5 krb4 passes.
+ (top level): Set KLIST and KDESTROY.
+ (spawn_xterm): New proc useful for debugging only.
+ (start_kerberos_daemons): Wait longer for "starting"
+ line in log file.
+
2002-02-20 Ezra Peisach <epeisach@mit.edu>
* default.exp (start_kerberos_daemons): In starting the kadmin
{kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal}
{dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]}
}
+ {
+ des-v4
+ des3_krbtgt=0
+ {supported_enctypes=des-cbc-crc:v4}
+ {kdc_supported_enctypes=des-cbc-crc:v4}
+ {default_tkt_enctypes(client)=des-cbc-crc}
+ {dummy=[verbose -log "DES TGT, DES-CRC enctype, V4 salt"]}
+ }
+ {
+ des-md5-v4
+ des3_krbtgt=0
+ {supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
+ {kdc_supported_enctypes=des-cbc-md5:v4 des-cbc-crc:v4}
+ {default_tkt_enctypes(client)=des-cbc-md5 des-cbc-crc}
+ {dummy=[verbose -log "DES TGT, DES-MD5 and -CRC enctypes, V4 salt"]}
+ }
{
all-des-des3-enctypes
des3_krbtgt=1
{KADMIN_LOCAL $objdir/../../kadmin/cli/kadmin.local}
{KINIT $objdir/../../clients/kinit/kinit}
{KTUTIL $objdir/../../kadmin/ktutil/ktutil}
+ {KLIST $objdir/../../clients/klist/klist}
+ {KDESTROY $objdir/../../clients/kdestroy/kdestroy}
{RESOLVE $objdir/../resolve/resolve}
{T_INETD $objdir/t_inetd}
} {
return 1
}
+# modify_principal name options...
+
+proc modify_principal { name args } {
+ global KADMIN_LOCAL
+ global REALMNAME
+
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ expect_after {
+ eof {
+ fail "modprinc (kadmin.local)"
+ return 0
+ }
+ timeout {
+ fail "modprinc (kadmin.local)"
+ return 0
+ }
+ }
+ expect "kadmin.local: "
+ send "modprinc $args $name\r"
+ expect -re "modprinc \[^\n\r\]* $name"
+ expect -re "Principal .* modified."
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status "kadmin.local modprinc"] {
+ perror "kadmin.local modprinc exited abnormally"
+ }
+ return 1
+}
+
# setup_kerberos_files
# This procedure will create some Kerberos files which must be created
# manually before trying to run any Kerberos programs. Returns 1 on
set line [tail1 $kadmind_lfile]
switch -regexp $line {
"Seeding random number" {
- # Wait a few seconds and get the new line
- sleep 3
+ # Wait a few seconds and get the new line.
+ # (Should loop -- we don't want to wait 10 seconds if it takes
+ # 1, but we don't want to give up at 3 seconds if it takes 14
+ # either. Probably should wait up to $timeout seconds.)
+ sleep 20
set line [tail1 $kadmind_lfile]
}
}
"starting" { }
default {
if {$standalone} {
- verbose -log "kadmind failed to start"
+ verbose -log "kadmind failed to start: $line"
fail "kadmind"
} else {
+ verbose -log "kadmind failed to start: $line"
perror "kadmind failed to start"
}
+sleep 10
stop_kerberos_daemons
return 0
}
"Principal or policy already exists while creating*" { }
}
expect eof
- catch expect_after
if ![check_exit_status kadmin] {
break
}
return 1
}
+proc kinit_kt { name keytab standalone testname } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ # Use kinit to get a ticket.
+ #
+ # For now always get forwardable tickets. Later when we need to make
+ # tests that distiguish between forwardable tickets and otherwise
+ # we should but another option to this proc. --proven
+ #
+ spawn $KINIT -5 -f -k -t $keytab $name@$REALMNAME
+ expect {
+ timeout {
+ fail "kinit $testname"
+ return 0
+ }
+ eof { }
+ }
+ if ![check_exit_status "kinit $testname"] {
+ return 0
+ }
+
+ if {$standalone} {
+ pass "kinit $testname"
+ }
+
+ return 1
+}
+
+# List tickets. Requires client and server names, and test name.
+# Checks that klist exist status is zero.
+# Records pass or fail, and returns 1 or 0.
+proc do_klist { myname servname testname } {
+ global KLIST
+ global tmppwd
+
+ spawn $KLIST -5 -e
+ expect {
+ -re "Ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Default principal:\[ \]*$myname.*$servname\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
+ }
+
+ expect {
+ "\r" { }
+ eof { }
+ }
+
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+proc do_klist_kt { keytab testname } {
+ global KLIST
+ global tmppwd
+
+ spawn $KLIST -5 -e -k $keytab
+ expect {
+ -re "Keytab name:\[ \]*(.+:)?.*KVNO Principal\r\n---- -*\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
+ }
+ set more 1
+ while {$more} {
+ expect {
+ -re { *[0-9][0-9]* *[a-zA-Z/@.-]* \([/a-zA-Z 0-9-]*\) *\r\n} {
+ verbose -log "key: $expect_out(buffer)"
+ }
+ eof { set more 0 }
+ }
+ }
+
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+proc do_klist_err { testname } {
+ global KLIST
+ global spawn_id
+
+ spawn $KLIST -5
+ # Might say "credentials cache" or "credentials cache file".
+ expect {
+ -re "klist: No credentials cache.*found.*\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
+ }
+ # We can't use check_exit_status, because we expect an exit status
+ # of 1.
+ set status_list [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $status_list ($testname)"
+ if { [lindex $status_list 2] != 0 } {
+ fail "$testname (bad exit status) $status_list"
+ return 0
+ } else { if { [lindex $status_list 3] != 1 } {
+ fail "$testname (bad exit status) $status_list"
+ return 0
+ } else {
+ pass $testname
+ } }
+ return 1
+}
+
+proc do_kdestroy { testname } {
+ global KDESTROY
+ spawn $KDESTROY -5
+ if ![check_exit_status $testname] {
+ fail $testname
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+proc xst { keytab name } {
+ global KADMIN_LOCAL
+ global REALMNAME
+
+ envstack_push
+ setup_kerberos_env kdc
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ envstack_pop
+ catch expect_after
+ expect_after {
+ -re "(.*)\r\nkadmin.local: " {
+ fail "kadmin.local xst $keytab (unmatched output: $expect_out(1,string)"
+ catch "expect_after"
+ return 0
+ }
+ timeout {
+ fail "kadmin.local xst $keytab (timeout)"
+ catch "expect_after"
+ return 0
+ }
+ eof {
+ fail "kadmin.local xst $keytab (eof)"
+ catch "expect_after"
+ return 0
+ }
+ }
+ expect "kadmin.local: "
+ send "xst -k $keytab $name\r"
+ expect -re "xst -k \[^\r\n\]*\r\n.*Entry for principal .* added to keytab WRFILE:.*\r\nkadmin.local: "
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if ![check_exit_status "kadmin.local $keytab"] {
+ perror "kadmin.local xst $keytab exited abnormally"
+ return 0
+ }
+ return 1
+}
# v4_compatible_enctype
# Returns 1 if v4 testing is enabled this passes encryption types are compatable with kerberos 4 work
return 1
}
+proc v4kinit_kt { name keytab standalone } {
+ global REALMNAME
+ global KINIT
+ global spawn_id
+
+ # Use kinit to get a ticket.
+ #
+ # For now always get forwardable tickets. Later when we need to make
+ # tests that distiguish between forwardable tickets and otherwise
+ # we should but another option to this proc. --proven
+ #
+ spawn $KINIT -4 -k -t $keytab $name@$REALMNAME
+ expect {
+ timeout {
+ fail "v4kinit"
+ return 0
+ }
+ eof { }
+ }
+ if ![check_exit_status kinit] {
+ return 0
+ }
+
+ if {$standalone} {
+ pass "v4kinit"
+ }
+
+ return 1
+}
+
+# List v4 tickets.
+# Client and server are regular expressions.
+proc v4klist { client server testname } {
+ global KLIST
+ global tmppwd
+
+ spawn $KLIST -4
+ expect {
+ -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*$client.*$server\r\n" {
+ verbose "klist started"
+ }
+ timeout {
+ fail $testname
+ return 0
+ }
+ eof {
+ fail $testname
+ return 0
+ }
+ }
+
+ expect {
+ "\r" { }
+ eof { }
+ }
+
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+# Destroy tickets.
+proc v4kdestroy { testname } {
+ global KDESTROY
+ spawn $KDESTROY -4
+ if ![check_exit_status $testname] {
+ return 0
+ }
+ pass $testname
+ return 1
+}
+
+# Try to list the krb4 tickets -- there shouldn't be any ticket file.
+proc v4klist_none { testname } {
+ global KLIST
+ global tmppwd
+
+ # Double check that the ticket was destroyed.
+ spawn $KLIST -4
+ expect {
+ -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*klist: You have no tickets cached.*\r\n" {
+ verbose "v4klist started"
+ pass "$testname (output)"
+ }
+ timeout {
+ fail "$testname (output)"
+ # Skip the 'wait' below, if it's taking too long.
+ untested "$testname (exit status)"
+ return 0
+ }
+ eof {
+ fail "$testname (output)"
+ }
+ }
+ # We can't use check_exit_status, because we expect an exit status
+ # of 1.
+ set status_list [wait -i $spawn_id]
+ verbose "wait -i $spawn_id returned $status_list (v4klist)"
+ if { [lindex $status_list 2] != 0 } {
+ fail "$testname (exit status)"
+ return 0
+ } else {
+ if { [lindex $status_list 3] != 1 } {
+ fail "$testname (exit status)"
+ return 0
+ } else {
+ pass "$testname (exit status)"
+ }
+ }
+ return 1
+}
+
# Set up a root shell using rlogin $hostname -l root. This is used
# when testing the daemons that must be run as root, such as telnetd
# or rlogind. This sets the global variables rlogin_spawn_id and
}
# Set up our krb5.conf
- send "KRB5_CONFIG=$tmppwd/krb5.conf\r"
+ send "KRB5_CONFIG=$tmppwd/krb5.server.conf\r"
expect {
-re "$ROOT_PROMPT" { }
}
}
# Set up our krb5.conf
- send "KRB5_CONFIG=$tmppwd/krb5.conf\r"
+ send "KRB5_CONFIG=$tmppwd/krb5.server.conf\r"
expect {
-re "$ROOT_PROMPT" { }
}
proc krb_exit { } {
stop_kerberos_daemons
}
+
+# helpful sometimes for debugging the test suite
+proc spawn_xterm { } {
+ global env
+ foreach i {KDB5_UTIL KRB5KDC KADMIND KADMIN KADMIN_LOCAL KINIT KTUTIL KLIST} {
+ global $i
+ set env($i) [set $i]
+ }
+ exec "xterm"
+}
+
+ * standalone.exp: Move setting of KLIST and KDESTROY into
+ default.exp.
+ (doit): Call do_klist instead of implementing it here. Add a new
+ principal to the database, and test getting tickets using a
+ keytab, with multiple kvnos starting at 253 and going up past
+ 256; if first supported enctype supports v4, convert the keytab to
+ a srvtab and try getting tickets using it too. Verify that
+ kadmin.local can read the high kvno correctly.
+
+ * v4standalone.exp: Move setting of KLIST and KDESTROY into
+ default.exp. Print correct filename in top-level error message.
+ (check_and_destroy_v4_tix): New proc.
+ (doit): Call v4kinit and check_and_destroy_v4_tix.
+
+ * gssftp.exp (ftp_test): Bump kvno past 256, with multiple entries
+ in the keytab, before running test.
+
2001-11-06 Tom Yu <tlyu@mit.edu>
* rsh.exp: Fix date-grabbing regexp to deal with older versions of
# ticket file.
if {![start_kerberos_daemons 0] \
|| ![add_random_key ftp/$hostname 0] \
+ || ![modify_principal ftp/$hostname -kvno 254] \
|| ![setup_srvtab 0 ftp] \
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![xst $tmppwd/srvtab ftp/$hostname]
+ || ![do_klist_kt $tmppwd/srvtab "gssftp keytab list"]
|| ![add_kerberos_key $env(USER) 0] \
|| ![kinit $env(USER) $env(USER)$KEY 0]} {
return
# This mostly just calls procedures in testsuite/config/default.exp.
-if ![info exists KLIST] {
- set KLIST [findfile $objdir/../../clients/klist/klist]
-}
-
-if ![info exists KDESTROY] {
- set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
-}
-
# Set up the Kerberos files and environment.
if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
return
global KLIST
global KDESTROY
global KEY
+ global KADMIN_LOCAL
+ global KTUTIL
global hostname
global tmppwd
global spawn_id
+ global supported_enctypes
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 1] {
}
# Make sure that klist can see the ticket.
- spawn $KLIST -5 -e
- expect {
- -re "Ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Default principal:\[ \]*krbtest/admin@$REALMNAME.*krbtgt/$REALMNAME@$REALMNAME\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "klist"
- return
- }
- eof {
- fail "klist"
- return
- }
- }
-
- expect {
- "\r" { }
- eof { }
- }
-
- if ![check_exit_status "klist"] {
+ if ![do_klist "krbtest/admin@$REALMNAME" "krbtgt/$REALMNAME@$REALMNAME" "klist"] {
return
}
- pass "klist"
# Destroy the ticket.
spawn $KDESTROY -5
pass "kdestroy"
# Double check that the ticket was destroyed.
- spawn $KLIST -5
- expect {
- -re "klist: No credentials cache file found.*\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "klist after kdestroy"
- return
+ if ![do_klist_err "klist after destroy"] { return }
+
+ if ![add_random_key foo/bar 1] {
+ return
+ }
+
+ set keytab $tmppwd/fookeytab
+ catch "exec rm -f $keytab"
+
+ modify_principal foo/bar -kvno 252
+ foreach vno {253 254 255 256 257 258} {
+ xst $tmppwd/fookeytab foo/bar
+ do_klist_kt $tmppwd/fookeytab "klist keytab foo/bar vno $vno"
+ kinit_kt "foo/bar" $tmppwd/fookeytab 1 "kt kvno $vno"
+ do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist kt foo/bar vno $vno"
+ do_kdestroy "kdestroy foo/bar vno $vno"
+
+ if [regexp {des-cbc-[a-z0-9-]*:v4} [lindex $supported_enctypes 0]] {
+ catch "exec rm -f $tmppwd/foosrvtab"
+ spawn $KTUTIL
+ expect_after {
+ timeout { fail "ktutil converting keytab to srvtab" ; set ok 0 }
+ eof { fail "ktutil converting keytab to srvtab" ; set ok 0 }
+ }
+ expect "ktutil: "
+ send "rkt $tmppwd/fookeytab\r"
+ expect -ex "rkt $tmppwd/fookeytab\r"
+ expect "ktutil: "
+# for debugging, just log this
+# send "list\r"
+# expect "ktutil: "
+ #
+ send "wst $tmppwd/foosrvtab\r"
+ expect -ex "wst $tmppwd/foosrvtab\r"
+ expect "ktutil: "
+# for debugging, just log this
+# send "clear\r"
+# expect "ktutil: "
+# send "rst $tmppwd/foosrvtab\r"
+# expect "ktutil: "
+# send "list\r"
+# expect "ktutil: "
+ # okay, now quit and finish testing
+ send "quit\r"
+ expect eof
+ catch expect_after
+ if [check_exit_status "ktutil converting keytab to srvtab (vno $vno)"] {
+ pass "ktutil converting keytab to srvtab (vno $vno)"
+ do_klist_kt $tmppwd/fookeytab "klist srvtab foo/bar vno $vno"
+ kinit_kt "foo/bar" "SRVTAB:$tmppwd/foosrvtab" 1 "st kvno $vno"
+ do_klist "foo/bar" "krbtgt/$REALMNAME@$REALMNAME" "klist st foo/bar vno $vno"
+ do_kdestroy "kdestroy st foo/bar vno $vno"
+ }
+ } else {
+ verbose "skipping v5kinit/srvtab tests because of non-v4 enctype"
}
- eof {
- fail "klist after kdestroy"
- return
+ }
+ catch "exec rm -f $keytab"
+ # Check that kadmin.local can actually read the correct kvno, even
+ # if we don't expect kadmin to be able to.
+ spawn $KADMIN_LOCAL -r $REALMNAME
+ set ok 1
+ expect_after {
+ timeout { fail "kadmin.local correct high kvno" ; set ok 0 }
+ eof { fail "kadmin.local correct high kvno" ; set ok 0 }
+ }
+ expect "kadmin.local: "
+ send "getprinc foo/bar\r"
+# exec sleep 10
+ expect "Key: vno $vno,"
+ send "quit\r"
+ expect eof
+ if [check_exit_status "kadmin.local examine foo/bar for high kvno"] {
+ if $ok {
+ pass "kadmin.local correct high kvno"
}
}
- # We can't use check_exit_status, because we expect an exit status
- # of 1.
- set status_list [wait -i $spawn_id]
- verbose "wait -i $spawn_id returned $status_list (klist)"
- if { [lindex $status_list 2] != 0 } {
- fail "klist (bad exit status) $status_list"
- return
- } else { if { [lindex $status_list 3] != 1 } {
- fail "klist (bad exit status) $status_list"
- return
- } else {
- pass klist
- } }
}
set status [catch doit msg]
# This mostly just calls procedures in testsuite/config/default.exp.
-if ![info exists KLIST] {
- set KLIST [findfile $objdir/../../clients/klist/klist]
-}
-
-if ![info exists KDESTROY] {
- set KDESTROY [findfile $objdir/../../clients/kdestroy/kdestroy]
-}
-
# Set up the Kerberos files and environment.
if {![get_hostname] || ![setup_kerberos_files] || ![setup_kerberos_env]} {
return
# the rest of the tests inside a proc, so that we can easily kill the
# processes when the procedure ends.
+proc check_and_destroy_v4_tix { client server } {
+ global REALMNAME
+
+ # Make sure that klist can see the ticket.
+ if ![v4klist "$client" "$server" "v4klist"] {
+ return
+ }
+
+ # Destroy the ticket.
+ if ![v4kdestroy "v4kdestroy"] {
+ return
+ }
+
+ if ![v4klist_none "v4klist no tix 1"] {
+ return
+ }
+}
+
proc doit { } {
global REALMNAME
global KLIST
global KDESTROY
global KEY
global hostname
- global tmppwd
global spawn_id
+ global tmppwd
# Start up the kerberos and kadmind daemons.
if ![start_kerberos_daemons 1] {
}
# Use kinit to get a ticket.
- if ![v4kinit krbtest.admin adminpass$KEY 1] {
- return
+ if [v4kinit krbtest.admin adminpass$KEY 1] {
+ check_and_destroy_v4_tix krbtest.admin@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
}
- # Make sure that klist can see the ticket.
- spawn $KLIST -4
- expect {
- -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*Principal:\[ \]*krbtest.admin@$REALMNAME.*krbtgt\.$REALMNAME@$REALMNAME\r\n" {
- verbose "klist started"
- }
- timeout {
- fail "v4klist"
- return
- }
- eof {
- fail "v4klist"
- return
- }
- }
-
- expect {
- "\r" { }
- eof { }
- }
-
- if ![check_exit_status "klist"] {
- return
- }
- pass "v4klist"
-
- # Destroy the ticket.
- spawn $KDESTROY -4
- if ![check_exit_status "kdestroy"] {
- return
- }
- pass "v4kdestroy"
-
- # Double check that the ticket was destroyed.
- spawn $KLIST -4
- expect {
- -re "Kerberos 4 ticket cache:\[ \]*(.+:)?$tmppwd/tkt.*klist: You have no tickets cached.*\r\n" {
- verbose "v4klist started"
- }
- timeout {
- fail "v4klist after kdestroy"
- return
- }
- eof {
- fail "v4klist after kdestroy"
- return
- }
- }
- # We can't use check_exit_status, because we expect an exit status
- # of 1.
- set status_list [wait -i $spawn_id]
- verbose "wait -i $spawn_id returned $status_list (klist)"
- if { [lindex $status_list 2] != 0 } {
- fail "v4klist (bad exit status) $status_list"
- return
- } else { if { [lindex $status_list 3] != 1 } {
- fail "v4klist (bad exit status) $status_list"
- return
- } else {
- pass v4klist
- } }
+ # Use kinit with srvtab to get a ticket.
+ # XXX - Currently kinit doesn't support "-4 -k"!
+# set shorthost [string range $hostname 0 [expr [string first . $hostname] - 1]]
+# if [v4kinit_kt host.$shorthost SRVTAB:$tmppwd/srvtab 1] {
+# check_and_destroy_v4_tix host.$shorthost@$REALMNAME krbtgt.$REALMNAME@$REALMNAME
+# }
}
set status [catch doit msg]
stop_kerberos_daemons
if { $status != 0 } {
- send_error "ERROR: error in standalone.exp\n"
+ send_error "ERROR: error in v4standalone.exp\n"
send_error "$msg\n"
exit 1
}
projects / krb5.git / commitdiff