From: Tom Yu Date: Fri, 22 Jun 2001 23:37:16 +0000 (+0000) Subject: * default.exp: Use the interface variable $TMPDIR to allow the X-Git-Tag: krb5-1.3-alpha1~1286 X-Git-Url: http://git.tremily.us/?a=commitdiff_plain;h=7fc757acc35aa16e8794295269fc2ed4aa03ca6d;p=krb5.git * default.exp: Use the interface variable $TMPDIR to allow the specification of an alternative temporary directory. Wrap a loop around various testings and settings of interface variables that specify the locations of programs to be tested, e.g. $KADMIND. Add some support for having different sets of enctypes on client, server, and kdc. The envstack changes and multiple config file support should get cleaned up somewhat later to possibly allow for programs to execute on different hosts. (check_k5login): Fix up to reflect actual (perhaps bogus) behavior of krb5_kuserok(), which doesn't do quite what we expect, so there really does need to be something like "luser@KRBTEST.COM" in the .k5login file. (check_klogin): New procedure; .klogin also needs to be checked for the v4gssftp test. (envstack_push, envstack_pop): New procedure; keep a stack of environment variable state, which is useful for running different programs with different config files. (setup_runtime_flags, setup_kerberos_env): Rewrite somewhat so they play nice with the envstack. (setup_krb5_conf): New procedure; write a config file with the contents parameterized based on the type of program that will use it. (setup_kerberos_files): Create different krb5.conf files for client, server, and kdc. (setup_kadmind_srvtab, setup_kerberos_db, start_kerberos_daemons): Rewrite to play nice with envstack. (setup_root_shell_noremote): New procedure from raeburn; handle the case where we're already running as root. (setup_root_shell): Call setup_root_shell_noremote as appropriate. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@13500 dc483132-0cff-0310-8789-dd5450dbe970 --- 
diff --git a/src/tests/dejagnu/config/ChangeLog b/src/tests/dejagnu/config/ChangeLog index 86dbf519a..863ccd882 100644 --- a/src/tests/dejagnu/config/ChangeLog +++ b/src/tests/dejagnu/config/ChangeLog @@ -1,3 +1,35 @@ +2001-06-22 Tom Yu + + * default.exp: Use the interface variable $TMPDIR to allow the + specification of an alternative temporary directory. Wrap a loop + around various testings and settings of interface variables that + specify the locations of programs to be tested, e.g. $KADMIND. + Add some support for having different sets of enctypes on client, + server, and kdc. The envstack changes and multiple config file + support should get cleaned up somewhat later to possibly allow for + programs to execute on different hosts. + (check_k5login): Fix up to reflect actual (perhaps bogus) behavior + of krb5_kuserok(), which doesn't do quite what we expect, so there + really does need to be something like "luser@KRBTEST.COM" in the + .k5login file. + (check_klogin): New procedure; .klogin also needs to be checked + for the v4gssftp test. + (envstack_push, envstack_pop): New procedure; keep a stack of + environment variable state, which is useful for running different + programs with different config files. + (setup_runtime_flags, setup_kerberos_env): Rewrite somewhat so + they play nice with the envstack. + (setup_krb5_conf): New procedure; write a config file with the + contents parameterized based on the type of program that will use + it. + (setup_kerberos_files): Create different krb5.conf files for + client, server, and kdc. + (setup_kadmind_srvtab, setup_kerberos_db, start_kerberos_daemons): + Rewrite to play nice with envstack. + (setup_root_shell_noremote): New procedure from raeburn; handle + the case where we're already running as root. + (setup_root_shell): Call setup_root_shell_noremote as appropriate. + 2001-06-17 Ezra Peisach * default.exp: Add an entry for krb524_server for the localhost 
diff --git a/src/tests/dejagnu/config/default.exp b/src/tests/dejagnu/config/default.exp
index 827c994f8..bfc262a4c 100644
--- a/src/tests/dejagnu/config/default.exp
+++ b/src/tests/dejagnu/config/default.exp
@@ -7,7 +7,7 @@
 # This file provides several functions which deal with a local
 # Kerberos database. We have to do this such that we don't interfere
 # with any existing Kerberos database. We will create all the files
-# in the directory tmpdir, which will have been created by the
+# in the directory $tmppwd, which will have been created by the
 # testsuite default script. We will use $REALMNAME as our Kerberos
 # realm name, defaulting to KRBTEST.COM.
 
@@ -19,37 +19,115 @@ set des3_krbtgt 0 set supported_enctypes "des-cbc-crc:normal" set kdc_supported_enctypes "des-cbc-crc:normal" +# The names of the individual passes must be unique; lots of things +# depend on it. The PASSES variable may not contain comments; only +# small pieces get evaluated, so comments will do strange things. + +# The des.no-kdc-md5 pass will fail due to the SUPPORTS_MD5 flag not +# being set. + +# The des.no-kdc-md5.client-md4-skey will fail on TGS requests due to +# the KDC issuing session keys that it won't accept. It will also +# fail for a kadmin client, but for different reasons, since the kadm5 +# library does some curious filtering of enctypes, and also uses +# get_in_tkt() rather than get_init_creds(); the former does an +# intersection of the enctypes provided by the caller and those listed +# in the config file! + set passes { { des des3_krbtgt=0 - {supported_enctypes=\"des-cbc-crc:normal\"} - {kdc_supported_enctypes=\"des-cbc-crc:normal\"} + {supported_enctypes=des-cbc-crc:normal} + {kdc_supported_enctypes=des-cbc-crc:normal} {dummy=[verbose -log "DES TGT, DES enctype"]} } { des.des3tgt des3_krbtgt=1 - {supported_enctypes=\"des-cbc-crc:normal\"} - {kdc_supported_enctypes=\"des3-cbc-sha1:normal des-cbc-crc:normal\"} + {supported_enctypes=des-cbc-crc:normal} + {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} {dummy=[verbose -log "DES3 TGT, DES enctype"]} } { des3 des3_krbtgt=1 - {supported_enctypes=\"des3-cbc-sha1:normal des-cbc-crc:normal\"} - {kdc_supported_enctypes=\"des3-cbc-sha1:normal des-cbc-crc:normal\"} + {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} + {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal} {dummy=[verbose -log "DES3 TGT, DES3 + DES enctypes"]} } { - allenctypes + all-des-des3-enctypes des3_krbtgt=1 - {supported_enctypes=\"des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm\"} - {kdc_supported_enctypes=\"des3-cbc-sha1:normal 
des-cbc-crc:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm\"} + {supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal \ + des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm \ + des-cbc-md4:normal} + {kdc_supported_enctypes=des3-cbc-sha1:normal des-cbc-crc:normal \ + des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm \ + des-cbc-md4:normal} {dummy=[verbose -log "DES3 TGT, many DES3 + DES enctypes"]} } } +set unused_passes { + { + des.no-kdc-md5 + des3_krbtgt=0 + {permitted_enctypes(kdc)=des-cbc-crc} + {default_tgs_enctypes(client)=des-cbc-md5} + {default_tkt_enctypes(client)=des-cbc-md5} + {supported_enctypes=des-cbc-crc:normal} + {kdc_supported_enctypes=des-cbc-crc:normal} + {dummy=[verbose -log \ + "DES TGT, DES enctype, KDC permitting only des-cbc-crc"]} + } + { + des.no-kdc-md5.client-md4-skey + des3_krbtgt=0 + {permitted_enctypes(kdc)=des-cbc-crc} + {permitted_enctypes(client)=des-cbc-crc des-cbc-md4} + {default_tgs_enctypes(client)=des-cbc-crc des-cbc-md4} + {default_tkt_enctypes(client)=des-cbc-md4} + {supported_enctypes=des-cbc-crc:normal} + {kdc_supported_enctypes=des-cbc-crc:normal} + {dummy=[verbose -log \ + "DES TGT, DES enctype, KDC permitting only des-cbc-crc, client requests des-cbc-md4 session key"]} + } + { + all-enctypes + des3_krbtgt=1 + {supported_enctypes=\ + rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \ + serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \ + twofish256-hmac-sha1:normal twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \ + des3-cbc-sha1:normal des3-cbc-sha1:none \ + des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \ + des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \ + } + {kdc_supported_enctypes=\ + rijndael256-hmac-sha1:normal rijndael192-hmac-sha1:normal rijndael128-hmac-sha1:normal \ + serpent256-hmac-sha1:normal serpent192-hmac-sha1:norealm serpent128-hmac-sha1:normal \ + twofish256-hmac-sha1:normal 
twofish192-hmac-sha1:norealm twofish128-hmac-sha1:normal \ + des3-cbc-sha1:normal des3-cbc-sha1:none \ + des-cbc-md5:normal des-cbc-md4:normal des-cbc-crc:normal \ + des-cbc-md5:v4 des-cbc-md4:v4 des-cbc-crc:v4 \ + } + {dummy=[verbose -log "DES3 TGT, default enctypes"]} + } + { + aes + des3_krbtgt=0 + {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal} + {kdc_supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal} + {default_tgs_enctypes=rijndael256-hmac-sha1 des-cbc-crc} + {default_tkt_enctypes=rijndael256-hmac-sha1 des-cbc-crc} + {dummy=[verbose -log "DES3 TGT, default enctypes"]} + } +} +# {supported_enctypes=des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal } +# {kdc_supported_enctypes= des-cbc-md5:normal des-cbc-crc:normal twofish256-hmac-sha1:normal} +# This shouldn't be necessary on dejagnu-1.4 and later, but 1.3 seems +# to need it because its runtest.exp doesn't deal with PASS at all. if [info exists PASS] { foreach pass $passes { if { [lsearch -exact $PASS [lindex $pass 0]] >= 0 } { @@ -64,9 +142,15 @@ set last_passname_conf "" set last_passname_db "" # We do everything in a temporary directory. -if ![file isdirectory tmpdir] {catch "exec mkdir tmpdir" status} - -set tmppwd "[pwd]/tmpdir" +if ![info exists TMPDIR] { + set tmppwd "[pwd]/tmpdir" + if ![file isdirectory $tmppwd] { + catch "exec mkdir $tmppwd" status + } +} else { + set tmppwd $TMPDIR +} +verbose "tmppwd=$tmppwd" # On Ultrix, use /bin/sh5 in preference to /bin/sh. if ![info exists BINSH] { @@ -87,7 +171,7 @@ if ![info exists BINSH] { if ![info exists KEY] { catch {exec $BINSH -c "echo $$"} KEY verbose "KEY is $KEY" - set keyfile [open tmpdir/KEY w] + set keyfile [open $tmppwd/KEY w] puts $keyfile "$KEY" close $keyfile } 
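Review bot: In `unused_passes`, the `aes` entry sets `default_tgs_enctypes=` and `default_tkt_enctypes=` with no `(client)`/`(kdc)` index, while `setup_krb5_conf` later in this patch only reads `default_tgs_enctypes($type)`; how pass settings are applied is outside this hunk, but as written those two values would apparently never reach a generated config file, and `{default_tgs_enctypes(client)=rijndael256-hmac-sha1 des-cbc-crc}` is the form the other passes use. The same entry lists `twofish256-hmac-sha1` as supported yet requests `rijndael256-hmac-sha1`, and both it and `all-enctypes` log "DES3 TGT, default enctypes" (with `des3_krbtgt=0` in the `aes` case), which will mislead anyone reading a test log. A comment above `set unused_passes` saying why each of the last two passes is parked, like the ones given for the `des.no-kdc-md5` passes, would complete the documentation.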
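Review bot: The `else` branch of the TMPDIR hunk takes `$TMPDIR` as given: unlike the default branch it never checks that the directory exists, and nothing says it must be private to the user running the tests. The rest of the patch creates fixed names under `$tmppwd` (`KEY`, `srvtab`, `admin-keytab`, the krb5 config files), so a TMPDIR that other local accounts can write to means those files can collide with, or already have been created by, someone else. I would move the `file isdirectory` test after the `if`/`else` so it covers both branches and add a comment that TMPDIR must name a directory owned by the test user. Separately, `catch "exec mkdir $tmppwd"` re-parses the substituted path as Tcl, so a space or bracket in it changes the command; `catch [list exec mkdir $tmppwd] status` avoids that, and the same double-quoted form is used for `rm -f` in the `@@ -95,7 +179,7 @@` hunk and in `get_hostname` and `setup_kadmind_srvtab`.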
@@ -95,7 +179,7 @@ if ![info exists KEY] { # Clear away any files left over from a previous run. # We can't use them now because we don't know the right KEY. # krb5.conf might change if running tests on another host -catch "exec rm -f tmpdir/db.ok tmpdir/srvtab tmpdir/krb5.conf tmpdir/kdc.conf tmpdir/cpw_srvtab tmpdir/krb.realms tmpdir/krb.conf" +catch "exec rm -f $tmppwd/db.ok $tmppwd/srvtab $tmppwd/krb5.conf $tmppwd/kdc.conf $tmppwd/cpw_srvtab $tmppwd/krb.realms $tmppwd/krb.conf" # Put the installed kerberos directories on PATH. # This needs to be fixed for V5. 
@@ -125,41 +209,27 @@ verbose "Test realm is $REALMNAME" # if they exist. If they do not, then they must be in PATH. We # expect $objdir to be ...tests/dejagnu. -if ![info exists KDB5_UTIL] { - set KDB5_UTIL [findfile $objdir/../../kadmin/dbutil/kdb5_util] -} - -if ![info exists KRB5KDC] { - set KRB5KDC [findfile $objdir/../../kdc/krb5kdc] -} - -if ![info exists KADMIND] { - set KADMIND [findfile $objdir/../../kadmin/server/kadmind] -} - -if ![info exists KADMIN] { - set KADMIN [findfile $objdir/../../kadmin/cli/kadmin] -} - -if ![info exists KADMIN_LOCAL] { - set KADMIN_LOCAL [findfile $objdir/../../kadmin/cli/kadmin.local] -} - - -if ![info exists KINIT] { - set KINIT [findfile $objdir/../../clients/kinit/kinit] -} - -if ![info exists KTUTIL] { - set KTUTIL [findfile $objdir/../../kadmin/ktutil/ktutil] -} - -if ![info exists RESOLVE] { - set RESOLVE [findfile $objdir/../resolve/resolve] -} - -if ![info exists T_INETD] { - set T_INETD [findfile $objdir/t_inetd] +foreach i { + {KDB5_UTIL $objdir/../../kadmin/dbutil/kdb5_util} + {KRB5KDC $objdir/../../kdc/krb5kdc} + {KADMIND $objdir/../../kadmin/server/kadmind} + {KADMIN $objdir/../../kadmin/cli/kadmin} + {KADMIN_LOCAL $objdir/../../kadmin/cli/kadmin.local} + {KINIT $objdir/../../clients/kinit/kinit} + {KTUTIL $objdir/../../kadmin/ktutil/ktutil} + {RESOLVE $objdir/../resolve/resolve} + {T_INETD $objdir/t_inetd} +} { + set varname [lindex $i 0] + if ![info exists $varname] { + eval set varval [lindex $i 1] + set varval [findfile $varval] + set $varname $varval + verbose "$varname=$varval" + } { + eval set varval \$$varname + verbose "$varname already set to $varval" + } } if ![info exists RLOGIN] { 
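Review bot: The two `eval set varval ...` lines are harder to read than they need to be; `set varval [subst -nocommands [lindex $i 1]]` expands `$objdir` in the template directly, and the else branch can be `set varval [set $varname]`. Because the loop runs at file scope, `i`, `varname` and `varval` remain as globals afterwards, so either `unset` them after the loop or say so in a comment. A one-line comment above the list stating that each entry is `{VARIABLE default-path}` and that a value preset by the caller always wins would document the contract the nine removed `if` blocks made obvious.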
@@ -188,22 +258,29 @@ exit -onexit [concat { } [exit -onexit]] # check_k5login + # Most of the tests won't work if the user has a .k5login file, unless -# the user's name appears unadorned in .k5login (in which case kuserok -# will assume a null instance and the local realm). This procedure -# returns 1 if the .k5login file appears to be OK, 0 otherwise. This -# check is not foolproof. +# the user's name appears with $REALMNAME in .k5login + +# This procedure returns 1 if the .k5login file appears to be OK, 0 +# otherwise. This check is not foolproof. + +# Note that this previously checked for a username with no realm; this +# works for krb4's kuserok() but not for krb5_kuserok(), due to some +# implementation details. *sigh* proc check_k5login { testname } { global env global REALMNAME - if ![file exists ~/.k5login] { + if {![file exists ~/.k5login] && $env(USER) != "root"} { return 1 } + verbose "looking for $env(USER)@$REALMNAME in ~/.k5login" 2 set file [open ~/.k5login r] while { [gets $file principal] != -1 } { + verbose " found $principal" 2 if { $principal == "$env(USER)@$REALMNAME" } { close $file return 1 @@ -212,7 +289,34 @@ proc check_k5login { testname } { close $file note "$testname test requires that your name appear in your ~/.k5login" - note "file with no realm or instance." + note "file in the form $env(USER)@$REALMNAME" + unsupported "$testname" + + return 0 +} + +proc check_klogin { testname } { + global env + global REALMNAME + + if {![file exists ~/.klogin] && $env(USER) != "root" } { + return 1 + } + + verbose "looking for $env(USER) in ~/.klogin" 2 + set file [open ~/.klogin r] + while { [gets $file principal] != -1 } { + verbose " found $principal" 2 + if { $principal == "$env(USER)" \ + || $principal == "$env(USER)@$REALMNAME" } { + close $file + return 1 + } + } + close $file + + note "$testname test requires that your name appear in your ~/.klogin" + note "file without a realm." unsupported "$testname" return 0 
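Review bot: With the added `&& $env(USER) != "root"`, a root user who has no `~/.k5login` falls through to `open ~/.k5login r`, which raises a Tcl error instead of reaching the `unsupported` path; `check_klogin` in the next hunk has the same shape with `~/.klogin`. If the intent is that root always needs an explicit entry, test for the file again after the early return, e.g. `if ![file exists ~/.k5login] { unsupported "$testname"; return 0 }`. The new comment block explains the realm requirement but not why root is treated differently, and that reason should be written down next to the condition.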
@@ -238,73 +342,126 @@ proc check_exit_status { testname } { } } -# setup_runtime_flags -# Sets the proper flags for shared libraries. -# Configuration is through a site.exp and the runvarlist variable -# Returns 1 if variables were already set, otherwise 0 -proc setup_runtime_env { } { - global env - global runvarlist - global krb5_init_vars - global krb5_old_vars - global runtime_setup +# +# ENVSTACK +# - if [info exists runtime_setup] { - return 1 - } +# These procedures implement an environment variable stack. They use +# the global variable $envvars_tosave for the purpose of identifying +# which environment variables to save. They also track which ones are +# unset at any particular point. The stack pointer is $envstackp, +# which is an integer. The arrays $envstack$envstackp and +# $unenvstack$envstackp store respectively the set of old environment +# variables/values pushed onto the stack and the set of old unset +# environment variables for a given value of $envstackp. - set runtime_setup 1 - set krb5_init_vars [list ] - set krb5_old_vars [list ] +# Changing the value of $envvars_tosave after performing the first +# push operation may result in strangeness. - # Only keep the foo=bar and ignore export commands... - foreach i $runvarlist { - if {[regexp ".*=.*" $i]} { - lappend krb5_init_vars $i +# +# envstack_push +# +# Push set of current environment variables. +# +proc envstack_push { } { + global env + global envvars_tosave + global envstackp + global envstack$envstackp + global unenvstack$envstackp + + verbose "envstack_push: starting, sp=$envstackp" + foreach i $envvars_tosave { + if [info exists env($i)] { + verbose "envstack_push: saving $i=$env($i)" + set envstack${envstackp}($i) $env($i) + } { + verbose "envstack_push: marking $i as unset" + set unenvstack${envstackp}($i) unset } } + incr envstackp + verbose "envstack_push: exiting, sp=$envstackp" +} - - # Set the variables... 
(and save the old ones) - foreach i $krb5_init_vars { - regexp "^(\[^=\]*)=(.*)" $i foo evar evalue - if [info exists env($evar)] { - lappend krb5_old_vars $evar=$env($evar) - } - set env($evar) "$evalue" - verbose "$evar=$evalue" +# +# envstack_pop +# +# Pop set of current environment variables. +# +proc envstack_pop { } { + global env + global envstackp + + verbose "envstack_pop: starting, sp=$envstackp" + incr envstackp -1 + global envstack$envstackp # YUCK!!! no obvious better way though... + global unenvstack$envstackp + if {$envstackp < 0} { + perror "envstack_pop: stack underflow!" + return + } + if [info exists envstack$envstackp] { + foreach i [array names envstack$envstackp] { + if [info exists env($i)] { + verbose "envstack_pop: $i was $env($i)" + } + eval set env($i) \$envstack${envstackp}($i) + verbose "envstack_pop: restored $i to $env($i)" + } + unset envstack$envstackp + } + if [info exists unenvstack$envstackp] { + foreach i [array names unenvstack$envstackp] { + if [info exists env($i)] { + verbose "envstack_pop: $i was $env($i)" + unset env($i) + verbose "envstack_pop: $i unset" + } { + verbose "envstack_pop: ignoring already unset $i" + } + } + unset unenvstack$envstackp } + verbose "envstack_pop: exiting, sp=$envstackp" +} - return 0 +# +# Initialize the envstack +# +set envvars_tosave { + KRB5_CONFIG KRB5CCNAME KRBTKFILE KRB5RCACHEDIR + KERBEROS_SERVER KRB5_KDC_PROFILE +} +set krb5_init_vars [list ] +# XXX -- fix me later! +foreach i $runvarlist { + verbose "processing $i" + if {[regexp "^(\[^=\]*)=(.*)" $i foo evar evalue]} { + verbose "adding $evar to savelist" + lappend envvars_tosave $evar + verbose "savelist $envvars_tosave" + lappend krb5_init_vars $i + } } +set envstackp 0 +envstack_push +# setup_runtime_flags +# Sets the proper flags for shared libraries. 
# Configuration is through a site.exp and the runvarlist variable -proc restore_runtime_env { } { +# Returns 1 if variables were already set, otherwise 0 +proc setup_runtime_env { } { global env global krb5_init_vars - global krb5_old_vars - global runtime_setup - - - if ![info exists runtime_setup] { - return 1 - } - # restore the variables... + # Set the variables foreach i $krb5_init_vars { regexp "^(\[^=\]*)=(.*)" $i foo evar evalue - set idx [lsearch -regexp $krb5_old_vars "^$evar=" ] - if {$idx >= 0} { - - regexp "^(\[^=\]*)=(.*)" [lindex $krb5_old_vars $idx] foo evar evalue - set env($evar) "$evalue" - - } else { - catch "unset env($evar)" - } + set env($evar) "$evalue" + verbose "$evar=$evalue" } - - unset runtime_setup + return 0 } # get_hostname @@ -317,36 +474,35 @@ proc get_hostname { } { global hostname global localhostname global domain + global tmppwd if {[info exists hostname] && [info exists localhostname]} { return 1 } - set setup [setup_runtime_env] - - catch "exec $RESOLVE -q >tmpdir/hostname" exec_output + envstack_push + setup_runtime_env + catch "exec $RESOLVE -q >$tmppwd/hostname" exec_output + envstack_pop if ![string match "" $exec_output] { verbose -log $exec_output perror "can't get hostname" - if {$setup == 0} restore_runtime_env return 0 } - set file [open tmpdir/hostname r] + set file [open $tmppwd/hostname r] if { [ gets $file hostname ] == -1 } { perror "no output from hostname" - if {$setup == 0} restore_runtime_env return 0 } close $file - catch "exec rm -f tmpdir/hostname" exec_output - regexp "^(\[^.\]*)\.(.*)$" $hostname foo localhostname domain + catch "exec rm -f $tmppwd/hostname" exec_output + regexp "^(\[^.\]*)\\.(.*)$" $hostname foo localhostname domain set hostname [string tolower $hostname] set localhostname [string tolower $localhostname] set domain [string tolower $domain] verbose "hostname: $hostname; localhostname: $localhostname; domain $domain" - if {$setup == 0} restore_runtime_env return 1 } 
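Review bot: `envstack_pop` decrements `$envstackp` before the underflow test and returns without restoring it, so after one unbalanced pop the pointer stays at -1 and the next `envstack_push` saves into `envstack-1`; testing first, `if {$envstackp <= 0} { perror "envstack_pop: stack underflow!"; return }`, keeps the stack usable. On the line `global envstack$envstackp # YUCK!!! ...` the `#` does not start a comment in Tcl, so the remaining words are handed to `global` as variable names; it needs `;#`. The initialisation block now reads `$runvarlist` when the file is sourced rather than inside a proc, so it presumably fails outright if site.exp did not define it; an `info exists runvarlist` guard would make that explicit.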
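Review bot: In `get_hostname` the corrected pattern `"^(\[^.\]*)\\.(.*)$"` now requires a literal dot, but the result of `regexp` is still ignored, so when `$RESOLVE -q` prints an unqualified name `localhostname` and `domain` may be left unset and the `string tolower` lines that follow raise an error. A guard such as `if ![regexp "^(\[^.\]*)\\.(.*)$" $hostname foo localhostname domain] { perror "hostname is not fully qualified"; return 0 }` turns that into a reported failure. The `gets` failure path in the same hunk also returns without `close $file`.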
@@ -360,7 +516,6 @@ proc setup_kerberos_files { } { global hostname global domain global tmppwd - global default_tgt_enctypes global supported_enctypes global kdc_supported_enctypes global last_passname_conf @@ -370,44 +525,14 @@ proc setup_kerberos_files { } { return 0 } - # Create a krb5.conf file. - if { ![file exists tmpdir/krb5.conf] \ - || $last_passname_conf != $multipass_name } { - set conffile [open tmpdir/krb5.conf w] - puts $conffile "\[libdefaults\]" - puts $conffile " default_realm = $REALMNAME" - # puts $conffile "default_tgs_enctypes = des-cbc-md5 des-cbc-crc" - if [info exists default_tgt_enctypes] { - puts $conffile "default_tgs_enctypes = $default_tgs_enctypes" - } - puts $conffile " krb4_config = $tmppwd/krb.conf" - puts $conffile " krb4_realms = $tmppwd/krb.realms" - puts $conffile " krb4_srvtab = $tmppwd/v4srvtab" - puts $conffile "" - puts $conffile "\[realms\]" - puts $conffile " $REALMNAME = \{" - puts $conffile " kdc = $hostname:3088" - puts $conffile " admin_server = $hostname:3750" - puts $conffile " kpasswd_server = $hostname:3751" - puts $conffile " default_domain = $domain" - puts $conffile " krb524_server = $hostname:3752" - puts $conffile " \}" - puts $conffile "" - puts $conffile "\[domain_realm\]" - puts $conffile " .$domain = $REALMNAME" - puts $conffile " $domain = $REALMNAME" - puts $conffile "" - puts $conffile "\[logging\]" - puts $conffile " admin_server = FILE:$tmppwd/kadmind5.log" - puts $conffile " kdc = FILE:$tmppwd/kdc.log" - puts $conffile " default = FILE:$tmppwd/others.log" - close $conffile - } + setup_krb5_conf client + setup_krb5_conf server + setup_krb5_conf kdc # Create a kdc.conf file. - if { ![file exists tmpdir/kdc.conf] \ + if { ![file exists $tmppwd/kdc.conf] \ || $last_passname_conf != $multipass_name } { - set conffile [open tmpdir/kdc.conf w] + set conffile [open $tmppwd/kdc.conf w] puts $conffile "\[kdcdefaults\]" puts $conffile " kdc_ports = 3085,3086,3087,3088,3089" puts $conffile "" 
@@ -427,8 +552,6 @@ proc setup_kerberos_files { } { puts $conffile " master_key_name = master/key" puts $conffile " supported_enctypes = $supported_enctypes" puts $conffile " kdc_supported_enctypes = $kdc_supported_enctypes" - # puts $conffile " supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm" - # puts $conffile " kdc_supported_enctypes = des3-cbc-sha1:normal des-cbc-crc:normal des-cbc-md5:normal des-cbc-crc:v4 des-cbc-md5:norealm" puts $conffile " kdc_ports = 3088" puts $conffile " default_principal_expiration = 2037.12.31.23.59.59" puts $conffile " default_principal_flags = -postdateable forwardable" @@ -439,31 +562,31 @@ proc setup_kerberos_files { } { } # Create ACL file. - if ![file exists tmpdir/acl] { - set aclfile [open tmpdir/acl w] + if ![file exists $tmppwd/acl] { + set aclfile [open $tmppwd/acl w] puts $aclfile "krbtest/admin@$REALMNAME *" close $aclfile } # Create krb.conf file - if ![file exists tmpdir/krb.conf] { - set conffile [open tmpdir/krb.conf w] + if ![file exists $tmppwd/krb.conf] { + set conffile [open $tmppwd/krb.conf w] puts $conffile "$REALMNAME" puts $conffile "$REALMNAME $hostname:3088 admin server" close $conffile } # Create krb.realms file - if ![file exists tmpdir/krb.realms] { - set conffile [open tmpdir/krb.realms w] + if ![file exists $tmppwd/krb.realms] { + set conffile [open $tmppwd/krb.realms w] puts $conffile ".[string toupper $domain] $REALMNAME" puts $conffile "[string toupper $domain]. $REALMNAME" close $conffile } # Create dictfile file. - if ![file exists tmpdir/dictfile] { - set dictfile [open tmpdir/dictfile w] + if ![file exists $tmppwd/dictfile] { + set dictfile [open $tmppwd/dictfile w] puts $dictfile "weak_password" close $dictfile } 
@@ -472,11 +595,67 @@ proc setup_kerberos_files { } { return 1 } +proc setup_krb5_conf { {type client} } { + global tmppwd + global hostname + global domain + global REALMNAME + global last_passname_conf + global multipass_name + global default_tgs_enctypes + global default_tkt_enctypes + global permitted_enctypes + + # Create a krb5.conf file. + if { ![file exists $tmppwd/krb5.$type.conf] \ + || $last_passname_conf != $multipass_name } { + set conffile [open $tmppwd/krb5.$type.conf w] + puts $conffile "\[libdefaults\]" + puts $conffile " default_realm = $REALMNAME" + if [info exists default_tgs_enctypes($type)] { + puts $conffile \ + " default_tgs_enctypes = $default_tgs_enctypes($type)" + } + if [info exists default_tkt_enctypes($type)] { + puts $conffile \ + " default_tkt_enctypes = $default_tkt_enctypes($type)" + } + if [info exists permitted_enctypes($type)] { + puts $conffile \ + " permitted_enctypes = $permitted_enctypes($type)" + } + puts $conffile " krb4_config = $tmppwd/krb.conf" + puts $conffile " krb4_realms = $tmppwd/krb.realms" + puts $conffile " krb4_srvtab = $tmppwd/v4srvtab" + puts $conffile "" + puts $conffile "\[realms\]" + puts $conffile " $REALMNAME = \{" + puts $conffile " kdc = $hostname:3088" + puts $conffile " admin_server = $hostname:3750" + puts $conffile " kpasswd_server = $hostname:3751" + puts $conffile " default_domain = $domain" + puts $conffile " krb524_server = $hostname:3752" + puts $conffile " \}" + puts $conffile "" + puts $conffile "\[domain_realm\]" + puts $conffile " .$domain = $REALMNAME" + puts $conffile " $domain = $REALMNAME" + puts $conffile "" + puts $conffile "\[logging\]" + puts $conffile " admin_server = FILE:$tmppwd/kadmind5.log" + puts $conffile " kdc = FILE:$tmppwd/kdc.log" + puts $conffile " default = FILE:$tmppwd/others.log" + close $conffile + } +} + # Save the original values of the environment variables we are going # to muck with. +# XXX deal with envstack later. 
+ if [info exists env(KRB5_CONFIG)] { - set orig_krb_conf $env(KRB5_CONFIG) + set orig_krb5_conf $env(KRB5_CONFIG) } else { catch "unset orig_krb5_config" } @@ -502,7 +681,7 @@ if [ info exists env(KERBEROS_SERVER)] { # setup_kerberos_env # Set the environment variables needed to run Kerberos programs. -proc setup_kerberos_env { } { +proc setup_kerberos_env { {type client} } { global REALMNAME global env global tmppwd @@ -512,7 +691,7 @@ proc setup_kerberos_env { } { # Set the environment variable KRB5_CONFIG to point to our krb5.conf file. # All the Kerberos tools check KRB5_CONFIG. # Actually, V5 doesn't currently use this. - set env(KRB5_CONFIG) $tmppwd/krb5.conf + set env(KRB5_CONFIG) $tmppwd/krb5.$type.conf verbose "KRB5_CONFIG=$env(KRB5_CONFIG)" # Direct the Kerberos programs at a local ticket file. @@ -540,8 +719,8 @@ proc setup_kerberos_env { } { verbose "KRB5_KDC_PROFILE=$env(KRB5_KDC_PROFILE)" # Create an environment setup script. (For convenience) - if ![file exists tmpdir/env.sh] { - set envfile [open tmpdir/env.sh w] + if ![file exists $tmppwd/env.sh] { + set envfile [open $tmppwd/env.sh w] puts $envfile "KRB5_CONFIG=$env(KRB5_CONFIG)" puts $envfile "KRB5CCNAME=$env(KRB5CCNAME)" puts $envfile "KRB5RCACHEDIR=$env(KRB5RCACHEDIR)" @@ -556,8 +735,8 @@ proc setup_kerberos_env { } { } close $envfile } - if ![file exists tmpdir/env.csh] { - set envfile [open tmpdir/env.csh w] + if ![file exists $tmppwd/env.csh] { + set envfile [open $tmppwd/env.csh w] puts $envfile "setenv KRB5_CONFIG $env(KRB5_CONFIG)" puts $envfile "setenv KRB5CCNAME $env(KRB5CCNAME)" puts $envfile "setenv KRB5RCACHEDIR $env(KRB5RCACHEDIR)" @@ -606,7 +785,6 @@ proc restore_kerberos_env { } { catch "unset env(KERBEROS_SERVER)" } - restore_runtime_env } # setup_kadmind_srvtab 
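Review bot: `setup_krb5_conf` writes `krb5.client.conf`, `krb5.server.conf` and `krb5.kdc.conf`, but the start-of-run cleanup in the `@@ -95,7 +179,7 @@` hunk still removes only `$tmppwd/krb5.conf`, so per-type files left by an earlier run are not cleared there and their reuse depends on the `$last_passname_conf != $multipass_name` test alone. Adding the three names to that `rm -f` list keeps the behaviour the comment "krb5.conf might change if running tests on another host" describes. In the same hunk the rename to `orig_krb5_conf` leaves the else branch unsetting `orig_krb5_config`, so the two names still disagree. The new proc has no header comment; it should list the accepted `type` values (client, server, kdc) and state that nothing is returned.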
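Review bot: `env.sh` and `env.csh` (hunks `@@ -540,8 +719,8 @@` and `@@ -556,8 +735,8 @@`) are still written only when they do not already exist, but `KRB5_CONFIG` now depends on `$type`, so the scripts record whichever type called `setup_kerberos_env` first; the `setup_kerberos_db` hunk calls it with `kdc`. Someone sourcing `env.sh` to reproduce a client failure by hand would then get the KDC's config file. A comment at the `# Create an environment setup script.` line saying which type the script reflects, or writing it only for `client`, would remove the surprise.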
@@ -619,18 +797,21 @@ proc setup_kadmind_srvtab { } { global KEY global tmppwd - catch "exec rm -f tmpdir/admin-keytab" + catch "exec rm -f $tmppwd/admin-keytab" + envstack_push + setup_kerberos_env kdc spawn $KADMIN_LOCAL -r $REALMNAME + envstack_pop expect_after { timeout { fail "kadmin.local admin-keytab (timeout)" - catch "exec rm -f tmpdir/admin-keytab" + catch "exec rm -f $tmppwd/admin-keytab" catch "expect_after" return 0 } eof { fail "kadmin.local admin-keytab (eof)" - catch "exec rm -f tmpdir/admin-keytab" + catch "exec rm -f $tmppwd/admin-keytab" catch "expect_after" return 0 } @@ -654,12 +835,12 @@ proc setup_kadmind_srvtab { } { expect "\r" expect_after if ![check_exit_status "kadmin.local admin-keytab"] { - catch "exec rm -f tmpdir/admin-keytab" + catch "exec rm -f $tmppwd/admin-keytab" perror "kadmin.local admin-keytab exited abnormally" return 0 } - catch "exec mv -f changepw-new-srvtab tmpdir/admin-keytab" exec_output + catch "exec mv -f changepw-new-srvtab $tmppwd/admin-keytab" exec_output if ![string match "" $exec_output] { verbose -log "$exec_output" perror "can't mv new admin-keytab" @@ -668,7 +849,7 @@ proc setup_kadmind_srvtab { } { # Make the srvtab file globally readable in case we are using a # root shell and the srvtab is NFS mounted. - catch "exec chmod a+r tmpdir/admin-keytab" + catch "exec chmod a+r $tmppwd/admin-keytab" return 1 } 
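Review bot: In the last `setup_kadmind_srvtab` hunk, `chmod a+r $tmppwd/admin-keytab` now makes the keytab world-readable in whatever directory the caller selected through TMPDIR, not only in the build tree's own `tmpdir`. The existing comment gives the NFS/root-shell reason; it should also say that these are throwaway test keys and that TMPDIR must not be a directory other local users can enter. In the first hunk of this proc the result of `setup_kerberos_env kdc` is ignored, whereas `setup_kerberos_db` checks it; the proc begins outside these hunks, so I cannot tell whether that is deliberate.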
@@ -688,207 +869,197 @@ proc setup_kerberos_db { standalone } { global multipass_name global last_passname_db - if {!$standalone && [file exists tmpdir/db.ok] \ + set failall 0 + + if {!$standalone && [file exists $tmppwd/db.ok] \ && $last_passname_db == $multipass_name} { return 1 } - catch "exec rm -f [glob -nocomplain tmpdir/db* tmpdir/adb*]" + catch "exec rm -f [glob -nocomplain $tmppwd/db* $tmppwd/adb*]" # Creating a new database means we need a new srvtab. - catch "exec rm -f tmpdir/srvtab" + catch "exec rm -f $tmppwd/srvtab" - if { ![setup_kerberos_files] || ![setup_kerberos_env] } { - return 0 + envstack_push + if { ![setup_kerberos_files] || ![setup_kerberos_env kdc] } { + set failall 1 } - spawn $KDB5_UTIL -r $REALMNAME create - - expect { - "Enter KDC database master key:" { - verbose "kdb5_util started" - } + # Set up a common expect_after for use in multiple places. + set def_exp_after { timeout { - fail "kdb5_util - create" - return 0 + set test "$test (timeout)" + break } eof { - fail "kdb5_util - create" - return 0 + set test "$test (eof)" + break } } - send "masterkey$KEY\r" - set failed 0 - expect { - "Re-enter KDC database master key to verify:" { } - timeout { - fail "kdb5_util create - verify" - return 0 - } - eof { - fail "kdb5_util create - verify" - return 0 + + set test "kdb5_util create" + set body { + if $failall { + break } - } - send "masterkey$KEY\r" - expect { - -re "\[Cc\]ouldn't" { - fail "kdb5_util - create" - return 0 + #exec xterm + verbose "starting $test" + spawn $KDB5_UTIL -r $REALMNAME create + expect_after $def_exp_after + + expect "Enter KDC database master key:" + + set test "kdb5_util create (verify)" + send "masterkey$KEY\r" + expect "Re-enter KDC database master key to verify:" + + set test "kdb5_util create" + send "masterkey$KEY\r" + expect { + -re "\[Cc\]ouldn't" { + break + } + "Cannot find/read stored" exp_continue + "Warning: proceeding without master key" exp_continue + eof { } } - "Cannot find/read stored" { - 
exp_continue + if ![check_exit_status kdb5_util] { + break } - "Warning: proceeding without master key" { - exp_continue + } + set ret [catch $body] + if $ret { + set failall 1 + if $standalone { + fail $test } - timeout { - fail "kdb5_util - create" - return 0 + } else { + if $standalone { + pass $test } - eof { } - } - if ![check_exit_status kdb5_util] { - return 0 - } - - if {$standalone} { - pass "kdb5_util - create" } # Stash the master key in a file. - spawn $KDB5_UTIL -r $REALMNAME stash - expect { - "Enter KDC database master key:" { - verbose "kdb5_util stash started" - } - timeout { - fail "kdb5_util stash" - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" - } - return 0 + set test "kdb5_util stash" + set body { + if $failall { + break } - eof { - fail "kdb5_util stash" - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" - } - return 0 + spawn $KDB5_UTIL -r $REALMNAME stash + verbose "starting $test" + expect_after $def_exp_after + expect "Enter KDC database master key:" + send "masterkey$KEY\r" + expect eof + if ![check_exit_status kdb5_util] { + break } } - send "masterkey$KEY\r" - expect { - eof { } - timeout { - fail "kdb5_util stash" - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" - } - return 0 + if [catch $body] { + set failall 1 + if $standalone { + fail $test + } else { + catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db" + } + } else { + if $standalone { + pass $test } - } - if ![check_exit_status kdb5_util] { - return 0 - } - - if {$standalone} { - pass "kdb5_util stash" } # Add an admin user. 
- spawn $KADMIN_LOCAL -r $REALMNAME - expect_after { - timeout { - catch "expect_after" - fail "kadmin.local (timeout)" - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" - } - return 0 +#send_user "will run: $KADMIN_LOCAL -r $REALMNAME\n" +#exec xterm + set test "kadmin.local ank krbtest/admin" + set body { + if $failall { + break } - eof { - catch "expect_after" - fail "kadmin.local (eof)" - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" - } - return 0 + spawn $KADMIN_LOCAL -r $REALMNAME + verbose "starting $test" + expect_after $def_exp_after + + expect "kadmin.local: " + send "ank krbtest/admin@$REALMNAME\r" + # It echos... + expect "ank krbtest/admin@$REALMNAME\r" + expect "Enter password for principal \"krbtest/admin@$REALMNAME\":" + send "adminpass$KEY\r" + expect "Re-enter password for principal \"krbtest/admin@$REALMNAME\":" + send "adminpass$KEY\r" + expect { + "Principal \"krbtest/admin@$REALMNAME\" created" { } + "Principal or policy already exists while creating*" { } + } + expect "kadmin.local: " + send "quit\r" + expect eof + if ![check_exit_status kadmin_local] { + break } } - expect "kadmin.local: " - send "ank krbtest/admin@$REALMNAME\r" - # It echos... 
- expect "ank krbtest/admin@$REALMNAME\r" - expect "Enter password for principal \"krbtest/admin@$REALMNAME\":" - send "adminpass$KEY\r" - expect "Re-enter password for principal \"krbtest/admin@$REALMNAME\":" - send "adminpass$KEY\r" - expect { - "Principal \"krbtest/admin@$REALMNAME\" created" { } - "Principal or policy already exists while creating*" { expect eof } - } - expect "kadmin.local: " - send "quit\r" - expect "\r" - expect_after - if ![check_exit_status kadmin_local] { - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" + if [catch $body] { + set failall 1 + if $standalone { + fail $test + } else { + catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db" + } + } else { + if $standalone { + pass $test } - return 0 } if $des3_krbtgt { # Set the TGT key to DES3. - spawn $KADMIN_LOCAL -r $REALMNAME -e des3-cbc-sha1:normal - expect_after { - timeout { - catch "expect_after" - fail "kadmin.local (timeout)" - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" - } - return 0 + set test "kadmin.local TGT to DES3" + set body { + if $failall { + break } - eof { - catch "expect_after" - fail "kadmin.local (eof)" - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" - } - return 0 + spawn $KADMIN_LOCAL -r $REALMNAME -e des3-cbc-sha1:normal + verbose "starting $test" + expect_after $def_exp_after + + expect "kadmin.local: " + send "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r" + # It echos... + expect "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r" + expect { + "Key for \"krbtgt/$REALMNAME@$REALMNAME\" randomized." { } + } + expect "kadmin.local: " + send "quit\r" + expect eof + if ![check_exit_status kadmin_local] { + break } } - expect "kadmin.local: " - send "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r" - # It echos... - expect "cpw -randkey krbtgt/$REALMNAME@$REALMNAME\r" - expect { - "Key for \"krbtgt/$REALMNAME@$REALMNAME\" randomized." 
{ } - } - expect "kadmin.local: " - send "quit\r" - expect "\r" - expect_after - if ![check_exit_status kadmin_local] { - if {!$standalone} { - catch "exec rm -f tmpdir/db.ok tmpdir/adb.db" + if [catch $body] { + set failall 1 + if $standalone { + fail $test + } else { + catch "exec rm -f $tmppwd/db.ok $tmppwd/adb.db" + } + } else { + if $standalone { + pass $test } - return 0 } } - - if ![setup_kadmind_srvtab] { + # XXX should deal with envstack inside setup_kadmind_srvtab too + set ret [setup_kadmind_srvtab] + envstack_pop + if !$ret { return 0 } # create the admin database lock file - catch "exec touch tmpdir/adb.lock" - - if {$standalone} { - pass "kadmin_local" - } + catch "exec touch $tmppwd/adb.lock" set last_passname_db $multipass_name return 1 @@ -920,8 +1091,8 @@ proc start_kerberos_daemons { standalone } { } if {$standalone} { - catch "exec rm -f tmpdir/krb.log" - catch "exec rm -f tmpdir/kadmind.log" + catch "exec rm -f $tmppwd/krb.log" + catch "exec rm -f $tmppwd/kadmind.log" } # Start up the kerberos daemon @@ -942,7 +1113,10 @@ proc start_kerberos_daemons { standalone } { sleep 2 set kdc_start [file mtime $kdc_lfile] + envstack_push + setup_kerberos_env kdc spawn $KRB5KDC -r $REALMNAME -n + envstack_pop set kdc_pid [exp_pid] set kdc_spawn_id $spawn_id @@ -1002,8 +1176,11 @@ proc start_kerberos_daemons { standalone } { # Start up the kadmind daemon # XXXX kadmind uses stderr a lot. the sh -c and redirect can be - # removed when this is fixed + # removed when this is fixed + envstack_push + setup_kerberos_env kdc spawn $BINSH -c "exec $KADMIND -r $REALMNAME -nofork 2>>$kadmind_lfile" + envstack_pop set kadmind_pid [exp_pid] set kadmind_spawn_id $spawn_id @@ -1088,6 +1265,8 @@ proc stop_kerberos_daemons { } { global kadmind_pid global kadmind_spawn_id + verbose "entered stop_kerberos_daemons" + if [info exists kdc_pid] { catch "close -i $kdc_spawn_id" catch "exec kill $kdc_pid" 
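Review bot: setup_kerberos_db no longer returns 0 when an earlier step fails: `failall` is set by the create, stash and ank blocks but is never consulted before `return 1`, so the result depends only on `[setup_kadmind_srvtab]`. The old code returned 0 at each failure. I would change the final check to `if {$failall || !$ret} { return 0 }` so that `last_passname_db` and adb.lock are not recorded for a database that was not built. In the non-standalone case the create block also fails silently, with no `perror` or log line, unlike the later blocks, which at least remove db.ok. The commented-out `#exec xterm` debugging lines could be dropped as well.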
@@ -1106,6 +1285,8 @@ proc stop_kerberos_daemons { } { unset kadmind_list } + verbose "exiting stop_kerberos_daemons" + return 1 } 
@@ -1122,45 +1303,57 @@ proc add_kerberos_key { kkey standalone } { global spawn_id # Use kadmin to add an key. - spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $kkey@$REALMNAME" - expect_after { - "Cannot contact any KDC" { - fail "kadmin interactive add $kkey lost KDC" - catch "expect_after" - return 0 + set test "kadmin ank $kkey" + set body { + envstack_push + setup_kerberos_env client + spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank $kkey@$REALMNAME" + envstack_pop + verbose "starting $test" + expect_after { + "Cannot contact any KDC" { + set test "$test (lost KDC)" + break + } + timeout { + set test "$test (timeout)" + break + } + eof { + set test "$test (eof)" + break + } } - timeout { - fail "kadmin $kkey" - catch "expect_after" - return 0 + expect "Enter password:" + send "adminpass$KEY\r" + expect "Enter password for principal \"$kkey@$REALMNAME\":" + send "$kkey" + send "$KEY\r" + expect "Re-enter password for principal \"$kkey@$REALMNAME\":" + send "$kkey" + send "$KEY\r" + expect { + "Principal \"$kkey@$REALMNAME\" created" { } + "Principal or policy already exists while creating*" { } } - eof { - fail "kadmin $kkey" - return 0 + expect eof + catch expect_after + if ![check_exit_status kadmin] { + break } } - expect "Enter password:" - send "adminpass$KEY\r" - expect "Enter password for principal \"$kkey@$REALMNAME\":" - send "$kkey" - send "$KEY\r" - expect "Re-enter password for principal \"$kkey@$REALMNAME\":" - send "$kkey" - send "$KEY\r" - expect { - "Principal \"$kkey@$REALMNAME\" created" { } - "Principal or policy already exists while creating*" { expect eof } - } - catch "expect_after" - if ![check_exit_status kadmin] { + set ret [catch $body] + if $ret { + if $standalone { + fail $test + } return 0 + } else { + if $standalone { + pass $test + } + return 1 } - - if {$standalone} { - pass "kadmin $kkey" - } - - return 1 } # add_random_key 
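Review bot: On every failure path of add_kerberos_key, the expect_after handlers stay installed, because the `catch expect_after` inside `$body` is skipped whenever a handler or the exit-status check runs `break`. The old code cleared them with `catch "expect_after"` before returning 0. A leftover `timeout { ...; break }` would then likely fire inside a later, unrelated expect and run `break` in that caller's context. Moving the reset out of the body, as `catch "expect_after"` immediately after `set ret [catch $body]`, covers both outcomes. add_random_key in the next hunk has the same problem and never clears the handlers, even on success.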
@@ -1176,35 +1369,44 @@ proc add_random_key { kkey standalone } { global spawn_id # Use kadmin to add an key. - spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank -randkey $kkey@$REALMNAME" - expect_after { - timeout { - fail "kadmin $kkey" - catch "expect_after" - return 0 + set test "kadmin ark $kkey" + set body { + envstack_push + setup_kerberos_env client + spawn $KADMIN -p krbtest/admin@$REALMNAME -q "ank -randkey $kkey@$REALMNAME" + envstack_pop + expect_after { + timeout { + set test "$test (timeout)" + break + } + eof { + set test "$test (eof)" + break + } } - eof { - fail "kadmin $kkey" - catch "expect_after" - return 0 + expect "Enter password:" + send "adminpass$KEY\r" + expect { + "Principal \"$kkey@$REALMNAME\" created" { } + "Principal or policy already exists while creating*" { } + } + expect eof + if ![check_exit_status kadmin] { + break } } - expect "Enter password:" - send "adminpass$KEY\r" - expect { - "Principal \"$kkey@$REALMNAME\" created" { } - "Principal or policy already exists while creating*" { expect eof} - } - catch "expect_after" - if ![check_exit_status kadmin] { + if [catch $body] { + if $standalone { + fail $test + } return 0 + } else { + if $standalone { + pass $test + } + return 1 } - - if {$standalone} { - pass "kadmin $kkey" - } - - return 1 } # setup_srvtab @@ -1222,11 +1424,11 @@ proc setup_srvtab { standalone {id host} } { global spawn_id global last_service - if {!$standalone && [file exists tmpdir/srvtab] && $last_service == $id} { + if {!$standalone && [file exists $tmppwd/srvtab] && $last_service == $id} { return 1 } - catch "exec rm -f tmpdir/srvtab tmpdir/srvtab.old" + catch "exec rm -f $tmppwd/srvtab $tmppwd/srvtab.old" if ![get_hostname] { return 0 
@@ -1234,12 +1436,15 @@ proc setup_srvtab { standalone {id host} } { catch "exec rm -f $hostname-new-srvtab" + envstack_push + setup_kerberos_env kdc spawn $KADMIN_LOCAL -r $REALMNAME + envstack_pop expect_after { timeout { fail "kadmin.local srvtab" if {!$standalone} { - catch "exec rm -f tmpdir/srvtab" + catch "exec rm -f $tmppwd/srvtab" } catch "expect_after" return 0 @@ -1247,7 +1452,7 @@ proc setup_srvtab { standalone {id host} } { eof { fail "kadmin.local srvtab" if {!$standalone} { - catch "exec rm -f tmpdir/srvtab" + catch "exec rm -f $tmppwd/srvtab" } catch "expect_after" return 0 @@ -1262,12 +1467,12 @@ proc setup_srvtab { standalone {id host} } { expect_after if ![check_exit_status "kadmin.local srvtab"] { if {!$standalone} { - catch "exec rm -f tmpdir/srvtab" + catch "exec rm -f $tmppwd/srvtab" } return 0 } - catch "exec mv -f $hostname-new-srvtab tmpdir/srvtab" exec_output + catch "exec mv -f $hostname-new-srvtab $tmppwd/srvtab" exec_output if ![string match "" $exec_output] { verbose -log "$exec_output" perror "can't mv new srvtab" @@ -1280,7 +1485,7 @@ proc setup_srvtab { standalone {id host} } { # Make the srvtab file globally readable in case we are using a # root shell and the srvtab is NFS mounted. - catch "exec chmod a+r tmpdir/srvtab" + catch "exec chmod a+r $tmppwd/srvtab" # Remember what we just extracted set last_service $id @@ -1413,15 +1618,23 @@ proc setup_root_shell { testname } { global env global krb5_init_vars + global timeout + set timeout 300 # Make sure we are using the original values of the environment # variables. This means that the caller must call # setup_kerberos_env after calling this procedure. + # XXX fixme to deal with envstack restore_kerberos_env setup_runtime_env + set me [exec whoami] + if [string match root $me] { + return [setup_root_shell_noremote $testname] + } + if ![get_hostname] { return 0 } 
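Review bot: `global timeout` followed by `set timeout 300` in setup_root_shell changes Expect's timeout for everything that runs afterwards, and nothing in the visible lines restores it. Tests that rely on a short timeout to detect a hung daemon or login would then wait five minutes; if the longer value is only needed for the root login, save and restore it with `set save_timeout $timeout` and a matching `set timeout $save_timeout` on the return paths. `set me [exec whoami]` also raises an uncaught Tcl error when whoami is missing from PATH; `catch {exec whoami} me` would fall through to the remote path instead. The rest of the procedure body lies outside this hunk.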
@@ -1529,7 +1742,88 @@ proc setup_root_shell { testname } { } } - restore_runtime_env + expect_after + + return 1 +} + +proc setup_root_shell_noremote { testname } { + global BINSH + global ROOT_PROMPT + global KEY + global hostname + global rlogin_spawn_id + global rlogin_pid + global tmppwd + global env + global krb5_init_vars + + eval spawn $BINSH + set rlogin_spawn_id $spawn_id + set rlogin_pid [exp_pid] + + expect_after { + timeout { + perror "timeout from root shell" + stop_root_shell + catch "expect_after" + return 0 + } + eof { + perror "eof from root shell" + stop_root_shell + catch "expect_after" + return 0 + } + } + expect { + -re "$ROOT_PROMPT" { } + } + + # Set up a shell variable tmppwd. The callers use this to keep + # command line lengths down. The command line length is important + # because we are feeding input to a shell via a pty. On some + # systems a pty will only accept 255 characters. + send "tmppwd=$tmppwd\r" + expect { + -re "$ROOT_PROMPT" { } + } + + # Set up our krb5.conf + send "KRB5_CONFIG=$tmppwd/krb5.conf\r" + expect { + -re "$ROOT_PROMPT" { } + } + send "export KRB5_CONFIG\r" + expect { + -re "$ROOT_PROMPT" { } + } + + # For all of our runtime environment variables - send them over... + foreach i $krb5_init_vars { + regexp "^(\[^=\]*)=(.*)" $i foo evar evalue + send "$evar=$env($evar)\r" + expect { + -re "$ROOT_PROMPT" { } + } + + send "export $evar\r" + expect { + -re "$ROOT_PROMPT" { } + } + } + + # Move over to the right directory. + set dir [pwd] + send "cd $dir\r" + expect { + -re "$ROOT_PROMPT" { } + "$dir:" { + perror "root shell can not cd to $dir" + stop_root_shell + return 0 + } + } expect_after @@ -1606,7 +1900,7 @@ proc setup_wrapper { file command } { return 1 } - + proc krb_exit { } { stop_kerberos_daemons }
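Review bot: setup_root_shell_noremote types unquoted values into a shell that is running as root: `send "tmppwd=$tmppwd\r"`, `send "$evar=$env($evar)\r"` and `send "cd $dir\r"` all let whitespace or shell metacharacters in a path or environment value be interpreted by that shell. Single-quoting the value as sent, e.g. `send "tmppwd='$tmppwd'\r"` and `send "cd '$dir'\r"`, covers everything except an embedded single quote, which could be rejected up front. The procedure also exports `KRB5_CONFIG=$tmppwd/krb5.conf`, while setup_kerberos_env in this commit moved to `krb5.$type.conf`; whether the unsuffixed file is still written is not visible here and should be confirmed. The `"$dir:"` failure branch returns without the `catch "expect_after"` that the timeout and eof branches perform. The new procedure's closing lines are the old tail of setup_root_shell and extend past the end of the hunk.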