getnameinfo((struct sockaddr *)&c->sa, c->salen,
c->servername, sizeof(c->servername),
- NULL, 0, NI_NUMERICHOST);
+ NULL, 0, NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE);
}
c->sock = krb5_storage_from_socket(sock);
WFLAGS += $(WFLAGS_LITE)
noinst_PROGRAMS = tcp_client tcp_server gssapi_server gssapi_client \
- uu_server uu_client nt_gss_server nt_gss_client http_client
+ uu_server uu_client nt_gss_server nt_gss_client http_client \
+ kinit_auditdns
tcp_client_SOURCES = tcp_client.c common.c test_locl.h
nt_gss_server_LDADD = $(nt_gss_client_LDADD)
+kinit_auditdns_SOURCES = ../../kuser/kinit.c auditdns.c
+
+kinit_auditdns_CPPFLAGS = $(AM_CPPFLAGS) -I$(srcdir)/../../lib/krb5
+
+# sync with kinit_LDADD in kuser/Makefile.am
+if !NO_AFS
+afs_lib = $(LIB_kafs)
+endif
+kinit_auditdns_LDADD = \
+ $(afs_lib) \
+ $(top_builddir)/lib/krb5/libkrb5.la \
+ $(top_builddir)/lib/gssapi/libgssapi.la \
+ $(top_builddir)/lib/gss_preauth/libgss_preauth.la \
+ $(top_builddir)/lib/ntlm/libheimntlm.la \
+ $(LIB_hcrypto) \
+ $(top_builddir)/lib/asn1/libasn1.la \
+ $(LIB_libintl) \
+ $(LIB_roken)
+
LDADD = $(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_hcrypto) \
$(top_builddir)/lib/asn1/libasn1.la \
--- /dev/null
+/*-
+ * Copyright (c) 2024 Taylor R. Campbell
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <arpa/inet.h>
+#include <assert.h>
+#include <errno.h>
+#include <netdb.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "resolve.h"
+#include "roken.h"
+
+struct rk_dns_reply *
+rk_dns_lookup(const char *domain, const char *type_name)
+{
+
+ fprintf(stderr, "DNS leak: %s %s (%s)\n", __func__, domain, type_name);
+ abort();
+}
+
+struct hostent *
+gethostbyname(const char *name)
+{
+
+ fprintf(stderr, "DNS leak: %s %s\n", __func__, name);
+ abort();
+}
+
+#ifdef HAVE_GETHOSTBYNAME2
+
+struct hostent *
+gethostbyname2(const char *name, int af)
+{
+
+ fprintf(stderr, "DNS leak: %s %s\n", __func__, name);
+ abort();
+}
+
+#endif /* HAVE_GETHOSTBYNAME2 */
+
+struct hostent *
+gethostbyaddr(const void *addr, socklen_t len, int af)
+{
+ const socklen_t maxlen[] = {
+ [AF_INET] = sizeof(struct in_addr),
+ [AF_INET6] = sizeof(struct in6_addr),
+ };
+ char n[INET6_ADDRSTRLEN + 1];
+
+ if (af < 0 || af >= sizeof(maxlen)/sizeof(maxlen[0]) ||
+ maxlen[af] == 0 || len < maxlen[af] ||
+ inet_ntop(af, addr, n, sizeof n) == NULL)
+ fprintf(stderr, "Reverse DNS leak: %s\n", __func__);
+ else
+ fprintf(stderr, "Reverse DNS leak: %s %s\n", __func__, n);
+ abort();
+}
+
+#ifdef HAVE_GETADDRINFO
+
+void
+freeaddrinfo(struct addrinfo *ai)
+{
+
+ free(ai->ai_addr);
+ free(ai);
+}
+
+int
+getaddrinfo(const char *hostname, const char *servname,
+ const struct addrinfo *restrict hints,
+ struct addrinfo **restrict res)
+{
+ char *servend;
+ unsigned long port;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in sin;
+ struct sockaddr_in6 sin6;
+ } *addr = NULL;
+ int af[2] = {AF_INET, AF_INET6};
+ socklen_t addrlen[2] = {sizeof(addr->sin), sizeof(addr->sin6)};
+ int socktype[2] = {SOCK_DGRAM, SOCK_STREAM};
+ int proto[2] = {IPPROTO_UDP, IPPROTO_TCP};
+ size_t i, j, naddr, nproto;
+ struct addrinfo *ai = NULL;
+ int error;
+
+ /*
+ * DNS audit: Abort unless the user specified hints with
+ * AI_NUMERICHOST, AI_NUMERICSERV, and no AI_CANONNAME.
+ */
+ if (hints == NULL ||
+ (hints->ai_flags & AI_NUMERICHOST) == 0 ||
+ (hints->ai_flags & AI_NUMERICSERV) == 0 ||
+ (hints->ai_flags & AI_CANONNAME) != 0) {
+ fprintf(stderr, "DNS leak: %s %s:%s\n",
+ __func__, hostname, servname);
+ abort();
+ }
+
+ /*
+ * Check hints for address family. If unspecified, use the default
+ * set of address families: {AF_INET, AF_INET6}.
+ */
+ switch (hints->ai_family) {
+ case AF_UNSPEC:
+ naddr = 2;
+ break;
+ case AF_INET:
+ naddr = 1;
+ af[0] = AF_INET;
+ addrlen[0] = sizeof(addr->sin);
+ break;
+ case AF_INET6:
+ naddr = 1;
+ af[0] = AF_INET6;
+ addrlen[0] = sizeof(addr->sin6);
+ break;
+ default:
+ error = EAI_FAMILY;
+ goto out;
+ }
+
+ /*
+ * Check hints for socket type and protocol. If both are zero, we
+ * use the default set of socktype/proto pairs. If one is
+ * specified but not the other, use the default. If both are
+ * specified, make sure they match.
+ */
+ switch (hints->ai_socktype) {
+ case 0:
+ if (hints->ai_protocol == 0)
+ nproto = sizeof(proto)/sizeof(proto[0]);
+ else
+ nproto = 1;
+ break;
+ case SOCK_DGRAM: /* datagram <-> UDP */
+ if (hints->ai_protocol != 0 && hints->ai_protocol != IPPROTO_UDP) {
+ error = EAI_SOCKTYPE;
+ goto out;
+ }
+ socktype[0] = SOCK_DGRAM;
+ proto[0] = IPPROTO_UDP;
+ nproto = 1;
+ break;
+ case SOCK_STREAM: /* stream <-> TCP */
+ if (hints->ai_protocol != 0 && hints->ai_protocol != IPPROTO_TCP) {
+ error = EAI_SOCKTYPE;
+ goto out;
+ }
+ socktype[0] = SOCK_STREAM;
+ proto[0] = IPPROTO_TCP;
+ nproto = 1;
+ break;
+ default:
+ error = EAI_SOCKTYPE;
+ goto out;
+ }
+
+ /*
+ * Check whether a service is specified at all.
+ */
+ if (servname == NULL) {
+ /*
+ * No service specified. Use the wildcard port 0.
+ */
+ port = 0;
+ } else {
+ /*
+ * Service specified. First verify it is at most 5 decimal
+ * digits; then parse it as a nonnegative integer in decimal,
+ * at most 65535. (This avoids pathological inputs like
+ * -18446744073709551493 for which strtoul will succeed and
+ * return 123 on LP64 platforms.)
+ */
+ if (strlen(servname) > strlen("65535") ||
+ strlen(servname) != strspn(servname, "0123456789")) {
+ error = EAI_NONAME;
+ goto out;
+ }
+ errno = 0;
+ port = strtoul(servname, &servend, 10);
+ if (servend == servname ||
+ *servend != '\0' ||
+ errno != 0 ||
+ port > 65535) {
+ error = EAI_NONAME;
+ goto out;
+ }
+ }
+
+ /*
+ * Check whether a hostname is specified at all.
+ */
+ if (hostname == NULL) {
+ /*
+ * No hostname. This only makes sense if we're going to bind
+ * to a socket and receive incoming packets or listen and
+ * accept incoming connections, i.e., only if AI_PASSIVE is
+ * set. Otherwise, fail with EAI_NONAME.
+ */
+ if ((hints->ai_flags & AI_PASSIVE) == 0) {
+ error = EAI_NONAME;
+ goto out;
+ }
+
+ /*
+ * Allocate an array of as many addresses as the hints allow.
+ */
+ if ((addr = calloc(naddr, sizeof(*addr))) == NULL) {
+ error = EAI_MEMORY;
+ goto out;
+ }
+
+ /*
+ * Fill the addresses with the ANY wildcard address, IPv4
+ * 0.0.0.0 or IPv6 `::' (i.e., 0000:0000:....:0000).
+ */
+ switch (hints->ai_family) {
+ case AF_UNSPEC:
+ assert(naddr == 2);
+ addr[0].sin.sin_family = AF_INET;
+ addr[0].sin.sin_port = htons(port);
+ addr[0].sin.sin_addr.s_addr = htonl(INADDR_ANY);
+ addr[1].sin6.sin6_family = AF_INET6;
+ addr[1].sin6.sin6_port = htons(port);
+ addr[1].sin6.sin6_addr = in6addr_any;
+ break;
+ case AF_INET:
+ assert(naddr == 1);
+ addr[0].sin.sin_family = AF_INET;
+ addr[0].sin.sin_port = htons(port);
+ addr[0].sin.sin_addr.s_addr = htonl(INADDR_ANY);
+ break;
+ case AF_INET6:
+ assert(naddr == 1);
+ addr[0].sin6.sin6_family = AF_INET6;
+ addr[0].sin6.sin6_port = htons(port);
+ addr[0].sin6.sin6_addr = in6addr_any;
+ break;
+ default:
+ error = EAI_FAIL; /* XXX unreachable */
+ goto out;
+ }
+ goto have_addr;
+ } else {
+ /*
+ * Allocate a single socket address record. Since we have
+ * AI_NUMERICHOST, the hostname can be parsed as only one
+ * address and won't be resolved to an array of possibly >1
+ * addresses.
+ */
+ naddr = 1;
+ if ((addr = calloc(naddr, sizeof(*addr))) == NULL) {
+ error = EAI_MEMORY;
+ goto out;
+ }
+
+ /*
+ * If the hints specify AF_INET, or don't specify anything, try
+ * to parse it as an IPv4 address. If this fails, it will fall
+ * through.
+ */
+ if (hints->ai_family == AF_UNSPEC || hints->ai_family == AF_INET) {
+ switch (inet_pton(AF_INET, hostname, &addr->sin.sin_addr)) {
+ case -1: /* system error */
+ error = EAI_SYSTEM;
+ goto out;
+ case 0: /* failure */
+ break;
+ case 1: /* success */
+ addr->sin.sin_family = AF_INET;
+ addr->sin.sin_port = htons(port);
+ af[0] = AF_INET;
+ addrlen[0] = sizeof(addr->sin);
+ goto have_addr;
+ }
+ }
+
+ /*
+ * If the hints specify AF_INET6, or don't specify anything,
+ * try to parse it as an IPv6 address. If this fails, it will
+ * fall through.
+ */
+ if (hints->ai_family == AF_UNSPEC || hints->ai_family == AF_INET6) {
+ /* XXX scope id? */
+ switch (inet_pton(AF_INET6, hostname, &addr->sin6.sin6_addr)) {
+ case -1: /* system error */
+ error = EAI_SYSTEM;
+ goto out;
+ case 0: /* failure */
+ break;
+ case 1: /* success */
+ addr->sin6.sin6_family = AF_INET6;
+ addr->sin6.sin6_port = htons(port);
+ af[0] = AF_INET6;
+ addrlen[0] = sizeof(addr->sin6);
+ goto have_addr;
+ }
+ }
+
+ /*
+ * Hostname can't be parsed.
+ */
+ error = EAI_NONAME;
+ goto out;
+ }
+
+have_addr:
+ /*
+ * We have an address, or multiple possible addresses. Allocate an
+ * array of addrinfo records to store the result.
+ */
+ if ((ai = calloc(naddr * nproto, sizeof(*ai))) == NULL) {
+ error = EAI_MEMORY;
+ goto out;
+ }
+
+ /*
+ * Fill in the addrinfo records with the cartesian product of
+ * matching address families and matching socktype/protocol pairs.
+ *
+ * XXX Consider randomizing the output for fun!
+ */
+ for (i = 0; i < naddr; i++) {
+ for (j = 0; j < nproto; j++) {
+ ai[i*nproto + j] = (struct addrinfo) {
+ .ai_flags = 0, /* input flags, unused on output */
+ .ai_family = af[i],
+ .ai_addrlen = addrlen[i],
+ .ai_addr = &addr[i].sa,
+ .ai_socktype = socktype[j],
+ .ai_protocol = proto[j],
+ .ai_canonname = NULL,
+ .ai_next = &ai[i*nproto + j + 1],
+ };
+ }
+ }
+ addr = NULL; /* reference consumed by ai[...].ai_addr */
+
+ /*
+ * Null out the last addrinfo's next pointer.
+ */
+ ai[naddr*nproto - 1].ai_next = NULL;
+
+ /*
+ * Success!
+ */
+ error = 0;
+
+out:
+ /*
+ * In the event of error, free whatever we've allocated so far.
+ * Make sure to save and restore errno in case free touches it,
+ * because EAI_SYSTEM requires errno to report the system error.
+ */
+ if (error) {
+ int errno_save = errno;
+
+ if (addr)
+ free(addr);
+ addr = NULL;
+ if (ai)
+ freeaddrinfo(ai);
+ ai = NULL;
+
+ errno = errno_save;
+ }
+ *res = ai;
+ return error;
+}
+
+#endif /* HAVE_GETADDRINFO */
+
+#ifdef HAVE_GETNAMEINFO
+
+int
+getnameinfo(const struct sockaddr *restrict sa, socklen_t salen,
+ char *restrict node, socklen_t nodelen,
+ char *restrict service, socklen_t servicelen,
+ int flags)
+{
+ char n[INET6_ADDRSTRLEN + 1] = "";
+ char s[5 + 1] = ""; /* ceil(log_10(2^16)) + 1 */
+
+ /*
+ * Call inet_ntop to format the appropriate member of the
+ * sockaddr_*.
+ */
+ switch (sa->sa_family) {
+ case AF_INET: {
+ struct sockaddr_in sin;
+
+ /*
+ * Verify the socket address length is at least enough for
+ * sockaddr_in, and make a copy to avoid strict aliasing
+ * violation.
+ */
+ if (salen < sizeof sin)
+ return EAI_FAIL;
+ memcpy(&sin, sa, sizeof sin);
+
+ /*
+ * Use inet_ntop to format sin_addr as x.y.z.w, and use
+ * snprintf to format the port number in decimal.
+ */
+ if (inet_ntop(AF_INET, &sin.sin_addr, n, sizeof n) == NULL)
+ return EAI_FAIL;
+ snprintf(s, sizeof s, "%d", (int)sin.sin_port);
+ break;
+ }
+ case AF_INET6: {
+ struct sockaddr_in6 sin6;
+
+ /*
+ * Verify the socket address length is at least enough for
+ * sockaddr_in6, and make a copy to avoid strict aliasing
+ * violation.
+ */
+ if (salen < sizeof sin6)
+ return EAI_FAIL;
+ memcpy(&sin6, sa, sizeof sin6);
+
+ /*
+ * Use inet_ntop to format sin6_addr as a:b:c:...:h, and use
+ * snprintf to format the port number in decimal.
+ */
+ if (inet_ntop(AF_INET6, &sin6.sin6_addr, n, sizeof n) == NULL)
+ return EAI_FAIL;
+ /* XXX scope id? */
+ snprintf(s, sizeof s, "%d", (int)sin6.sin6_port);
+ break;
+ }
+ default:
+ return EAI_FAMILY;
+ }
+
+ /*
+ * DNS audit: Abort unless the user specified flags with
+ * NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE. We format the
+ * numeric syntax first so it can be included in the error message
+ * to give a clue about what might have DNS leaks.
+ *
+ * The NI_NUMERICSCOPE test is written in a funny way so that on
+ * platforms where it simply doesn't exist (like glibc and
+ * Windows), it doesn't spuriously fail -- scope ids naming is
+ * probably not a source of network leaks.
+ */
+ if ((flags & NI_NUMERICHOST) == 0 ||
+ (flags & NI_NUMERICSERV) == 0 ||
+ (flags & NI_NUMERICSCOPE) != NI_NUMERICSCOPE) {
+ fprintf(stderr, "Reverse DNS leak: %s %s %s\n", __func__, n, s);
+ abort();
+ }
+
+ /*
+ * Verify the (numeric) `names' we determined fit in the buffers
+ * provided, if any.
+ */
+ if ((node && nodelen > 0 && strlen(n) >= nodelen) ||
+ (service && servicelen > 0 && strlen(s) >= servicelen))
+ return EAI_OVERFLOW;
+
+ /*
+ * Copy out the answers that were requested.
+ */
+ if (node)
+ strlcpy(node, n, nodelen);
+ if (service)
+ strlcpy(service, s, servicelen);
+
+ return 0;
+}
+
+#endif /* HAVE_GETNAMEINFO */
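Review bot: In getnameinfo the port is formatted from the raw field, `snprintf(s, sizeof s, "%d", (int)sin.sin_port);` (and its sin6 twin), but sin_port is in network byte order — this same file stores it with htons() in getaddrinfo — so the service string and the "Reverse DNS leak" diagnostic print a byte-swapped port on little-endian hosts; use `snprintf(s, sizeof s, "%u", (unsigned)ntohs(sin.sin_port));` in both places. In getaddrinfo, the `case 0:` of the ai_socktype switch sets nproto = 1 when ai_protocol is non-zero but leaves socktype[0]/proto[0] at their defaults, so hints of {socktype 0, IPPROTO_TCP} yield a SOCK_DGRAM/IPPROTO_UDP record and any unknown protocol is silently mapped to UDP; the rewrite below selects the matching pair or fails with EAI_SOCKTYPE. Also, a NULL hostname without AI_PASSIVE returns EAI_NONAME here, whereas POSIX getaddrinfo yields the loopback address in that case, so a legitimate numeric-only client call fails under the shim without being reported as a leak — worth stating in the comment on the `hostname == NULL` branch, or returning loopback there.
```c
	switch (hints->ai_socktype) {
	case 0:
		if (hints->ai_protocol == 0) {
			nproto = sizeof(proto)/sizeof(proto[0]);
		} else if (hints->ai_protocol == IPPROTO_UDP) {
			socktype[0] = SOCK_DGRAM;
			proto[0] = IPPROTO_UDP;
			nproto = 1;
		} else if (hints->ai_protocol == IPPROTO_TCP) {
			socktype[0] = SOCK_STREAM;
			proto[0] = IPPROTO_TCP;
			nproto = 1;
		} else {
			/* protocol we cannot pair with a socket type */
			error = EAI_SOCKTYPE;
			goto out;
		}
		break;
	/* … unchanged: SOCK_DGRAM, SOCK_STREAM and default cases … */
```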
use Getopt::Std;
use File::Compare;
-use JSON::PP
-
my $comment = 0;
my $doxygen = 0;
my $funcdoc = 0;
}
if($opt_x) {
+ require JSON::PP;
+
my $EXP;
local $/;
open(EXP, '<', $opt_x) || die "open ${opt_x}";
AC_SUBST([CAPNG_CFLAGS])
AC_SUBST([CAPNG_LIBS])
+dnl mitdb
+AC_ARG_WITH([mitdb],
+ AC_HELP_STRING([--with-mitdb], [Path to MIT Kerberos DB include header and shared object]),
+ [],
+ [with_mitdb=no])
+if test -n "$with_mitdb" -a -d "$with_mitdb"; then
+ AC_DEFINE_UNQUOTED([HAVE_MITDB], 1, [Define if building with MIT Kerberos DB driver])
+ AC_DEFINE(HAVE_DB1, 1, [define if you have a berkeley db1/2 library])
+ mitdb=$with_mitdb
+elif test "$with_mitdb" = no; then
+ with_mitdb=
+ mitdb=
+elif test "$with_mitdb" = yes; then
+ AC_MSG_ERROR([Need path to MIT Kerberos DB include header and shared object])
+fi
+AM_CONDITIONAL([HAVE_MITDB], [test -n "$with_mitdb"])
+AC_SUBST([MITDB], ["$with_mitdb"])
+
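Review bot: The `--with-mitdb=PATH` branch chain has no final else: a PATH that is not an existing directory fails `test -d`, is neither `no` nor `yes`, and so falls through silently with HAVE_MITDB never AC_DEFINEd — yet `AM_CONDITIONAL([HAVE_MITDB], [test -n "$with_mitdb"])` still becomes true, so libhdb's Makefile will add `-L$(MITDB)/lib ... -ldb` for a driver that is not compiled in. Add a closing branch, `else` / `AC_MSG_ERROR([--with-mitdb=$with_mitdb is not a directory])`, so the two HAVE_MITDB notions cannot disagree. Since `-a` in test(1) is obsolescent, the first condition is better written `if test -n "$with_mitdb" && test -d "$with_mitdb"; then`.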
dnl libmicrohttpd
AC_ARG_WITH([microhttpd],
AC_HELP_STRING([--with-microhttpd], [use microhttpd to serve KDC REST API @<:@default=check@:>@]),
signal.h \
strings.h \
stropts.h \
- stdatomic.h \
sys/bitypes.h \
sys/category.h \
sys/file.h \
util.h \
])
+AC_CHECK_HEADERS([stdatomic.h],
+ [AC_MSG_CHECKING([whether libatomic is required])
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <stdatomic.h>]], [[_Atomic(long long) i; atomic_init(&i, (long long) 0);]])],
+ [AC_MSG_RESULT([no])],
+ [AC_MSG_RESULT([yes])
+ AC_MSG_CHECKING([whether libatomic works])
+ save_LIBS="$LIBS"
+ LIBS="$LIBS -latomic"
+ AC_LINK_IFELSE([AC_LANG_PROGRAM([[#include <stdatomic.h>]], [[_Atomic(long long) i; atomic_init(&i, (long long) 0);]])],
+ [AC_MSG_RESULT([yes])],
+ [AC_MSG_RESULT([no, using fallback])
+ LIBS="$save_LIBS"
+ AC_DEFINE([HEIM_BASE_ATOMICS_FALLBACK], [], [Define if you want fallbacks for atomic operations])]
+ )]
+ )],
+ []
+)
+
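Review bot: When the probe decides libatomic is needed and works, `-latomic` is left in `LIBS` for the rest of configure and for every link, instead of being exported as its own substitution the way the rest of this file does for `LIB_hcrypto`, `LIB_roken` and friends; every later AC_LINK_IFELSE/AC_CHECK_LIB then runs with `-latomic` appended, which can mask or change their results. Consider restoring `LIBS="$save_LIBS"` on the success path as well and exporting the library with something like `AC_SUBST([LIB_atomic], [-latomic])` (name constructed) for the targets that use stdatomic. If stdatomic.h is absent the action-if-not-found is empty, so HEIM_BASE_ATOMICS_FALLBACK is not defined in that case either — fine only if the consumer also tests HAVE_STDATOMIC_H, which cannot be confirmed from here.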
dnl On Solaris 8 there's a compilation warning for term.h because
dnl it doesn't define `bool'.
AC_CHECK_HEADERS(term.h, , , -)
static void
add_standard_ports (krb5_context contextp)
{
- add_kadm_port(contextp, "kerberos-adm", 749);
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL))
+ add_kadm_port(contextp, "749", 749);
+ else
+ add_kadm_port(contextp, "kerberos-adm", 749);
}
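Review bot: The new condition in add_standard_ports calls `krb5_config_get_bool(context, ...)` while the function's parameter is `contextp`; if `context` resolves to a file-level global this still compiles but silently ignores the context the caller passed, so it should read `krb5_config_get_bool(contextp, NULL, "libdefaults", "block_dns", NULL)` like the add_kadm_port calls around it. The same five-argument lookup is then repeated verbatim in the hunks ending at L628, L638, L650, L802, L812, L837, L845, L855, L902, L914, L1015, L1025, L1041, L1053, L1062, L1071, L1109, L1148 and L1161; a single helper (or a context flag set once at init, parallel to the `KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME` test at L843) would keep the policy in one place, avoid a config-tree walk on every resolver call, and make it impossible for one call site to be missed or to spell the key differently.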
/*
hints.ai_flags = AI_PASSIVE;
hints.ai_socktype = SOCK_STREAM;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
e = getaddrinfo(NULL, p->port, &hints, &ai);
if(e) {
snprintf(portstr, sizeof(portstr), "%u", p->def_port);
} *s, *servers = NULL;
size_t i, num_servers = 0;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = KRB5KDC_ERR_SVC_UNAVAILABLE;
+ krb5_set_error_message(context, ret, "DNS blocked when finding AD DC");
+ return ret;
+ }
+
{
struct rk_dns_reply *r;
struct rk_resource_record *rr;
hints.ai_socktype = SOCK_STREAM;
hints.ai_protocol = IPPROTO_TCP;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
error = getaddrinfo (hostname, port, &hints, &ai);
if (error) {
warnx ("%s: %s", hostname, gai_strerror(error));
ret = krb5_get_init_creds_opt_set_fast_ccache(kdc_context, opt, fast_cc);
if (ret)
- krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_set_fast_ccache");
+ krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_set_fast_ccache");
ret = krb5_get_init_creds_opt_set_fast_flags(kdc_context, opt, KRB5_FAST_REQUIRED|KRB5_FAST_KDC_VERIFIED);
if (ret)
- krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_set_fast_ccache");
+ krb5_err(kdc_context, 1, ret, "krb5_get_init_creds_opt_set_fast_flags");
fast_cc = NULL;
}
.It Fl P Ar portspec , Fl Fl ports= Ns Ar portspec
Specifies the set of ports the KDC should listen on.
It is given as a
-white-space separated list of services or port numbers.
+white-space separated list of ports.
+A port value of
+.Sq +
+indicates that the standard ports should be used.
+Other values should be service names or port numbers as resolved by
+.Xr getservbyname 3
+(e.g.,
+.Dq kerberos/udp ,
+.Dq kerberos/tcp ,
+.Dq 8088/udp ,
+etc.), or plain numeric port numbers (e.g.,
+.Dq 9088
+).
+Plain numeric port numbers will be used with both UDP and TCP.
+See also the
+.Dq [kdc] ports
+configuration parameter discussion in
+.Xr krb5.conf 5 .
.It Fl Fl addresses= Ns Ar list of addresses
The list of addresses to listen for requests on.
By default, the kdc will listen on all the locally configured
not just addresses and protocol, port tuples.
.Sh SEE ALSO
.Xr kinit 1 ,
-.Xr krb5.conf 5
+.Xr krb5.conf 5,
+.Xr getservbyname 3
krb5_crypto_destroy(r->context, crypto);
/*
* Since the user might have several keys with the same
- * enctype but with diffrent salting, we need to try all
+ * enctype but with different salting, we need to try all
* the keys with the same enctype.
*/
if (ret) {
kvno);
goto out;
}
-
if (ret == KRB5KDC_ERR_PREAUTH_FAILED) {
krb5_error_code ret2;
const char *msg = krb5_get_error_message(r->context, ret);
noinst_PROGRAMS = kverify kdecode_ticket generate-requests
+# sync with kinit_auditdns_LDADD in appl/test/Makefile.am
kinit_LDADD = \
$(afs_lib) \
$(top_builddir)/lib/krb5/libkrb5.la \
ret = krb5_get_init_creds_opt_set_fast_ccache(context, opt, fastid);
if (ret) {
- krb5_warn(context, ret, "krb5_init_creds_set_fast_ccache");
+ krb5_warn(context, ret, "krb5_get_init_creds_opt_set_fast_ccache");
goto out;
}
ret = krb5_get_init_creds_opt_set_fast_flags(context, opt,
KRB5_FAST_REQUIRED);
if (ret) {
- krb5_warn(context, ret, "krb5_init_creds_set_fast_flags");
+ krb5_warn(context, ret, "krb5_get_init_creds_opt_set_fast_flags");
goto out;
}
}
test_cfx_SOURCES = krb5/test_cfx.c
-check_PROGRAMS = test_acquire_cred $(TESTS)
+check_PROGRAMS = test_acquire_cred test_acquire_cred_auditdns $(TESTS)
bin_PROGRAMS = gsstool gss-token
noinst_PROGRAMS = test_cred test_kcred test_context test_ntlm test_add_store_cred
test_context_SOURCES = test_context.c test_common.c test_common.h
test_ntlm_SOURCES = test_ntlm.c test_common.c test_common.h
test_acquire_cred_SOURCES = test_acquire_cred.c test_common.c test_common.h
+test_acquire_cred_auditdns_SOURCES = \
+ test_acquire_cred.c test_common.c test_common.h \
+ ../../appl/test/auditdns.c
test_add_store_cred_SOURCES = test_add_store_cred.c
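Review bot: test_acquire_cred_auditdns is added to check_PROGRAMS but nothing in these hunks adds it to TESTS, so unless it is listed elsewhere the audited variant is built by `make check` and never run. Linking auditdns.c into the executable also only interposes getaddrinfo/getnameinfo/gethostby* over the shared libkrb5/libgssapi on ELF targets with default symbol binding; with two-level namespaces (macOS) or libraries linked `-Bsymbolic`, library-internal resolver calls would still reach libc and the audit would pass vacuously. A comment on the target stating that assumption, or a rule that links this target statically, would make the intended coverage explicit.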
libhdb_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
endif
+if HAVE_MITDB
+libhdb_la_LDFLAGS += -L$(MITDB)/lib -Wl,-rpath,$(MITDB)/lib -ldb
+AM_CPPFLAGS += -I$(MITDB)/include
+endif
+
# test_hdbkeys and test_mkey are not tests -- they are manual test utils
noinst_PROGRAMS = test_dbinfo test_hdbkeys test_mkey test_namespace test_concurrency
TESTS = test_dbinfo test_namespace test_concurrency
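Review bot: `-ldb` is placed in `libhdb_la_LDFLAGS` rather than in the library's LIBADD; libtool emits LDFLAGS before the objects on the link line, so with `-Wl,--as-needed` (or a strictly ordered linker) the dependency can be dropped or left unresolved, and it is not recorded in libhdb.la's dependency_libs for consumers. Keep the rpath in LDFLAGS and move the library itself to `libhdb_la_LIBADD += -L$(MITDB)/lib -ldb` (assuming libhdb_la_LIBADD is already defined earlier in this Makefile, which is outside the hunk).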
#define CHECK(x) do { if ((x)) goto out; } while(0)
-#ifdef HAVE_DB1
+#ifdef HAVE_MITDB
static krb5_error_code
mdb_principal2key(krb5_context context,
krb5_const_principal principal,
key->length = strlen(str) + 1;
return 0;
}
-#endif /* HAVE_DB1 */
+#endif /* HAVE_MITDB */
#define KRB5_KDB_SALTTYPE_NORMAL 0
#define KRB5_KDB_SALTTYPE_V4 1
}
#endif
-#if HAVE_DB1
+#ifdef HAVE_MITDB
#if defined(HAVE_DB_185_H)
#include <db_185.h>
-#elif defined(HAVE_DB_H)
+#else
#include <db.h>
#endif
return 0;
}
-#endif /* HAVE_DB1 */
+#endif /* HAVE_MITDB */
/*
can have any number of princ stanzas.
#if HAVE_DB3
{ HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "db3:", hdb_db3_create},
#endif
-#if HAVE_DB1
+#if HAVE_MITDB
{ HDB_INTERFACE_VERSION, NULL, NULL, 1, 1, "mit-db:", hdb_mitdb_create},
#endif
#if HAVE_LMDB
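Review bot: This hunk tests the new macro with `#if HAVE_MITDB` while the hunks above (L752, L766) use `#ifdef HAVE_MITDB`; configure defines it to 1 so both forms work today, but `#if` on an undefined name silently evaluates to 0 and trips `-Wundef`, so `#ifdef HAVE_MITDB` here keeps the three sites consistent. The `#else` at L770 now includes `<db.h>` without any HAVE_DB_H guard; that is fine only because `-I$(MITDB)/include` is forced by the Makefile, which a one-line comment next to the include would make clear.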
fprintf(f, " unsupported_critical_extensions_count: %u\n",
(unsigned)req->nunsupported_crit);
}
- if (req->nunsupported_crit) {
+ if (req->nunsupported_opt) {
fprintf(f, " unsupported_optional_extensions_count: %u\n",
(unsigned)req->nunsupported_opt);
}
if (slash != NULL)
hostname = slash + 1;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
error = getaddrinfo(hostname, portstr, &hints, &ai);
if (error) {
ret = KADM5_BAD_SERVER_NAME;
port_str = port;
}
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
error = getaddrinfo(master, port_str, &hints, &ai);
if (error) {
krb5_warnx(context, "Failed to get address of to %s: %s",
for (a = ai; a != NULL; a = a->ai_next) {
char node[NI_MAXHOST];
error = getnameinfo(a->ai_addr, a->ai_addrlen,
- node, sizeof(node), NULL, 0, NI_NUMERICHOST);
+ node, sizeof(node), NULL, 0,
+ NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE);
if (error)
strlcpy(node, "[unknown-addr]", sizeof(node));
memset(&hints, 0, sizeof(hints));
- hints.ai_flags = AI_NUMERICHOST;
+ hints.ai_flags = AI_NUMERICHOST|AI_NUMERICSERV;
if (server_end)
hints.ai_flags |= AI_PASSIVE;
hints.ai_family = AF_INET;
/* if not parsed as numeric address, do a name lookup */
memset(&hint, 0, sizeof(hint));
hint.ai_family = AF_UNSPEC;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hint.ai_flags &= ~AI_CANONNAME;
+ hint.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
error = getaddrinfo (string, NULL, &hint, &ai);
if (error) {
krb5_error_code ret2;
struct addrinfo *ai, *a, hints;
int error;
- if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0)
+ if ((context->flags & KRB5_CTX_F_DNS_CANONICALIZE_HOSTNAME) == 0 ||
+ krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", NULL))
return copy_hostname (context, orig_hostname, new_hostname);
memset (&hints, 0, sizeof(hints));
char hostname[MAXHOSTNAMELEN];
struct hostent *hostent;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = ENXIO;
+ krb5_set_error_message(context, ret,
+ "DNS blocked in gethostname fallback");
+ return ret;
+ }
+
if (gethostname (hostname, sizeof(hostname))) {
ret = errno;
krb5_set_error_message(context, ret, "gethostname: %s", strerror(ret));
memset(&md, 0, sizeof(md));
if (rep.error.e_data) {
- KERB_ERROR_DATA kerb_error_data;
+ KERB_ERROR_DATA error_data;
- memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+ memset(&error_data, 0, sizeof(error_data));
/* First try to decode the e-data as KERB-ERROR-DATA. */
ret = decode_KERB_ERROR_DATA(rep.error.e_data->data,
rep.error.e_data->length,
- &kerb_error_data,
+ &error_data,
&len);
if (ret) {
/* That failed, so try to decode it as METHOD-DATA. */
}
} else if (len != rep.error.e_data->length) {
/* Trailing data — just ignore the error. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
} else {
/* OK. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
}
}
krb5_creds *ticket;
krb5_const_realm realm;
krb5_boolean noaddr;
- struct addrinfo *ai;
+ struct addrinfo *ai, hints;
int eai;
if (hostname == 0)
return 0;
/* Need addresses, get the address of the remote host. */
-
- eai = getaddrinfo (hostname, NULL, NULL, &ai);
+ memset(&hints, 0, sizeof(hints));
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
+ eai = getaddrinfo(hostname, NULL, &hints, &ai);
if (eai) {
ret = krb5_eai_to_heim_errno(eai, errno);
krb5_set_error_message(context, ret,
char **config_labels;
int i, ret = 0;
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = KRB5_KDC_UNREACH;
+ krb5_set_error_message(context, ret,
+ "Realm lookup failed: DNS blocked");
+ return ret;
+ }
+
config_labels = krb5_config_get_strings(context, NULL, "libdefaults",
"dns_lookup_realm_labels", NULL);
if(config_labels != NULL)
else
ctx->runflags.change_password_prompt = ctx->prompter != NULL;
- if (options->opt_private->fast_armor_ccache_name) {
- /* Open the caller-supplied FAST ccache and set the caller flags */
- ret = krb5_cc_resolve(context, options->opt_private->fast_armor_ccache_name,
- &ctx->fast_state.armor_ccache);
- if (ret)
- goto out;
- }
+ if (options->opt_private) {
+ if (options->opt_private->fast_armor_ccache_name) {
+ /* Open the caller-supplied FAST ccache and set the caller flags */
+ ret = krb5_cc_resolve(context, options->opt_private->fast_armor_ccache_name,
+ &ctx->fast_state.armor_ccache);
+ if (ret)
+ goto out;
+ }
- ctx->fast_state.flags = options->opt_private->fast_flags;
+ ctx->fast_state.flags = options->opt_private->fast_flags;
+ }
/*
* If FAST is required with a real credential cache, then the KDC
memset(&ctx->md, 0, sizeof(ctx->md));
if (ctx->error.e_data) {
- KERB_ERROR_DATA kerb_error_data;
+ KERB_ERROR_DATA error_data;
krb5_error_code ret2;
- memset(&kerb_error_data, 0, sizeof(kerb_error_data));
+ memset(&error_data, 0, sizeof(error_data));
/* First try to decode the e-data as KERB-ERROR-DATA. */
ret2 = decode_KERB_ERROR_DATA(ctx->error.e_data->data,
ctx->error.e_data->length,
- &kerb_error_data,
+ &error_data,
&len);
if (ret2) {
/* That failed, so try to decode it as METHOD-DATA. */
}
} else if (len != ctx->error.e_data->length) {
/* Trailing data — just ignore the error. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
} else {
/* OK. */
- free_KERB_ERROR_DATA(&kerb_error_data);
+ free_KERB_ERROR_DATA(&error_data);
}
}
.It Li allow_weak_crypto = Va boolean
are weak crypto algorithms allowed to be used, among others, DES is
considered weak.
+.It Li block_dns = Va boolean
+If true, prevent Heimdal from doing any DNS resolution.
+Default is false.
.It Li clockskew = Va time
Maximum time differential (in seconds) allowed when comparing
times.
If set pre-authentication is required.
.It Li ports = Va "list of ports"
List of ports the kdc should listen to.
+The list should be double-quoted if it contains more than one
+port specification, and the ports should be separated by space
+or tab characters.
+A port value of
+.Dq +
+means "all the standard ports" for the service, otherwise
+each port value should be of a form resolvable by
+.Xr getservbyname 3
+such as
+.Dq someservicename/tcp ,
+.Dq 12345/udp ,
+or
+.Dq 12345/tcp .
+If a numeric value is given with the
+.Sq /
+and protocol name are missing then that port will be used on
+both, UDP and TCP.
+For example,
+.Dq + 8088/tcp
+means
+.Dq serve on the standard ports and also on port 8088 with TCP .
.It Li addresses = Va "list of interfaces"
List of addresses the kdc should bind to.
.It Li enable-http = Va BOOL
.Xr kinit 1 ,
.Xr krb5_openlog 3 ,
.Xr strftime 3 ,
+.Xr getservbyname 3 ,
.Xr verify_krb5_conf 8
snprintf (portstr, sizeof(portstr), "%d", host->port);
make_hints(&hints, host->proto);
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
ret = getaddrinfo(host->hostname, portstr, &hints, &host->ai);
if (ret) {
ret = krb5_eai_to_heim_errno(ret, errno);
make_hints(&hints, proto);
snprintf(portstr, sizeof(portstr), "%d", port);
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
ret = getaddrinfo(host, portstr, &hints, &ai);
if (ret) {
/* no more hosts, so we're done here */
portnum = socket_get_port(addr);
ret = getnameinfo(addr, socklen, host, sizeof(host), port, sizeof(port),
- NI_NUMERICHOST|NI_NUMERICSERV);
+ NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE);
if (ret != 0)
return 0;
{
struct plctx ctx = { type, kd, 0 };
+ /*
+ * XXX Need a way to pass this through -- unsure if any of this is
+ * useful without DNS, though.
+ */
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns", NULL))
+ return;
+
if (_krb5_homedir_access(context))
ctx.flags |= KRB5_PLF_ALLOW_HOMEDIR;
return KRB5_KDC_UNREACH;
}
- if(context->srv_lookup) {
+ if (!krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
if(kd->sitename && (kd->flags & KD_SITE_SRV_TCP) == 0) {
srv_get_hosts(context, kd, kd->sitename, "tcp", "kerberos");
kd->flags |= KD_SITE_SRV_TCP;
return KRB5_KDC_UNREACH;
}
- if(context->srv_lookup) {
+ if (!krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
if((kd->flags & KD_SRV_TCP) == 0) {
srv_get_hosts(context, kd, NULL, "tcp", kd->srv_label);
kd->flags |= KD_SRV_TCP;
return KRB5_KDC_UNREACH;
}
- if(context->srv_lookup) {
+ if (!krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL) &&
+ context->srv_lookup) {
if((kd->flags & KD_SRV_UDP) == 0) {
srv_get_hosts(context, kd, NULL, "udp", kd->srv_label);
kd->flags |= KD_SRV_UDP;
struct host {
enum host_state { CONNECT, CONNECTING, CONNECTED, WAITING_REPLY, DEAD } state;
krb5_krbhst_info *hi;
+ struct addrinfo *freeai;
struct addrinfo *ai;
rk_socket_t fd;
const struct host_fun *fun;
proto = "udp";
if (getnameinfo(host->ai->ai_addr, host->ai->ai_addrlen,
- name, sizeof(name), port, sizeof(port), NI_NUMERICHOST) != 0)
+ name, sizeof(name), port, sizeof(port),
+ NI_NUMERICHOST|NI_NUMERICSERV|NI_NUMERICSCOPE) != 0)
name[0] = '\0';
switch (host->state) {
if (!rk_IS_BAD_SOCKET(host->fd))
rk_closesocket(host->fd);
krb5_data_free(&host->data);
+ if (host->freeai)
+ freeaddrinfo(host->freeai);
+ host->freeai = NULL;
host->ai = NULL;
}
submit_request(krb5_context context, krb5_sendto_ctx ctx, krb5_krbhst_info *hi)
{
unsigned long submitted_host = 0;
- krb5_boolean freeai = FALSE;
+ struct addrinfo *freeai = NULL;
struct timeval nrstart, nrstop;
krb5_error_code ret;
struct addrinfo *ai = NULL, *a;
nport = init_port(el, htons(80));
snprintf(portstr, sizeof(portstr), "%d", ntohs(nport));
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
ret = getaddrinfo(proxy, portstr, &hints, &ai);
free(proxy2);
if (ret)
return krb5_eai_to_heim_errno(ret, errno);
-
- freeai = TRUE;
+
+ freeai = ai;
} else {
ret = krb5_krbhst_get_addrinfo(context, hi, &ai);
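Review bot: When `block_dns` is set and the proxy is configured by host name rather than a numeric address, the `AI_NUMERICHOST` hint makes `getaddrinfo` fail and the caller only sees the value mapped by `krb5_eai_to_heim_errno`, with nothing pointing at `block_dns` as the cause. Hoisting the config lookup into a local and attaching an error message on that path makes the failure diagnosable without touching the success path; the message deliberately avoids naming `proxy` because `proxy2` has been freed by then and the relationship between the two buffers is outside this hunk. The enclosing function starts and ends outside this hunk.
```c
    krb5_boolean block_dns = krb5_config_get_bool(context, NULL, "libdefaults",
                                                  "block_dns", NULL);
    if (block_dns) {
        hints.ai_flags &= ~AI_CANONNAME;
        hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
    }
    ret = getaddrinfo(proxy, portstr, &hints, &ai);
    free(proxy2);
    if (ret) {
        krb5_error_code ret2 = krb5_eai_to_heim_errno(ret, errno);
        if (block_dns)
            krb5_set_error_message(context, ret2,
                                   "proxy address lookup failed with block_dns set");
        return ret2;
    }
    /* … unchanged: freeai = ai … */
```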
host = heim_alloc(sizeof(*host), "sendto-host", deallocate_host);
if (host == NULL) {
if (freeai)
- freeaddrinfo(ai);
+ freeaddrinfo(freeai);
rk_closesocket(fd);
return ENOMEM;
}
host->hi = hi;
host->fd = fd;
host->ai = a;
+ host->freeai = freeai;
+ freeai = NULL;
/* next version of stid */
host->tid = ctx->stid = (ctx->stid & 0xffff0000) | ((ctx->stid & 0xffff) + 1);
}
if (freeai)
- freeaddrinfo(ai);
+ freeai = NULL;
if (submitted_host == 0)
return KRB5_KDC_UNREACH;
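Review bot: After the loop, `freeai = NULL;` replaces the old `freeaddrinfo(ai)`, but ownership is only transferred at `host->freeai = freeai;` inside the loop, so if the loop finishes without allocating any host — which `submitted_host == 0` right below shows is possible — the proxy addrinfo list is leaked. Because `freeai` is already cleared whenever a host takes it, the tail can simply release whatever is left: `if (freeai) freeaddrinfo(freeai);`. A second, hedged point: the first host owns the whole list while every host's `host->ai = a` points into it, so if hosts can be released individually (when marked `DEAD`, for instance) before the owning host, the remaining `host->ai` pointers dangle; if that can happen, a reference count on the list or a per-host copy of the node would be safer. submit_request's body runs past both ends of this hunk.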
socklen_t salen = sizeof(__ss);
char hostname[NI_MAXHOST];
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ ret = HEIM_EAI_FAIL;
+ krb5_set_error_message (context, ret,
+ "krb5_sock_to_principal: block_dns enabled");
+ return ret;
+ }
+
if (getsockname (sock, sa, &salen) < 0) {
ret = errno;
krb5_set_error_message (context, ret, "getsockname: %s", strerror(ret));
defport = tmp;
snprintf(service, sizeof(service), "%u", defport);
}
+ if (krb5_config_get_bool(context, NULL, "libdefaults", "block_dns",
+ NULL)) {
+ hints.ai_flags &= ~AI_CANONNAME;
+ hints.ai_flags |= AI_NUMERICHOST|AI_NUMERICSERV;
+ }
ret = getaddrinfo(hostname, service, &hints, &ai);
if (ret == EAI_SERVICE && !isdigit((unsigned char)service[0])) {
snprintf(service, sizeof(service), "%u", defport);
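Review bot: With `block_dns` set, `AI_NUMERICSERV` is added to the hints, and on getaddrinfo implementations that then report a non-numeric service as `EAI_NONAME` rather than `EAI_SERVICE` (glibc does, as far as I know), the numeric-port retry on the line below, which only tests `ret == EAI_SERVICE`, is skipped and a lookup of a numeric host with a symbolic service fails outright. Either widen the retry, `if ((ret == EAI_SERVICE || ret == EAI_NONAME) && !isdigit((unsigned char)service[0])) {`, or, when `block_dns` is set, format `defport` into `service` before the first call so the service string is always numeric. The enclosing function starts and ends outside this hunk.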
struct entry libdefaults_entries[] = {
{ "accept_null_addresses", krb5_config_string, check_boolean, 0 },
{ "allow_weak_crypto", krb5_config_string, check_boolean, 0 },
+ { "block_dns", krb5_config_string, check_boolean, 0 },
{ "capath", krb5_config_list, all_strings, 1 },
{ "ccapi_library", krb5_config_string, NULL, 0 },
{ "check_pac", krb5_config_string, check_boolean, 0 },
#define NI_NUMERICSERV 0x10
#endif
+/*
+ * NI_NUMERICSCOPE is still missing from glibc as of 2024:
+ * https://sourceware.org/bugzilla/show_bug.cgi?id=14102
+ */
+#ifndef NI_NUMERICSCOPE
+#define NI_NUMERICSCOPE 0
+#endif
+
/*
* constants for getnameinfo
*/
static SOCKET syslog_socket = INVALID_SOCKET;
static char local_hostname[ MAX_COMPUTERNAME_LENGTH + 1 ];
-static char syslog_hostname[ MAX_COMPUTERNAME_LENGTH + 1 ] = "localhost";
+static char syslog_hostname[ MAX_COMPUTERNAME_LENGTH + 1 ];
static unsigned short syslog_port = SYSLOG_PORT;
static int datagramm_size;
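Review bot: Dropping the `"localhost"` initializer leaves `syslog_hostname` as an empty string until something assigns it, and the code that reads it is outside this hunk, so whether an empty name is handled cannot be confirmed here; the likely motivation is that the literal `"localhost"` cannot pass the `AI_NUMERICHOST` hint used in the next hunk. If that is the intent, an explicit numeric default such as `= "127.0.0.1"` keeps the reading code seeing the same shape of value as before; if the empty default is deliberate, a one-line comment on the declaration saying so would stop the next reader from restoring it.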
memset(&ai, 0, sizeof(ai));
- ai.ai_flags = flags | AI_NUMERICHOST;
+ ai.ai_flags = flags | AI_NUMERICHOST | AI_NUMERICSERV;
ai.ai_family = AF_INET;
ai.ai_socktype = SOCK_STREAM;
ai.ai_protocol = PF_UNSPEC;
rk_getipnodebyname;
rk_getnameinfo;
rk_getprogname;
+ rk_getpwnam_r;
rk_glob;
rk_globfree;
rk_hex_decode;
kgetcred="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kgetcred"
kimpersonate="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kimpersonate"
kinit="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/kinit"
+kinit_auditdns="${TESTS_ENVIRONMENT} ${top_builddir}/appl/test/kinit_auditdns"
klist="${TESTS_ENVIRONMENT} ${top_builddir}/kuser/heimtools klist"
kpasswd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswd"
kpasswdd="${TESTS_ENVIRONMENT} ${top_builddir}/kpasswd/kpasswdd"
include $(top_srcdir)/Makefile.am.common
+.NOTPARALLEL:
+
noinst_DATA = krb5.conf krb5.conf-sqlite krb5.conf-db3 krb5.conf-db1 krb5.conf-lmdb
noinst_SCRIPTS = have-db
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-echo "Adding foo"
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} modify --alias=foo-alias1@${R} --alias=foo-alias2@${R} foo@${R} || exit 1
-
-echo "Adding bar"
-${kadmin} add -p foo --use-defaults bar@${R} || exit 1
-${kadmin} add_alias bar@${R} bar-alias1@${R} bar-alias2@${R} || exit 1
-${kadmin} add_alias bar@${R} bar-alias4@${R} bar-alias3@${R} || exit 1
-${kadmin} get -o principal bar@${R} | grep "Principal:.bar@${R}" >/dev/null || exit 1
-${kadmin} get -o principal bar-alias1@${R} | grep "Principal:.bar@${R}" >/dev/null || exit 1
-${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null || exit 1
-${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias2@${R}" >/dev/null || exit 1
-${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias3@${R}" >/dev/null || exit 1
-${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias4@${R}" >/dev/null || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults foo@${R}
+modify --alias=foo-alias1@${R} --alias=foo-alias2@${R} foo@${R}
+add -p foo --use-defaults bar@${R}
+add_alias bar@${R} bar-alias1@${R} bar-alias2@${R}
+add_alias bar@${R} bar-alias4@${R} bar-alias3@${R}
+EOF
+
+${kadmin} get -o principal bar@${R} | grep "Principal:.bar@${R}" >/dev/null
+${kadmin} get -o principal bar-alias1@${R} | grep "Principal:.bar@${R}" >/dev/null
+${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null
+${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias2@${R}" >/dev/null
+${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias3@${R}" >/dev/null
+${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias4@${R}" >/dev/null
echo "Baz does not exists"
${kadmin} delete baz-alias1${R} 2>/dev/null && exit 1
echo "Delete aliases with del_alias (must succeed)"
-${kadmin} del_alias bar-alias2@${R} bar-alias3@${R} bar-alias4@${R} || exit 1
+${kadmin} <<EOF || exit 1
+del_alias bar-alias2@${R} bar-alias3@${R} bar-alias4@${R}
+EOF
${kadmin} get -o principal bar@${R} | grep "Principal:.bar@${R}" >/dev/null || exit 1
-${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null || exit 1
+${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null|| exit 1
${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias2@${R}" >/dev/null && exit 1
${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias3@${R}" >/dev/null && exit 1
${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias4@${R}" >/dev/null && exit 1
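Review bot: The six `get ... | grep ...` checks right after the first heredoc lost their `|| exit 1` (the removed lines had it), so unless `set -e` is in effect further up the script, a missing alias no longer fails the test; restore the suffix on each, e.g. `${kadmin} get -o aliases bar@${R} | grep "Aliases:.*bar-alias1@${R}" >/dev/null || exit 1`. The batching itself assumes that kadmin's exit status in stdin mode reflects any earlier failed command rather than only the last one; if it reports only the last, the `|| exit 1` after `EOF` masks failures of everything before it, and the same pattern is used in the other test-script hunks below that batch kadmin commands. The `>/dev/null|| exit 1` line also drops the space before `||`, which reads as an accidental edit.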
${kadmin} delete baz@${R} 2>/dev/null && exit 1
echo "Add alias to deleted name"
-${kadmin} modify --alias=bar-alias1@${R} foo@${R} || exit 1
-${kadmin} modify --alias=bar@${R} foo@${R} || exit 1
-${kadmin} modify --alias=bar@${R} --alias=baz@${R} foo@${R} || exit 1
+${kadmin} <<EOF || exit 1
+modify --alias=bar-alias1@${R} foo@${R}
+modify --alias=bar@${R} foo@${R}
+modify --alias=bar@${R} --alias=baz@${R} foo@${R}
+EOF
${kadmin} get -o principal foo@${R} | grep "Principal:.foo@${R}" >/dev/null || exit 1
${kadmin} get -o principal bar@${R} | grep "Principal:.foo@${R}" >/dev/null || exit 1
${kadmin} get -o principal baz@${R} | grep "Principal:.foo@${R}" >/dev/null || exit 1
echo "Rename over self alias key"
${kadmin} rename foo@${R} foo-alias1@${R} 2>/dev/null && exit 1
-${kadmin} modify --alias= foo@${R} || exit 1
-${kadmin} rename foo@${R} foo-alias1@${R} || exit 1
-${kadmin} modify --alias=foo foo-alias1@${R} || exit 1
+${kadmin} <<EOF || exit 1
+modify --alias= foo@${R}
+rename foo@${R} foo-alias1@${R}
+modify --alias=foo foo-alias1@${R}
+EOF
echo "Doing database check"
${kadmin} check ${R} || exit 1
include $(top_srcdir)/Makefile.am.common
-noinst_DATA = krb5.conf new_clients_k5.conf mech
+.NOTPARALLEL:
-SCRIPT_TESTS = check-basic check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
+noinst_DATA = krb5.conf krb5-nodns.conf new_clients_k5.conf mech
+
+SCRIPT_TESTS = check-basic check-nodns check-gss check-gssmask check-context check-spnego check-ntlm check-negoex
TESTS = $(SCRIPT_TESTS)
chmod +x check-basic.tmp && \
mv check-basic.tmp check-basic
+check-nodns: check-nodns.in Makefile
+ $(do_subst) < $(srcdir)/check-nodns.in > check-nodns.tmp && \
+ chmod +x check-nodns.tmp && \
+ mv check-nodns.tmp check-nodns
+
check-ntlm: check-ntlm.in Makefile
$(do_subst) < $(srcdir)/check-ntlm.in > check-ntlm.tmp && \
chmod +x check-ntlm.tmp && \
$(do_subst) < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
mv krb5.conf.tmp krb5.conf
+krb5-nodns.conf: krb5-nodns.conf.in Makefile
+ $(do_subst) < $(srcdir)/krb5-nodns.conf.in > krb5-nodns.conf.tmp && \
+ mv krb5-nodns.conf.tmp krb5-nodns.conf
+
new_clients_k5.conf: new_clients_k5.conf.in Makefile
$(do_subst) < $(srcdir)/new_clients_k5.conf.in > new_clients_k5.conf.tmp && \
mv new_clients_k5.conf.tmp new_clients_k5.conf
krb5ccfile-ds \
server.keytab \
krb5.conf \
+ krb5-nodns.conf \
new_clients_k5.conf \
mech \
current-db* \
*.log \
tempfile \
check-basic.tmp \
+ check-nodns.tmp \
check-gss.tmp \
check-gssmask.tmp \
check-spnego.tmp \
EXTRA_DIST = \
NTMakefile \
check-basic.in \
+ check-nodns.in \
check-gss.in \
check-gssmask.in \
check-spnego.in \
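Review bot: `check-nodns.in` is added to `EXTRA_DIST` here, but `krb5-nodns.conf.in`, which the new `krb5-nodns.conf` rule reads from `$(srcdir)`, does not appear in this hunk; if the `.conf.in` entries are listed further down alongside `krb5.conf.in`, make sure `krb5-nodns.conf.in \` is added there too, otherwise a dist tarball cannot build the new test.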
> messages.log
-echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
echo upw > ${objdir}/foopassword
-${kadmin} add -p upw --use-defaults user@${R} || exit 1
-${kadmin} add -p upw --use-defaults another@${R} || exit 1
-${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
-${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+echo Creating database
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p upw --use-defaults user@${R}
+add -p upw --use-defaults another@${R}
+add -p p1 --use-defaults host/host.test.h5l.se@${R}
+ext -k ${keytab} host/host.test.h5l.se@${R}
+check ${R}
+EOF
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
exitcode=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
# add both lucid and lucid.test.h5l.se to simulate aliases
-${kadmin} add -p p1 --use-defaults host/lucid.test.h5l.se@${R} || exit 1
-${kadmin} ext -k ${keytab} host/lucid.test.h5l.se@${R} || exit 1
-
-${kadmin} add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R} || exit 1
-${kadmin} mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R} || exit 1
-${kadmin} ext -k ${keytab} host/ok-delegate.test.h5l.se@${R} || exit 1
-
-
-${kadmin} add -p p1 --use-defaults host/short@${R} || exit 1
-${kadmin} mod --alias=host/long.test.h5l.se@${R} host/short@${R} || exit 1
# XXX ext should ext aliases too
-${kadmin} ext -k ${keytab} host/short@${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p p1 --use-defaults host/lucid.test.h5l.se@${R}
+ext -k ${keytab} host/lucid.test.h5l.se@${R}
+add -p p1 --use-defaults host/ok-delegate.test.h5l.se@${R}
+mod --attributes=+ok-as-delegate host/ok-delegate.test.h5l.se@${R}
+ext -k ${keytab} host/ok-delegate.test.h5l.se@${R}
+add -p p1 --use-defaults host/short@${R}
+mod --alias=host/long.test.h5l.se@${R} host/short@${R}
+ext -k ${keytab} host/short@${R}
+EOF
${ktutil} -k ${keytab} rename --no-delete host/short@${R} host/long.test.h5l.se@${R} || exit 1
-${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
-
-${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
-${kadmin} mod --alias=user1.alias user1@${R} || exit 1
-
# Create a server principal with no AES
-${kadmin} add -p p1 --use-defaults host/no-aes.test.h5l.se@${R} || exit 1
-${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
-${kadmin} del_enctype host/no-aes.test.h5l.se@${R} \
- aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 || exit 1
-${kadmin} ext -k ${keytab} host/no-aes.test.h5l.se@${R} || exit 1
+${kadmin} <<EOF || exit 1
+add -p kaka --use-defaults digest/${R}@${R}
+add -p u1 --use-defaults user1@${R}
+mod --alias=user1.alias user1@${R}
+add -p p1 --use-defaults host/no-aes.test.h5l.se@${R}
+del_enctype host/no-aes.test.h5l.se@${R} aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96
+ext -k ${keytab} host/no-aes.test.h5l.se@${R}
+check ${R}
+EOF
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile || exit 1
echo u1 > ${objdir}/foopassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid} 2>/dev/null
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
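Review bot: `${kadmin} get host/no-aes.test.h5l.se@${R} > tempfile` now runs after `del_enctype` and `ext` instead of before them, so `tempfile` captures the principal with the AES keys already removed where it previously held the pre-deletion entry; if a later step compares enctypes from `tempfile`, this ordering change alters what it sees, and keeping the `get` ahead of the second heredoc preserves the old content. This script's cleanup uses `kill -9 ${kdcpid} 2>/dev/null` while the sibling cleanup functions in this change omit the redirect; pick one form across the set. The trap is also installed only after `${kdc} --detach`, so an interrupt between the start and `trap cleanup EXIT INT TERM` leaves the KDC running; initialising `kdcpid=` and installing the trap before starting the KDC, as the gssmask script in this change does, avoids that.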
testfailed="echo test failed; cat messages.log; exit 1"
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
# Test virtual principals, why not
-${kadmin} add_ns --key-rotation-epoch=now \
- --key-rotation-period=15m \
- --max-ticket-life=10d \
- --max-renewable-life=20d \
- --attributes= \
- "_/test.h5l.se@${R}" || exit 1
-${kadmin} ext -k ${keytab} host/n1.test.h5l.se@${R} || exit 1
-${kadmin} ext -k ${keytab} host/n2.test.h5l.se@${R} || exit 1
-${kadmin} ext -k ${keytab} host/n3.test.h5l.se@${R} || exit 1
-
-${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add_ns --key-rotation-epoch=now --key-rotation-period=15m --max-ticket-life=10d --max-renewable-life=20d --attributes= "_/test.h5l.se@${R}"
+ext -k ${keytab} host/n1.test.h5l.se@${R}
+ext -k ${keytab} host/n2.test.h5l.se@${R}
+ext -k ${keytab} host/n3.test.h5l.se@${R}
+add -p u1 --use-defaults user1@${R}
+check ${R}
+EOF
+
+kdcpid=
+n1pid=
+n2pid=
+n3pid=
+cleanup() {
+ echo signal killing kdcs
+ kill -9 ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2>/dev/null
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
-
exitcode=0
echo "Starting client 1"
${gssmaskn2} --moniker=n2 &
n2pid=$!
-echo "Starting client 3"
-${gssmaskn3} --moniker=n3 &
-n3pid=$!
-
-trap "kill ${kdcpid} ${n1pid} ${n2pid} ${n3pid} 2> /dev/null; echo signal killing kdc and maskar; exit 1;" EXIT
+#echo "Starting client 3"
+#${gssmaskn3} --moniker=n3 &
+#n3pid=$!
sleep 10
-# --wrap-ext
+# XXX Make --wrap-ext work (seems to fail)
+#
+# Add --slaves=localhost:8891 if re-enabling client 3
${gssmaestro} \
--slaves=localhost:8889 \
--slaves=localhost:8890 \
- --slaves=localhost:8891 \
--principals=user1@${R}:u1 || exitcode=1
trap "" EXIT
done
-trap "" EXIT
-
exit $exitcode
--- /dev/null
+#!/bin/sh
+#
+# Copyright (c) 2007 Kungliga Tekniska Högskolan
+# (Royal Institute of Technology, Stockholm, Sweden).
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in the
+# documentation and/or other materials provided with the distribution.
+#
+# 3. Neither the name of the Institute nor the names of its contributors
+# may be used to endorse or promote products derived from this software
+# without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
+# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+# ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
+# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+# SUCH DAMAGE.
+#
+# $Id$
+#
+
+env_setup="@env_setup@"
+srcdir="@srcdir@"
+objdir="@objdir@"
+
+. ${env_setup}
+
+# If there is no useful db support compiled in, disable test
+../db/have-db || exit 77
+
+R=TEST.H5L.SE
+
+port=@port@
+
+keytabfile=${objdir}/server.keytab
+keytab="FILE:${keytabfile}"
+nokeytab="FILE:no-such-keytab"
+cache="FILE:krb5ccfile"
+cache2="FILE:krb5ccfile2"
+nocache="FILE:no-such-cache"
+
+kadmin="${kadmin} -l -r $R"
+kdc="${kdc} --addresses=127.0.0.1 -P $port"
+
+acquire_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_acquire_cred_auditdns"
+test_kcred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_kcred"
+test_add_store_cred="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_add_store_cred"
+
+KRB5_CONFIG="${objdir}/krb5-nodns.conf"
+export KRB5_CONFIG
+
+KRB5_KTNAME="${keytab}"
+export KRB5_KTNAME
+KRB5CCNAME="${cache}"
+export KRB5CCNAME
+
+rm -f ${keytabfile}
+rm -f current-db*
+rm -f out-*
+rm -f mkey.file*
+
+> messages.log
+
+echo Creating database
+echo upw > ${objdir}/foopassword
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p upw --use-defaults user@${R}
+add -p upw --use-defaults another@${R}
+add -p p1 --use-defaults host/host.test.h5l.se@${R}
+ext -k ${keytab} host/host.test.h5l.se@${R}
+check ${R}
+EOF
+
+echo Starting kdc
+${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
+kdcpid=`getpid kdc`
+
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
+
+exitcode=0
+
+echo "initial ticket"
+${kinit_auditdns} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
+
+echo "copy ccache with gss_store_cred"
+# Note we test that the ccache used for storing is token-expanded
+${test_add_store_cred} --default --overwrite --env ${cache} "${cache2}%{null}" || exit 1
+${klist} -c ${cache2} || exit 1
+
+echo "keytab"
+${acquire_cred} \
+ --acquire-type=accept \
+ --acquire-name=host@host.test.h5l.se || exit 1
+
+echo "keytab w/ short-form name and name canon rules"
+${acquire_cred} \
+ --acquire-type=accept \
+ --acquire-name=host@host || exit 1
+
+echo "keytab w/o name"
+${acquire_cred} \
+ --acquire-type=accept || exit 1
+
+echo "keytab w/ wrong name"
+${acquire_cred} \
+ --acquire-type=accept --kerberos \
+ --acquire-name=host@host2.test.h5l.se 2>/dev/null && exit 1
+
+echo "init using keytab"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --loops=10 \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --loops=10 \
+ --target=host@host.test.h5l.se \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, kerberos)"
+${acquire_cred} \
+ --acquire-type=initiate \
+ --loops=10 \
+ --kerberos \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using keytab (loop 10, target, kerberos)"
+${acquire_cred} \
+ --acquire-type=initiate \
+ --loops=10 \
+ --kerberos \
+ --target=host@host.test.h5l.se \
+ --acquire-name=host@host.test.h5l.se > /dev/null || exit 1
+
+echo "init using existing cc"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --acquire-type=initiate \
+ --acquire-name=user || exit 1
+
+KRB5CCNAME=${nocache}
+
+echo "fail init using existing cc"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --acquire-type=initiate \
+ --acquire-name=user 2>/dev/null && exit 1
+
+echo "use gss_krb5_ccache_name for user"
+${acquire_cred} \
+ --kerberos \
+ --name-type=user-name \
+ --ccache=${cache} \
+ --acquire-type=initiate \
+ --acquire-name=user >/dev/null || exit 1
+
+KRB5CCNAME=${cache}
+KRB5_KTNAME=${nokeytab}
+
+echo "kcred"
+${test_kcred} || exit 1
+
+${kdestroy} -c ${cache}
+
+KRB5_KTNAME="${keytab}"
+
+echo "init using keytab"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+echo "init using keytab (ccache)"
+${acquire_cred} \
+ --kerberos \
+ --acquire-type=initiate \
+ --ccache=${cache} \
+ --acquire-name=host@host.test.h5l.se 2>/dev/null || exit 1
+
+trap "" EXIT
+
+echo "killing kdc (${kdcpid})"
+kill ${kdcpid} 2> /dev/null
+
+exit $exitcode
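Review bot: Only `kinit_auditdns` and `test_acquire_cred_auditdns` are auditing wrappers, so the no-DNS assurance covers just those steps; `${klist}`, `${test_kcred}`, `${test_add_store_cred}` and `${kdestroy}` run unaudited and would pass even if they resolved names, which is presumably intended but deserves a comment near the top stating which steps are audited. `${kinit_auditdns} ... || exitcode=1` lets the script continue after the initial ticket fails, and every later step then dies with `exit 1` on a cascading failure that hides the root cause; use `|| exit 1` there as well, or at least echo a message. The cleanup trap is installed after `${kdc} --detach`; initialise `kdcpid=` and move `trap cleanup EXIT INT TERM` above the KDC start, as the gssmask script in this change does, so an early interrupt cannot leak the KDC.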
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
-${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
-
-${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
-
-${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1
-${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1
-
-${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p p1 --use-defaults host/host.test.h5l.se@${R}
+ext -k ${keytab} host/host.test.h5l.se@${R}
+add -p kaka --use-defaults digest/${R}@${R}
+add -p ds --use-defaults digestserver@${R}
+modify --attributes=+allow-digest digestserver@${R}
+add -p u1 --use-defaults user1@${R}
+check ${R}
+EOF
echo u1 > ${objdir}/foopassword
echo ds > ${objdir}/barpassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
exitcode=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p p1 --use-defaults host/host.test.h5l.se@${R} || exit 1
-${kadmin} ext -k ${keytab} host/host.test.h5l.se@${R} || exit 1
-
-${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
-
-${kadmin} add -p ds --use-defaults digestserver@${R} || exit 1
-${kadmin} modify --attributes=+allow-digest digestserver@${R} || exit 1
-
-${kadmin} add -p u1 --use-defaults user1@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p p1 --use-defaults host/host.test.h5l.se@${R}
+ext -k ${keytab} host/host.test.h5l.se@${R}
+add -p kaka --use-defaults digest/${R}@${R}
+add -p ds --use-defaults digestserver@${R}
+modify --attributes=+allow-digest digestserver@${R}
+add -p u1 --use-defaults user1@${R}
+check ${R}
+EOF
echo u1 > ${objdir}/foopassword
echo ds > ${objdir}/barpassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
exitcode=0
--- /dev/null
+include @srcdirabs@/include-krb5.conf
+
+[libdefaults]
+ default_keytab_name = @objdir@/server.keytab
+ enable-kx509 = yes
+ kx509_store = PEM-FILE:/tmp/cert_%{euid}.pem
+ default_realm = TEST.H5L.SE
+ kuserok = SYSTEM-K5LOGIN:@srcdir@/../kdc/k5login
+ kuserok = USER-K5LOGIN
+ kuserok = SIMPLE
+ block_dns = yes
+
+[realms]
+ TEST.H5L.SE = {
+ kdc = 127.0.0.1:@port@
+ auth_to_local_names = {
+ user1 = mapped_user1
+ }
+ }
+
+[kdc]
+ enable-digest = true
+ allow-anonymous = true
+ digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+ strict-nametypes = true
+ synthetic_clients = true
+ enable_gss_preauth = true
+ gss_mechanisms_allowed = sanon-x25519
+ enable-pkinit = true
+ pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+ pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+ pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+ pkinit_mappings_file = @srcdir@/pki-mapping
+ pkinit_allow_proxy_certificate = true
+
+ database = {
+ dbname = @objdir@/current-db
+ realm = TEST.H5L.SE
+ mkey_file = @objdir@/mkey.file
+ log_file = @objdir@/current.log
+ }
+
+[hdb]
+ db-dir = @objdir@
+ enable_virtual_hostbased_princs = true
+ virtual_hostbased_princ_mindots = 1
+ virtual_hostbased_princ_maxdots = 3
+ same_realm_aliases_are_soft = true
+
+[logging]
+ kdc = 0-/FILE:@objdir@/messages.log
+ default = 0-/FILE:@objdir@/messages.log
+
+include @srcdirabs@/missing-krb5.conf
echo foo > ${objdir}/foopassword
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p foo --use-defaults lha@${R} || exit 1
-${kadmin} modify --attributes=+requires-pre-auth lha@${R} || exit 1
-${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults lha@${R}
+modify --attributes=+requires-pre-auth lha@${R}
+add -p kaka --use-defaults ${server}@${R}
+ext -k ${keytab} ${server}@${R}
+EOF
echo Starting kdc
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
echo "Run init"
java \
include $(top_srcdir)/Makefile.am.common
+.NOTPARALLEL:
+
noinst_DATA = \
an2ln-db.txt \
kdc-tester4.json \
kdcpid=
bx509pid=
test_csr_authorizer_pid=
-trap 'kill -9 ${kdcpid} ${bx509pid} ${test_csr_authorizer_pid}; echo signal killing kdc, bx509d, and test_csr_authorizer; exit 1;' EXIT
+cleanup() {
+ echo signal killing kdc, bx509d, and test_csr_authorizer
+ kill -9 ${kdcpid} ${bx509pid} ${test_csr_authorizer_pid} 2>/dev/null
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
# csr_grant ext-type value grantee_principal
csr_grant() {
echo "Creating database"
initflags="init --realm-max-ticket-life=1day --realm-max-renewable-life=1month"
-${kadmin} ${initflags} ${R1} || exit 1
-${kadmin} ${initflags} ${R2} || exit 1
-${kadmin} ${initflags} ${R3} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${R1} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R1}@${R2} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R1} || exit 1
-${kadmin} add -p cross3 --use-defaults krbtgt/${R3}@${R1} || exit 1
-${kadmin} add -p cross4 --use-defaults krbtgt/${R1}@${R3} || exit 1
-${kadmin} add -p cross5 --use-defaults krbtgt/${R3}@${R2} || exit 1
-${kadmin} add -p cross6 --use-defaults krbtgt/${R2}@${R3} || exit 1
-
-${kadmin} add -p foo --use-defaults host/t1@${R1} || exit 1
-${kadmin} add -p foo --use-defaults host/t2@${R2} || exit 1
-${kadmin} add -p foo --use-defaults host/t3@${R3} || exit 1
-${kadmin} add -p foo --use-defaults host/t11.test1.h5l.se@${R1} || exit 1
-${kadmin} add -p foo --use-defaults host/t12.test1.h5l.se@${R2} || exit 1
-${kadmin} add -p foo --use-defaults host/t22.test2.h5l.se@${R2} || exit 1
-${kadmin} add -p foo --use-defaults host/t23.test2.h5l.se@${R3} || exit 1
-${kadmin} add -p foo --use-defaults host/t33.test3.h5l.se@${R3} || exit 1
-
-
-echo "Doing database check"
-${kadmin} check ${R1} || exit 1
-${kadmin} check ${R2} || exit 1
-${kadmin} check ${R3} || exit 1
+${kadmin} <<EOF || exit 1
+${initflags} ${R1}
+${initflags} ${R2}
+${initflags} ${R3}
+add -p foo --use-defaults foo@${R1}
+add -p cross1 --use-defaults krbtgt/${R1}@${R2}
+add -p cross2 --use-defaults krbtgt/${R2}@${R1}
+add -p cross3 --use-defaults krbtgt/${R3}@${R1}
+add -p cross4 --use-defaults krbtgt/${R1}@${R3}
+add -p cross5 --use-defaults krbtgt/${R3}@${R2}
+add -p cross6 --use-defaults krbtgt/${R2}@${R3}
+add -p foo --use-defaults host/t1@${R1}
+add -p foo --use-defaults host/t2@${R2}
+add -p foo --use-defaults host/t3@${R3}
+add -p foo --use-defaults host/t11.test1.h5l.se@${R1}
+add -p foo --use-defaults host/t12.test1.h5l.se@${R2}
+add -p foo --use-defaults host/t22.test2.h5l.se@${R2}
+add -p foo --use-defaults host/t23.test2.h5l.se@${R3}
+add -p foo --use-defaults host/t33.test3.h5l.se@${R3}
+check ${R1}
+check ${R2}
+check ${R3}
+EOF
echo foo > ${objdir}/foopassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} add -p foo --use-defaults bar@${R} || exit 1
-${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults foo@${R}
+add -p foo --use-defaults bar@${R}
+add -p kaka --use-defaults ${server}@${R}
+ext -k ${keytab} ${server}@${R}
+check ${R}
+EOF
echo foo > ${objdir}/foopassword
HEIM_IPC_DIR=${objdir}
export HEIM_IPC_DIR
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
echo Creating database
initflags="init --realm-max-ticket-life=1day --realm-max-renewable-life=1month"
-${kadmin} ${initflags} ${R} || exit 1
-${kadmin} ${initflags} ${R2} || exit 1
-${kadmin} ${initflags} ${R3} || exit 1
-${kadmin} ${initflags} ${R4} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R2} || exit 1
-${kadmin} add -p cross3 --use-defaults krbtgt/${R4}@${R3} || exit 1
-
-${kadmin} modify --attributes=+ok-as-delegate krbtgt/${R2}@${R} || exit 1
-${kadmin} modify --attributes=+ok-as-delegate krbtgt/${R3}@${R2} || exit 1
-
-${kadmin} add -p foo --use-defaults host/server.test3.h5l.se@${R3} || exit 1
-${kadmin} modify --attributes=+ok-as-delegate host/server.test3.h5l.se@${R3} || exit 1
-${kadmin} add -p foo --use-defaults host/noserver.test3.h5l.se@${R3} || exit 1
-
-${kadmin} add -p foo --use-defaults host/server.test4.h5l.se@${R4} || exit 1
-${kadmin} modify --attributes=+ok-as-delegate host/server.test4.h5l.se@${R4} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
-${kadmin} check ${R2} || exit 1
-${kadmin} check ${R3} || exit 1
-${kadmin} check ${R4} || exit 1
+${kadmin} <<EOF || exit 1
+${initflags} ${R}
+${initflags} ${R2}
+${initflags} ${R3}
+${initflags} ${R4}
+add -p foo --use-defaults foo@${R}
+add -p cross1 --use-defaults krbtgt/${R2}@${R}
+add -p cross2 --use-defaults krbtgt/${R3}@${R2}
+add -p cross3 --use-defaults krbtgt/${R4}@${R3}
+modify --attributes=+ok-as-delegate krbtgt/${R2}@${R}
+modify --attributes=+ok-as-delegate krbtgt/${R3}@${R2}
+add -p foo --use-defaults host/server.test3.h5l.se@${R3}
+modify --attributes=+ok-as-delegate host/server.test3.h5l.se@${R3}
+add -p foo --use-defaults host/noserver.test3.h5l.se@${R3}
+add -p foo --use-defaults host/server.test4.h5l.se@${R4}
+modify --attributes=+ok-as-delegate host/server.test4.h5l.se@${R4}
+check ${R}
+check ${R2}
+check ${R3}
+check ${R4}
+EOF
echo foo > ${objdir}/foopassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R2} || exit 1
-
-${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} add -p kaka --use-defaults ${afsserver}@${R} || exit 1
-${kadmin} add -p kaka --use-defaults ${hostserver}@${R} || exit 1
-${kadmin} add_enctype -r ${afsserver}@${R} des-cbc-crc || exit 1
-${kadmin} add_enctype -r ${hostserver}@${R} des-cbc-crc || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R2}
+cpw -r krbtgt/${R}@${R}
+add -p foo --use-defaults foo@${R}
+add -p kaka --use-defaults ${afsserver}@${R}
+add -p kaka --use-defaults ${hostserver}@${R}
+add_enctype -r ${afsserver}@${R} des-cbc-crc
+add_enctype -r ${hostserver}@${R} des-cbc-crc
+check ${R}
+EOF
echo foo > ${objdir}/foopassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p $userpassword --use-defaults ${username}@${R} || exit 1
-${kadmin} add -p $password --use-defaults ${server}@${R} || exit 1
-${kadmin} add -p kaka --use-defaults digest/${R}@${R} || exit 1
-${kadmin} modify --attributes=+allow-digest ${server}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p $userpassword --use-defaults ${username}@${R}
+add -p $password --use-defaults ${server}@${R}
+add -p kaka --use-defaults digest/${R}@${R}
+modify --attributes=+allow-digest ${server}@${R}
+ext -k ${keytab} ${server}@${R}
+check ${R}
+EOF
echo $password > ${objdir}/foopassword
{ echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
exitcode=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} add -p foo --use-defaults ${server}@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults foo@${R}
+add -p foo --use-defaults ${server}@${R}
+check ${R}
+EOF
echo foo > ${objdir}/foopassword
echo bar > ${objdir}/barpassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; cat messages.log; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
# If there is no ldap support compiled in, disable test
if ${kdc} --builtin-hdb | grep mit-db > /dev/null ; then
- :
+ echo "Testing MIT KDB support"
+ ${kdc} --builtin-hdb
else
echo "no MIT KDB support"
exit 77
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
{ echo signal killing kadmind; kill -9 "$kadmindpid"; }
test -n "$kadmind2pid" &&
{ echo signal killing kadmind; kill -9 "$kadmind2pid"; }
+ trap '' EXIT INT TERM
}
-trap cleanup EXIT
+trap cleanup EXIT INT TERM
rm -f extracted_keytab
> messages.log2
echo Creating database
-${kadmin} -l \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} -l add -p foo --use-defaults user@${R} || exit 1
-
-${kadmin} -l add --random-key --use-defaults iprop/localhost@${R} || exit 1
-${kadmin} -l ext -k ${keytab} iprop/localhost@${R} || exit 1
-${kadmin} -l add --random-key --use-defaults iprop/slave.test.h5l.se@${R} || exit 1
-${kadmin} -l ext -k ${keytab} iprop/slave.test.h5l.se@${R} || exit 1
+${kadmin} -l <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults user@${R}
+add --random-key --use-defaults iprop/localhost@${R}
+ext -k ${keytab} iprop/localhost@${R}
+add --random-key --use-defaults iprop/slave.test.h5l.se@${R}
+ext -k ${keytab} iprop/slave.test.h5l.se@${R}
+EOF
echo foo > ${objdir}/foopassword
test -n "$ipds" && kill -9 $ipds >/dev/null 2>/dev/null
test -n "$ipds2" && kill -9 $ipds2 >/dev/null 2>/dev/null
test -n "$kdcpid" && kill -9 $kdcpid >/dev/null 2>/dev/null
+ trap '' EXIT INT TERM
tail messages.log
tail iprop-stats
exit 1
}
-trap cleanup EXIT
+trap cleanup EXIT INT TERM
echo Starting kdc ; > messages.log
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
> messages.log
echo Creating database
-${kadmin} -l \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} -l add -p "$foopassword" --use-defaults foo/admin@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults bar@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults baz@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults bez@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults fez@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults hasalias@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults pkinit@${R} || exit 1
-${kadmin} -l modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults prune@${R} || exit 1
-${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1
-${kadmin} -l cpw --keepold --random-key prune@${R} || exit 1
-${kadmin} -l add -p "$foopassword" --use-defaults pruneall@${R} || exit 1
-${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1
-${kadmin} -l cpw --pruneall --random-key pruneall@${R} || exit 1
+${kadmin} -l <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p "$foopassword" --use-defaults foo/admin@${R}
+add -p "$foopassword" --use-defaults bar@${R}
+add -p "$foopassword" --use-defaults baz@${R}
+add -p "$foopassword" --use-defaults bez@${R}
+add -p "$foopassword" --use-defaults fez@${R}
+add -p "$foopassword" --use-defaults hasalias@${R}
+add -p "$foopassword" --use-defaults pkinit@${R}
+modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" pkinit@${R}
+add -p "$foopassword" --use-defaults prune@${R}
+cpw --keepold --random-key prune@${R}
+cpw --keepold --random-key prune@${R}
+add -p "$foopassword" --use-defaults pruneall@${R}
+cpw --pruneall --random-key pruneall@${R}
+cpw --pruneall --random-key pruneall@${R}
+EOF
echo "$foopassword" > ${objdir}/foopassword
|| { echo "kadmind failed to start"; cat messages.log; exit 1; }
kadmpid=`getpid kadmind`
-trap "kill -9 ${kdcpid} ${kadmpid}" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid} ${kadmpid} 2>/dev/null
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
#----------------------------------
echo "kinit (no admin); test mod --alias authorization"
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R2} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R3} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R4} || exit 1
-
-${kadmin5} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R5} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R6} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R7} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R8} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${H1} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${H2} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${H3} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${H4} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${RH} || exit 1
-
-${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
-${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
-${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
-${kadmin} cpw -r krbtgt/${R}@${R} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} add -p foo --use-defaults foo/host.${r}@${R} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R2} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R3} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R4} || exit 1
-${kadmin5} add -p foo --use-defaults foo@${R5} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R6} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R7} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R8} || exit 1
-${kadmin} add -p foo --use-defaults foo@${H1} || exit 1
-${kadmin} add -p foo --use-defaults foo/host.${h1}@${H1} || exit 1
-${kadmin} add -p foo --use-defaults foo@${H2} || exit 1
-${kadmin} add -p foo --use-defaults foo/host.${h2}@${H2} || exit 1
-${kadmin} add -p foo --use-defaults foo@${H3} || exit 1
-${kadmin} add -p foo --use-defaults foo/host.${h3}@${H3} || exit 1
-${kadmin} add -p foo --use-defaults foo@${H4} || exit 1
-${kadmin} add -p foo --use-defaults foo/host.${h4}@${H4} || exit 1
-${kadmin} add -p bar --use-defaults bar@${R} || exit 1
-${kadmin} add -p foo --use-defaults remove@${R} || exit 1
-${kadmin} add -p nop --use-defaults ${server}@${R} || exit 1
-${kadmin} cpw -p bla --keepold ${server}@${R} || exit 1
-${kadmin} cpw -p kaka --keepold ${server}@${R} || exit 1
-${kadmin} add -p kaka --use-defaults ${server}-des3@${R} || exit 1
-${kadmin} add -p kaka --use-defaults kt-des3@${R} || exit 1
-${kadmin} add -p kaka --use-defaults foo/des3-only@${R} || exit 1
-${kadmin} add -p kaka --use-defaults bar/des3-only@${R} || exit 1
-${kadmin} add -p kaka --use-defaults foo/aes-only@${R} || exit 1
-
-${kadmin} add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R} || exit 1
-${kadmin} add -p foo --use-defaults ${ps} || exit 1
-${kadmin} modify --attributes=+trusted-for-delegation ${ps} || exit 1
-${kadmin} modify --constrained-delegation=${server} ${ps} || exit 1
-${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${ps} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R2}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R3}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R4}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R6}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R7}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R8}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${H1}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${H2}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${H3}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${H4}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${RH}
+cpw -r krbtgt/${R}@${R}
+cpw -r krbtgt/${R}@${R}
+cpw -r krbtgt/${R}@${R}
+cpw -r krbtgt/${R}@${R}
+add -p foo --use-defaults foo@${R}
+add -p foo --use-defaults foo/host.${r}@${R}
+add -p foo --use-defaults foo@${R2}
+add -p foo --use-defaults foo@${R3}
+add -p foo --use-defaults foo@${R4}
+add -p foo --use-defaults foo@${R6}
+add -p foo --use-defaults foo@${R7}
+add -p foo --use-defaults foo@${R8}
+add -p foo --use-defaults foo@${H1}
+add -p foo --use-defaults foo/host.${h1}@${H1}
+add -p foo --use-defaults foo@${H2}
+add -p foo --use-defaults foo/host.${h2}@${H2}
+add -p foo --use-defaults foo@${H3}
+add -p foo --use-defaults foo/host.${h3}@${H3}
+add -p foo --use-defaults foo@${H4}
+add -p foo --use-defaults foo/host.${h4}@${H4}
+add -p bar --use-defaults bar@${R}
+add -p foo --use-defaults remove@${R}
+add -p nop --use-defaults ${server}@${R}
+cpw -p bla --keepold ${server}@${R}
+cpw -p kaka --keepold ${server}@${R}
+add -p kaka --use-defaults ${server}-des3@${R}
+add -p kaka --use-defaults kt-des3@${R}
+add -p kaka --use-defaults foo/des3-only@${R}
+add -p kaka --use-defaults bar/des3-only@${R}
+add -p kaka --use-defaults foo/aes-only@${R}
+add -p sens --use-defaults --attributes=disallow-forwardable sensitive@${R}
+add -p foo --use-defaults ${ps}
+modify --attributes=+trusted-for-delegation ${ps}
+modify --constrained-delegation=${server} ${ps}
+ext -k ${keytab} ${server}@${R}
+ext -k ${keytab} ${ps}
+add -p kaka --use-defaults ${server2}@${R2}
+ext -k ${keytab} ${server2}@${R2}
+add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5}
+add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${server3}@${R}
+add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${namespace}@${R}
+add -p kaka --use-defaults ${serverip}@${R}
+ext -k ${keytab} ${serverip}@${R}
+add -p kaka --use-defaults ${serveripname}@${R}
+ext -k ${keytab} ${serveripname}@${R}
+modify --alias=${serveripname2}@${R} ${serveripname}@${R}
+add -p foo --use-defaults remove2@${R2}
+add -p nopac --use-defaults ${server4}@${R2}
+modify --attributes=+no-auth-data-reqd ${server4}@${R2}
+ext -k ${keytab} ${server4}@${R2}
+add -p kaka --use-defaults ${alias1}@${R}
+ext -k ${keytab} ${alias1}@${R}
+modify --alias=${alias2}@${R} ${alias1}@${R}
+add -p cross1 --use-defaults krbtgt/${R2}@${R}
+modify --attributes=+no-auth-data-reqd krbtgt/${R2}@${R}
+add -p cross2 --use-defaults krbtgt/${R}@${R2}
+add -p cross1 --use-defaults krbtgt/${R3}@${R2}
+add -p cross2 --use-defaults krbtgt/${R2}@${R3}
+add -p cross1 --use-defaults krbtgt/${R4}@${R2}
+add -p cross2 --use-defaults krbtgt/${R2}@${R4}
+add -p cross1 --use-defaults krbtgt/${R4}@${R3}
+add -p cross2 --use-defaults krbtgt/${R3}@${R4}
+add -p cross1 --use-defaults krbtgt/${R7}@${R6}
+add -p cross2 --use-defaults krbtgt/${R6}@${R7}
+add -p cross1 --use-defaults krbtgt/${R8}@${R6}
+add -p cross2 --use-defaults krbtgt/${R6}@${R8}
+add -p cross1 --use-defaults krbtgt/${H1}@${R}
+add -p cross2 --use-defaults krbtgt/${R}@${H1}
+add -p cross1 --use-defaults krbtgt/${H2}@${R}
+add -p cross2 --use-defaults krbtgt/${R}@${H2}
+add -p cross1 --use-defaults krbtgt/${H3}@${H2}
+add -p cross2 --use-defaults krbtgt/${H2}@${H3}
+add -p cross1 --use-defaults krbtgt/${H3}@${H4}
+add -p cross2 --use-defaults krbtgt/${H4}@${H3}
+add -p foo --use-defaults pw-expire@${R}
+modify --pw-expiration-time=+1day pw-expire@${R}
+add -p foo --use-defaults pw-expired@${R}
+modify --pw-expiration-time=2012-06-12 pw-expired@${R}
+add -p foo --use-defaults account-expired@${R}
+modify --expiration-time=2012-06-12 account-expired@${R}
+add -p foo --use-defaults foo@${RH}
+EOF
+
+${kadmin5} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R5}
+add -p foo --use-defaults foo@${R5}
+add -p kaka --use-defaults ${server3}@${R5}
+ext -k ${keytab} ${server3}@${R5}
+add -p kaka --use-defaults ${server5}@${R5}
+ext -k ${keytab} ${server5}@${R5}
+EOF
# Note: rps is not trusted-for-delegation
-${kadmin} add -p foo --use-defaults ${rps} || exit 1
-${kadmin} modify --constrained-delegation=${server} ${rps} || exit 1
-${kadmin} ext -k ${keytab} ${rps} || exit 1
-
-${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
-${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
-${kadmin} add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${server3}@${R} || exit 1
-${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1
-${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${namespace}@${R} || exit 1
-${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1
-${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1
-${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${serverip}@${R} || exit 1
-${kadmin} add -p kaka --use-defaults ${serveripname}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${serveripname}@${R} || exit 1
-${kadmin} modify --alias=${serveripname2}@${R} ${serveripname}@${R}
-${kadmin} add -p foo --use-defaults remove2@${R2} || exit 1
-
-${kadmin} add -p nopac --use-defaults ${server4}@${R2} || exit 1
-${kadmin} modify --attributes=+no-auth-data-reqd ${server4}@${R2} || exit 1
-${kadmin} ext -k ${keytab} ${server4}@${R2} || exit 1
-
-${kadmin} add -p kaka --use-defaults ${alias1}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
-${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
-${kadmin} modify --attributes=+no-auth-data-reqd krbtgt/${R2}@${R} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R3} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R2} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R2}@${R4} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R4}@${R3} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R3}@${R4} || exit 1
+${kadmin} <<EOF || exit 1
+add -p foo --use-defaults ${rps}
+modify --constrained-delegation=${server} ${rps}
+ext -k ${keytab} ${rps}
+EOF
${kadmin} add -p cross1 --use-defaults krbtgt/${R5}@${R} || exit 1
${kadmin5} add -p cross2 --use-defaults krbtgt/${R}@${R5} || exit 1
-
${kadmin5} add -p cross1 --use-defaults krbtgt/${R6}@${R5} || exit 1
${kadmin} add -p cross2 --use-defaults krbtgt/${R5}@${R6} || exit 1
-${kadmin} add -p cross1 --use-defaults krbtgt/${R7}@${R6} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R7} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R8}@${R6} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R6}@${R8} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${H1}@${R} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H1} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${H2}@${R} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${H2} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H2} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${H2}@${H3} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${H3}@${H4} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${H4}@${H3} || exit 1
-
-${kadmin} add -p foo --use-defaults pw-expire@${R} || exit 1
-${kadmin} modify --pw-expiration-time=+1day pw-expire@${R} || exit 1
-
-${kadmin} add -p foo --use-defaults pw-expired@${R} || exit 1
-${kadmin} modify --pw-expiration-time=2012-06-12 pw-expired@${R} || exit 1
-
-${kadmin} add -p foo --use-defaults account-expired@${R} || exit 1
-${kadmin} modify --expiration-time=2012-06-12 account-expired@${R} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${RH} || exit 1
-
echo "Check parser"
${kadmin} add -p foo --use-defaults -- -p || exit 1
${kadmin} delete -- -p || exit 1
echo "Doing database check"
-${kadmin} check ${R} || exit 1
-${kadmin} check ${R2} || exit 1
-${kadmin} check ${R3} || exit 1
-${kadmin} check ${R4} || exit 1
+${kadmin} <<EOF
+check ${R}
+check ${R2}
+check ${R3}
+check ${R4}
+check ${R6}
+check ${R7}
+check ${R8}
+check ${H1}
+check ${H2}
+check ${H3}
+check ${H4}
+EOF
+
${kadmin5} check ${R5} || exit 1
-${kadmin} check ${R6} || exit 1
-${kadmin} check ${R7} || exit 1
-${kadmin} check ${R8} || exit 1
-${kadmin} check ${H1} || exit 1
-${kadmin} check ${H2} || exit 1
-${kadmin} check ${H3} || exit 1
-${kadmin} check ${H4} || exit 1
echo "Extracting enctypes"
${ktutil} -k ${keytab} list > tempfile || exit 1
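Review bot: The database-check batch `${kadmin} <<EOF` that holds `check ${R}` through `check ${H4}` is the only heredoc in this change without `|| exit 1`, so a failing `check` no longer fails the test, whereas every replaced `${kadmin} check … || exit 1` line did; it should read `${kadmin} <<EOF || exit 1`. Separately, the two `modify --alias=…` commands (`--alias=${serveripname2}@${R}` and `--alias=${alias2}@${R}`) that previously ran without `|| exit 1` are now inside a fatal heredoc, which is a behaviour change if kadmin's batch mode aborts on the first failing command; presumably that is intended, but it rests on kadmin's batch error semantics, which this diff does not show. The same question applies to every heredoc conversion in the change, so it is worth confirming once that `${kadmin}` returns non-zero when any command in the batch fails rather than only when the last one does.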
{ echo "kpasswdd failed to start"; exit 1; }
kpasswddpid=`getpid kpasswdd`
-
-trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc kpasswdd; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid} ${kpasswddpid} 2>/dev/null
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
${sedvars} < ${CIN} > ${COUT}
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p foo --use-defaults ${principal} || exit 1
-
-${kadmin} cpw -p foo ${principal} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults ${principal}
+cpw -p foo ${principal}
+EOF
sed -e 's/@keys@/v4/' \
${sedvars} < ${CIN} > ${COUT}
parent_shell_proc=$$
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+
if (($# == 0)); then
echo "This is a MANUAL test."
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
- trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+ trap cleanup EXIT INT TERM
ec=0
else
> messages.log
echo "Creating database for $R"
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
-${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
-
-echo "Creating database for ${R2}"
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R2} || exit 1
-
-${kadmin} add -p foo --use-defaults bar@${R2} || exit 1
-
-echo "Doing database check for ${R} ${R2}"
-${kadmin} check ${R} || exit 1
-${kadmin} check ${R2} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults foo@${R}
+add -p kaka --use-defaults ${server}@${R}
+ext -k ${keytab} ${server}@${R}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R2}
+add -p foo --use-defaults bar@${R2}
+check ${R}
+check ${R2}
+EOF
echo foo > ${objdir}/foopassword
{ echo "kpasswdd failed to start"; exit 1; }
kpasswddpid=`getpid kpasswdd`
-trap "kill -9 ${kdcpid} ${kpasswddpid}; echo signal killing kdc; exit \$ec;" EXIT
+cleanup() {
+ echo signal killing kdc and kpasswdd
+ kill -9 ${kdcpid} ${kpasswddpid} 2>/dev/null
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
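Review bot: The replaced trap exited with `exit \$ec`, while the new `cleanup` ends with a hard `exit 1`, so if this script reaches its final `exit $ec` without first clearing the EXIT trap, the EXIT-triggered cleanup will now turn a passing run into a failure (and print "signal killing kdc and kpasswdd" plus `messages.log` on every exit, not only on signals). Either preserve the status inside the function, e.g. `exit "${ec:-1}"` in place of `exit 1`, or make sure the script runs `trap '' EXIT` before its normal exit; the rest of the script is outside this hunk so I cannot tell which applies. Every other cleanup in the change makes the same `exit 1` replacement, but only this trap previously propagated `$ec`.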
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} modify --max-ticket-life=5d krbtgt/${R}@${R} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} add -p bar --use-defaults bar@${R} || exit 1
-${kadmin} add -p baz --use-defaults baz@${R} || exit 1
-${kadmin} add -p foo --use-defaults host/server.test.h5l.se@${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+modify --max-ticket-life=5d krbtgt/${R}@${R}
+add -p foo --use-defaults foo@${R}
+add -p bar --use-defaults bar@${R}
+add -p baz --use-defaults baz@${R}
+add -p foo --use-defaults host/server.test.h5l.se@${R}
+modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R}
+add -p kaka --use-defaults ${server}@${R}
+check ${R}
+EOF
${kadmin} modify --alias=baz2\\@test.h5l.se@${R} baz@${R} || exit 1
-${kadmin} modify --pkinit-acl="CN=baz,DC=test,DC=h5l,DC=se" baz@${R} || exit 1
-
-${kadmin} add -p kaka --use-defaults ${server}@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
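Review bot: `check ${R}` now runs inside the heredoc before `${kadmin} modify --alias=baz2\\@test.h5l.se@${R} baz@${R}` on the following line, whereas the replaced sequence ran the database check last, after the alias had been added, so the alias-bearing entry is no longer covered by the check. Moving the check back out of the heredoc to after the `modify --alias` line, as `${kadmin} check ${R} || exit 1`, restores the previous coverage. The aliases hunk that starts with `add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R}` has the same reordering: its `check ${R}` and `check ${R2}` run before the later `${kadmin} add -p foo --use-defaults baz\\@realm.foo@${R}` line, which used to precede the checks.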
# XXX Do not use committed, in-tree private keys or certificates!
# XXX Add hxtool command to generate a private key w/o generating a CSR
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap 'kill -9 ${kdcpid}; echo signal killing kdc; cat ca.crt kdc.crt pkinit.crt pkinit-synthetic.crt; exit 1;' EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ cat ca.crt kdc.crt pkinit.crt pkinit-synthetic.crt
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R2} || exit 1
-
-${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1
-${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1
-
# User 'foo' gets two aliases in the same realm, and one in the other
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} add_alias foo@${R} foo@${R2} alias1 alias2 || exit 1
-${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
-${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1
-${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1
-
# service1 is an alias of service2, in different realms
-${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1
-${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1
-${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1
-
# service3 and service4 get soft aliases in each other's realms
-${kadmin} add -p foo --use-defaults ${service3}@${R} || exit 1
-${kadmin} add -p foo --use-defaults ${service4}@${R2} || exit 1
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} ${service4}@${R} || exit 1
-${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} ${service3}@${R2} || exit 1
-
# service6 is a hard alias of service5
-${kadmin} add -p foo --use-defaults ${service5}@${R} || exit 1
-${kadmin} add_alias ${service5}@${R} ${service6}@${R2} || exit 1
-
# service8 is a hard alias of service7, but in the opposite direction
-${kadmin} add -p foo --use-defaults ${service7}@${R2} || exit 1
-${kadmin} add_alias ${service5}@${R} ${service8}@${R} || exit 1
-
-${kadmin} add -p foo --use-defaults bar@${R} || exit 1
-${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1
-
-${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
-${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
-
-${kadmin} ext -k ${keytab} krbtgt/${R}@${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R2}
+add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R}
+add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2}
+add -p foo --use-defaults foo@${R}
+add_alias foo@${R} foo@${R2} alias1 alias2
+add -p foo --use-defaults ${service2}@${R2}
+add_alias ${service2}@${R2} ${service1}@${R}
+add -p foo --use-defaults ${service3}@${R}
+add -p foo --use-defaults ${service4}@${R2}
+add_alias WELLKNOWN/REFERRALS/TARGET@${R2} ${service4}@${R}
+add_alias WELLKNOWN/REFERRALS/TARGET@${R} ${service3}@${R2}
+add -p foo --use-defaults ${service5}@${R}
+add_alias ${service5}@${R} ${service6}@${R2}
+add -p foo --use-defaults ${service7}@${R2}
+add_alias ${service5}@${R} ${service8}@${R}
+add -p foo --use-defaults bar@${R}
+add -p cross1 --use-defaults krbtgt/${R2}@${R}
+add -p cross2 --use-defaults krbtgt/${R}@${R2}
+ext -k ${keytab} krbtgt/${R}@${R}
+check ${R}
+check ${R2}
+EOF
+
+${kadmin} add -p foo --use-defaults baz\\@realm.foo@${R} || exit 1
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
-${kadmin} check ${R2} || exit 1
+${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
+${kadmin} get foo@${R} | grep alias2@${R} >/dev/null || exit 1
+${kadmin} get foo@${R} | grep foo@${R2} >/dev/null || exit 1
+${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1
echo foo > ${objdir}/foopassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p foo --use-defaults ${server}@${R} || exit 1
-${kadmin} add -p foo --use-defaults foo@${R} || exit 1
-${kadmin} ext -k ${keytab} foo@${R} || exit 1
-${kadmin} ext -k ${keytab} ${server}@${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults ${server}@${R}
+add -p foo --use-defaults foo@${R}
+ext -k ${keytab} foo@${R}
+ext -k ${keytab} ${server}@${R}
+EOF
echo "password"
${kdc_tester} ${srcdir}/kdc-tester1.json > out-log 2>&1 || exit 1
> messages.log
echo Creating database
-${kadmin} \
- init \
- --realm-max-ticket-life=1day \
- --realm-max-renewable-life=1month \
- ${R} || exit 1
-
-${kadmin} add -p foo --use-defaults user1@${R} || exit 1
-${kadmin} add -p foo --use-defaults user2@${R} || exit 1
-
-echo "Doing database check"
-${kadmin} check ${R} || exit 1
+${kadmin} <<EOF || exit 1
+init --realm-max-ticket-life=1day --realm-max-renewable-life=1month ${R}
+add -p foo --use-defaults user1@${R}
+add -p foo --use-defaults user2@${R}
+check ${R}
+EOF
echo foo > ${objdir}/foopassword
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill -9 ${kdcpid} ${uuspid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid} ${uuspid} 2>/dev/null
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0
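Review bot: The `|| exit 1` on the heredoc form at L2944 only observes kadmin's overall exit status, so whether a failing `add` or `ext` inside the batch still aborts the script depends on kadmin's batch mode propagating per-command errors, which this change does not show; the same construct is used at L2864-L2887 and L2922-L2928. If it does not propagate them, a principal that was never created surfaces later as an opaque kdc or kinit failure instead of at the `add` line that caused it, so a comment such as `# kadmin exits non-zero if any batched command fails` (or a `${kadmin} get` check like the ones at L2893-L2896) would make the assumption explicit. In the L2864 hunk the `check ${R}` / `check ${R2}` lines at L2885-L2886 now run before the `baz\\@realm.foo@${R}` principal is added at L2889, so that principal is no longer covered by the database check that previously followed all adds. Separately, the `kill -9 ${kdcpid}` at L2903 and L2990 lacks the `2>/dev/null` used at L2956, so a kdc that has already exited prints a spurious kill error ahead of messages.log.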
sh ${objdir}/slapd-init || exit 1
-trap "sh ${srcdir}/slapd-stop ; exit 1;" EXIT
+kdcpid=
+cleanup() {
+ if test -n "$kdcpid"; then
+ echo signal killing kdc
+ kill -9 ${kdcpid} 2>/dev/null
+ fi
+ echo Stopping slapd
+ sh ${srcdir}/slapd-stop
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
rm -f current-db*
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill ${kdcpid}; echo signal killing kdc; sh ${srcdir}/slapd-stop ; exit 1;" EXIT
-
ec=0
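Review bot: The `kdcpid=` at L2965 is load-bearing rather than cosmetic: because `cleanup` is now a function, `${kdcpid}` is expanded when the trap fires rather than when it is installed, and the `test -n` guard at L2967 relies on the variable staying empty until `getpid kdc` at L2980 fills it. A one-line comment above it, `# empty until the kdc is started; cleanup only kills it once set`, would keep a future edit from dropping the line as a no-op. The handler also sends SIGKILL where the removed trap at L2981 used plain `kill`; if the kdc needs a chance to flush its log before the `cat messages.log` at L2974, a TERM first may be preferable, though whether that matters is not visible here.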
echo "Getting client initial tickets";
${kdc} --detach --testing || { echo "kdc failed to start"; cat messages.log; exit 1; }
kdcpid=`getpid kdc`
-trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
+cleanup() {
+ echo signal killing kdc
+ kill -9 ${kdcpid}
+ trap '' EXIT INT TERM
+ cat messages.log
+ exit 1
+}
+trap cleanup EXIT INT TERM
ec=0