s3-selftest: add tests for "net ads kerberos" commands
authorGünther Deschner <gd@samba.org>
Sun, 20 Jul 2025 15:59:37 +0000 (17:59 +0200)
committerGünther Deschner <gd@samba.org>
Thu, 24 Jul 2025 16:30:32 +0000 (16:30 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15840

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
selftest/knownfail
source3/script/tests/test_net_ads_kerberos.sh [new file with mode: 0755]
source3/selftest/tests.py

index 103a0bb1d76a53bfb0899e960d0e99d0f611e560..e602c29adc0823484c806792158d17e318a6ab52 100644 (file)
 # We currently don't send referrals for LDAP modify of non-replicated attrs
 ^samba4.ldap.rodc.python\(rodc\).__main__.RodcTests.test_modify_nonreplicated.*
 
+# net ads kerberos
+samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_kinit.*
+samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_renew.*
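Review bot: The comment `# net ads kerberos` above the two new entries does not say why the kinit and renew tests are expected to fail or when the entries can be dropped. Something like `# net ads kerberos kinit/renew do not pass yet, see https://bugzilla.samba.org/show_bug.cgi?id=15840` would help, assuming the bug cited in the commit message is the one tracking this. The `net_ads_kerberos_kinit.*` pattern also covers every kinit variant in the new script, including the kinit that the renew section runs as a precondition, so the file cannot show which variants actually fail. The entry above is anchored with `^`; doing the same here (`^samba3.blackbox.net_ads_kerberos.*net_ads_kerberos_kinit.*`) would keep the file consistent.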
diff --git a/source3/script/tests/test_net_ads_kerberos.sh b/source3/script/tests/test_net_ads_kerberos.sh
new file mode 100755 (executable)
index 0000000..8a3c9ef
--- /dev/null
@@ -0,0 +1,158 @@
+#!/bin/sh
+
+if [ $# -lt 5 ]; then
+       cat <<EOF
+Usage: test_net_ads_kerberos.sh USERNAME REALM PASSWORD PREFIX
+EOF
+       exit 1
+fi
+
+USERNAME="$1"
+REALM="$2"
+PASSWORD="$3"
+PREFIX="$4"
+shift 4
+ADDARGS="$*"
+
+incdir=$(dirname "$0")/../../../testprogs/blackbox
+. "$incdir"/subunit.sh
+
+mkdir -p "$PREFIX"/private
+PACFILE=$PREFIX/private/pacsave.$$
+
+KRB5CCNAME_PATH="$PREFIX/net_ads_kerberos_krb5ccache"
+rm -f "$KRB5CCNAME_PATH"
+
+KRB5CCNAME="FILE:$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos kinit" variants
+#################################################
+
+testit "net_ads_kerberos_kinit" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+       -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+       || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+       -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+       || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (with --use-krb5-ccache)" \
+#      $VALGRIND $BINDIR/net ads kerberos kinit \
+#      -U$USERNAME%$PASSWORD $ADDARGS \
+#      --use-krb5-ccache=${KRB5CCNAME} \
+#      || failed=$((failed + 1))
+
+testit "net_ads_kerberos_kinit (-P)" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+       -P "$ADDARGS" \
+       || failed=$((failed + 1))
+
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (-P and KRB5CCNAME env set)" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+       -P "$ADDARGS" \
+       || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+# --use-krb5-ccache is not working
+#testit "net_ads_kerberos_kinit (-P with --use-krb5-ccache)" \
+#      $VALGRIND $BINDIR/net ads kerberos kinit \
+#      -P $ADDARGS \
+#      --use-krb5-ccache=${KRB5CCNAME} \
+#      || failed=$((failed + 1))
+
+
+#################################################
+## Test "net ads kerberos renew" variants
+#################################################
+
+#testit "net_ads_kerberos_renew" \
+#      $VALGRIND $BINDIR/net ads kerberos renew \
+#      -U$USERNAME%$PASSWORD $ADDARGS \
+#      || failed=$((failed + 1))
+#
+#export KRB5CCNAME=$KRB5CCNAME_PATH
+#testit "net_ads_kerberos_renew (KRB5CCNAME env)" \
+#      $VALGRIND $BINDIR/net ads kerberos renew \
+#      -U$USERNAME%$PASSWORD $ADDARGS \
+#      || failed=$((failed + 1))
+#unset KRB5CCNAME
+#rm -f $KRB5CCNAME_PATH
+#
+# renew only succeeds with pre-kinit
+export KRB5CCNAME="$KRB5CCNAME_PATH"
+testit "net_ads_kerberos_kinit (KRB5CCNAME env set)" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos kinit \
+       -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+       || failed=$((failed + 1))
+
+testit "net_ads_kerberos_renew" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos renew \
+       -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+       || failed=$((failed + 1))
+unset KRB5CCNAME
+rm -f "$KRB5CCNAME_PATH"
+
+
+#################################################
+## Test "net ads kerberos pac" variants
+#################################################
+
+testit "net_ads_kerberos_pac_dump" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+       -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+       || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (-P)" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+       -P "$ADDARGS" \
+       || failed=$((failed + 1))
+
+IMPERSONATE_PRINC="alice@$REALM"
+
+#testit "net_ads_kerberos_pac_dump (impersonate)" \
+#      $VALGRIND $BINDIR/net ads kerberos pac dump \
+#      -U$USERNAME%$PASSWORD \
+#      impersonate=$IMPERSONATE_PRINC $ADDARGS \
+#      || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_dump (impersonate and -P)" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos pac dump \
+       -P \
+       impersonate="$IMPERSONATE_PRINC" "$ADDARGS" \
+       || failed=$((failed + 1))
+
+# no clue why this doesn't work...
+#
+#testit_expect_failure "net_ads_kerberos_pac_save (without filename)"
+#      $VALGRIND $BINDIR/net ads kerberos pac save \
+#      -U$USERNAME%$PASSWORD $ADDARGS \
+#      || failed=$((failed + 1))
+
+testit "net_ads_kerberos_pac_save" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+       -U"$USERNAME"%"$PASSWORD" "$ADDARGS" \
+       filename="$PACFILE" \
+       || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+
+testit "net_ads_kerberos_pac_save (-P)" \
+       "$VALGRIND" "$BINDIR"/net ads kerberos pac save \
+       -P "$ADDARGS" \
+       filename="$PACFILE" \
+       || failed=$((failed + 1))
+
+rm -f "$PACFILE"
+rm -f "$KRB5CCNAME_PATH"
+
+testok "$0" "$failed"
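Review bot: The ticket cache and the PAC file are only removed on the straight-line path (`rm -f "$KRB5CCNAME_PATH"`, `rm -f "$PACFILE"`), so an interrupted run presumably leaves a credential cache and a saved PAC behind under `$PREFIX`; a `trap 'rm -f "$KRB5CCNAME_PATH" "$PACFILE"' EXIT` placed right after both variables are set would cover that. The kinit variants that run while `KRB5CCNAME` is unset presumably write to the process default cache, which nothing in the script cleans up. `failed` is never initialised, so unless subunit.sh sets it an all-pass run hands an empty string to `testok`; add `failed=0` after sourcing subunit.sh. The usage text names four arguments while the guard `[ $# -lt 5 ]` requires five, and the test name `net_ads_kerberos_kinit (KRB5CCNAME env set)` is used twice, so the two results cannot be told apart by name.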
index 2497211faed2593a33e1f66274586d4015e22621..dad58fca5f2dc98e5794e4387261199f6d3ef23a 100755 (executable)
@@ -1954,6 +1954,18 @@ plantestsuite(
      "bin/samba-tool",
      '$DNSNAME'])
 
+for auth in ["$DC_USERNAME", "$DOMAIN\\\\$DC_USERNAME", "$DC_USERNAME@$REALM" ]:
+    plantestsuite(
+        "samba3.blackbox.net_ads_kerberos (%s)" % auth,
+        "ad_member:local",
+        [os.path.join(samba3srcdir,
+                      "script/tests/test_net_ads_kerberos.sh"),
+         auth,
+         '$REALM',
+         '$DC_PASSWORD',
+         '$PREFIX',
+         configuration])
+
 plantestsuite("samba3.blackbox.force-user-unlink",
               "maptoguest:local",
               [os.path.join(samba3srcdir,
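Review bot: The new `for auth in [...]` loop has no comment saying what the three strings are for; a line such as `# run the suite once per user name form: plain, DOMAIN\user and user@REALM` above it would make the intent clear. All three iterations pass the same `'$PREFIX'`, and the script derives a fixed cache path `$PREFIX/net_ads_kerberos_krb5ccache` from it, so the runs would share one cache file if they were ever scheduled concurrently; that is harmless only as long as they run serially. On style, the list has a stray space before the closing bracket (`"$DC_USERNAME@$REALM" ]`) and the call mixes double-quoted and single-quoted `$VAR` strings.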