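#!/bin/sh
#
# Integration test for Kerberos / NTLM / SPNEGO against the ADS test domain
# (dc03.ads.apple.com): PAC verification, GSS credential acquisition, HTTP
# negotiate/delegation checks and password changes.
#
# Must run as root: it may join/unjoin the machine to the domain and it
# writes the system Kerberos preferences.  Skips cleanly (exit 0) when the
# test domain controller is not reachable.
#
# Substituted at build time:
#   @env_setup@  - sourced script expected to define kinit, kdestroy, kpasswd,
#                  rkpty, gsstool, test_context, http_client and test_gsscf
#   @testdir@    - scratch directory for the credential cache and temp files
#
# The tool variables from env_setup may hold several words (wrapper plus
# binary), so they are intentionally left unquoted where they are invoked.
env_setup="@env_setup@"
testdir="@testdir@"

# $UID is a bash-ism that /bin/sh is not guaranteed to set; id(1) is portable.
if [ "$(id -u)" != 0 ] ; then
  echo "must run script as root since it create users"
  exit 1
fi

R=ADS.APPLE.COM
. "${env_setup}"

cache="FILE:${testdir}/cache.krb5"
kinit="${kinit} -c ${cache}"
kdestroy="${kdestroy} -c ${cache}"

test -d "${testdir}" || mkdir -p "${testdir}"

if ! ping -c 1 dc03.ads.apple.com > /dev/null 2>&1 ; then
  echo "no dc03 available, skipping tests"
  exit 0
fi

passfile="${testdir}/foopassword"
acquire_script="${testdir}/acquire.tmp"
cpw_script="${testdir}/cpw.tmp"
needed_unjoin=no

# write_secret FILE VALUE
# Writes VALUE plus a newline to FILE, owner-readable only; the umask is
# scoped to a subshell so it does not affect files created by other tools.
write_secret() {
  rm -f -- "$1"
  ( umask 077 ; printf '%s\n' "$2" > "$1" )
}

# Runs on every exit path (including the early 'exit 1's below) so a failed
# run does not leave password files, test credentials or the NTLM
# reflection-detection override in the system Kerberos preferences behind.
cleanup() {
  # the success path already destroyed the cache; only act if it still exists
  [ -f "${testdir}/cache.krb5" ] && ${kdestroy} > /dev/null 2>&1
  rm -f -- "${passfile}" "${acquire_script}" "${cpw_script}"
  # the kcm dictionary is absent on exit paths before it was written; only
  # delete when present so a real deletion failure is still reported
  if defaults read /Library/Preferences/com.apple.Kerberos kcm > /dev/null 2>&1 ; then
    defaults delete /Library/Preferences/com.apple.Kerberos kcm
  fi
}
trap cleanup EXIT

echo "checking for ADS"
if odutil show nodenames | grep '/Active Directory/ADS' > /dev/null ; then
  echo "already joined to ADS"
else
  echo "joining ads.apple.com"
  dsconfigad -add "$R" -force -user bind -password apple || { echo "join failed" ; exit 1; }
  killall -9 digest-service
  needed_unjoin=yes
  echo "sleep some"
  sleep 30
fi

echo "AD"
echo 'show com.apple.opendirectoryd.ActiveDirectory' | scutil
# TrustAccount is the machine account ("NAME$"); strip whitespace and the
# trailing '$' to get the host part of the service principal used below.
trust_host=$(echo 'show com.apple.opendirectoryd.ActiveDirectory' | scutil \
  | grep TrustAccount | cut -f2 -d: | sed -e 's/ //g' -e 's/\$//')
if [ -z "${trust_host}" ] ; then
  echo "could not determine AD trust account name"
  exit 1
fi
echo "hostname is: ${trust_host}"

# Start from a clean kcm dictionary, then disable reflection detection for
# the duration of the test (restored by cleanup on every exit path).
defaults delete /Library/Preferences/com.apple.Kerberos kcm
defaults write /Library/Preferences/com.apple.Kerberos kcm -dict-add disable-ntlm-reflection-detection true

echo "getting credential for PAC test"
write_secret "${passfile}" foobar
${kinit} --password-file="${passfile}" "ktestuser@${R}" || exit 1

echo "testing PAC"
env KRB5CCNAME="${cache}" ${test_context} \
  --mech=krb5 \
  --verify-pac \
  --name-type=krb5-principal-name \
  "host/${trust_host}.ads.apple.com@${R}" || { echo "failed to verify PAC"; exit 1; }

echo "Running NTLM in PKINIT reply test"
# rkpty script shared by every acquire-cred call below (same password each
# time, so it is written once).
( umask 077 ; cat > "${acquire_script}" <<EOF
expect Password:
send foobar\n
EOF
)

echo " acquire kerberos gss creds with validation"
${rkpty} "${acquire_script}" \
  ${gsstool} acquire-cred \
  --mech=krb5 --validate \
  "--server-hostname=host/${trust_host}.ads.apple.com@${R}" \
  "ktestuser@${R}" >/dev/null || exit 1

echo "running http tests"
echo " destroy all cred"
${gsstool} destroy --all

echo " acquire ntlm creds"
${rkpty} "${acquire_script}" \
  ${gsstool} acquire-cred --mech=ntlm ktestuser@ADS >/dev/null || exit 1
echo " check ntlm creds"
${gsstool} list --mech=ntlm | grep ktestuser@ADS >/dev/null || exit 1
echo " acquire krb5 creds"
${rkpty} "${acquire_script}" \
  ${gsstool} acquire-cred --mech=krb5 "ktestuser@${R}" > /dev/null || exit 1
echo " check krb5 creds"
${gsstool} list --mech=krb5 | grep ktestuser@ADS >/dev/null || exit 1

echo " spnego/krb5"
${http_client} --mech=spnego --cred-mech=krb5 "--client=ktestuser@${R}" \
  dc03.ads.apple.com /negotiate/ | grep 'http negotiate' > /dev/null || \
  { echo "spnego/krb5 failed" ; exit 1; }
echo " spnego/ntlm"
${http_client} --mech=spnego --cred-mech=ntlm --client=ktestuser@ADS \
  dc03.ads.apple.com /negotiate/ | grep 'http negotiate' > /dev/null || \
  { echo "spnego/ntlm failed" ; exit 1; }
echo " ntlm"
${http_client} --mech=ntlm --cred-mech=ntlm --client=ktestuser@ADS \
  dc03.ads.apple.com /negotiate/ | grep 'http negotiate' > /dev/null || \
  { echo "ntlm failed" ; exit 1; }

# With --delegate (or --policy) the server must report a delegation-level
# token; without either it must report impersonation level only.
echo " check delegation (spnego w/ kerberos credentials delegate)"
${http_client} --mech=spnego --cred-mech=krb5 --delegate "--client=ktestuser@${R}" \
  dc03.ads.apple.com /authpage/ | grep 'ImpersonationLevel: Delegation' > /dev/null || \
  { echo "spnego/kerberos delegate failed" ; exit 1; }
echo " check delegation (spnego w/ kerberos credentials policy)"
${http_client} --mech=spnego --cred-mech=krb5 --policy "--client=ktestuser@${R}" \
  dc03.ads.apple.com /authpage/ | grep 'ImpersonationLevel: Delegation' > /dev/null || \
  { echo "spnego/kerberos delegate failed" ; exit 1; }
echo " check delegation (spnego w/ kerberos credentials, no delegate)"
${http_client} --mech=spnego --cred-mech=krb5 "--client=ktestuser@${R}" \
  dc03.ads.apple.com /authpage/ | grep 'ImpersonationLevel: Impersonation' > /dev/null || \
  { echo "spnego/kerberos delegate (not) failed" ; exit 1; }

echo " destroy all cred"
${gsstool} destroy --all

echo "test change password"
write_secret "${passfile}" admin
${kinit} --password-file="${passfile}" "da3admin@${R}" || exit 1

pw=ak4unandsop39NuJ
echo "Changing password using admin"
( umask 077 ; cat > "${cpw_script}" <<EOF
expect New password
send ${pw}\n
expect New password
send ${pw}\n
expect Success
EOF
)
${rkpty} "${cpw_script}" env ${kpasswd} -c "${cache}" "--admin-principal=da3admin@${R}" "ktestuser2@${R}" || exit 1

echo "test with regular user too"
oldpw="$pw"
pw="39NuJnNjkiHNkhU"
echo "Changing password using regular account"
( umask 077 ; cat > "${cpw_script}" <<EOF
expect Password
password ${oldpw}\n
expect New password
send ${pw}\n
expect New password
send ${pw}\n
expect Success
EOF
)
${rkpty} "${cpw_script}" env ${kpasswd} "ktestuser2@${R}" || exit 1

echo "test with test_gsscf"
# test_gsscf takes the new and the old password on its command line
${test_gsscf} "ktestuser2@${R}" "${pw}" "${oldpw}" > /dev/null 2>/dev/null || \
  { echo "failed to change password"; exit 1; }

echo "Changing password back using admin"
pw=foobar
( umask 077 ; cat > "${cpw_script}" <<EOF
expect New password
send ${pw}\n
expect New password
send ${pw}\n
expect Success
EOF
)
${rkpty} "${cpw_script}" env ${kpasswd} -c "${cache}" "--admin-principal=da3admin@${R}" "ktestuser2@${R}" || exit 1

${kdestroy}

if [ "${needed_unjoin}" = yes ] ; then
  echo "unjoin"
  dsconfigad -remove "$R" -force -user bind -password apple
  killall -9 digest-service
fi

# temp files and the kcm preference override are removed by the EXIT trap
exit 0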