check-apple-ad.in   [plain text]

#!/bin/sh
#
# Copyright (c) 2010 Kungliga Tekniska Högskolan
# (Royal Institute of Technology, Stockholm, Sweden). 
# All rights reserved. 
#
# Portions Copyright (c) 2010 Apple Inc. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without 
# modification, are permitted provided that the following conditions 
# are met: 
#
# 1. Redistributions of source code must retain the above copyright 
#    notice, this list of conditions and the following disclaimer. 
#
# 2. Redistributions in binary form must reproduce the above copyright 
#    notice, this list of conditions and the following disclaimer in the 
#    documentation and/or other materials provided with the distribution. 
#
# 3. Neither the name of the Institute nor the names of its contributors 
#    may be used to endorse or promote products derived from this software 
#    without specific prior written permission. 
#
# THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND 
# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 
# ARE DISCLAIMED.  IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE 
# FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 
# DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 
# OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 
# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 
# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 
# OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 
# SUCH DAMAGE. 

env_setup="@env_setup@"
testdir="@testdir@"

if [ "$UID" != 0 ] ; then
    echo "must run script as root since it create users"
    exit 1
fi

R=ADS.APPLE.COM

. ${env_setup}

cache="FILE:${testdir}/cache.krb5"

kinit="${kinit} -c $cache"
kdestroy="${kdestroy} -c $cache"

test -d ${testdir} || mkdir -p ${testdir}

if ! ping -c 1 dc03.ads.apple.com > /dev/null 2>&1 ; then
      { echo "no dc03 available, skipping tests" ; exit 0; }
fi

echo "checking for ADS"
if odutil show nodenames | grep '/Active Directory/ADS' > /dev/null ; then
    echo "already joined to ADS"
    needed_unjoin=no
else
    echo "joining ads.apple.com"
    dsconfigad -add $R -force -user bind -password apple || { echo "join failed" ; exit 1; }
    killall -9 digest-service
    needed_unjoin=yes

    echo "sleep some"
    sleep 30
fi

echo "AD"
echo 'show com.apple.opendirectoryd.ActiveDirectory' | scutil


hostname=$(echo 'show com.apple.opendirectoryd.ActiveDirectory' | scutil  | grep TrustAccount | cut -f2 -d: | sed -e 's/ //g' -e 's/\$//')
echo "hostname is: $hostname"

defaults delete /Library/Preferences/com.apple.Kerberos kcm
defaults write /Library/Preferences/com.apple.Kerberos kcm -dict-add disable-ntlm-reflection-detection true


echo "getting credential for PAC test"
echo foobar > ${testdir}/foopassword
${kinit} --password-file=${testdir}/foopassword ktestuser@ADS.APPLE.COM || exit 1

echo "testing PAC"
env KRB5CCNAME="$cache" ${test_context} \
    --mech=krb5 \
    --verify-pac \
    --name-type=krb5-principal-name \
    "host/${hostname}.ads.apple.com@${R}" || { echo "failed to verify PAC"; exit 1; }


echo "Running NTLM in PKINIT reply test"
cat > ${testdir}/acquire.tmp <<EOF
expect Password:
send foobar\n
EOF

echo "	acquire kerberos gss creds with validation"
${rkpty} ${testdir}/acquire.tmp \
	${gsstool} acquire-cred \
             --mech=krb5 --validate \
             --server-hostname=host/${hostname}.ads.apple.com@ADS.APPLE.COM \
             ktestuser@ADS.APPLE.COM >/dev/null || exit 1


echo "running http tests"
echo "	destroy all cred"
${gsstool} destroy --all

cat > ${testdir}/acquire.tmp <<EOF
expect Password:
send foobar\n
EOF

echo "	acquire ntlm creds"
${rkpty} ${testdir}/acquire.tmp \
	${gsstool} acquire-cred --mech=ntlm ktestuser@ADS >/dev/null || exit 1

echo "	check ntlm creds"
${gsstool} list --mech=ntlm | grep ktestuser@ADS >/dev/null || exit 1

echo "	acquire krb5 creds"
${rkpty} ${testdir}/acquire.tmp \
	${gsstool} acquire-cred --mech=krb5 ktestuser@ADS.APPLE.COM  > /dev/null || exit 1

echo "	check krb5 creds"
${gsstool} list --mech=krb5 | grep ktestuser@ADS >/dev/null || exit 1

echo "	spnego/krb5"
${http_client} --mech=spnego --cred-mech=krb5 --client=ktestuser@ADS.APPLE.COM \
    dc03.ads.apple.com /negotiate/ | grep 'http negotiate' > /dev/null || \
    { echo "spnego/krb5 failed" ; exit 1; }

echo "	spnego/ntlm"
${http_client} --mech=spnego --cred-mech=ntlm --client=ktestuser@ADS \
    dc03.ads.apple.com /negotiate/ | grep 'http negotiate' > /dev/null || \
    { echo "spnego/ntlm failed" ; exit 1; }

echo "	ntlm"
${http_client} --mech=ntlm --cred-mech=ntlm --client=ktestuser@ADS \
    dc03.ads.apple.com /negotiate/ | grep 'http negotiate' > /dev/null || \
    { echo "spnego/ntlm failed" ; exit 1; }

echo "	check delegation (spnego w/ kerberos credentials delegate)"
${http_client} --mech=spnego --cred-mech=krb5 --delegate --client=ktestuser@ADS.APPLE.COM \
    dc03.ads.apple.com /authpage/ | grep 'ImpersonationLevel: Delegation' > /dev/null || \
    { echo "spnego/kerberos delegate failed" ; exit 1; }

echo "	check delegation (spnego w/ kerberos credentials policy)"
${http_client} --mech=spnego --cred-mech=krb5 --policy --client=ktestuser@ADS.APPLE.COM \
    dc03.ads.apple.com /authpage/ | grep 'ImpersonationLevel: Delegation' > /dev/null || \
    { echo "spnego/kerberos delegate failed" ; exit 1; }

echo "	check delegation (spnego w/ kerberos credentials, no delegate)"
${http_client} --mech=spnego --cred-mech=krb5 --client=ktestuser@ADS.APPLE.COM \
    dc03.ads.apple.com /authpage/ | grep 'ImpersonationLevel: Impersonation' > /dev/null || \
    { echo "spnego/kerberos delgate (not) failed" ; exit 1; }

echo "	destroy all cred"
${gsstool} destroy --all

# ------------------------------------------------------------------------------------

echo "test change password"
echo admin > ${testdir}/foopassword

${kinit} --password-file=${testdir}/foopassword da3admin@ADS.APPLE.COM || exit 1

pw=ak4unandsop39NuJ

echo "Changing password using admin"
cat > cpw.tmp <<EOF
expect New password
send ${pw}\n
expect New password
send ${pw}\n
expect Success
EOF

${rkpty} cpw.tmp env ${kpasswd} -c ${cache} --admin-principal=da3admin@${R} ktestuser2@${R} || 
	exit 1

echo "test with regular user too"

oldpw="$pw"
pw="39NuJnNjkiHNkhU"

echo "Changing password using regular account"
cat > cpw.tmp <<EOF
expect Password
password ${oldpw}\n
expect New password
send ${pw}\n
expect New password
send ${pw}\n
expect Success
EOF

${rkpty} cpw.tmp env ${kpasswd} ktestuser2@${R} || \
	exit 1

echo "test with test_gsscf"
${test_gsscf} ktestuser2@ADS.APPLE.COM ${pw} ${oldpw} > /dev/null 2>/dev/null || \
    { echo "failed to change password"; exit 1; }


echo "Changing password back using admin"

pw=foobar

cat > cpw.tmp <<EOF
expect New password
send ${pw}\n
expect New password
send ${pw}\n
expect Success
EOF

${rkpty} cpw.tmp env ${kpasswd} -c ${cache} --admin-principal=da3admin@${R} ktestuser2@${R} || \
	exit 1

${kdestroy}

# ------------------------------------------------------------------------------------

#echo "checking ldap"
#echo foobar > ${testdir}/foopassword
#    
#${kinit} --password-file=${testdir}/foopassword ktestuser@ADS.APPLE.COM || exit 1
#    
#env KRB5CCNAME=${cache} \
#    ldapsearch -h dc02.ads.apple.com -b "DC=ads,DC=apple,DC=com" -s base \+ || \
#        { echo "ldap test failed"; exit 1; }
#    
#${kdestroy}

# ------------------------------------------------------------------------------------

#echo "checking mounting with NTLM"
#host=$(hostname)
#if expr "$host" : '.*\.apple\.com' > /dev/null ; then
#    launchctl load -F /System/Library/LaunchDaemons/com.apple.smbd.plist
#    killall smbd
#    sleep 3
#    ${winmount} ${testbase}/apple/coswin7-ads.plist ${host} || exit 1
#    ${winmount} ${testbase}/apple/coswin7-ads-specific.plist ${host} || exit 1
#else
#    echo "not running windows mount test since you are no on apple network"
#fi

# ------------------------------------------------------------------------------------

if [ ${needed_unjoin} = yes ] ; then
    echo "unjoin"
    dsconfigad -remove $R -force -user bind -password apple
    killall -9 digest-service
fi

defaults delete /Library/Preferences/com.apple.Kerberos kcm


exit 0