xref: /freebsd/crypto/krb5/src/tests/t_general.py (revision b670c9bafc0e31c7609969bf374b2e80bdc00211)
1from k5test import *
2
for realm in multipass_realms(create_host=False):
    # A wrong password must be rejected: kinit is expected to exit with
    # status 1 and print the "Password incorrect" error.
    mark('kinit wrong password failure')
    wrong_pw_error = 'Password incorrect while getting initial credentials'
    realm.run([kinit, realm.user_princ], input='wrong\n',
              expected_code=1, expected_msg=wrong_pw_error)

    # Authenticate as the admin principal rather than the default user,
    # then run the klist helper for that principal.
    mark('kinit with specified principal')
    admin_pw = password('admin')
    realm.kinit(realm.admin_princ, admin_pw)
    realm.klist(realm.admin_princ)

    # FAST kinit: create a principal flagged +requires_preauth, kinit as it
    # once normally, then kinit again with -T (kinit's armor-ccache option)
    # pointing at realm.ccache -- presumably the cache the first kinit just
    # filled; confirm against k5test.
    # NOTE: -pw puts the password on the kadmin.local command line, which is
    # only reasonable for a throwaway test realm.
    mark('FAST kinit')
    fast_princ = 'user/fast'
    fast_pw = password('fast')
    realm.run([kadminl, 'ank', '-pw', fast_pw, '+requires_preauth',
               fast_princ])
    realm.kinit(fast_princ, fast_pw)
    realm.kinit(fast_princ, fast_pw, flags=['-T', realm.ccache])
    realm.klist('user/fast@%s' % realm.realm)

    # kinit with the "KDB:" keytab name, so no password is supplied and the
    # key is not read from a keytab file.
    kdb_keytab_args = ["-k", "-t", "KDB:"]
    realm.run([kinit] + kdb_keytab_args + [realm.user_princ])
26
# Obtain initial credentials through the API with an empty password.  The
# "empty" pwqual module is disabled in krb5.conf for this realm, because
# otherwise a principal with an empty password could not be created.
# (Regression test for #7642.)
mark('initial creds with empty password')
pwqual_overrides = {'pwqual': {'disable': 'empty'}}
conf = {'plugins': pwqual_overrides}
realm = K5Realm(create_user=False, create_host=False, krb5_conf=conf)
realm.run([kadminl, 'addprinc', '-pw', '', 'user'])
# Run the icred helper twice: first plain, then with -s (the meaning of -s
# is defined by the icred helper and is not visible here).
for icred_opts in ([], ['-s']):
    realm.run(['./icred'] + icred_opts + ['user', ''])
# Shut this realm down before the next one is created.
realm.stop()
37
# Fresh realm (no host principal) used by all remaining checks.
realm = K5Realm(create_host=False)

# Regression test for #6428: when both conditions hold, the KDC should
# report account expiration in preference to password expiration.
# Step 1 creates 'xpr' with only its password expired; step 2 additionally
# expires the account itself.  After each step icred must fail with the
# matching error.
mark('#6428 regression test')
expiry_steps = (
    (['addprinc', '-randkey', '-pwexpire', 'yesterday', 'xpr'],
     'Password has expired'),
    (['modprinc', '-expire', 'yesterday', 'xpr'],
     "Client's entry in database has expired"),
)
for kadmin_cmd, expired_msg in expiry_steps:
    realm.run([kadminl] + kadmin_cmd)
    realm.run(['./icred', 'xpr'], expected_code=1, expected_msg=expired_msg)
49
# Regression test for #8454: the responder callback was not being used
# when the principal does not require preauth.  The responder helper is
# given the user's password as a "password=..." answer via -r.
mark('#8454 regression test')
responder_answer = 'password=%s' % password('user')
realm.run(['./responder', '-r', responder_answer, realm.user_princ])
55
# Regression test for #8060: a WRONG_REALM response may only be treated as
# a referral when it carries a crealm field naming a different realm.
# kinit -C for an unknown principal must therefore fail with a plain
# "not found" error instead of following a bogus referral.
mark('#8060 regression test')
not_found_msg = 'not found in Kerberos database'
realm.run([kinit, '-C', 'notfoundprinc'],
          expected_code=1, expected_msg=not_found_msg)
62
# Spot-check KRB5_TRACE output: these messages are passed to realm.kinit
# as expected_trace for an ordinary password kinit.  The last entry
# hard-codes the realm name KRBTEST.COM.
mark('KRB5_TRACE spot check')
expected_trace = (
    'Sending initial UDP request',
    'Received answer',
    'Selected etype info',
    'AS key obtained',
    'Decrypted AS reply',
    'FAST negotiation: available',
    'Storing user@KRBTEST.COM',
)
user_pw = password('user')
realm.kinit(realm.user_princ, user_pw, expected_trace=expected_trace)

# Report overall success of the script.
success('FAST kinit, trace logging')
75