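#!/bin/sh
# NOTE(review): the text between "then" and 'cat <' on the next line was lost
# when this file was extracted.  The usage check, the head of
# compare_keytabs_sync_kvno and everything this script relies on but does
# not define here (SED1, SED2, keytabs_all, keytabs_sync_kvno,
# keytabs_nosync_kvno, keytab0..keytab4k, get_biggest_vno, testit, testok,
# test_smbclient, samba_*, PREFIX, DC_SERVER, REALM, DOMAIN) are therefore
# not visible.  The surviving fragment is kept verbatim; restore the missing
# part from the repository before running.
if [ $# -lt 1 ]; then cat < "${1}.sync_kvno"
	sed "$SED1" < "$2" | sed "$SED2" | sort > "${2}.sync_kvno"
	diff "${1}.sync_kvno" "${2}.sync_kvno"
	return $?
}

#######################################
# Compare two keytab listings whose kvno is not expected to stay in sync.
# Both listings are normalised with $SED1 and sorted on the first column
# (numeric, descending; the "Vno" column of 'net ads keytab list') and then
# the third, so the order of entries in the listing does not matter.
# Arguments: $1 - reference listing
#            $2 - listing to check
# Outputs:   the sorted listings next to the inputs (*.nosync_kvno);
#            the diff on stdout
# Returns:   exit status of diff (0 when the listings match)
#######################################
compare_keytabs_nosync_kvno()
{
	sed "$SED1" < "$1" | sort -k1rn -k3 > "${1}.nosync_kvno"
	sed "$SED1" < "$2" | sort -k1rn -k3 > "${2}.nosync_kvno"
	diff "${1}.nosync_kvno" "${2}.nosync_kvno"
}

#######################################
# Succeed when $1 is a non-empty string of decimal digits greater than 0.
# Needed because '[ ! "" -gt 0 ]' is an error (status 2), not false, so a
# missing vno would otherwise slip through the checks below.
# Arguments: $1 - value to check
# Returns:   0 when $1 is a positive integer, 1 otherwise
#######################################
is_positive_vno()
{
	case "$1" in
		'' | *[!0-9]*) return 1 ;;
	esac
	[ "$1" -gt 0 ]
}

#######################################
# Echo and run a command line through eval, reporting its output on failure.
# eval is required because the callers hand over the whole command line as a
# single string; every such string in this file is assembled from harness
# variables ($samba_*, $DOMAIN, $DC_DNSNAME), not from external input.
# Globals:   out (command output), ret (command status) - written
# Arguments: $1 - command line to run
# Outputs:   the expanded command line; on failure its output and
#            "command failed"
# Returns:   the command's exit status
#######################################
run_cmd_or_report()
{
	eval echo "$1"
	out=$(eval "$1")
	ret=$?
	if [ "$ret" -ne 0 ]; then
		printf '%s\n' "$out"
		echo "command failed"
	fi
	return "$ret"
}

#######################################
# Change the machine password with the given command and verify that the
# keytabs were updated: the biggest vno in keytab1k must grow by exactly one,
# the join must still be valid and every keytab must match its template.
# Globals:   PREFIX, TMPDIR, samba_net, keytabs_all, keytabs_nosync_kvno,
#            keytabs_sync_kvno (read); vno (set by get_biggest_vno),
#            testname, old_vno, cmd, out, ret, keytab (written)
# Arguments: $1 - test name, used to name the stored listings in $TMPDIR
#            $2.. - password-change command, joined with spaces and run
#                   through eval (callers pass it as one pre-quoted string)
# Outputs:   diagnostics on stdout
# Returns:   0 on success, 1 on the first failed step
#######################################
test_pwd_change()
{
	testname="$1"
	shift

	# Biggest vno before the password change, taken from keytab1k.
	get_biggest_vno "$PREFIX/ad_member_idmap_nss/keytab1k"
	old_vno=$vno
	if ! is_positive_vno "$old_vno"; then
		echo "There is no key with vno in the keytab list above."
		return 1
	fi

	# Change the password.
	cmd="$*"
	run_cmd_or_report "$cmd" || return 1

	# The join must still work with the new password.
	cmd="$samba_net ads testjoin"
	run_cmd_or_report "$cmd" || return 1

	# If the keytab was updated the biggest vno must have grown by exactly one.
	get_biggest_vno "$PREFIX/ad_member_idmap_nss/keytab1k"
	if ! is_positive_vno "$vno" || [ "$vno" -ne $((old_vno + 1)) ]; then
		echo "Old vno=$old_vno, new vno=$vno. Increment by one failed."
		return 1
	fi

	# Store the listing of every keytab in the tmp dir, without the header,
	# warnings and blank lines.  Separate -e patterns instead of '\|', which
	# is a GNU grep extension.
	for keytab in $keytabs_all; do
		$samba_net ads keytab list "$PREFIX/ad_member_idmap_nss/$keytab" |
			grep -v -e '^Vno' -e '^Warning' -e '^$' \
				> "$TMPDIR/${keytab}_${testname}"
	done

	# Compare keytabs that do not sync kvno.
	for keytab in $keytabs_nosync_kvno; do
		if ! compare_keytabs_nosync_kvno \
			"$TMPDIR/${keytab}_template" "$TMPDIR/${keytab}_${testname}"; then
			echo "Comparison of $keytab failed"
			return 1
		fi
	done

	# Compare keytabs that sync kvno.
	for keytab in $keytabs_sync_kvno; do
		if ! compare_keytabs_sync_kvno \
			"$TMPDIR/${keytab}_template" "$TMPDIR/${keytab}_${testname}"; then
			echo "Comparison of $keytab failed"
			return 1
		fi
	done

	return 0
}

# Create the tmp dir.  Nothing below can work without it, so a failed mktemp
# (which would otherwise leave TMPDIR empty and scatter files under /) aborts.
# NOTE(review): this reuses the name of the standard TMPDIR environment
# variable; if the harness exports TMPDIR, the programs run below will see
# the new value too - confirm that is intended.
TMPDIR=$(mktemp -d "$PREFIX/ad_member_idmap_nss/keytab_dir_XXXXXX") || {
	echo "mktemp failed"
	exit 1
}

# Create the template files from the listings defined above.
printf '%s' "$keytab0" > "$TMPDIR/keytab0_template"
printf '%s' "$keytab0k" > "$TMPDIR/keytab0k_template"
printf '%s' "$keytab1" > "$TMPDIR/keytab1_template"
printf '%s' "$keytab1k" > "$TMPDIR/keytab1k_template"
printf '%s' "$keytab2" > "$TMPDIR/keytab2_template"
printf '%s' "$keytab2k" > "$TMPDIR/keytab2k_template"
printf '%s' "$keytab3" > "$TMPDIR/keytab3_template"
printf '%s' "$keytab3k" > "$TMPDIR/keytab3k_template"
printf '%s' "$keytab4k" > "$TMPDIR/keytab4k_template"

# Other approach could e.g. compare first six entries from the template.
# The 6 entries correspond to password and old_password, each has 3 enc. types.
# for k in "$TMPDIR"/keytab*_template
# do
#	head -6 "$k" > "${k}_head6"
# done

# Remove all keytabs so that 'net ads keytab create' builds them from scratch.
for keytab in $keytabs_all; do
	rm -f "$PREFIX/ad_member_idmap_nss/$keytab"
done

DC_DNSNAME="${DC_SERVER}.${REALM}"
SMBCLIENT_UNC="//${DC_DNSNAME}/tmp"

# To have both old and older password we do one unnecessary password change:
testit "wbinfo_change_secret_initial" \
	"$samba_wbinfo" --change-secret --domain="${DOMAIN}" ||
	failed=$((failed + 1))

testit "wbinfo_check_secret_initial" \
	"$samba_wbinfo" --check-secret --domain="${DOMAIN}" ||
	failed=$((failed + 1))

# Create/sync all keytabs
testit "net_ads_keytab_sync" "$samba_net" ads keytab create ||
	failed=$((failed + 1))

testit "wbinfo_change_secret" \
	test_pwd_change "wbinfo_changesecret" \
	"$samba_wbinfo --change-secret --domain=${DOMAIN}" ||
	failed=$((failed + 1))

testit "wbinfo_check_secret" \
	"$samba_wbinfo" --check-secret --domain="${DOMAIN}" ||
	failed=$((failed + 1))

test_smbclient "Test machine login with the changed secret" \
	"ls" "${SMBCLIENT_UNC}" \
	--machine-pass || failed=$((failed + 1))

testit "rpcclient_changetrustpw" \
	test_pwd_change "rpcclient_changetrustpw" \
	"$samba_rpcclient --machine-pass ncacn_np:${DC_DNSNAME}[schannel] -c change_trust_pw" ||
	failed=$((failed + 1))

testit "net_rpc_changetrustpw" \
	test_pwd_change "net_rpc_changetrustpw" \
	"$samba_net rpc changetrustpw --server ${DC_DNSNAME}" ||
	failed=$((failed + 1))

testit "net_ads_changetrustpw" \
	test_pwd_change "net_ads_changetrustpw" \
	"$samba_net ads changetrustpw -I ${DC_DNSNAME}" ||
	failed=$((failed + 1))

test_smbclient "Test machine login with the changed secret end" \
	"ls" "${SMBCLIENT_UNC}" \
	--machine-pass || failed=$((failed + 1))

# Delete the tmp dir; ':?' refuses to run if TMPDIR is somehow empty.
rm -rf "${TMPDIR:?}"

testok "$0" "$failed"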