oysteikt/heimdal
0
0
Fork 0
Code Issues 5 Pull Requests Releases Activity

Compare commits

base: oysteikt:master
Branches Tags
oysteikt:master oysteikt:systemd-support oysteikt:kadmin-get-printf-debugging oysteikt:sd-notify
oysteikt:git2svn-syncpoint-master oysteikt:switch-from-svn-to-git
..
compare: oysteikt:systemd-support
Branches Tags
oysteikt:master oysteikt:systemd-support oysteikt:kadmin-get-printf-debugging oysteikt:sd-notify
oysteikt:git2svn-syncpoint-master oysteikt:switch-from-svn-to-git

2 Commits
master ... systemd-su

Author SHA1 Message Date
h7x4
3a17ecb3e5 WIP 2026-02-08 16:07:33 +09:00
h7x4
19156b61f1 Set up nix tooling 2026-02-08 15:58:06 +09:00
17 changed files with 239 additions and 149 deletions
Expand all files Collapse all files

3
.gitignore vendored
View File

@@ -720,6 +720,3 @@ asn1_*_asn1.c
/tools/krb5-gssapi.pc /tools/krb5-gssapi.pc
/tools/krb5.pc /tools/krb5.pc
/tools/krb5-config /tools/krb5-config
result
result-*

15
configure.ac
View File

@@ -230,6 +230,21 @@ AM_CONDITIONAL([HAVE_MICROHTTPD], [test "$with_microhttpd" != "no"])
AC_SUBST([MICROHTTPD_CFLAGS]) AC_SUBST([MICROHTTPD_CFLAGS])
AC_SUBST([MICROHTTPD_LIBS]) AC_SUBST([MICROHTTPD_LIBS])
dnl systemd sd_notify support
AC_ARG_WITH([systemd],
AC_HELP_STRING([--with-systemd], [use systemd sd_notify for readiness @<:@default=check@:>@]),
[],
[with_systemd=check])
if test "$with_systemd" != "no"; then
PKG_CHECK_MODULES([SYSTEMD], [libsystemd], [with_systemd=yes],[with_systemd=no])
fi
if test "$with_systemd" = "yes"; then
AC_DEFINE_UNQUOTED([HAVE_SYSTEMD], 1, [Define if libsystemd sd_notify is available])
fi
AM_CONDITIONAL([HAVE_SYSTEMD], [test "$with_systemd" != "no"])
AC_SUBST([SYSTEMD_CFLAGS])
AC_SUBST([SYSTEMD_LIBS])
dnl mitkrb5 dnl mitkrb5
AC_ARG_WITH([mitkrb5], AC_ARG_WITH([mitkrb5],
AC_HELP_STRING([--with-mitkrb5=PATH], [Path to MIT Kerberos for interop testing]), AC_HELP_STRING([--with-mitkrb5=PATH], [Path to MIT Kerberos for interop testing]),

6
flake.lock generated
View File

@@ -2,11 +2,11 @@
"nodes": { "nodes": {
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1770380644, "lastModified": 1769740369,
"narHash": "sha256-P7dWMHRUWG5m4G+06jDyThXO7kwSk46C1kgjEWcybkE=", "narHash": "sha256-xKPyJoMoXfXpDM5DFDZDsi9PHArf2k5BJjvReYXoFpM=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "ae67888ff7ef9dff69b3cf0cc0fbfbcd3a722abe", "rev": "6308c3b21396534d8aaeac46179c14c439a89b8a",
"type": "github" "type": "github"
}, },
"original": { "original": {

22
flake.nix
View File

@@ -22,27 +22,13 @@
default = pkgs.callPackage ./nix/shell.nix { }; default = pkgs.callPackage ./nix/shell.nix { };
}); });
packages = forAllSystems (system: pkgs: let packages = forAllSystems (system: pkgs: with pkgs; {
src = lib.fileset.toSource {
root = ./.;
fileset = lib.fileset.difference ./. (lib.fileset.unions [
./.github
./.gitignore
./.zed
./flake.nix
./flake.lock
./nix
]);
};
in {
default = self.packages.${system}.heimdal; default = self.packages.${system}.heimdal;
src = pkgs.runCommand "heimdal-src" {} "ln -s ${src} \"$out\""; heimdal = pkgs.callPackage ./nix/heimdal {
src = lib.cleanSource ./.;
heimdal = pkgs.callPackage ./nix/heimdal/package.nix {
inherit src;
inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration; inherit (pkgs.darwin.apple_sdk.frameworks) CoreFoundation Security SystemConfiguration;
autoreconfHook = pkgs.buildPackages.autoreconfHook271; autoreconfHook = pkgs.buildPackages.autoreconfHook269;
}; };
nixosTest = pkgs.testers.runNixOSTest (import ./nix/nixosTest.nix { inherit nixpkgs; }); nixosTest = pkgs.testers.runNixOSTest (import ./nix/nixosTest.nix { inherit nixpkgs; });

7
kadmin/kadm_conn.c
View File

@@ -35,6 +35,9 @@
#ifdef HAVE_SYS_WAIT_H #ifdef HAVE_SYS_WAIT_H
#include <sys/wait.h> #include <sys/wait.h>
#endif #endif
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
extern int daemon_child; extern int daemon_child;
@@ -304,6 +307,10 @@ start_server(krb5_context contextp, const char *port_str)
krb5_errx(contextp, 1, "no sockets to listen to - exiting"); krb5_errx(contextp, 1, "no sockets to listen to - exiting");
roken_detach_finish(NULL, daemon_child); roken_detach_finish(NULL, daemon_child);
#ifdef HAVE_SYSTEMD
if (getenv("NOTIFY_SOCKET") != NULL)
sd_notify(0, "READY=1");
#endif
wait_for_connection(contextp, socks, num_socks); wait_for_connection(contextp, socks, num_socks);
free(socks); free(socks);

4
kdc/Makefile.am
View File

@@ -4,7 +4,7 @@ include $(top_srcdir)/Makefile.am.common
WFLAGS += $(WFLAGS_ENUM_CONV) WFLAGS += $(WFLAGS_ENUM_CONV)
AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) -I$(srcdir)/../lib/krb5 AM_CPPFLAGS += $(INCLUDE_libintl) $(INCLUDE_openssl_crypto) -I$(srcdir)/../lib/krb5 $(SYSTEMD_CFLAGS)
lib_LTLIBRARIES = ipc_csr_authorizer.la \ lib_LTLIBRARIES = ipc_csr_authorizer.la \
libkdc.la libkdc.la
@@ -174,7 +174,7 @@ hpropd_LDADD = \
$(LIB_kdb) \ $(LIB_kdb) \
$(top_builddir)/lib/asn1/libasn1.la \ $(top_builddir)/lib/asn1/libasn1.la \
$(LIB_roken) \ $(LIB_roken) \
$(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) $(DB3LIB) $(DB1LIB) $(LMDBLIB) $(NDBMLIB) $(SYSTEMD_LIBS)
if PKINIT if PKINIT
LIB_pkinit = $(top_builddir)/lib/hx509/libhx509.la LIB_pkinit = $(top_builddir)/lib/hx509/libhx509.la

9
kdc/connect.c
View File

@@ -32,6 +32,9 @@
*/ */
#include "kdc_locl.h" #include "kdc_locl.h"
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
/* /*
* a tuple describing on what to listen * a tuple describing on what to listen
@@ -1208,6 +1211,12 @@ start_kdc(krb5_context context,
#endif #endif
roken_detach_finish(NULL, daemon_child); roken_detach_finish(NULL, daemon_child);
#ifdef HAVE_SYSTEMD
/* If built with systemd support and running under systemd, notify readiness.
We check NOTIFY_SOCKET to avoid unnecessary calls when not under systemd. */
if (getenv("NOTIFY_SOCKET") != NULL)
sd_notify(0, "READY=1");
#endif
#ifdef HAVE_FORK #ifdef HAVE_FORK
if (!testing_flag) { if (!testing_flag) {

8
kdc/hpropd.c
View File

@@ -32,6 +32,9 @@
*/ */
#include "hprop.h" #include "hprop.h"
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
static int inetd_flag = -1; static int inetd_flag = -1;
static int help_flag; static int help_flag;
@@ -156,6 +159,11 @@ main(int argc, char **argv)
mini_inetd (krb5_getportbyname (context, "hprop", "tcp", mini_inetd (krb5_getportbyname (context, "hprop", "tcp",
HPROP_PORT), &sock); HPROP_PORT), &sock);
} }
#ifdef HAVE_SYSTEMD
/* Notify systemd that the service is ready when running standalone */
if (getenv("NOTIFY_SOCKET") != NULL)
sd_notify(0, "READY=1");
#endif
socket_set_keepalive(sock, 1); socket_set_keepalive(sock, 1);
sin_len = sizeof(ss); sin_len = sizeof(ss);
if (getpeername(sock, sa, &sin_len) < 0) if (getpeername(sock, sa, &sin_len) < 0)

8
kpasswd/kpasswdd.c
View File

@@ -744,6 +744,14 @@ doit(krb5_keytab keytab, int port)
krb5_errx(context, 1, "No sockets!"); krb5_errx(context, 1, "No sockets!");
roken_detach_finish(NULL, daemon_child); roken_detach_finish(NULL, daemon_child);
#ifdef HAVE_SYSTEMD
/* If built with systemd support and running under systemd, notify readiness.
We check NOTIFY_SOCKET to avoid unnecessary calls when not under systemd. */
if (getenv("NOTIFY_SOCKET") != NULL) {
extern int sd_notify(int, const char *);
(void) sd_notify(0, "READY=1");
}
#endif
while (exit_flag == 0) { while (exit_flag == 0) {
krb5_ssize_t retx; krb5_ssize_t retx;

4
lib/roken/Makefile.am
View File

@@ -9,7 +9,7 @@ CLEANFILES = roken.h make-roken.c $(XHEADERS)
lib_LTLIBRARIES = libroken.la lib_LTLIBRARIES = libroken.la
libroken_la_LDFLAGS = -version-info 20:0:1 libroken_la_LDFLAGS = -version-info 20:0:1
libroken_la_CPPFLAGS = -DBUILD_ROKEN_LIB libroken_la_CPPFLAGS = -DBUILD_ROKEN_LIB $(SYSTEMD_CFLAGS)
if versionscript if versionscript
libroken_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map libroken_la_LDFLAGS += $(LDFLAGS_VERSION_SCRIPT)$(srcdir)/version-script.map
@@ -199,7 +199,7 @@ EXTRA_libroken_la_SOURCES = \
search.hin \ search.hin \
vis.hin vis.hin
libroken_la_LIBADD = @LTLIBOBJS@ $(LIB_crypt) $(LIB_pidfile) libroken_la_LIBADD = @LTLIBOBJS@ $(LIB_crypt) $(LIB_pidfile) $(SYSTEMD_LIBS)
if SUNOS if SUNOS
libroken_la_LIBADD += -lnsl -lsocket libroken_la_LIBADD += -lnsl -lsocket
endif endif

29
lib/roken/detach.c
View File

@@ -38,6 +38,10 @@
#endif #endif
#include "roken.h" #include "roken.h"
#ifdef HAVE_SYSTEMD
#include <systemd/sd-daemon.h>
#endif
#ifdef WIN32 #ifdef WIN32
#define dup2 _dup2 #define dup2 _dup2
#endif #endif
@@ -171,6 +175,24 @@ roken_detach_prep(int argc, char **argv, const char *special_arg)
#define dup2 _dup2 #define dup2 _dup2
#endif #endif
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL
roken_sd_notify(const char *state)
{
#ifdef HAVE_SYSTEMD
int r;
if (state == NULL)
return -1;
r = sd_notify(0, state);
if (r > 0)
return 0;
return -1;
#else
(void)state;
return -1;
#endif
}
ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL
roken_detach_finish(const char *dir, int daemon_child_fd) roken_detach_finish(const char *dir, int daemon_child_fd)
{ {
@@ -203,6 +225,13 @@ roken_detach_finish(const char *dir, int daemon_child_fd)
err(1, "failed to chdir to /"); err(1, "failed to chdir to /");
#endif #endif
/*
* Notify systemd that we are ready (if built with systemd support).
* Do this after setsid/chdir and after pidfiles are written so that
* systemd sees the process in its final state.
*/
(void) roken_sd_notify("READY=1");
do { do {
bytes = write(pipefds[1], buf, sizeof(buf)); bytes = write(pipefds[1], buf, sizeof(buf));
} while (bytes == -1 && errno == EINTR); } while (bytes == -1 && errno == EINTR);

1
lib/roken/roken.h.in
View File

@@ -939,6 +939,7 @@ ROKEN_LIB_FUNCTION size_t ROKEN_LIB_CALL
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL roken_detach_prep(int, char **, const char *); ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL roken_detach_prep(int, char **, const char *);
ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL roken_detach_finish(const char *, int); ROKEN_LIB_FUNCTION void ROKEN_LIB_CALL roken_detach_finish(const char *, int);
ROKEN_LIB_FUNCTION int ROKEN_LIB_CALL roken_sd_notify(const char *);
ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL ROKEN_LIB_FUNCTION ssize_t ROKEN_LIB_CALL
net_write (rk_socket_t, const void *, size_t); net_write (rk_socket_t, const void *, size_t);

25
nix/heimdal/0001-Include-db.h-for-nbdb-compat-mode.patch Normal file
View File

@@ -0,0 +1,25 @@
From 749d9451293f9d9f8a3f506401cae369003aeebf Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
Date: Sun, 13 Oct 2024 17:16:13 -0400
Subject: [PATCH] Include db.h for nbdb compat mode
---
lib/otp/otp_db.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/otp/otp_db.c b/lib/otp/otp_db.c
index 036359c1d..32c04bc8c 100644
--- a/lib/otp/otp_db.c
+++ b/lib/otp/otp_db.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
#include "otp_locl.h"
#if defined(HAVE_DB_NDBM)
-# include <ndbm.h>
+# include <db.h>
#elif !defined(HAVE_NDBM)
# include "ndbm_wrap.h"
#endif
--
2.46.0

51
nix/heimdal/0001-Link-tests-with-libresolv.patch Normal file
View File

@@ -0,0 +1,51 @@
From 862900febaec4a2c70257a39374b81138ee9f168 Mon Sep 17 00:00:00 2001
From: Ihar Hrachyshka <ihar.hrachyshka@gmail.com>
Date: Tue, 15 Oct 2024 16:06:33 -0400
Subject: [PATCH] Link tests with libresolv
---
lib/gssapi/Makefile.am | 1 +
lib/krb5/Makefile.am | 2 ++
lib/roken/Makefile.am | 1 +
3 files changed, 4 insertions(+)
diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
index 3254866dc..db967e586 100644
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -403,6 +403,7 @@ LDADD = libgssapi.la \
$(top_builddir)/lib/krb5/libkrb5.la \
$(LIB_roken)
+test_names_LDFLAGS = -lresolv
test_names_LDADD = $(LDADD) $(top_builddir)/lib/asn1/libasn1.la
test_context_LDADD = $(LDADD) $(top_builddir)/lib/asn1/libasn1.la $(top_builddir)/lib/wind/libwind.la
diff --git a/lib/krb5/Makefile.am b/lib/krb5/Makefile.am
index ecce461dd..e22cfe87c 100644
--- a/lib/krb5/Makefile.am
+++ b/lib/krb5/Makefile.am
@@ -330,6 +330,8 @@ test_rfc3961_LDADD = \
$(LIB_hcrypto) \
$(LIB_roken)
+test_plugin_LDFLAGS = -lresolv
+
if DEVELOPER_MODE
headerdeps = $(dist_libkrb5_la_SOURCES)
endif
diff --git a/lib/roken/Makefile.am b/lib/roken/Makefile.am
index 1f530c7ae..8350d7034 100644
--- a/lib/roken/Makefile.am
+++ b/lib/roken/Makefile.am
@@ -54,6 +54,7 @@ libtest_la_CFLAGS = -DTEST_SNPRINTF -DTEST_STRPFTIME
parse_reply_test_SOURCES = parse_reply-test.c resolve.c
parse_reply_test_CFLAGS = -DTEST_RESOLVE
+parse_reply_test_LDFLAGS = -lresolv
test_readenv_SOURCES = test-readenv.c test-mem.c
test_auxval_SOURCES = test-auxval.c
--
2.46.0

13
nix/heimdal/package.nix → nix/heimdal/default.nix
View File

@@ -22,6 +22,7 @@
pam, pam,
libmicrohttpd, libmicrohttpd,
cjson, cjson,
systemdLibs,
CoreFoundation, CoreFoundation,
Security, Security,
@@ -43,6 +44,7 @@
withOpenLDAPAsHDBModule ? false, withOpenLDAPAsHDBModule ? false,
withOpenSSL ? true, withOpenSSL ? true,
withSQLite3 ? true, withSQLite3 ? true,
withSystemd ? true,
}: }:
assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) '' assert lib.assertMsg (withOpenLDAPAsHDBModule -> withOpenLDAP) ''
@@ -89,9 +91,14 @@ stdenv.mkDerivation {
++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ] ++ lib.optionals (withMicroHTTPD) [ libmicrohttpd ]
++ lib.optionals (withOpenLDAP) [ openldap ] ++ lib.optionals (withOpenLDAP) [ openldap ]
++ lib.optionals (withOpenSSL) [ openssl ] ++ lib.optionals (withOpenSSL) [ openssl ]
++ lib.optionals (withSQLite3) [ sqlite ]; ++ lib.optionals (withSQLite3) [ sqlite ]
++ lib.optionals (withSystemd) [ systemdLibs ];
doCheck = true; # env = {
# CHECK_LOCAL = "no-check-local";
# };
# doCheck = true;
nativeCheckInputs = [ nativeCheckInputs = [
curl curl
jdk_headless jdk_headless
@@ -142,8 +149,6 @@ stdenv.mkDerivation {
--replace-fail 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema ' --replace-fail 'SCHEMA_PATHS="' 'SCHEMA_PATHS="${openldap}/etc/schema '
substituteInPlace tests/ldap/check-ldap.in \ substituteInPlace tests/ldap/check-ldap.in \
--replace-fail 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:' --replace-fail 'PATH=' 'PATH=${openldap}/libexec:${openldap}/bin:'
substituteInPlace tests/ldap/Makefile.am \
--replace-fail 'TESTS = check-ldap' 'TESTS ='
substituteInPlace tests/kdc/check-iprop.in \ substituteInPlace tests/kdc/check-iprop.in \
--replace-fail '/bin/pwd' 'pwd' --replace-fail '/bin/pwd' 'pwd'
''; '';

3
nix/module/heimdal.nix
View File

@@ -71,6 +71,7 @@ in
partOf = [ "kerberos-server.target" ]; partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ]; wantedBy = [ "kerberos-server.target" ];
serviceConfig = { serviceConfig = {
Type = "notify";
ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf"; ExecStart = "${package}/libexec/kadmind --config-file=/etc/heimdal-kdc/kdc.conf";
Slice = "system-kerberos-server.slice"; Slice = "system-kerberos-server.slice";
StateDirectory = "heimdal"; StateDirectory = "heimdal";
@@ -83,6 +84,7 @@ in
partOf = [ "kerberos-server.target" ]; partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ]; wantedBy = [ "kerberos-server.target" ];
serviceConfig = { serviceConfig = {
Type = "notify";
ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf"; ExecStart = "${package}/libexec/kdc --config-file=/etc/heimdal-kdc/kdc.conf";
Slice = "system-kerberos-server.slice"; Slice = "system-kerberos-server.slice";
StateDirectory = "heimdal"; StateDirectory = "heimdal";
@@ -95,6 +97,7 @@ in
partOf = [ "kerberos-server.target" ]; partOf = [ "kerberos-server.target" ];
wantedBy = [ "kerberos-server.target" ]; wantedBy = [ "kerberos-server.target" ];
serviceConfig = { serviceConfig = {
Type = "notify";
ExecStart = "${package}/libexec/kpasswdd"; ExecStart = "${package}/libexec/kpasswdd";
Slice = "system-kerberos-server.slice"; Slice = "system-kerberos-server.slice";
StateDirectory = "heimdal"; StateDirectory = "heimdal";

180
nix/nixosTest.nix
View File

@@ -1,6 +1,6 @@
{ nixpkgs }: { nixpkgs }:
( (
{ pkgs, lib, ... }: { pkgs, ... }:
{ {
name = "kerberos_server-heimdal"; name = "kerberos_server-heimdal";
@@ -66,7 +66,6 @@
{ {
principal = "kadmin/admin@FOO.BAR"; principal = "kadmin/admin@FOO.BAR";
access = "all"; access = "all";
target = "";
} }
{ {
principal = "alice/admin@FOO.BAR"; principal = "alice/admin@FOO.BAR";
@@ -78,7 +77,6 @@
"list" "list"
"modify" "modify"
]; ];
target = "";
} }
]; ];
}; };
@@ -141,81 +139,6 @@
testScript = testScript =
{ nodes, ... }: { nodes, ... }:
let
expectTemplate = program: argc: interaction:
pkgs.writeScriptBin "${program}-auto-password" ''
#!${pkgs.expect}/bin/expect -f
set timeout 30
${lib.concatMapStringsSep "\n" (i: "set arg${toString i} [lindex $argv ${toString i}]") (lib.range 0 (argc - 1))}
set args [lrange $argv ${toString argc} end]
eval spawn ${program} $args
${interaction}
expect eof
set exit_status [lindex [wait] 3]
exit $exit_status
'';
kadmin = expectTemplate "kadmin" 1 ''
expect {
"alice/admin@FOO.BAR's Password: " {
send -- "$arg0\n"
}
timeout {
puts stderr "Error: Timeout waiting for password prompt"
exit 2
}
eof {
puts stderr "Error: kadmin exited unexpectedly"
break
}
}
'';
ktutil = expectTemplate "ktutil" 1 ''
expect {
"alice/admin@FOO.BAR's Password: " {
send -- "$arg0\n"
}
timeout {
puts stderr "Error: Timeout waiting for password prompt"
exit 2
}
eof {
puts stderr "Error: ktutil exited unexpectedly"
break
}
}
'';
kpasswd = expectTemplate "kpasswd" 2 ''
set exchanges [list \
[list "alice@FOO.BAR's Password: " $arg0] \
[list "New password: " $arg1] \
[list "Verify password - New password: " $arg1] \
]
foreach pair $exchanges {
lassign $pair prompt reply
expect {
-exact $prompt {
send -- "$reply\n"
}
timeout {
puts stderr "Error: Timeout waiting for: $prompt"
exit 2
}
eof {
puts stderr "Error: Unexpected EOF while waiting for: $prompt"
exit 3
}
}
}
'';
in
'' ''
import string import string
import random import random
@@ -224,6 +147,7 @@
start_all() start_all()
with subtest("Server: initialize realm"): with subtest("Server: initialize realm"):
# for unit in ["kadmind.service", "kdc.socket", "kpasswdd.socket"]:
for unit in ["kadmind.service", "kdc.service", "kpasswdd.service"]: for unit in ["kadmind.service", "kdc.service", "kpasswdd.service"]:
server.wait_for_unit(unit) server.wait_for_unit(unit)
@@ -235,45 +159,36 @@
alice_krb_pw = "alice_hunter2" alice_krb_pw = "alice_hunter2"
alice_old_krb_pw = "" alice_old_krb_pw = ""
alice_krb_admin_pw = "alice_admin_hunter2" alice_krb_admin_pw = "alice_admin_hunter2"
bob_krb_pw = "bob_hunter2"
def random_password(): def random_password():
password_chars = string.ascii_letters + string.digits + "-_" password_chars = string.ascii_letters + string.digits + string.punctuation.replace('"', "")
return "".join(random.choice(password_chars) for _ in range(16)) return "".join(random.choice(password_chars) for _ in range(16))
def kinit(node, user, password):
node.succeed(
f"echo '{password}' > /tmp/pw.txt",
f"kinit --password-file=/tmp/pw.txt {user}",
"rm /tmp/pw.txt",
)
tickets = node.succeed("klist")
assert f"Principal: {user}@FOO.BAR" in tickets
def kadmin(node, command, localAuth=False):
if localAuth:
return node.succeed(f"kadmin -l {command}")
else:
return node.succeed(f"${lib.getExe kadmin} '{alice_krb_admin_pw}' -p alice/admin {command}")
with subtest("Server: initialize user principals and keytabs"): with subtest("Server: initialize user principals and keytabs"):
kadmin(server, f'add --password="{alice_krb_admin_pw}" --use-defaults alice/admin', localAuth=True) server.succeed(f'kadmin -l add --password="{alice_krb_admin_pw}" --use-defaults alice/admin')
kadmin(server, f'add --password="{alice_krb_pw}" --use-defaults alice') server.succeed("kadmin -l ext_keytab --keytab=admin.keytab alice/admin")
kadmin(server, f'add --password="{bob_krb_pw}" --use-defaults bob')
kadmin(server, 'check') server.succeed(f'kadmin -p alice/admin -K admin.keytab add --password="{alice_krb_pw}" --use-defaults alice')
server.succeed("kadmin -l ext_keytab --keytab=alice.keytab alice")
server.wait_for_unit("getty@tty1.service") server.wait_for_unit("getty@tty1.service")
server.wait_until_succeeds("pgrep -f 'agetty.*tty1'") server.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
server.wait_for_unit("default.target") server.wait_for_unit("default.target")
with subtest("Server: initialize host principal with keytab"): with subtest("Server: initialize host principal with keytab"):
server.succeed(f"${lib.getExe ktutil} '{alice_krb_admin_pw}' get -p alice/admin host/server.foo.bar") server.send_chars("sudo ktutil get -p alice/admin host/server.foo.bar\n")
server.wait_until_tty_matches("1", "password for alice:")
server.send_chars("${nodes.server.config.users.users.alice.password}\n")
server.wait_until_tty_matches("1", "alice/admin@FOO.BAR's Password:")
server.send_chars(f'{alice_krb_admin_pw}\n')
server.wait_for_file("/etc/krb5.keytab") server.wait_for_file("/etc/krb5.keytab")
ktutil_list = server.succeed("ktutil list") ktutil_list = server.succeed("sudo ktutil list")
if not "host/server.foo.bar" in ktutil_list: if not "host/server.foo.bar" in ktutil_list:
exit(1) exit(1)
server.send_chars("clear\n")
client.systemctl("start network-online.target") client.systemctl("start network-online.target")
client.wait_for_unit("network-online.target") client.wait_for_unit("network-online.target")
client.wait_for_unit("getty@tty1.service") client.wait_for_unit("getty@tty1.service")
@@ -281,40 +196,71 @@
client.wait_for_unit("default.target") client.wait_for_unit("default.target")
with subtest("Client: initialize host principal with keytab"): with subtest("Client: initialize host principal with keytab"):
kinit(client, "alice/admin", alice_krb_admin_pw) client.succeed(
client.succeed(f"${lib.getExe ktutil} '{alice_krb_admin_pw}' get -p alice/admin host/client.foo.bar") f'echo "{alice_krb_admin_pw}" > pw.txt',
"kinit -p --password-file=pw.txt alice/admin",
)
client.send_chars("sudo ktutil get -p alice/admin host/client.foo.bar\n")
client.wait_until_tty_matches("1", "password for alice:")
client.send_chars("${nodes.client.config.users.users.alice.password}\n")
client.wait_until_tty_matches("1", "alice/admin@FOO.BAR's Password:")
client.send_chars(f"{alice_krb_admin_pw}\n")
client.wait_for_file("/etc/krb5.keytab") client.wait_for_file("/etc/krb5.keytab")
ktutil_list = client.succeed("ktutil list") ktutil_list = client.succeed("sudo ktutil list")
if not "host/client.foo.bar" in ktutil_list: if not "host/client.foo.bar" in ktutil_list:
exit(1) exit(1)
client.send_chars("clear\n")
with subtest("Client: kinit alice"): with subtest("Client: kinit alice"):
kinit(client, "alice", alice_krb_pw) client.succeed(
f"echo '{alice_krb_pw}' > pw.txt",
"kinit -p --password-file=pw.txt alice",
)
tickets = client.succeed("klist")
assert "Principal: alice@FOO.BAR" in tickets
client.send_chars("clear\n")
with subtest("Client: kpasswd alice"): with subtest("Client: kpasswd alice"):
alice_old_krb_pw = alice_krb_pw alice_old_krb_pw = alice_krb_pw
alice_krb_pw = random_password() alice_krb_pw = random_password()
output = client.succeed(f"${lib.getExe kpasswd} {alice_old_krb_pw} {alice_krb_pw}") client.send_chars("kpasswd\n")
assert "Success : Password changed" in output client.wait_until_tty_matches("1", "alice@FOO.BAR's Password:")
client.send_chars(f"{alice_old_krb_pw}\n", 0.1)
client.wait_until_tty_matches("1", "New password:")
client.send_chars(f"{alice_krb_pw}\n", 0.1)
client.wait_until_tty_matches("1", "Verify password - New password:")
client.send_chars(f"{alice_krb_pw}\n", 0.1)
with subtest("Client: kadmin get bob"): client.wait_until_tty_matches("1", "Success : Password changed")
output = kadmin(client, "get bob")
print(output) client.send_chars("clear\n")
assert "Principal: bob@FOO.BAR" in output
with subtest("Server: kinit alice"): with subtest("Server: kinit alice"):
kinit(server, "alice", alice_krb_pw) server.succeed(
"echo 'alice_pw_2' > pw.txt"
"kinit -p --password-file=pw.txt alice",
)
tickets = client.succeed("klist")
assert "Principal: alice@FOO.BAR" in tickets
server.send_chars("clear\n")
with subtest("Server: kpasswd alice"): with subtest("Server: kpasswd alice"):
alice_old_krb_pw = alice_krb_pw alice_old_krb_pw = alice_krb_pw
alice_krb_pw = random_password() alice_krb_pw = random_password()
output = server.succeed(f"${lib.getExe kpasswd} {alice_old_krb_pw} {alice_krb_pw}") server.send_chars("kpasswd\n")
assert "Success : Password changed" in output server.wait_until_tty_matches("1", "alice@FOO.BAR's Password:")
server.send_chars(f"{alice_old_krb_pw}\n", 0.1)
server.wait_until_tty_matches("1", "New password:")
server.send_chars(f"{alice_krb_pw}\n", 0.1)
server.wait_until_tty_matches("1", "Verify password - New password:")
server.send_chars(f"{alice_krb_pw}\n", 0.1)
with subtest("Server: kadmin get bob"): server.wait_until_tty_matches("1", "Success : Password changed")
output = kadmin(server, "get bob")
assert "Principal: bob@FOO.BAR" in output server.send_chars("clear\n")
''; '';
meta.maintainers = pkgs.heimdal.meta.maintainers; meta.maintainers = pkgs.heimdal.meta.maintainers;