Manual Testing

From K5Wiki

Revision as of 07:16, 11 September 2009

This page describes manual testing procedures. There are two reasons these exist:

  1. Manual testing is sometimes simpler than running an automated test and instrumenting it.
  2. In some cases we have a manual testing procedure for part of the code, but not an automated test.

Basic Test KDC Setup

Test KDCs are a crucial building block of testing. You can set one up as follows:

1. Pick a realm name for your test KDC; this example will assume EXAMPLE.COM.

2. Do a build and install of the krb5 sources into some prefix; this example will assume /usr/local, but anywhere is fine. Put the prefix's bin and sbin directories in your path, or use full pathnames for the commands below.

3. Pick two port numbers, for the KDC and admin server. This example will assume 50000 and 50001.

4. Set up a krb5.conf file somewhere; this example will assume /usr/local/etc/krb5.conf. Make it look something like:

 [libdefaults]
   default_realm = EXAMPLE.COM
   # Depending on what you are testing, you may want something like:
   # default_keytab_name = FILE:/usr/local/var/keytab
 [realms]
   EXAMPLE.COM = {
     admin_server = 127.0.0.1:50001
     kdc = 127.0.0.1:50000
     database_module = DB2
     kdc_ports = 50000
     kadmind_port = 50001
   }
 [dbmodules]
   DB2 = {
     db_library = db2
   }
 [logging]
   # Use any pathnames you want here.
   kdc = FILE:/usr/local/var/krb5kdc/kdc.log
   admin_server = FILE:/usr/local/var/krb5kdc/kadmin.log
 # Depending on what you are testing, you may want:
 # [domain_realm]
 #   .your.domain = EXAMPLE.COM

Set the environment variable KRB5_CONFIG to the pathname of this krb5.conf file, and set KRB5_KDC_PROFILE to /dev/null so that krb5kdc and kadmind do not also read the installed kdc.conf; the settings that would normally live there (kdc_ports, kadmind_port, database_module) are in the [realms] stanza above.

5. Run:

 kdb5_util create -s

Enter a master password; it can be something insecure like "master". The DB will be created in /usr/local/var/krb5kdc/principal and a few other similarly-named files. The master key stash will be created in /usr/local/var/krb5kdc/.k5.EXAMPLE.COM.

6. Run:

 kadmin.local
 addprinc user
 quit

Enter a user password; it can be something insecure like "user".

7. Start the KDC by running:

 krb5kdc

Check the log file specified in krb5.conf if the KDC has any trouble starting. You should be able to "kinit user" at this point.

8. If you need kadmind, add another principal, user/admin (using kadmin.local as described above), and create the file /usr/local/var/krb5kdc/kadm5.acl containing:

 user/admin *

The * grants user/admin every kadmin privilege. Then start the kadmind server with:

 kadmind

If it has trouble starting, check the log file specified in krb5.conf.
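The following script, added here as an example and not part of the K5Wiki page or the krb5 tree, carries out steps 1 to 8 unattended and ends with a kinit as the smoke test. It goes beyond the page in three ways, all assumptions: the realm, ports and a scratch directory TESTDIR are parameters; passwords are given with kdb5_util -P and addprinc -pw so nothing prompts; and database_name, key_stash_file and acl_file keep the database, master key stash and ACL under TESTDIR instead of <prefix>/var/krb5kdc.

```shell
#!/bin/sh
# Added example, not from the page: carry out steps 1-8 above unattended, with
# every piece of KDC state under one scratch directory.  Assumptions beyond the
# page: TESTDIR and the -P/-pw password options (kdb5_util, addprinc) so that no
# prompts appear, and the database_name/key_stash_file/acl_file settings that
# keep the database, stash and ACL out of <prefix>/var/krb5kdc.
set -e

TEST_REALM=${TEST_REALM:-EXAMPLE.COM}
KDC_PORT=${KDC_PORT:-50000}
KADMIN_PORT=${KADMIN_PORT:-50001}
TESTDIR=${TESTDIR:-/tmp/krb5-test-kdc}    # scratch directory (assumption)

# write_krb5_conf REALM KDC_PORT KADMIN_PORT DIR
# Print a krb5.conf that also carries the kdc.conf realm settings, which is
# why KRB5_KDC_PROFILE can point at /dev/null.
write_krb5_conf() {
    realm=$1 kdc_port=$2 kadmin_port=$3 dir=$4
    cat <<EOF
[libdefaults]
    default_realm = $realm
    default_keytab_name = FILE:$dir/keytab

[realms]
    $realm = {
        kdc = 127.0.0.1:$kdc_port
        admin_server = 127.0.0.1:$kadmin_port
        kdc_ports = $kdc_port
        kadmind_port = $kadmin_port
        database_module = DB2
        key_stash_file = $dir/.k5.$realm
        acl_file = $dir/kadm5.acl
    }

[dbmodules]
    DB2 = {
        db_library = db2
        database_name = $dir/principal
    }

[logging]
    kdc = FILE:$dir/kdc.log
    admin_server = FILE:$dir/kadmin.log
EOF
}

# write_kadm5_acl ADMIN_PRINC: one ACL line granting ADMIN_PRINC all privileges.
write_kadm5_acl() {
    printf '%s *\n' "$1"
}

# setup_test_kdc: steps 4 to 8, then a kinit as a smoke test.
setup_test_kdc() {
    mkdir -p "$TESTDIR"
    write_krb5_conf "$TEST_REALM" "$KDC_PORT" "$KADMIN_PORT" "$TESTDIR" > "$TESTDIR/krb5.conf"
    write_kadm5_acl user/admin > "$TESTDIR/kadm5.acl"
    KRB5_CONFIG=$TESTDIR/krb5.conf
    KRB5_KDC_PROFILE=/dev/null
    KRB5CCNAME=FILE:$TESTDIR/ccache      # keep the test TGT out of the real cache
    export KRB5_CONFIG KRB5_KDC_PROFILE KRB5CCNAME

    kdb5_util -P master create -s                      # step 5: DB + stash
    kadmin.local -q 'addprinc -pw user user'           # step 6
    kadmin.local -q 'addprinc -pw admin user/admin'    # step 8: admin principal
    krb5kdc                                            # step 7 (daemonizes)
    kadmind                                            # step 8 (daemonizes)
    sleep 1
    echo user | kinit user                             # smoke test: get a TGT
    klist
}

if [ "${RUN_TEST_KDC:-0}" = 1 ]; then
    setup_test_kdc
fi
```

Run it as RUN_TEST_KDC=1 sh test-kdc.sh with the build's bin and sbin directories on PATH; to tear down, kill krb5kdc and kadmind and remove TESTDIR. The generated krb5.conf is the one from step 4 plus the three path settings, so the rest of this page applies unchanged once KRB5_CONFIG points at it.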

Services4User testing

A test for Services4User can be found in tests/gssapi/t_s4u.c. Here are some notes:

  • Create a computer account FOO$
  • Set the UPN to host/foo.domain (no realm suffix); this is necessary to be able to send an AS-REQ as this principal, otherwise you would need to use the canonical name (FOO$), which will cause principal comparison errors in gss_accept_sec_context() (note: apparently only Windows Server 2008 (W2K8) supports suffix-less UPNs; use the domain as a suffix on earlier versions)
  • Add a SPN of host/foo.domain
  • Configure the computer account to support constrained delegation with protocol transition (Trust this computer for delegation to specified services only / Use any authentication protocol)
  • Add host/foo.domain to the keytab (possibly easiest to do this manually with ktadd)

For S4U2Proxy to work the TGT must be forwardable too.

kinit -k -t test.keytab -f 'host/test.win.mit.edu@WIN.MIT.EDU'
./t_s4u delegtest@WIN.MIT.EDU HOST/winhost.win.mit.edu@WIN.MIT.EDU test.keytab

In the above example delegtest@WIN.MIT.EDU is the principal on whose behalf credentials are acquired using S4U2Self; HOST/winhost.win.mit.edu@WIN.MIT.EDU is the service to which those credentials are delegated using S4U2Proxy; and test.keytab contains the long-term key for host/test.win.mit.edu@WIN.MIT.EDU, the principal running the test.
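The two preconditions above (the keytab must hold the service principal's key, and the TGT obtained with it must be forwardable) are the usual reasons t_s4u fails. The script below is an added example, not code from the page or the krb5 tree: it checks both from klist output before starting t_s4u. The sample klist listings embedded in it are constructed in the shape MIT klist prints, not captured from a real run; the argument order of t_s4u is the one shown on the page.

```shell
#!/bin/sh
# Added example (not from the page or the krb5 tree): preflight checks for an
# S4U2Self/S4U2Proxy run of t_s4u.  Both failure modes the notes above describe
# (service key missing from the keytab, non-forwardable TGT) are caught before
# the test is started.  The sample listings below are constructed, not captured.
set -e

# keytab_has_principal PRINC: read `klist -k` output on stdin and succeed if the
# last column of any entry line is exactly PRINC.
keytab_has_principal() {
    awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

# tgt_is_forwardable: read `klist -f` output on stdin and succeed if the krbtgt
# entry's Flags field contains F (forwardable), which S4U2Proxy requires.
# klist prints the flags either on their own line or after "renew until ...,".
tgt_is_forwardable() {
    awk '
        /krbtgt\// { in_tgt = 1; next }
        in_tgt && match($0, /Flags: [A-Za-z]+/) {
            flags = substr($0, RSTART + 7, RLENGTH - 7); in_tgt = 0
        }
        END { exit (index(flags, "F") ? 0 : 1) }
    '
}

# Constructed sample outputs (same layout as MIT klist -k and klist -f).
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:test.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/test.win.mit.edu@WIN.MIT.EDU
'
SAMPLE_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_test
Default principal: host/test.win.mit.edu@WIN.MIT.EDU

Valid starting     Expires            Service principal
09/11/09 07:16:00  09/11/09 17:16:00  krbtgt/WIN.MIT.EDU@WIN.MIT.EDU
        renew until 09/18/09 07:16:00, Flags: FRIA
'
SAMPLE_NOT_FORWARDABLE='Ticket cache: FILE:/tmp/krb5cc_test
Default principal: host/test.win.mit.edu@WIN.MIT.EDU

Valid starting     Expires            Service principal
09/11/09 07:16:00  09/11/09 17:16:00  krbtgt/WIN.MIT.EDU@WIN.MIT.EDU
        Flags: IA
'

# s4u_preflight KEYTAB SERVICE_PRINC USER_PRINC PROXY_PRINC
# Run the real commands from the notes above, refusing to start t_s4u when a
# precondition is missing.  Requires kinit, klist and t_s4u on PATH/CWD.
s4u_preflight() {
    keytab=$1 service=$2 user=$3 proxy=$4
    klist -k "$keytab" | keytab_has_principal "$service" || {
        echo "no entry for $service in $keytab" >&2; return 1; }
    kinit -k -t "$keytab" -f "$service"
    klist -f | tgt_is_forwardable || {
        echo "TGT for $service is not forwardable; S4U2Proxy will fail" >&2; return 1; }
    ./t_s4u "$user" "$proxy" "$keytab"
}

if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    s4u_preflight "$@"
fi
```

Usage, with the page's names: RUN_PREFLIGHT=1 sh s4u_preflight.sh test.keytab host/test.win.mit.edu@WIN.MIT.EDU delegtest@WIN.MIT.EDU HOST/winhost.win.mit.edu@WIN.MIT.EDU. If the forwardable check fails even though kinit was given -f, look at the account's delegation settings on the domain controller rather than at the client.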