Kerberos Integration Testing Project Plan

Adam Seering aseering at MIT.EDU
Thu Jul 12 19:11:09 EDT 2007

> Hi all,
> 	I'm working on setting up a nice integration testing system  
> between different Kerberos distributions running on different  
> OS'es.  I've been asked to type up my plan to date; it's attached.

But Mailman filters attachments...  Oops.  The relevant PDF's at ; text (c/o  
dvi2tty) is pasted below.


                           Kerberos  Interoperability  Test  Suite  Plan

                                                         Adam Seering

                                                         Summer 2007

     This project's long-term goal is to develop an extensible test  
suite that will test an array of Kerberos
implementations,  each  as  compiled  and  installed  on  an  array   
of  different  platforms,  against  each  other.
It will have the ability to do blanket tests (all implementations  
against one another) and spot tests (one
implementation against all others). It will store test results in a  
format that is human-readable and computer-
parseable.  It will have a command-line UI for running tests, and  
will have API hooks to allow GUIs to be

1      Pro ject  Segments

There are many pieces to this project.  Here's an outline of those  
pieces, as I see them.  I have included
estimates of how much more time I expect some of these things to take  
(note that I've already made progress
on many of these things, as will be discussed later). I'm not very  
experienced at making these estimates, so
they are fairly rough;

1.1      Write  Kerberos  test  suite

     o  Verify that gssMonger1  works as intended.  Fix, or report  
and have fixed, any major or showstopper
        bugs. (1 week)

     o  Port the gssMaster controller from Windows Linux, and other  
POSIX-compatible OS'es (1 to 2 weeks)

     o  Modularize gssMonger tests (ie., make it easy to add new  
tests).  Add requested tests.  (Arbitrary; no

1.2      Build  virtual  test  rig

     o  Install an array of operating systems on krbdev-xen, for  
testing (3 days)

     o  Place the VM's on an internal network, behind an IPv4 NAT but  
with direct access via IPv6. Provide
        IPv4 VPN access to this network. (1 week)

     o  Write  a  propagation  mechanism  that,  given  a  Kerberos   
distribution,  will  install  and  configure  the
        distribution on the target machine, for any virtual machine  
in this test rig. (1 week)
      gssMonger is a test suite designed by Microsoft for interop  
testing.  It was designed with the MS Active Directory KDC
in mind, though it should support other KDC's. It consists of two  
binaries, gssMaster and gssMaggot. gssMaggot is installed
on an array of Kerberos client computers to be tested, and gssMaster  
connects to gssMaggot instances over IPv4 or IPv6 and
causes them to execute a series of authentication tests against a  
KDC. gssMaster outputs test results to an XML file.
    gssMonger was recently released as an open-source under the  
Microsoft Permissive License. Pieces of it are still being released;
no documentation is currently available.  Right now, gssMaggot builds  
under Windows and Linux i386, and gssMaster builds
under Windows.

1.3      Write  User  Interface

     o  Write a program that accepts a matrix of test computers and  
Kerberos implementations. The program
        will turn that matrix into a set of one or more gssMonger  
tests, and will use gssMonger and other
        scripts described above to execute those tests. (1 to 2 weeks)

2      Intermediate  Output

This project is rather large; it is entirely possible that I won't be  
able to finish all of it this summer.  To
prevent this from causing wasted effort, I'll work through a number  
of intermediate steps, each of which will
be useful by itself.
     I plan to start by working on gssMonger. This task frequently  
blocks on other people; while waiting, I'll
work on building the virtual test rig. Some tests can be run using  
the stock gssMonger and a partial virtual
test rig, and the set of tests that can be run increases as I  
continue to work on these items, so there are a
variety of useful intermediate states here. I've already demonstrated  
Windows-only testing against an Active
Directory KDC; I hope to follow that with cross-platform testing  
against Active Directory, cross-platform
testing against an MIT Kerberos or Heimdal KDC, and cross-platform  
testing between arbitrary KDC's and
clients.  (The order of these may vary a bit depending on which  
pieces of documentation I get first from

3      Current  Progress

To date, I have run gssMonger tests against Windows systems and  
Microsoft's Kerberos implementations.
I have largely ported gssMaster itself to Linux and MacOS X; I'm  
currently in the process of debugging
the ported executable.  I have reported bugs in gssMaggot's x86_64  
support and in its IPv6 support under
Windows XP; both bugs should be fixed in future gssMaggot releases.
     I have looked through gssMonger's test-module system, and  
determined it to be sufficient for now. To add
a test, one writes a C function that executes that test, then adds  
that function (along with a few descriptive
strings) to an array in a header file.
     I have set up an array of virtual machines on krbdev-xen, and  
comparable arrays of machines on several
other computers.  I have both NAT and VPN setups working in test VM's  
on various computers.  NAT
currently fails on krbdev-xen for unknown reasons; I haven't been  
able to reproduce the problem on any test
machine so far.
     gssMonger is written in C, and I don't currently plan to modify  
it to use any other language.  From
discussion with other people, however, it seems wise to write any new  
programs and scripts in Python.


More information about the krbdev mailing list