s4-torture: Add TORTURE_KRB5_TEST_CLOCK_SKEW test

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlet <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

diff --git a/selftest/target/Samba.pm b/selftest/target/Samba.pm
index 8b2e4a664b3aa2b409ae2f83d5ad9be4a5522fa5..1600ed8066a7e9afc45870f95471995919663e12 100644 (file)
--- a/selftest/target/Samba.pm
+++ b/selftest/target/Samba.pm
@@ -205,6 +205,9 @@ sub mk_krb5_conf($$)
  # This is especially required by samba3.raw.session krb5 and
  # reauth tests
  clockskew = 5
+ # We are running on the same machine, do not correct
+ # system clock differences
+ kdc_timesync = 0
 
 ";
 

diff --git a/source4/torture/krb5/kdc-mit.c b/source4/torture/krb5/kdc-mit.c
index 1e12a17b3cf2d79ea62606db86aaeea49411aefe..8037ba3c9fa33f20164e5f69eb98a4053d54b41e 100644 (file)
--- a/source4/torture/krb5/kdc-mit.c
+++ b/source4/torture/krb5/kdc-mit.c
@@ -21,6 +21,7 @@
 
 #include "includes.h"
 #include "system/kerberos.h"
+#include "system/time.h"
 #include "torture/smbtorture.h"
 #include "torture/winbind/proto.h"
 #include "torture/krb5/proto.h"
@@ -358,6 +359,44 @@ static krb5_error_code torture_krb5_post_recv_test(krb5_context context,
                                    "Too many packets");
                break;
        case TORTURE_KRB5_TEST_CLOCK_SKEW:
+               if (test_context->recv_packet_count == 0) {
+                       ok = torture_check_krb5_error(test_context,
+                                                     context,
+                                                     reply,
+                                                     KRB5KDC_ERR_PREAUTH_REQUIRED,
+                                                     false);
+                       torture_assert_goto(test_context->tctx,
+                                           ok,
+                                           ok,
+                                           out,
+                                           "torture_check_krb5_error failed");
+                       if (!ok) {
+                               goto out;
+                       }
+               } else if (test_context->recv_packet_count == 1) {
+                       /*
+                        * This only works if kdc_timesync 0 is set in krb5.conf
+                        *
+                        * See commit 5f39a4438eafd693a3eb8366bbc3901efe62e538
+                        * in the MIT Kerberos source tree.
+                        */
+                       ok = torture_check_krb5_error(test_context,
+                                                     context,
+                                                     reply,
+                                                     KRB5KRB_AP_ERR_SKEW,
+                                                     false);
+                       torture_assert_goto(test_context->tctx,
+                                           ok,
+                                           ok,
+                                           out,
+                                           "torture_check_krb5_error failed");
+               }
+
+               torture_assert_goto(test_context->tctx,
+                                   test_context->recv_packet_count < 2,
+                                   ok,
+                                   out,
+                                   "Too many packets");
                break;
        }
 
@@ -455,6 +494,12 @@ static bool torture_krb5_as_req_creds(struct torture_context *tctx,
                password = "NOT the password";
                break;
        case TORTURE_KRB5_TEST_CLOCK_SKEW:
+               code = krb5_set_real_time(smb_krb5_context->krb5_context,
+                                         time(NULL) + 3600,
+                                         0);
+               torture_assert_int_equal(tctx,
+                                        code, 0,
+                                        "krb5_set_real_time failed");
                break;
        }
 
@@ -487,7 +532,12 @@ static bool torture_krb5_as_req_creds(struct torture_context *tctx,
                                         "have failed");
                return true;
        case TORTURE_KRB5_TEST_CLOCK_SKEW:
-               break;
+               torture_assert_int_equal(tctx,
+                                        code,
+                                        KRB5KRB_AP_ERR_SKEW,
+                                        "krb5_get_init_creds_password should "
+                                        "have failed");
+               return true;
        }
 
        krb5_free_cred_contents(smb_krb5_context->krb5_context,
@@ -526,6 +576,13 @@ static bool torture_krb5_as_req_break_pw(struct torture_context *tctx)
                                         TORTURE_KRB5_TEST_BREAK_PW);
 }
 
+static bool torture_krb5_as_req_clock_skew(struct torture_context *tctx)
+{
+       return torture_krb5_as_req_creds(tctx,
+                                        cmdline_credentials,
+                                        TORTURE_KRB5_TEST_CLOCK_SKEW);
+}
+
 NTSTATUS torture_krb5_init(TALLOC_CTX *ctx)
 {
        struct torture_suite *suite =
@@ -547,10 +604,11 @@ NTSTATUS torture_krb5_init(TALLOC_CTX *ctx)
        torture_suite_add_simple_test(kdc_suite, "as-req-break-pw",
                                      torture_krb5_as_req_break_pw);
 
-#if 0
+       /* This only works if kdc_timesync 0 is set in krb5.conf */
        torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew",
                                      torture_krb5_as_req_clock_skew);
 
+#if 0
        torture_suite_add_suite(kdc_suite, torture_krb5_canon(kdc_suite));
 #endif
        torture_suite_add_suite(suite, kdc_suite);