s4:torture: Adapt LSA tests to newer Heimdal version

The Heimdal upgrade results in some changes that affect these tests. The
cname is now non-NULL in certain circumstances, the IO counts are
different due to a change between the ordering of capaths and referrals,
some requests no longer fail, and referral tickets are not cached
anymore, and so cannot be checked.

NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index 010a253961e272aae49432051d5f967c2dca45e1..d430ee57108122be12fd2754de723606e28c1929 100644 (file)
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -3226,12 +3226,16 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        const char *error_string = NULL;
        const char *workstation = cli_credentials_get_workstation(credentials);
        const char *password = cli_credentials_get_password(credentials);
+#ifndef USING_EMBEDDED_HEIMDAL
        const struct samr_Password *nthash = NULL;
        const struct samr_Password *old_nthash = NULL;
+#endif
        const char *old_password = cli_credentials_get_old_password(credentials);
+#ifndef USING_EMBEDDED_HEIMDAL
        int kvno = cli_credentials_get_kvno(credentials);
        int expected_kvno = 0;
        krb5uint32 t_kvno = 0;
+#endif
        const char *host = torture_setting_string(tctx, "host", NULL);
        krb5_error_code k5ret;
        krb5_boolean k5ok;
@@ -3259,8 +3263,10 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        realm = cli_credentials_get_realm(credentials);
        trusted_realm_name = strupper_talloc(tctx, trusted_dns_name);
 
+#ifndef USING_EMBEDDED_HEIMDAL
        nthash = cli_credentials_get_nt_hash(credentials, ctx);
        old_nthash = cli_credentials_get_old_nt_hash(credentials, ctx);
+#endif
 
        k5ret = smb_krb5_init_context(ctx, tctx->lp_ctx, &ctx->smb_krb5_context);
        torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed");
@@ -3346,7 +3352,14 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message);
        torture_assert(tctx, ctx->error.crealm != NULL, assertion_message);
        torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert(tctx, ctx->error.cname != NULL, assertion_message);
+       torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message);
+       torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message);
+       torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_realm_string, assertion_message);
+#else
        torture_assert(tctx, ctx->error.cname == NULL, assertion_message);
+#endif
        torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message);
 
        ZERO_STRUCT(ctx->counts);
@@ -3371,7 +3384,14 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message);
        torture_assert(tctx, ctx->error.crealm != NULL, assertion_message);
        torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert(tctx, ctx->error.cname != NULL, assertion_message);
+       torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message);
+       torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message);
+       torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_dns_string, assertion_message);
+#else
        torture_assert(tctx, ctx->error.cname == NULL, assertion_message);
+#endif
        torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message);
 
        ZERO_STRUCT(ctx->counts);
@@ -3396,7 +3416,14 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
        torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message);
        torture_assert(tctx, ctx->error.crealm != NULL, assertion_message);
        torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert(tctx, ctx->error.cname != NULL, assertion_message);
+       torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message);
+       torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message);
+       torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_netbios_string, assertion_message);
+#else
        torture_assert(tctx, ctx->error.cname == NULL, assertion_message);
+#endif
        torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message);
 
        torture_comment(tctx, "(%s:%s) password[%s] old_password[%s]\n",
@@ -3558,7 +3585,11 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_type,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
+#endif
        torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
 
@@ -3576,6 +3607,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -3645,6 +3679,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        /* Confirm if we can do a TGS for krbtgt/trusted_dns no CANON */
        ZERO_STRUCT(ctx->counts);
@@ -3665,12 +3700,21 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
+       torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
+#else
        torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
+#endif
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
                                      ctx->krbtgt_trust_dns_creds->server,
+#ifdef USING_EMBEDDED_HEIMDAL
+                                     ctx->krbtgt_trust_dns);
+#else
                                      ctx->krbtgt_trust_realm);
+#endif
        torture_assert(tctx, k5ok, assertion_message);
        type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
                                           ctx->krbtgt_trust_dns_creds->server);
@@ -3690,6 +3734,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -3712,6 +3759,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        /* Confirm if we can do a TGS for krbtgt/NETBIOS with CANON */
        ZERO_STRUCT(ctx->counts);
@@ -3731,7 +3779,11 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_type,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
+#endif
        torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
 
@@ -3749,6 +3801,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -3771,6 +3826,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        /* Confirm if we can do a TGS for krbtgt/NETBIOS no CANON */
        ZERO_STRUCT(ctx->counts);
@@ -3791,12 +3847,21 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
+       torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
+#else
        torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
+#endif
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
                                      ctx->krbtgt_trust_netbios_creds->server,
+#ifdef USING_EMBEDDED_HEIMDAL
+                                     ctx->krbtgt_trust_netbios);
+#else
                                      ctx->krbtgt_trust_realm);
+#endif
        torture_assert(tctx, k5ok, assertion_message);
        type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context,
                                           ctx->krbtgt_trust_netbios_creds->server);
@@ -3816,6 +3881,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -3838,6 +3906,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        cifs_trust_dns_string = talloc_asprintf(ctx, "cifs/%s@%s",
                                                trusted_dns_name, realm);
@@ -3866,8 +3935,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
        torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
+       torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
+#else
        torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
+#endif
 
        /* Confirm if we have the referral ticket in the cache */
        krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
@@ -3883,6 +3957,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -3905,6 +3982,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        cifs_trust_netbios_string = talloc_asprintf(ctx, "cifs/%s@%s",
                                                trusted_netbios_name, realm);
@@ -3933,8 +4011,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
        torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
+       torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
+#else
        torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
+#endif
 
        /* Confirm if we have the referral ticket in the cache */
        krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
@@ -3950,6 +4033,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -3972,6 +4058,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        drs_trust_dns_string = talloc_asprintf(ctx,
                        "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s",
@@ -4001,8 +4088,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
        torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
+       torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
+#else
        torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
+#endif
 
        /* Confirm if we have the referral ticket in the cache */
        krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
@@ -4018,6 +4110,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -4040,6 +4135,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        drs_trust_netbios_string = talloc_asprintf(ctx,
                        "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s",
@@ -4069,8 +4165,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
        torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
+       torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message);
+#else
        torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message);
+#endif
 
        /* Confirm if we have the referral ticket in the cache */
        krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context,
@@ -4086,6 +4187,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                k5ret,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message);
+#else
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
 
        k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context,
@@ -4108,6 +4212,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context,
                                                           k5ret, ctx));
        torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
+#endif
 
        four_trust_dns_string = talloc_asprintf(ctx, "four/tree/two/%s@%s",
                                                trusted_dns_name, realm);
@@ -4136,8 +4241,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx,
                                trusted->trust_attributes,
                                ctx->counts.io, ctx->counts.errors, ctx->counts.ok);
        torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, assertion_message);
+#ifdef USING_EMBEDDED_HEIMDAL
+       torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message);
+       torture_assert_int_equal(tctx, ctx->counts.error_io, 2, assertion_message);
+#else
        torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message);
        torture_assert_int_equal(tctx, ctx->counts.error_io, 1, assertion_message);
+#endif
        torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 7, assertion_message);
 
        /* Confirm if we have no referral ticket in the cache */