git.samba.org / samba.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9b302a5)
selftest: test forwardable flag in cross-realm with s4u2proxy
authorIsaac Boukris <iboukris@gmail.com>
Sat, 9 May 2020 14:26:45 +0000 (16:26 +0200)
committerAndrew Bartlett <abartlet@samba.org>
Fri, 12 Jun 2020 20:42:38 +0000 (20:42 +0000)
Signed-off-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/s4u2p_fwd [new file with mode: 0644] patch | blob
source4/selftest/tests.py patch | blob | history
testprogs/blackbox/test_s4u_heimdal.sh patch | blob | history

diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd
new file mode 100644 (file)
index 0000000..63ade3e
--- /dev/null
+++ b/selftest/knownfail.d/s4u2p_fwd
@@ -0,0 +1,2 @@
+^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user
+^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index d0deeecbd23290ca23e016ccbd1d892c196be0f3..39502236f216b290f1e362fe4898ccd30ea1a453 100755 (executable)
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -488,7 +488,7 @@ if have_heimdal_support:
     plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"])
     plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
     plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
-    plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration])
+    plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration])
 else:
     plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration])
     plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient3, configuration])
diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh
index c6ada54e85bf77f39382aee400041d749760e30c..c63eeaa2e30d0c38f7dafcb7cbb906d1d064e9ea 100755 (executable)
--- a/testprogs/blackbox/test_s4u_heimdal.sh
+++ b/testprogs/blackbox/test_s4u_heimdal.sh
@@ -12,8 +12,13 @@ USERNAME=$2
 PASSWORD=$3
 REALM=$4
 DOMAIN=$5
-PREFIX=$6
-shift 6
+TRUST_SERVER=$6
+TRUST_USERNAME=$7
+TRUST_PASSWORD=$8
+TRUST_REALM=$9
+TRUST_DOMAIN=${10}
+PREFIX=${11}
+shift 11
 failed=0
 
 
@@ -39,7 +44,7 @@ export KRB5CCNAME
 rm -rf $KRB5CCNAME_PATH
 
 princ=test_impersonate_princ
-impersonator=test_impersonator
+impersonator=test_impersonator.$REALM
 target="CIFS/$SERVER.$REALM"
 
 
@@ -72,6 +77,12 @@ testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmp
 testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
 testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
 
+echo $TRUST_PASSWORD > $PREFIX/tmppassfile
+testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+echo $PASSWORD > $PREFIX/tmppassfile
 testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1`
 testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
 testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
Samba Shared Repository