tests/krb5: Add a test for S4U2Self with no authorization data required
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 24 Nov 2021 23:46:40 +0000 (12:46 +1300)
committerJule Anger <janger@samba.org>
Sun, 24 Jul 2022 09:42:01 +0000 (11:42 +0200)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3)

python/samba/tests/krb5/s4u_tests.py
selftest/knownfail_heimdal_kdc

index 2953766ef21fc7b63e476a58143bcfbd792db56d..6ec9af114232e1fa03cc869dbc16b833c8fd60a9 100755 (executable)
@@ -324,6 +324,13 @@ class S4UKerberosTests(KDCBaseTest):
                                    sname=service_sname,
                                    etypes=etypes)
 
+        if not expected_error_mode:
+            # Check that the ticket contains a PAC.
+            ticket = kdc_exchange_dict['rep_ticket_creds']
+
+            pac = self.get_ticket_pac(ticket)
+            self.assertIsNotNone(pac)
+
         # Ensure we used all the parameters given to us.
         self.assertEqual({}, kdc_dict)
 
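Review bot: The PAC check added here is repeated almost verbatim in the hunk at `@@ -654,6 +679,15 @@` in `_run_delegation_test`, differing only in the `expect_pac` handling, and the two comments have already started to drift ("Check that" vs "Check whether"); a single helper on the class would keep both test drivers asserting the same thing the same way. `_run_s4u2self_test` begins before this hunk, and `kdc_exchange_dict` is presumably the result of the request call whose trailing arguments are visible at the top of the hunk. Whether `self.get_ticket_pac(ticket)` with no keyword is equivalent to `expect_pac=True` is not visible from the hunk; if it is, both sites can call the helper below, with this site passing no second argument.
```python
    def _check_pac(self, kdc_exchange_dict, expect_pac=True):
        """Assert that the ticket returned by the KDC does (or does not) carry a PAC."""
        ticket = kdc_exchange_dict['rep_ticket_creds']
        pac = self.get_ticket_pac(ticket, expect_pac=expect_pac)
        if expect_pac:
            self.assertIsNotNone(pac)
        else:
            self.assertIsNone(pac)

        # … in _run_s4u2self_test, replacing the added block:
        if not expected_error_mode:
            self._check_pac(kdc_exchange_dict)
```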
@@ -504,6 +511,24 @@ class S4UKerberosTests(KDCBaseTest):
                     self.set_ticket_forwardable, flag=True)
             })
 
+    # Do an S4U2Self where the service does not require authorization data. The
+    # resulting ticket should still contain a PAC.
+    def test_s4u2self_no_auth_data_required(self):
+        self._run_s4u2self_test(
+            {
+                'client_opts': {
+                    'not_delegated': False
+                },
+                'service_opts': {
+                    'trusted_to_auth_for_delegation': True,
+                    'no_auth_data_required': True
+                },
+                'kdc_options': 'forwardable',
+                'modify_service_tgt_fn': functools.partial(
+                    self.set_ticket_forwardable, flag=True),
+                'expected_flags': 'forwardable'
+            })
+
     def _run_delegation_test(self, kdc_dict):
         client_opts = kdc_dict.pop('client_opts', None)
         client_creds = self.get_cached_creds(
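Review bot: The explanation above `test_s4u2self_no_auth_data_required` is a `#` comment rather than a docstring, so it is invisible to `unittest` verbose output and to anyone inspecting the test object; the style of the neighbouring tests is outside the hunk, so match whichever they use. It would also help to record why a PAC is still expected despite `no_auth_data_required`, presumably because in S4U2Self the PAC is the service's only source for the impersonated client's authorization data, but confirm that against the KDC behaviour before stating it. A suggested docstring is `"""S4U2Self against a service with no_auth_data_required set: the KDC should still include a PAC in the returned ticket."""`. Note that this test relies on `_run_s4u2self_test` asserting PAC presence unconditionally rather than on an explicit option, unlike `_run_delegation_test`, which takes `expect_pac`.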
@@ -654,6 +679,15 @@ class S4UKerberosTests(KDCBaseTest):
                                    etypes=etypes,
                                    additional_tickets=additional_tickets)
 
+        if not expected_error_mode:
+            # Check whether the ticket contains a PAC.
+            ticket = kdc_exchange_dict['rep_ticket_creds']
+            pac = self.get_ticket_pac(ticket, expect_pac=expect_pac)
+            if expect_pac:
+                self.assertIsNotNone(pac)
+            else:
+                self.assertIsNone(pac)
+
         # Ensure we used all the parameters given to us.
         self.assertEqual({}, kdc_dict)
 
index 5e94cb63d7ae0bc142fe09740d294792f1b1460b..2025032a278bc04facef55d213907c7b62b80e7a 100644 (file)
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
 #
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required