2016-06-02 11:14:25 +03:00
/*
2015-01-21 07:27:09 +03:00
Unix SMB / CIFS implementation .
Validate the krb5 pac generation routines
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005 - 2015
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation ; either version 3 of the License , or
( at your option ) any later version .
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
You should have received a copy of the GNU General Public License
along with this program . If not , see < http : //www.gnu.org/licenses/>.
*/
# include "includes.h"
# include "system/kerberos.h"
# include "torture/smbtorture.h"
# include "torture/krb5/proto.h"
# include "auth/credentials/credentials.h"
2020-12-02 19:24:22 +03:00
# include "lib/cmdline/cmdline.h"
2015-01-21 07:27:09 +03:00
# include "source4/auth/kerberos/kerberos.h"
# include "source4/auth/kerberos/kerberos_util.h"
# include "lib/util/util_net.h"
2015-03-11 05:58:36 +03:00
# include "auth/auth.h"
# include "auth/auth_sam_reply.h"
# include "auth/gensec/gensec.h"
# include "param/param.h"
2015-01-21 07:27:09 +03:00
2020-08-07 23:27:39 +03:00
# undef strcasecmp
2015-01-21 07:27:09 +03:00
# define TEST_CANONICALIZE 0x0000001
# define TEST_ENTERPRISE 0x0000002
# define TEST_UPPER_USERNAME 0x0000008
2015-01-23 04:38:51 +03:00
# define TEST_WIN2K 0x0000020
2015-01-23 06:43:48 +03:00
# define TEST_UPN 0x0000040
2015-03-09 01:12:01 +03:00
# define TEST_S4U2SELF 0x0000080
2015-03-27 16:41:19 +03:00
# define TEST_REMOVEDOLLAR 0x0000100
2017-11-16 04:01:56 +03:00
# define TEST_AS_REQ_SPN 0x0000200
2020-05-07 18:17:12 +03:00
# define TEST_ALL 0x00003FF
2015-01-21 07:27:09 +03:00
struct test_data {
2015-01-30 02:31:10 +03:00
const char * test_name ;
2015-01-21 07:27:09 +03:00
const char * realm ;
const char * real_realm ;
2015-01-23 06:43:48 +03:00
const char * real_domain ;
2015-01-21 07:27:09 +03:00
const char * username ;
2015-01-23 06:43:48 +03:00
const char * real_username ;
2015-01-21 07:27:09 +03:00
bool canonicalize ;
bool enterprise ;
bool upper_username ;
2015-01-23 04:38:51 +03:00
bool win2k ;
2015-01-23 06:43:48 +03:00
bool upn ;
bool other_upn_suffix ;
2015-03-09 01:12:01 +03:00
bool s4u2self ;
2015-03-27 16:41:19 +03:00
bool removedollar ;
2017-11-16 04:01:56 +03:00
bool as_req_spn ;
bool spn_is_upn ;
2015-02-05 05:49:40 +03:00
const char * krb5_service ;
const char * krb5_hostname ;
2016-06-02 11:14:25 +03:00
} ;
2015-01-30 02:31:10 +03:00
2015-01-21 07:27:09 +03:00
struct torture_krb5_context {
2015-02-02 02:18:23 +03:00
struct smb_krb5_context * smb_krb5_context ;
2015-01-21 07:27:09 +03:00
struct torture_context * tctx ;
struct addrinfo * server ;
struct test_data * test_data ;
int packet_count ;
} ;
2015-03-11 05:58:36 +03:00
struct pac_data {
const char * principal_name ;
} ;
/*
* A helper function which avoids touching the local databases to
* generate the session info , as we just want to verify the principal
* name that we found in the ticket not the full local token
*/
static NTSTATUS test_generate_session_info_pac ( struct auth4_context * auth_ctx ,
TALLOC_CTX * mem_ctx ,
struct smb_krb5_context * smb_krb5_context ,
DATA_BLOB * pac_blob ,
const char * principal_name ,
const struct tsocket_address * remote_address ,
uint32_t session_info_flags ,
struct auth_session_info * * session_info )
{
NTSTATUS nt_status ;
struct auth_user_info_dc * user_info_dc ;
TALLOC_CTX * tmp_ctx ;
struct pac_data * pac_data ;
2021-12-24 17:21:21 +03:00
if ( pac_blob = = NULL ) {
DBG_ERR ( " pac_blob missing \n " ) ;
return NT_STATUS_NO_IMPERSONATION_TOKEN ;
}
2015-03-11 05:58:36 +03:00
tmp_ctx = talloc_named ( mem_ctx , 0 , " gensec_gssapi_session_info context " ) ;
NT_STATUS_HAVE_NO_MEMORY ( tmp_ctx ) ;
auth_ctx - > private_data = pac_data = talloc_zero ( auth_ctx , struct pac_data ) ;
pac_data - > principal_name = talloc_strdup ( pac_data , principal_name ) ;
if ( ! pac_data - > principal_name ) {
talloc_free ( tmp_ctx ) ;
return NT_STATUS_NO_MEMORY ;
}
nt_status = kerberos_pac_blob_to_user_info_dc ( tmp_ctx ,
* pac_blob ,
smb_krb5_context - > krb5_context ,
& user_info_dc , NULL , NULL ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( tmp_ctx ) ;
return nt_status ;
}
2022-12-12 00:50:01 +03:00
if ( ! ( user_info_dc - > info - > user_flags & NETLOGON_GUEST ) ) {
2015-03-11 05:58:36 +03:00
session_info_flags | = AUTH_SESSION_INFO_AUTHENTICATED ;
}
session_info_flags | = AUTH_SESSION_INFO_SIMPLE_PRIVILEGES ;
nt_status = auth_generate_session_info ( mem_ctx ,
NULL ,
NULL ,
user_info_dc , session_info_flags ,
session_info ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
talloc_free ( tmp_ctx ) ;
return nt_status ;
}
talloc_free ( tmp_ctx ) ;
return NT_STATUS_OK ;
}
/* Check to see if we can pass the PAC across to the NETLOGON server for validation */
2023-08-03 16:42:18 +03:00
/* Also happens to be a really good one-step verification of our Kerberos stack */
2015-03-11 05:58:36 +03:00
static bool test_accept_ticket ( struct torture_context * tctx ,
struct cli_credentials * credentials ,
const char * principal ,
DATA_BLOB client_to_server )
{
NTSTATUS status ;
struct gensec_security * gensec_server_context ;
DATA_BLOB server_to_client ;
struct auth4_context * auth_context ;
struct auth_session_info * session_info ;
struct pac_data * pac_data ;
TALLOC_CTX * tmp_ctx = talloc_new ( tctx ) ;
torture_assert ( tctx , tmp_ctx ! = NULL , " talloc_new() failed " ) ;
auth_context = talloc_zero ( tmp_ctx , struct auth4_context ) ;
torture_assert ( tctx , auth_context ! = NULL , " talloc_new() failed " ) ;
auth_context - > generate_session_info_pac = test_generate_session_info_pac ;
status = gensec_server_start ( tctx ,
lpcfg_gensec_settings ( tctx , tctx - > lp_ctx ) ,
auth_context , & gensec_server_context ) ;
torture_assert_ntstatus_ok ( tctx , status , " gensec_server_start (server) failed " ) ;
status = gensec_set_credentials ( gensec_server_context , credentials ) ;
torture_assert_ntstatus_ok ( tctx , status , " gensec_set_credentials (server) failed " ) ;
status = gensec_start_mech_by_name ( gensec_server_context , " krb5 " ) ;
torture_assert_ntstatus_ok ( tctx , status , " gensec_start_mech_by_name (server) failed " ) ;
server_to_client = data_blob ( NULL , 0 ) ;
/* Do a client-server update dance */
status = gensec_update ( gensec_server_context , tmp_ctx , client_to_server , & server_to_client ) ;
torture_assert_ntstatus_ok ( tctx , status , " gensec_update (server) failed " ) ;
/* Extract the PAC using Samba's code */
status = gensec_session_info ( gensec_server_context , gensec_server_context , & session_info ) ;
torture_assert_ntstatus_ok ( tctx , status , " gensec_session_info failed " ) ;
pac_data = talloc_get_type ( auth_context - > private_data , struct pac_data ) ;
torture_assert ( tctx , pac_data ! = NULL , " gensec_update failed to fill in pac_data in auth_context " ) ;
torture_assert ( tctx , pac_data - > principal_name ! = NULL , " principal_name not present " ) ;
torture_assert_str_equal ( tctx , pac_data - > principal_name , principal , " wrong principal name " ) ;
return true ;
}
2015-01-23 04:07:41 +03:00
2016-06-02 11:14:25 +03:00
/*
2015-01-23 04:07:41 +03:00
* This function is set in torture_krb5_init_context_canon as krb5
* send_and_recv function . This allows us to override what server the
* test is aimed at , and to inspect the packets just before they are
* sent to the network , and before they are processed on the recv
* side .
*
*/
2016-02-03 16:58:47 +03:00
static krb5_error_code test_krb5_send_to_realm_canon_override ( struct smb_krb5_context * smb_krb5_context ,
void * data , /* struct torture_krb5_context */
krb5_const_realm realm ,
time_t timeout ,
const krb5_data * send_buf ,
krb5_data * recv_buf )
2015-01-21 07:27:09 +03:00
{
krb5_error_code k5ret ;
2015-02-02 02:18:23 +03:00
2015-01-21 07:27:09 +03:00
struct torture_krb5_context * test_context
= talloc_get_type_abort ( data , struct torture_krb5_context ) ;
2016-02-03 16:58:47 +03:00
SMB_ASSERT ( smb_krb5_context = = test_context - > smb_krb5_context ) ;
k5ret = smb_krb5_send_and_recv_func_forced_tcp ( smb_krb5_context ,
test_context - > server ,
timeout ,
send_buf ,
recv_buf ) ;
2015-02-07 10:58:42 +03:00
if ( k5ret ! = 0 ) {
return k5ret ;
}
2015-01-21 07:27:09 +03:00
test_context - > packet_count + + ;
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
return k5ret ;
}
static int test_context_destructor ( struct torture_krb5_context * test_context )
{
freeaddrinfo ( test_context - > server ) ;
return 0 ;
}
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
static bool torture_krb5_init_context_canon ( struct torture_context * tctx ,
struct test_data * test_data ,
2015-02-02 02:18:23 +03:00
struct torture_krb5_context * * torture_krb5_context )
2015-01-21 07:27:09 +03:00
{
const char * host = torture_setting_string ( tctx , " host " , NULL ) ;
krb5_error_code k5ret ;
bool ok ;
struct torture_krb5_context * test_context = talloc_zero ( tctx , struct torture_krb5_context ) ;
torture_assert ( tctx , test_context ! = NULL , " Failed to allocate " ) ;
test_context - > test_data = test_data ;
test_context - > tctx = tctx ;
2016-06-02 11:14:25 +03:00
2015-02-02 02:18:23 +03:00
k5ret = smb_krb5_init_context ( test_context , tctx - > lp_ctx , & test_context - > smb_krb5_context ) ;
2015-01-21 07:27:09 +03:00
torture_assert_int_equal ( tctx , k5ret , 0 , " smb_krb5_init_context failed " ) ;
ok = interpret_string_addr_internal ( & test_context - > server , host , AI_NUMERICHOST ) ;
torture_assert ( tctx , ok , " Failed to parse target server " ) ;
talloc_set_destructor ( test_context , test_context_destructor ) ;
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
set_sockaddr_port ( test_context - > server - > ai_addr , 88 ) ;
2016-02-03 16:58:47 +03:00
k5ret = smb_krb5_set_send_to_kdc_func ( test_context - > smb_krb5_context ,
test_krb5_send_to_realm_canon_override ,
NULL , /* send_to_kdc */
test_context ) ;
2015-01-21 07:27:09 +03:00
torture_assert_int_equal ( tctx , k5ret , 0 , " krb5_set_send_to_kdc_func failed " ) ;
2015-02-02 02:18:23 +03:00
* torture_krb5_context = test_context ;
2015-01-21 07:27:09 +03:00
return true ;
}
static bool torture_krb5_as_req_canon ( struct torture_context * tctx , const void * tcase_data )
{
krb5_error_code k5ret ;
krb5_get_init_creds_opt * krb_options = NULL ;
struct test_data * test_data = talloc_get_type_abort ( tcase_data , struct test_data ) ;
krb5_principal principal ;
2015-02-03 05:22:52 +03:00
krb5_principal krbtgt_other ;
2015-01-21 07:27:09 +03:00
krb5_principal expected_principal ;
2017-11-16 04:01:56 +03:00
const char * principal_string = NULL ;
2015-02-03 05:22:52 +03:00
char * krbtgt_other_string ;
2015-01-21 07:27:09 +03:00
int principal_flags ;
2017-11-16 04:01:56 +03:00
const char * expected_principal_string = NULL ;
2015-03-11 05:58:36 +03:00
char * expected_unparse_principal_string ;
2015-01-21 07:27:09 +03:00
int expected_principal_flags ;
char * got_principal_string ;
char * assertion_message ;
2017-05-10 02:10:03 +03:00
const char * password = cli_credentials_get_password (
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ) ;
2015-02-02 02:18:23 +03:00
krb5_context k5_context ;
struct torture_krb5_context * test_context ;
2015-01-21 07:27:09 +03:00
bool ok ;
krb5_creds my_creds ;
2015-01-30 08:17:16 +03:00
krb5_creds * server_creds ;
2015-01-30 02:31:10 +03:00
krb5_ccache ccache ;
krb5_auth_context auth_context ;
char * cc_name ;
krb5_data in_data , enc_ticket ;
2015-01-30 08:17:16 +03:00
krb5_get_creds_opt opt ;
2016-06-02 11:14:25 +03:00
2017-11-16 04:01:56 +03:00
const char * spn = NULL ;
const char * spn_real_realm = NULL ;
2015-01-23 06:43:48 +03:00
const char * upn = torture_setting_string ( tctx , " krb5-upn " , " " ) ;
2015-02-05 05:49:40 +03:00
test_data - > krb5_service = torture_setting_string ( tctx , " krb5-service " , " host " ) ;
test_data - > krb5_hostname = torture_setting_string ( tctx , " krb5-hostname " , " " ) ;
2015-01-23 06:43:48 +03:00
2016-06-02 11:14:25 +03:00
/*
2015-01-23 06:43:48 +03:00
* If we have not passed a UPN on the command line ,
* then skip the UPN tests .
*/
if ( test_data - > upn & & upn [ 0 ] = = ' \0 ' ) {
torture_skip ( tctx , " This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run " ) ;
}
2017-11-16 04:01:56 +03:00
/*
* If we have not passed a SPN on the command line ,
* then skip the SPN tests .
*/
if ( test_data - > as_req_spn & & test_data - > krb5_hostname [ 0 ] = = ' \0 ' ) {
2019-08-29 22:53:43 +03:00
torture_skip ( tctx , " This test needs a hostname specified as --option=torture:krb5-hostname=hostname.example.com and optionally --option=torture:krb5-service=service (defaults to host) to run " ) ;
2017-11-16 04:01:56 +03:00
}
2015-03-27 16:41:19 +03:00
if ( test_data - > removedollar & &
! torture_setting_bool ( tctx , " run_removedollar_test " , false ) )
{
torture_skip ( tctx , " --option=torture:run_removedollar_test=true not specified " ) ;
}
2021-12-22 06:08:43 +03:00
test_data - > realm = test_data - > real_realm ;
2015-01-23 06:43:48 +03:00
if ( test_data - > upn ) {
char * p ;
test_data - > username = talloc_strdup ( test_data , upn ) ;
p = strchr ( test_data - > username , ' @ ' ) ;
if ( p ) {
* p = ' \0 ' ;
p + + ;
}
2016-06-02 11:14:25 +03:00
/*
2015-01-23 06:43:48 +03:00
* Test the UPN behaviour carefully . We can
* test in two different modes , depending on
* what UPN has been set up for us .
*
2016-06-02 11:14:25 +03:00
* If the UPN is in our realm , then we do all the tests with this name also .
2015-01-23 06:43:48 +03:00
*
* If the UPN is not in our realm , then we
* expect the tests that replace the realm to
* fail ( as it won ' t match )
*/
if ( strcasecmp ( p , test_data - > real_realm ) ! = 0 ) {
test_data - > other_upn_suffix = true ;
} else {
test_data - > other_upn_suffix = false ;
}
2016-06-02 11:14:25 +03:00
/*
2015-01-23 06:43:48 +03:00
* This lets us test the combination of the UPN prefix
* with a valid domain , without adding even more
2016-06-02 11:14:25 +03:00
* combinations
2015-01-23 06:43:48 +03:00
*/
2021-12-22 06:08:43 +03:00
test_data - > realm = p ;
2015-01-23 06:43:48 +03:00
}
2015-02-02 02:18:23 +03:00
ok = torture_krb5_init_context_canon ( tctx , test_data , & test_context ) ;
2015-01-21 07:27:09 +03:00
torture_assert ( tctx , ok , " torture_krb5_init_context failed " ) ;
2015-02-02 02:18:23 +03:00
k5_context = test_context - > smb_krb5_context - > krb5_context ;
2016-06-02 11:14:25 +03:00
2021-12-22 06:08:43 +03:00
test_data - > realm = strupper_talloc ( test_data , test_data - > realm ) ;
2015-01-21 07:27:09 +03:00
if ( test_data - > upper_username ) {
2015-02-02 05:01:40 +03:00
test_data - > username = strupper_talloc ( test_data , test_data - > username ) ;
2015-01-21 07:27:09 +03:00
} else {
2015-02-02 05:01:40 +03:00
test_data - > username = talloc_strdup ( test_data , test_data - > username ) ;
2015-01-21 07:27:09 +03:00
}
2015-03-27 16:41:19 +03:00
if ( test_data - > removedollar ) {
char * p ;
p = strchr_m ( test_data - > username , ' $ ' ) ;
torture_assert ( tctx , p ! = NULL , talloc_asprintf ( tctx ,
" username[%s] contains no '$' \n " ,
test_data - > username ) ) ;
* p = ' \0 ' ;
}
2017-11-16 04:01:56 +03:00
spn = talloc_asprintf ( test_data , " %s/%s@%s " ,
test_data - > krb5_service ,
test_data - > krb5_hostname ,
test_data - > realm ) ;
spn_real_realm = talloc_asprintf ( test_data , " %s/%s@%s " ,
test_data - > krb5_service ,
test_data - > krb5_hostname ,
test_data - > real_realm ) ;
2021-12-03 01:58:40 +03:00
if ( ! test_data - > canonicalize & & test_data - > enterprise ) {
torture_skip ( tctx ,
" This test combination "
" is skipped intentionally " ) ;
}
2017-11-16 04:01:56 +03:00
if ( test_data - > as_req_spn ) {
if ( test_data - > enterprise ) {
torture_skip ( tctx ,
" This test combination "
" is skipped intentionally " ) ;
}
principal_string = spn ;
} else {
principal_string = talloc_asprintf ( test_data ,
" %s@%s " ,
test_data - > username ,
test_data - > realm ) ;
}
2016-06-02 11:14:25 +03:00
2017-11-16 04:01:56 +03:00
test_data - > spn_is_upn
= ( strcasecmp ( upn , spn ) = = 0 ) ;
2016-06-02 11:14:25 +03:00
/*
2015-01-21 07:27:09 +03:00
* If we are set to canonicalize , we get back the fixed UPPER
* case realm , and the real username ( ie matching LDAP
2016-06-02 11:14:25 +03:00
* samAccountName )
2015-01-21 07:27:09 +03:00
*
* Otherwise , if we are set to enterprise , we
2016-06-02 11:14:25 +03:00
* get back the whole principal as - sent
2015-01-21 07:27:09 +03:00
*
* Finally , if we are not set to canonicalize , we get back the
* fixed UPPER case realm , but the as - sent username
*/
2017-11-16 04:01:56 +03:00
if ( test_data - > as_req_spn & & ! test_data - > spn_is_upn ) {
expected_principal_string = spn ;
} else if ( test_data - > canonicalize ) {
2015-02-02 02:18:23 +03:00
expected_principal_string = talloc_asprintf ( test_data ,
" %s@%s " ,
test_data - > real_username ,
test_data - > real_realm ) ;
2017-11-16 04:01:56 +03:00
} else if ( test_data - > as_req_spn & & test_data - > spn_is_upn ) {
expected_principal_string = spn_real_realm ;
2015-01-21 07:27:09 +03:00
} else {
2015-02-02 02:18:23 +03:00
expected_principal_string = talloc_asprintf ( test_data ,
" %s@%s " ,
2015-02-02 05:01:40 +03:00
test_data - > username ,
2015-02-02 02:18:23 +03:00
test_data - > real_realm ) ;
2015-01-21 07:27:09 +03:00
}
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
if ( test_data - > enterprise ) {
principal_flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE ;
} else {
2015-01-23 06:43:48 +03:00
if ( test_data - > upn & & test_data - > other_upn_suffix ) {
torture_skip ( tctx , " UPN test for UPN with other UPN suffix only runs with enterprise principals " ) ;
}
2015-01-21 07:27:09 +03:00
principal_flags = 0 ;
}
if ( test_data - > canonicalize ) {
expected_principal_flags = 0 ;
} else {
expected_principal_flags = principal_flags ;
}
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_parse_name_flags ( k5_context ,
2015-01-21 07:27:09 +03:00
principal_string ,
principal_flags ,
& principal ) ,
0 , " krb5_parse_name_flags failed " ) ;
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_parse_name_flags ( k5_context ,
2015-01-21 07:27:09 +03:00
expected_principal_string ,
expected_principal_flags ,
& expected_principal ) ,
0 , " krb5_parse_name_flags failed " ) ;
2017-11-16 04:01:56 +03:00
if ( test_data - > as_req_spn ) {
if ( test_data - > upn ) {
krb5_principal_set_type ( k5_context ,
principal ,
KRB5_NT_PRINCIPAL ) ;
krb5_principal_set_type ( k5_context ,
expected_principal ,
KRB5_NT_PRINCIPAL ) ;
} else {
krb5_principal_set_type ( k5_context ,
principal ,
KRB5_NT_SRV_HST ) ;
krb5_principal_set_type ( k5_context ,
expected_principal ,
KRB5_NT_SRV_HST ) ;
}
}
2015-03-11 05:58:36 +03:00
torture_assert_int_equal ( tctx ,
krb5_unparse_name ( k5_context ,
expected_principal ,
& expected_unparse_principal_string ) ,
0 , " krb5_unparse_name failed " ) ;
2015-02-02 02:18:23 +03:00
/*
* Prepare a AS - REQ and run the TEST_AS_REQ tests
*
*/
test_context - > packet_count = 0 ;
2016-06-02 11:14:25 +03:00
/*
2015-01-21 07:27:09 +03:00
* Set the canonicalize flag if this test requires it
*/
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_get_init_creds_opt_alloc ( k5_context , & krb_options ) ,
2015-01-21 07:27:09 +03:00
0 , " krb5_get_init_creds_opt_alloc failed " ) ;
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_get_init_creds_opt_set_canonicalize ( k5_context ,
krb_options ,
test_data - > canonicalize ) ,
2015-01-21 07:27:09 +03:00
0 , " krb5_get_init_creds_opt_set_canonicalize failed " ) ;
2015-01-23 04:38:51 +03:00
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_get_init_creds_opt_set_win2k ( k5_context ,
krb_options ,
test_data - > win2k ) ,
2015-01-23 04:38:51 +03:00
0 , " krb5_get_init_creds_opt_set_win2k failed " ) ;
2015-02-02 02:18:23 +03:00
k5ret = krb5_get_init_creds_password ( k5_context , & my_creds , principal ,
2015-01-21 07:27:09 +03:00
password , NULL , NULL , 0 ,
NULL , krb_options ) ;
2016-06-02 11:14:25 +03:00
2021-12-22 06:08:43 +03:00
if ( test_context - > test_data - > as_req_spn
2017-11-16 04:01:56 +03:00
& & ! test_context - > test_data - > spn_is_upn ) {
torture_assert_int_equal ( tctx , k5ret ,
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN ,
" Got wrong error_code from "
" krb5_get_init_creds_password " ) ;
/* We can't proceed with more checks */
return true ;
2015-01-23 06:43:48 +03:00
} else {
assertion_message = talloc_asprintf ( tctx ,
" krb5_get_init_creds_password for %s failed: %s " ,
principal_string ,
2015-02-02 02:18:23 +03:00
smb_get_krb5_error_message ( k5_context , k5ret , tctx ) ) ;
2015-01-23 06:43:48 +03:00
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
}
2016-06-02 11:14:25 +03:00
2015-02-03 05:22:52 +03:00
torture_assert ( tctx ,
test_context - > packet_count > 1 ,
" Expected krb5_get_init_creds_password to send more packets " ) ;
2015-01-21 07:27:09 +03:00
/*
* Assert that the reply was with the correct type of
* principal , depending on the flags we set
*/
2021-12-03 01:58:40 +03:00
if ( test_data - > canonicalize = = false & & test_data - > as_req_spn ) {
2017-11-16 04:01:56 +03:00
torture_assert_int_equal ( tctx ,
krb5_principal_get_type ( k5_context ,
my_creds . client ) ,
KRB5_NT_SRV_HST ,
" smb_krb5_init_context gave incorrect client->name.name_type " ) ;
2015-01-21 07:27:09 +03:00
} else {
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_principal_get_type ( k5_context ,
my_creds . client ) ,
KRB5_NT_PRINCIPAL ,
2015-01-21 07:27:09 +03:00
" smb_krb5_init_context gave incorrect client->name.name_type " ) ;
}
2015-02-02 02:18:23 +03:00
2015-01-21 07:27:09 +03:00
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_unparse_name ( k5_context ,
2015-01-21 07:27:09 +03:00
my_creds . client , & got_principal_string ) , 0 ,
" krb5_unparse_name failed " ) ;
assertion_message = talloc_asprintf ( tctx ,
" krb5_get_init_creds_password returned a different principal %s to what was expected %s " ,
got_principal_string , expected_principal_string ) ;
2023-05-10 04:06:18 +03:00
krb5_xfree ( got_principal_string ) ;
2015-02-02 02:18:23 +03:00
torture_assert ( tctx , krb5_principal_compare ( k5_context ,
2015-01-21 07:27:09 +03:00
my_creds . client , expected_principal ) ,
assertion_message ) ;
2015-02-02 02:18:23 +03:00
2015-01-23 04:28:56 +03:00
2015-01-21 07:27:09 +03:00
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_principal_get_type ( k5_context ,
2015-01-21 07:27:09 +03:00
my_creds . server ) , KRB5_NT_SRV_INST ,
2015-01-23 04:28:56 +03:00
" smb_krb5_init_context gave incorrect server->name.name_type " ) ;
2015-02-02 02:18:23 +03:00
2015-01-23 04:28:56 +03:00
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_principal_get_num_comp ( k5_context ,
2015-01-23 04:28:56 +03:00
my_creds . server ) , 2 ,
" smb_krb5_init_context gave incorrect number of components in my_creds.server->name " ) ;
2015-01-21 07:27:09 +03:00
2015-02-02 02:18:23 +03:00
torture_assert_str_equal ( tctx ,
krb5_principal_get_comp_string ( k5_context ,
my_creds . server , 0 ) ,
2015-01-21 07:27:09 +03:00
" krbtgt " ,
" smb_krb5_init_context gave incorrect my_creds.server->name.name_string[0] " ) ;
2021-12-03 01:58:40 +03:00
if ( test_data - > canonicalize ) {
2015-02-02 02:18:23 +03:00
torture_assert_str_equal ( tctx ,
krb5_principal_get_comp_string ( k5_context ,
my_creds . server , 1 ) ,
2015-01-23 04:28:56 +03:00
test_data - > real_realm ,
2015-02-02 02:18:23 +03:00
2015-01-23 04:28:56 +03:00
" smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1] " ) ;
} else {
2015-02-02 02:18:23 +03:00
torture_assert_str_equal ( tctx ,
krb5_principal_get_comp_string ( k5_context ,
my_creds . server , 1 ) ,
2015-01-30 02:31:10 +03:00
test_data - > realm ,
2015-02-02 02:18:23 +03:00
2015-01-23 04:28:56 +03:00
" smb_krb5_init_context gave incorrect my_creds.server->name.name_string[1] " ) ;
}
2015-02-02 02:18:23 +03:00
torture_assert_str_equal ( tctx ,
krb5_principal_get_realm ( k5_context ,
my_creds . server ) ,
2015-01-23 04:28:56 +03:00
test_data - > real_realm ,
" smb_krb5_init_context gave incorrect my_creds.server->realm " ) ;
2015-01-30 02:31:10 +03:00
/* Store the result of the 'kinit' above into a memory ccache */
cc_name = talloc_asprintf ( tctx , " MEMORY:%s " , test_data - > test_name ) ;
2015-02-02 02:18:23 +03:00
torture_assert_int_equal ( tctx , krb5_cc_resolve ( k5_context , cc_name ,
2015-01-30 02:31:10 +03:00
& ccache ) ,
0 , " krb5_cc_resolve failed " ) ;
2015-02-02 02:18:23 +03:00
torture_assert_int_equal ( tctx , krb5_cc_initialize ( k5_context ,
2015-01-30 02:31:10 +03:00
ccache , my_creds . client ) ,
0 , " krb5_cc_initialize failed " ) ;
2015-02-02 02:18:23 +03:00
torture_assert_int_equal ( tctx , krb5_cc_store_cred ( k5_context ,
2015-01-30 02:31:10 +03:00
ccache , & my_creds ) ,
0 , " krb5_cc_store_cred failed " ) ;
2015-02-03 05:22:52 +03:00
/*
* Prepare a TGS - REQ and run the TEST_TGS_REQ_KRBTGT_CANON tests
*
* This tests krb5_get_creds behaviour , which allows us to set
* the KRB5_GC_CANONICALIZE option against the krbtgt / principal
*/
krbtgt_other_string = talloc_asprintf ( test_data , " krbtgt/%s@%s " , test_data - > real_domain , test_data - > real_realm ) ;
torture_assert_int_equal ( tctx ,
krb5_make_principal ( k5_context , & krbtgt_other ,
test_data - > real_realm , " krbtgt " ,
test_data - > real_domain , NULL ) ,
0 , " krb5_make_principal failed " ) ;
test_context - > packet_count = 0 ;
torture_assert_int_equal ( tctx ,
krb5_get_creds_opt_alloc ( k5_context , & opt ) ,
0 , " krb5_get_creds_opt_alloc " ) ;
krb5_get_creds_opt_add_options ( k5_context ,
opt ,
KRB5_GC_CANONICALIZE ) ;
krb5_get_creds_opt_add_options ( k5_context ,
opt ,
KRB5_GC_NO_STORE ) ;
/* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
k5ret = krb5_get_creds ( k5_context , opt , ccache , krbtgt_other , & server_creds ) ;
2021-12-22 06:08:43 +03:00
{
2015-02-03 05:22:52 +03:00
/*
* In these situations , the code above does not store a
* principal in the credentials cache matching what
* krb5_get_creds ( ) needs without talking to the KDC , so the
* test fails with looping detected because when we set
* canonicalize we confuse the client libs .
*
*/
assertion_message = talloc_asprintf ( tctx ,
" krb5_get_creds for %s should have failed with looping detected: %s " ,
krbtgt_other_string ,
smb_get_krb5_error_message ( k5_context , k5ret ,
tctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , KRB5_GET_IN_TKT_LOOP , assertion_message ) ;
torture_assert_int_equal ( tctx ,
test_context - > packet_count ,
2 , " Expected krb5_get_creds to send packets " ) ;
}
2015-02-02 02:18:23 +03:00
/*
* Prepare a TGS - REQ and run the TEST_TGS_REQ_CANON tests
*
* This tests krb5_get_creds behaviour , which allows us to set
* the KRB5_GC_CANONICALIZE option
*/
test_context - > packet_count = 0 ;
2015-01-30 08:17:16 +03:00
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_get_creds_opt_alloc ( k5_context , & opt ) ,
2015-01-30 08:17:16 +03:00
0 , " krb5_get_creds_opt_alloc " ) ;
2015-02-02 02:18:23 +03:00
krb5_get_creds_opt_add_options ( k5_context ,
2015-01-30 08:17:16 +03:00
opt ,
KRB5_GC_CANONICALIZE ) ;
2015-02-03 05:22:52 +03:00
krb5_get_creds_opt_add_options ( k5_context ,
opt ,
KRB5_GC_NO_STORE ) ;
2015-03-09 01:12:01 +03:00
if ( test_data - > s4u2self ) {
torture_assert_int_equal ( tctx ,
krb5_get_creds_opt_set_impersonate ( k5_context ,
opt ,
principal ) ,
0 , " krb5_get_creds_opt_set_impersonate failed " ) ;
}
2015-01-30 08:17:16 +03:00
/* Confirm if we can get a ticket to our own name */
2015-02-02 02:18:23 +03:00
k5ret = krb5_get_creds ( k5_context , opt , ccache , principal , & server_creds ) ;
2015-01-30 08:17:16 +03:00
2015-02-02 02:18:23 +03:00
/*
* In these situations , the code above does not store a
* principal in the credentials cache matching what
* krb5_get_creds ( ) needs , so the test fails .
*
*/
2021-12-22 06:08:43 +03:00
{
2015-01-30 08:17:16 +03:00
assertion_message = talloc_asprintf ( tctx ,
" krb5_get_creds for %s failed: %s " ,
principal_string ,
2015-02-02 02:18:23 +03:00
smb_get_krb5_error_message ( k5_context , k5ret ,
tctx ) ) ;
2015-01-30 08:17:16 +03:00
2015-02-02 02:18:23 +03:00
/*
* Only machine accounts ( strictly , accounts with a
* servicePrincipalName ) can expect this test to succeed
*/
2015-02-02 05:01:40 +03:00
if ( torture_setting_bool ( tctx , " expect_machine_account " , false )
2017-11-16 04:01:56 +03:00
& & ( test_data - > enterprise
| | test_data - > spn_is_upn
| | test_data - > upn = = false ) ) {
2015-01-30 08:17:16 +03:00
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
2015-02-02 02:18:23 +03:00
torture_assert_int_equal ( tctx , krb5_cc_store_cred ( k5_context ,
2015-01-30 08:17:16 +03:00
ccache , server_creds ) ,
0 , " krb5_cc_store_cred failed " ) ;
torture_assert_int_equal ( tctx ,
2015-02-02 02:18:23 +03:00
krb5_free_creds ( k5_context ,
2015-01-30 08:17:16 +03:00
server_creds ) ,
0 , " krb5_free_cred_contents failed " ) ;
2022-01-06 06:42:33 +03:00
torture_assert_int_equal ( tctx ,
test_context - > packet_count ,
1 , " Expected krb5_get_creds to send one packet " ) ;
2015-01-30 08:17:16 +03:00
} else {
2015-02-02 02:18:23 +03:00
torture_assert_int_equal ( tctx , k5ret , KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ,
assertion_message ) ;
2022-01-06 06:42:33 +03:00
/* Account for get_cred_kdc_capath() and get_cred_kdc_referral() fallback */
torture_assert_int_equal ( tctx ,
test_context - > packet_count ,
2 , " Expected krb5_get_creds to send 2 packets " ) ;
2015-01-30 08:17:16 +03:00
}
}
2015-02-02 02:18:23 +03:00
2015-01-30 08:17:16 +03:00
/*
2023-08-03 16:42:18 +03:00
* Confirm getting a ticket to pass to the server , running
2015-02-02 02:18:23 +03:00
* either the TEST_TGS_REQ or TEST_SELF_TRUST_TGS_REQ stage .
2015-01-30 08:17:16 +03:00
*
* This triggers the client to attempt to get a
* cross - realm ticket between the alternate names of
* the server , and we need to confirm that behaviour .
*
*/
2015-02-02 02:18:23 +03:00
test_context - > packet_count = 0 ;
torture_assert_int_equal ( tctx , krb5_auth_con_init ( k5_context , & auth_context ) ,
2015-01-30 02:31:10 +03:00
0 , " krb5_auth_con_init failed " ) ;
in_data . length = 0 ;
2015-02-02 02:18:23 +03:00
k5ret = krb5_mk_req_exact ( k5_context ,
2015-01-30 02:31:10 +03:00
& auth_context ,
2015-03-11 05:58:36 +03:00
AP_OPTS_USE_SUBKEY ,
2015-01-30 02:31:10 +03:00
principal ,
& in_data , ccache ,
& enc_ticket ) ;
assertion_message = talloc_asprintf ( tctx ,
" krb5_mk_req_exact for %s failed: %s " ,
principal_string ,
2015-02-02 02:18:23 +03:00
smb_get_krb5_error_message ( k5_context , k5ret , tctx ) ) ;
/*
* Only machine accounts ( strictly , accounts with a
* servicePrincipalName ) can expect this test to succeed
*/
2017-11-16 04:01:56 +03:00
if ( torture_setting_bool ( tctx , " expect_machine_account " , false )
& & ( test_data - > enterprise | |
( test_context - > test_data - > as_req_spn
| | test_context - > test_data - > spn_is_upn )
| | test_data - > upn = = false ) ) {
2015-03-11 05:58:36 +03:00
DATA_BLOB client_to_server ;
2015-01-30 02:31:10 +03:00
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
2015-03-11 05:58:36 +03:00
client_to_server = data_blob_const ( enc_ticket . data , enc_ticket . length ) ;
2017-11-16 04:01:56 +03:00
/* This is very weird */
if ( test_data - > canonicalize = = false
& & test_context - > test_data - > as_req_spn
& & test_context - > test_data - > spn_is_upn
& & test_context - > test_data - > s4u2self ) {
torture_assert ( tctx ,
test_accept_ticket ( tctx ,
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ,
2017-11-16 04:01:56 +03:00
spn_real_realm ,
client_to_server ) ,
" test_accept_ticket failed - failed to accept the ticket we just created " ) ;
} else if ( test_data - > canonicalize = = true
& & test_context - > test_data - > as_req_spn
& & test_context - > test_data - > spn_is_upn
& & test_context - > test_data - > s4u2self ) {
torture_assert ( tctx ,
test_accept_ticket ( tctx ,
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ,
2022-01-06 06:42:33 +03:00
expected_principal_string ,
2017-11-16 04:01:56 +03:00
client_to_server ) ,
" test_accept_ticket failed - failed to accept the ticket we just created " ) ;
} else if ( test_data - > canonicalize = = true
& & test_data - > enterprise = = false
& & test_context - > test_data - > upn
& & test_context - > test_data - > spn_is_upn
& & test_context - > test_data - > s4u2self ) {
torture_assert ( tctx ,
test_accept_ticket ( tctx ,
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ,
2022-01-06 06:42:33 +03:00
expected_principal_string ,
2017-11-16 04:01:56 +03:00
client_to_server ) ,
" test_accept_ticket failed - failed to accept the ticket we just created " ) ;
} else if ( test_data - > canonicalize = = false
& & test_context - > test_data - > upn
& & test_context - > test_data - > spn_is_upn
& & test_context - > test_data - > s4u2self ) {
const char * accept_expected_principal_string
= talloc_asprintf ( test_data ,
" %s@%s " ,
test_data - > username ,
test_data - > real_realm ) ;
torture_assert ( tctx ,
test_accept_ticket ( tctx ,
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ,
2017-11-16 04:01:56 +03:00
accept_expected_principal_string ,
client_to_server ) ,
" test_accept_ticket failed - failed to accept the ticket we just created " ) ;
} else {
torture_assert ( tctx ,
test_accept_ticket ( tctx ,
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ,
2017-11-16 04:01:56 +03:00
expected_unparse_principal_string ,
client_to_server ) ,
" test_accept_ticket failed - failed to accept the ticket we just created " ) ;
}
2015-03-11 05:58:36 +03:00
krb5_data_free ( & enc_ticket ) ;
2015-01-30 02:31:10 +03:00
} else {
2015-02-02 02:18:23 +03:00
torture_assert_int_equal ( tctx , k5ret , KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN ,
assertion_message ) ;
2015-01-30 02:31:10 +03:00
}
2015-02-05 05:49:40 +03:00
/*
2023-08-03 16:42:18 +03:00
* Confirm getting a ticket to pass to the server , running
2015-02-05 06:44:23 +03:00
* the TEST_TGS_REQ_HOST , TEST_TGS_REQ_HOST_SRV_INST , TEST_TGS_REQ_HOST_SRV_HST stage
2015-02-05 05:49:40 +03:00
*
* This triggers the client to attempt to get a
* cross - realm ticket between the alternate names of
* the server , and we need to confirm that behaviour .
*
*/
if ( * test_data - > krb5_service & & * test_data - > krb5_hostname ) {
2015-02-05 06:44:23 +03:00
krb5_principal host_principal_srv_inst ;
2015-02-05 05:49:40 +03:00
/*
* This tries to guess when the krb5 libs will ask for a
* cross - realm ticket , and when they will just ask the KDC
* directly .
*/
test_context - > packet_count = 0 ;
torture_assert_int_equal ( tctx , krb5_auth_con_init ( k5_context , & auth_context ) ,
0 , " krb5_auth_con_init failed " ) ;
in_data . length = 0 ;
k5ret = krb5_mk_req ( k5_context ,
& auth_context ,
0 ,
test_data - > krb5_service ,
test_data - > krb5_hostname ,
& in_data , ccache ,
& enc_ticket ) ;
2021-12-22 06:08:43 +03:00
{
2015-02-05 05:49:40 +03:00
assertion_message = talloc_asprintf ( tctx ,
2015-02-05 06:44:23 +03:00
" krb5_mk_req for %s/%s failed: %s " ,
test_data - > krb5_service ,
2017-11-16 04:01:56 +03:00
test_data - > krb5_hostname ,
2015-02-05 06:44:23 +03:00
smb_get_krb5_error_message ( k5_context , k5ret , tctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
2017-11-16 04:01:56 +03:00
if ( test_data - > spn_is_upn = = false ) {
/*
* Only in these cases would the above
* code have needed to send packets to
* the network
*/
torture_assert ( tctx ,
test_context - > packet_count > 0 ,
" Expected krb5_get_creds to send packets " ) ;
}
2015-02-05 06:44:23 +03:00
}
test_context - > packet_count = 0 ;
torture_assert_int_equal ( tctx ,
krb5_make_principal ( k5_context , & host_principal_srv_inst ,
test_data - > real_realm ,
strupper_talloc ( tctx , test_data - > krb5_service ) ,
test_data - > krb5_hostname ,
NULL ) ,
0 , " krb5_make_principal failed " ) ;
krb5_principal_set_type ( k5_context , host_principal_srv_inst , KRB5_NT_SRV_INST ) ;
torture_assert_int_equal ( tctx , krb5_auth_con_init ( k5_context , & auth_context ) ,
0 , " krb5_auth_con_init failed " ) ;
in_data . length = 0 ;
k5ret = krb5_mk_req_exact ( k5_context ,
& auth_context ,
0 ,
host_principal_srv_inst ,
& in_data , ccache ,
& enc_ticket ) ;
krb5_free_principal ( k5_context , host_principal_srv_inst ) ;
2021-12-22 06:08:43 +03:00
{
2015-02-05 06:44:23 +03:00
assertion_message = talloc_asprintf ( tctx ,
" krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s " ,
test_data - > krb5_service ,
test_data - > krb5_hostname ,
smb_get_krb5_error_message ( k5_context , k5ret , tctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
/*
* Only in these cases would the above code have needed to
* send packets to the network
*/
torture_assert ( tctx ,
test_context - > packet_count > 0 ,
" Expected krb5_get_creds to send packets " ) ;
}
test_context - > packet_count = 0 ;
torture_assert_int_equal ( tctx ,
krb5_make_principal ( k5_context , & host_principal_srv_inst ,
test_data - > real_realm ,
test_data - > krb5_service ,
strupper_talloc ( tctx , test_data - > krb5_hostname ) ,
NULL ) ,
0 , " krb5_make_principal failed " ) ;
krb5_principal_set_type ( k5_context , host_principal_srv_inst , KRB5_NT_SRV_HST ) ;
torture_assert_int_equal ( tctx , krb5_auth_con_init ( k5_context , & auth_context ) ,
0 , " krb5_auth_con_init failed " ) ;
in_data . length = 0 ;
k5ret = krb5_mk_req_exact ( k5_context ,
& auth_context ,
0 ,
host_principal_srv_inst ,
& in_data , ccache ,
& enc_ticket ) ;
krb5_free_principal ( k5_context , host_principal_srv_inst ) ;
2021-12-22 06:08:43 +03:00
{
2015-02-05 06:44:23 +03:00
assertion_message = talloc_asprintf ( tctx ,
" krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s " ,
test_data - > krb5_service ,
test_data - > krb5_hostname ,
2015-02-05 05:49:40 +03:00
smb_get_krb5_error_message ( k5_context , k5ret , tctx ) ) ;
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
/*
* Only in these cases would the above code have needed to
* send packets to the network
*/
torture_assert ( tctx ,
test_context - > packet_count > 0 ,
" Expected krb5_get_creds to send packets " ) ;
}
2015-02-03 05:22:52 +03:00
}
2015-02-02 02:18:23 +03:00
/*
2023-08-03 16:42:18 +03:00
* Confirm getting a ticket for the same krbtgt / realm that we
2015-02-02 02:18:23 +03:00
* got back with the initial ticket , running the
* TEST_TGS_REQ_KRBTGT stage .
*
*/
test_context - > packet_count = 0 ;
2015-01-30 02:31:10 +03:00
in_data . length = 0 ;
2015-02-02 02:18:23 +03:00
k5ret = krb5_mk_req_exact ( k5_context ,
2015-01-30 02:31:10 +03:00
& auth_context ,
0 ,
my_creds . server ,
& in_data , ccache ,
& enc_ticket ) ;
assertion_message = talloc_asprintf ( tctx ,
" krb5_mk_req_exact for %s failed: %s " ,
principal_string ,
2015-02-02 02:18:23 +03:00
smb_get_krb5_error_message ( k5_context , k5ret , tctx ) ) ;
2015-01-30 02:31:10 +03:00
torture_assert_int_equal ( tctx , k5ret , 0 , assertion_message ) ;
2015-02-02 02:18:23 +03:00
krb5_free_principal ( k5_context , principal ) ;
2015-02-02 05:01:40 +03:00
krb5_get_init_creds_opt_free ( k5_context , krb_options ) ;
2015-02-02 02:18:23 +03:00
torture_assert_int_equal ( tctx , krb5_free_cred_contents ( k5_context , & my_creds ) ,
2015-01-30 02:31:10 +03:00
0 , " krb5_free_cred_contents failed " ) ;
2015-01-21 07:27:09 +03:00
return true ;
}
struct torture_suite * torture_krb5_canon ( TALLOC_CTX * mem_ctx )
{
unsigned int i ;
struct torture_suite * suite = torture_suite_create ( mem_ctx , " canon " ) ;
suite - > description = talloc_strdup ( suite , " Kerberos Canonicalisation tests " ) ;
for ( i = 0 ; i < TEST_ALL ; i + + ) {
2021-12-22 06:08:43 +03:00
char * name = talloc_asprintf ( suite , " %s.%s.%s.%s.%s.%s " ,
2015-01-21 07:27:09 +03:00
( i & TEST_CANONICALIZE ) ? " canon " : " no-canon " ,
( i & TEST_ENTERPRISE ) ? " enterprise " : " no-enterprise " ,
( i & TEST_UPPER_USERNAME ) ? " uc-user " : " lc-user " ,
2015-01-23 06:43:48 +03:00
( i & TEST_WIN2K ) ? " win2k " : " no-win2k " ,
2017-11-16 04:01:56 +03:00
( i & TEST_UPN ) ? " upn " :
( ( i & TEST_AS_REQ_SPN ) ? " spn " :
( ( i & TEST_REMOVEDOLLAR ) ? " removedollar " : " samaccountname " ) ) ,
2020-05-07 18:17:12 +03:00
( i & TEST_S4U2SELF ) ? " s4u2self " : " normal " ) ;
2017-11-16 04:01:56 +03:00
struct torture_suite * sub_suite = torture_suite_create ( mem_ctx , name ) ;
2015-01-23 06:43:48 +03:00
struct test_data * test_data = talloc_zero ( suite , struct test_data ) ;
2017-11-16 04:01:56 +03:00
if ( i & TEST_UPN ) {
if ( i & TEST_AS_REQ_SPN ) {
continue ;
}
}
if ( ( i & TEST_UPN ) | | ( i & TEST_AS_REQ_SPN ) ) {
if ( i & TEST_REMOVEDOLLAR ) {
continue ;
}
}
2015-01-30 02:31:10 +03:00
test_data - > test_name = name ;
2015-02-02 02:18:23 +03:00
test_data - > real_realm
2017-05-10 02:10:03 +03:00
= strupper_talloc ( test_data ,
cli_credentials_get_realm (
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ) ) ;
2017-05-10 02:10:03 +03:00
test_data - > real_domain = cli_credentials_get_domain (
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ) ;
2017-05-10 02:10:03 +03:00
test_data - > username = cli_credentials_get_username (
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ) ;
2017-05-10 02:10:03 +03:00
test_data - > real_username = cli_credentials_get_username (
2020-12-02 19:24:22 +03:00
samba_cmdline_get_creds ( ) ) ;
2015-01-21 07:27:09 +03:00
test_data - > canonicalize = ( i & TEST_CANONICALIZE ) ! = 0 ;
test_data - > enterprise = ( i & TEST_ENTERPRISE ) ! = 0 ;
test_data - > upper_username = ( i & TEST_UPPER_USERNAME ) ! = 0 ;
2015-01-23 04:38:51 +03:00
test_data - > win2k = ( i & TEST_WIN2K ) ! = 0 ;
2015-01-23 06:43:48 +03:00
test_data - > upn = ( i & TEST_UPN ) ! = 0 ;
2015-03-09 01:12:01 +03:00
test_data - > s4u2self = ( i & TEST_S4U2SELF ) ! = 0 ;
2015-03-27 16:41:19 +03:00
test_data - > removedollar = ( i & TEST_REMOVEDOLLAR ) ! = 0 ;
2017-11-16 04:01:56 +03:00
test_data - > as_req_spn = ( i & TEST_AS_REQ_SPN ) ! = 0 ;
torture_suite_add_simple_tcase_const ( sub_suite , name , torture_krb5_as_req_canon ,
2015-01-21 07:27:09 +03:00
test_data ) ;
2017-11-16 04:01:56 +03:00
torture_suite_add_suite ( suite , sub_suite ) ;
2016-06-02 11:14:25 +03:00
2015-01-21 07:27:09 +03:00
}
return suite ;
}
