selftest: Add new test to run krb5.kdc.canon against a user with an SPN for a UPN
The failures in this test compared with Windows Server 1709 are added to knownfail. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
parent
a6182bd951
commit
71ba7cb9b1
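--- a/selftest/knownfail.d/kdc-spn-is-upn
+++ b/selftest/knownfail.d/kdc-spn-is-upn
@@ -0,0 +1,16 @@
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.s4u2self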
@ -815,6 +815,7 @@ sub get_running_env($)
|
||||
my @exported_envvars = (
|
||||
# domain stuff
|
||||
"DOMAIN",
|
||||
"DNSNAME",
|
||||
"REALM",
|
||||
"DOMSID",
|
||||
|
||||
|
@ -747,6 +747,7 @@ nogroup:x:65534:nobody
|
||||
DOMAIN => $ctx->{domain},
|
||||
USERNAME => $ctx->{username},
|
||||
REALM => $ctx->{realm},
|
||||
DNSNAME => $ctx->{dnsname},
|
||||
SAMSID => $ctx->{samsid},
|
||||
PASSWORD => $ctx->{password},
|
||||
LDAPDIR => $ctx->{ldapdir},
|
||||
@ -866,6 +867,28 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
|
||||
";
|
||||
close(LDIF);
|
||||
|
||||
$samba_tool_cmd = "";
|
||||
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
|
||||
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
|
||||
$samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
|
||||
. " user create --configfile=$ctx->{smb_conf} testupnspn $ctx->{password}";
|
||||
unless (system($samba_tool_cmd) == 0) {
|
||||
warn("Unable to add testupnspn user: \n$samba_tool_cmd\n");
|
||||
return undef;
|
||||
}
|
||||
|
||||
my $user_dn = "cn=testupnspn,cn=users,$base_dn";
|
||||
open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
|
||||
print LDIF "dn: $user_dn
|
||||
changetype: modify
|
||||
replace: userPrincipalName
|
||||
userPrincipalName: http/testupnspn.$ctx->{dnsname}\@$ctx->{realm}
|
||||
replace: servicePrincipalName
|
||||
servicePrincipalName: http/testupnspn.$ctx->{dnsname}
|
||||
-
|
||||
";
|
||||
close(LDIF);
|
||||
|
||||
$samba_tool_cmd = "";
|
||||
$samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
|
||||
$samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
|
||||
|
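Review bot: The pipe to ldbmodify that sets the UPN and SPN on testupnspn is opened and closed without checking either result, unlike the `samba-tool user create` call just above it, which warns and returns undef on failure. If ldbmodify fails, provisioning carries on and the new krb5.kdc run would exercise an account whose UPN and SPN were never made identical, so its results (and the knownfail entries added for it) would not mean what they claim. Checking the close is enough to catch a non-zero exit from the child: `unless (close(LDIF)) { warn("Unable to set UPN/SPN on testupnspn\n"); return undef; }`. The enclosing sub starts and ends outside this hunk, and the `+` markers are lost on this page, so which lines are new is inferred from the testupnspn names.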
@ -1080,6 +1080,12 @@ plansmbtorture4testsuite('krb5.kdc', "rodc", ['ncacn_np:$SERVER_IP', "-k", "yes"
|
||||
env = "promoted_dc"
|
||||
plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'],
|
||||
"samba4.krb5.kdc with specified account")
|
||||
plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestupnspn%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM',
|
||||
'--option=torture:expect_machine_account=true',
|
||||
'--option=torture:krb5-upn=http/testupnspn.$DNSNAME@$REALM',
|
||||
'--option=torture:krb5-hostname=testupnspn.$DNSNAME',
|
||||
'--option=torture:krb5-service=http'],
|
||||
"samba4.krb5.kdc with account having identical UPN and SPN")
|
||||
|
||||
|
||||
for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
|
||||
|
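Review bot: The new `plansmbtorture4testsuite` call sets `torture:expect_machine_account=true` for testupnspn with no comment saying why, although the account is created with `samba-tool user create` in the provisioning hunk. A reader cannot tell whether that is the intended expectation for a user that carries an SPN or a leftover copied from another suite. A comment above the call would settle it, for example `# testupnspn is a user account whose UPN is identical to its SPN; expect_machine_account=true is intentional`.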