diff --git a/selftest/knownfail.d/kdc-spn-is-upn b/selftest/knownfail.d/kdc-spn-is-upn
new file mode 100644
index 00000000000..9225ec215df
--- /dev/null
+++ b/selftest/knownfail.d/kdc-spn-is-upn
@@ -0,0 +1,16 @@
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and 
SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index 7eb5f74b3ef..3ee266c4d0a 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -815,6 +815,7 @@ sub get_running_env($)
 my @exported_envvars = (
 # domain stuff
 "DOMAIN",
+ "DNSNAME",
 "REALM",
 "DOMSID",
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index fb4fcc6e566..68038fb5183 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -747,6 +747,7 @@ nogroup:x:65534:nobody
 DOMAIN => $ctx->{domain},
 USERNAME => $ctx->{username},
 REALM => $ctx->{realm},
+ DNSNAME => $ctx->{dnsname},
 SAMSID => $ctx->{samsid},
 PASSWORD => $ctx->{password},
 LDAPDIR => $ctx->{ldapdir},
@@ -866,6 +867,28 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
 ";
 close(LDIF);
+ $samba_tool_cmd = "";
+ $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+ $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
+ $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+ . " user create --configfile=$ctx->{smb_conf} testupnspn $ctx->{password}";
+ unless (system($samba_tool_cmd) == 0) {
+ warn("Unable to add testupnspn user: \n$samba_tool_cmd\n");
+ return undef;
+ }
+
+ my $user_dn = "cn=testupnspn,cn=users,$base_dn";
+ open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+ print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: http/testupnspn.$ctx->{dnsname}\@$ctx->{realm}
+replace: servicePrincipalName
+servicePrincipalName: http/testupnspn.$ctx->{dnsname}
+-
+";
+ close(LDIF);
+
 $samba_tool_cmd = "";
 $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
 $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index cb78dd001b9..8c3547d8469 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
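Review bot: The ldbmodify step that gives testupnspn its UPN and SPN is never checked — neither the return value of `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb")` nor that of `close(LDIF)` is examined, so if ldbmodify fails (a rejected `replace: servicePrincipalName`, a missing binary, a wrong sam.ldb path) provisioning continues and the new "identical UPN and SPN" krb5.kdc test runs against an account that lacks the attributes it asserts on, failing for an unrelated reason that is hard to tell apart from the KDC behaviour the test is meant to exercise. The samba-tool call a few lines earlier does check `system()` and returns undef, and the modify should follow the same pattern, e.g. `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb") or return undef;` and `close(LDIF) or do { warn("ldbmodify for $user_dn failed: $?"); return undef; };` (close on a pipe handle reports the child's exit status in `$?`). The unchecked `close(LDIF)` in the context lines above suggests this is a pre-existing convention in the file, so the older call sites could be tightened in the same way, but this one matters most because the test it supports is already listed in knownfail. The enclosing subroutine starts and ends outside the hunk; `$ldbmodify`, `$base_dn` and `$samba_tool_cmd` are declared there.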
@@ -1080,6 +1080,12 @@ plansmbtorture4testsuite('krb5.kdc', "rodc", ['ncacn_np:$SERVER_IP', "-k", "yes"
 env = "promoted_dc"
 plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'], "samba4.krb5.kdc with specified account")
+plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestupnspn%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM',
+ '--option=torture:expect_machine_account=true',
+ '--option=torture:krb5-upn=http/testupnspn.$DNSNAME@$REALM',
+ '--option=torture:krb5-hostname=testupnspn.$DNSNAME',
+ '--option=torture:krb5-service=http'],
+ "samba4.krb5.kdc with account having identical UPN and SPN")
 for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: