From 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Wed, 24 Nov 2021 12:10:45 +1300
Subject: [PATCH] tests/krb5: Add tests for TGS requests with a non-TGT

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/kdc_tgs_tests.py | 51 ++++++++++++++++++++++++
 selftest/knownfail_mit_kdc | 2 +
 2 files changed, 53 insertions(+)

diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index f5f091610ac..52297c963e8 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -40,6 +40,7 @@ from samba.tests.krb5.rfc4120_constants import (
 KDC_ERR_BADMATCH,
 KDC_ERR_GENERIC,
 KDC_ERR_MODIFIED,
+ KDC_ERR_NOT_US,
 KDC_ERR_POLICY,
 KDC_ERR_C_PRINCIPAL_UNKNOWN,
 KDC_ERR_S_PRINCIPAL_UNKNOWN,
@@ -1234,6 +1235,56 @@ class KdcTgsTests(KDCBaseTest):
 expected_error=(KDC_ERR_GENERIC,
 KDC_ERR_S_PRINCIPAL_UNKNOWN))
 
+ def test_tgs_service_ticket(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds)
+
+ service_creds = self.get_service_creds()
+ service_ticket = self.get_service_ticket(tgt, service_creds)
+
+ self._run_tgs(service_ticket,
+ expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
+
+ def test_renew_service_ticket(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds)
+
+ service_creds = self.get_service_creds()
+ service_ticket = self.get_service_ticket(tgt, service_creds)
+
+ service_ticket = self.modified_ticket(
+ service_ticket,
+ modify_fn=self._modify_renewable,
+ checksum_keys=self.get_krbtgt_checksum_key())
+
+ self._renew_tgt(service_ticket,
+ expected_error=KDC_ERR_POLICY)
+
+ def test_validate_service_ticket(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds)
+
+ service_creds = self.get_service_creds()
+ service_ticket = self.get_service_ticket(tgt, service_creds)
+
+ service_ticket = self.modified_ticket(
+ service_ticket,
+ modify_fn=self._modify_invalid,
+ checksum_keys=self.get_krbtgt_checksum_key())
+
+ self._validate_tgt(service_ticket,
+ expected_error=KDC_ERR_POLICY)
+
+ def test_s4u2self_service_ticket(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds)
+
+ service_creds = self.get_service_creds()
+ service_ticket = self.get_service_ticket(tgt, service_creds)
+
+ self._s4u2self(service_ticket, creds,
+ expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
+
 def test_user2user_service_ticket(self):
 creds = self._get_creds()
 tgt = self._get_tgt(creds)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 2aa7fb2b370..8f8b0b18f18 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
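Review bot: The four tests added to KdcTgsTests in python/samba/tests/krb5/kdc_tgs_tests.py carry no docstring naming the property they pin down; each presents a service ticket where the KDC expects a TGT, so a one-liner such as `"""A service ticket used in place of a TGT must be rejected."""` would make the intent explicit. In test_renew_service_ticket and test_validate_service_ticket the only accepted error is KDC_ERR_POLICY, which a KDC can presumably also return for unrelated policy reasons, so a comment above each modified_ticket() call, e.g. `# Adjust the flags first so the only remaining reason to refuse is that this is not a TGT` (if that is the intent of _modify_renewable / _modify_invalid), would record why the ticket is altered and re-signed with the krbtgt checksum key. The setup lines (`_get_creds`, `_get_tgt`, `get_service_creds`, `get_service_ticket`) are repeated verbatim in all four tests and, judging by the trailing context, in test_user2user_service_ticket, whose body continues outside the hunk; a small private helper returning the service ticket would remove the duplication.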
@@ -381,6 +381,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_service_ticket
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
@@ -442,6 +443,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_service_ticket
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
 #
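Review bot: The knownfail_mit_kdc entries added for test_renew_service_ticket (first hunk) and test_validate_service_ticket (second hunk) carry no reason, so a reader cannot tell whether the MIT KDC refuses the request with an error other than KDC_ERR_POLICY or actually renews or validates a ticket that is not a TGT. The second case would be a behavioural difference worth tracking rather than silencing, and the patch does not show which one applies. A comment line above each entry, e.g. `# MIT KDC: <observed result> when a service ticket is presented for renew/validate`, would record what was seen and make the entry easy to revisit.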