tests/krb5: Add test requesting a TGT expiring post-2038

This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184

(backported from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)

[abartlet@samba.org Adapted from 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2
 as the kerberos tests have changed parameters in newer versions
 breaking the context]

diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index da2c0b9d09792b9247510fde503f146596b94663..0d9a771b80dceb875ad42d7d044e217b58ae0b4b 100755 (executable)
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -42,7 +42,7 @@ global_hexdump = False
 
 class AsReqBaseTest(KDCBaseTest):
     def _run_as_req_enc_timestamp(self, client_creds, sname=None,
-                                  expected_error=None,
+                                  expected_error=None, till=None,
                                   expected_pa_error=None, expect_pa_edata=None):
         client_account = client_creds.get_username()
         client_as_etypes = self.get_default_enctypes()
@@ -63,7 +63,8 @@ class AsReqBaseTest(KDCBaseTest):
         expected_sname = sname
         expected_salt = client_creds.get_salt()
 
-        till = self.get_KerberosTime(offset=36000)
+        if till is None:
+            till = self.get_KerberosTime(offset=36000)
 
         initial_etypes = client_as_etypes
         initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
@@ -252,6 +253,14 @@ class AsReqKerberosTests(AsReqBaseTest):
                 sname=wrong_krbtgt_princ,
                 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
 
+    # Test that we can make a request for a ticket expiring post-2038.
+    def test_future_till(self):
+        client_creds = self.get_client_creds()
+
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            till='99990913024805Z')
+
 
 if __name__ == "__main__":
     global_asn1_print = False