tests/krb5: Work around Samba’s incorrect krbtgt principal handling
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 19 Oct 2023 03:23:32 +0000 (16:23 +1300)
committerAndrew Bartlett <abartlet@samba.org>
Tue, 24 Oct 2023 00:54:31 +0000 (00:54 +0000)
These tests fail only because they are using the ‘krbtgt@REALM’ form of
the krbtgt principal that Samba doesn’t handle correctly.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/conditional_ace_tests.py
python/samba/tests/krb5/kdc_tgs_tests.py
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc

index d54931724d14873993f8c0095fb1eeb59c68724c..3c61e2bde5514a0dceed1759943dc1dd47ec9f48 100755 (executable)
@@ -2978,10 +2978,16 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
         client_creds = self._get_creds(account_type=self.AccountType.USER,
                                        assigned_policy=client_policy)
 
+        # FIXME: we need to pass this parameter only because Samba doesn’t
+        # handle ‘krbtgt@REALM’ principals correctly (see
+        # https://bugzilla.samba.org/show_bug.cgi?id=15482).
+        krbtgt_sname = self.get_krbtgt_sname()
+
         # Show that authentication succeeds.
         self._armored_as_req(client_creds,
                              self.get_krbtgt_creds(),
-                             mach_tgt)
+                             mach_tgt,
+                             target_sname=krbtgt_sname)
 
         self.check_as_log(client_creds,
                           armor_creds=mach_creds,
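Review bot: The same three-line FIXME comment and the single-use `krbtgt_sname` local are pasted verbatim into three call sites (this hunk and the hunks at `@@ -3360` and `@@ -4357`), which means three places to update when bug 15482 is fixed; a single comment on the `target_sname` parameter of `_armored_as_req` in kdc_tgs_tests.py, with each call site passing `target_sname=self.get_krbtgt_sname()` inline, would keep the workaround in one place. Passing the explicit sname also means these three tests no longer send the `krbtgt@REALM` form at all, so dropping their knownfail entries is not evidence that the KDC handles that form; if no other test still exercises it, it is worth keeping one that does, listed as a knownfail, so the defect stays visible in selftest. The enclosing test methods begin above each hunk.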
@@ -3360,10 +3366,16 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
         client_creds = self._get_creds(account_type=self.AccountType.USER,
                                        assigned_policy=client_policy)
 
+        # FIXME: we need to pass this parameter only because Samba doesn’t
+        # handle ‘krbtgt@REALM’ principals correctly (see
+        # https://bugzilla.samba.org/show_bug.cgi?id=15482).
+        krbtgt_sname = self.get_krbtgt_sname()
+
         # Show that authentication succeeds.
         self._armored_as_req(client_creds,
                              self.get_krbtgt_creds(),
-                             mach_tgt)
+                             mach_tgt,
+                             target_sname=krbtgt_sname)
 
         self.check_as_log(client_creds,
                           armor_creds=mach_creds,
@@ -4357,10 +4369,16 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
             (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs),
         }
 
+        # FIXME: we need to pass this parameter only because Samba doesn’t
+        # handle ‘krbtgt@REALM’ principals correctly (see
+        # https://bugzilla.samba.org/show_bug.cgi?id=15482).
+        krbtgt_sname = self.get_krbtgt_sname()
+
         # Show that obtaining a service ticket with an AS‐REQ is allowed.
         self._armored_as_req(client_creds,
                           self.get_krbtgt_creds(),
                           mach_tgt,
+                          target_sname=krbtgt_sname,
                           expected_groups=expected_groups)
 
         self.check_as_log(client_creds,
index 28654042f78a0f2cd2cb5cc1fcbec2938fb2b80a..d1bed6fc74f3950e04b9710975c1f24204eb1c85 100755 (executable)
@@ -176,6 +176,7 @@ class KdcTgsBaseTests(KDCBaseTest):
                         target_creds,
                         armor_tgt,
                         *,
+                        target_sname=None,
                         expected_error=0,
                         expected_sname=None,
                         expect_edata=None,
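Review bot: The new keyword-only `target_sname` parameter is undocumented, and nothing at the signature says which parts of the request it replaces or how it relates to `expected_sname` on the next line. A short comment on the parameter line, `# target_sname: server name to put in the request instead of the one derived from target_creds; realm and ticket key still come from target_creds`, would state the contract for the next caller. The `_armored_as_req` signature starts above the hunk.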
@@ -191,9 +192,10 @@ class KdcTgsBaseTests(KDCBaseTest):
         client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
                                                  names=[client_username])
 
-        target_name = target_creds.get_username()
-        target_sname = self.PrincipalName_create(
-            name_type=NT_PRINCIPAL, names=[target_name])
+        if target_sname is None:
+            target_name = target_creds.get_username()
+            target_sname = self.PrincipalName_create(
+                name_type=NT_PRINCIPAL, names=[target_name])
         target_realm = target_creds.get_realm()
         target_decryption_key = self.TicketDecryptionKey_from_creds(
             target_creds)
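Review bot: When `target_sname` is supplied, `target_realm` and `target_decryption_key` are still taken from `target_creds`, so a caller passing an sname that names a different principal would get a ticket the helper cannot decrypt, failing far from the mistake. A comment after the `if` block, `# target_sname only overrides the name in the request; the realm and the key used to decrypt the returned ticket remain those of target_creds`, makes that coupling explicit at the point where it matters. The body of `_armored_as_req` continues past the hunk, so it cannot be seen here whether `expected_sname` is later defaulted from the derived `PrincipalName_create` value; if it is, that default should follow the override so the ticket check does not silently compare against the old name.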
index 986c2e9cc24f37ebe534bc6ac676d09927faf9df..96a70a953a067568c744efbff42bba6e1611a1e5 100644 (file)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\)
-#
-# Conditional ACE device restrictions
-#
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\)
index 5f5a4fa45ec530fe6f15864f594c57caee58c3ee..4586c0e0d6ae29d3ed79a5b9e9aac3f4547800a6 100644 (file)
@@ -4066,13 +4066,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_invalid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_not_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_device_info\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_not_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_no_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_well_known_groups_not_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_and_target_policy\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\)