# Successful S4U2Self -> S4U2Proxy.
out = realm.run(['./t_s4u', puser, pservice2])
+# Regression test for #8139: get a user ticket directly for service1 and
+# try krb5 -> S4U2Proxy.
+realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache,
+ '-t', userkeytab, '-S', service1])
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+ pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+ fail('krb5 -> s4u2proxy')
+
+# Simulate a krbtgt rollover and verify that the user ticket can still
+# be validated.
+realm.stop_kdc()
+newtgt_keys = ['2 aes128-cts', '1 aes128-cts']
+newtgt_princs = {'krbtgt/KRBTEST.COM': {'keys': newtgt_keys}}
+newtgt_conf = {'dbmodules': {'test': {'princs': newtgt_princs}}}
+newtgt_env = realm.special_env('newtgt', True, kdc_conf=newtgt_conf)
+realm.start_kdc(env=newtgt_env)
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+ pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+ fail('krb5 -> s4u2proxy')
+
+# Get a user ticket after the krbtgt rollover and verify that
+# S4U2Proxy delegation works (also a #8139 regression test).
+realm.kinit(realm.user_princ, None, ['-f', '-k', '-c', usercache,
+ '-t', userkeytab])
+out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+ pservice1, pservice2])
+if 'auth1: user@' not in out or 'auth2: user@' not in out:
+ fail('krb5 -> s4u2proxy')
+
success('S4U test cases')
projects / thirdparty / krb5.git / commitdiff
