selftest: Add certificate binding configuration
authorGary Lockyer <gary@catalyst.net.nz>
Mon, 22 Sep 2025 03:45:27 +0000 (15:45 +1200)
committerJennifer Sutton <jsutton@samba.org>
Fri, 10 Oct 2025 01:27:31 +0000 (01:27 +0000)
Configure the ad_dc and ad_dc_ntvfs test environments for pkinit certificate
binding tests:

ad_dc_ntvfs:
strong certificate binding enforcement = compatibility
certificate backdating compensation = 1500

To allow testing of compatibility mode

ad_dc:
strong certificate binding enforcement = none

To test no enforcement, and to avoid breaking existing kerberos tests

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
selftest/target/Samba4.pm

index 8d30fefbab28f95c381b30525568414362990f9e..1ab178489b23f715498ba969063b7c1c84f412ae 100755 (executable)
@@ -1700,6 +1700,9 @@ sub provision_ad_dc_ntvfs($$$)
        # needed for 'samba.tests.auth_log' tests
        server require schannel:LOCALDC\$ = no
        server schannel require seal:LOCALDC\$ = no
+
+       strong certificate binding enforcement = compatibility
+       certificate backdating compensation = 1500
        ";
        push (@{$extra_provision_options},
              "--base-schema=2008_R2",
@@ -2882,7 +2885,11 @@ sub _setup_ad_dc
 sub setup_ad_dc
 {
        my ($self, $path) = @_;
-       return _setup_ad_dc($self, $path, undef, undef, undef);
+       # Disable certificate binding enforcement, to avoid
+       # breaking kerberos tests
+       my $conf_opts = "strong certificate binding enforcement = none\n";
+
+       return _setup_ad_dc($self, $path, $conf_opts, undef, undef);
 }
 
 sub setup_ad_dc_smb1
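Review bot: `strong certificate binding enforcement = none` is set only in setup_ad_dc, so other callers of _setup_ad_dc that pass their own options (setup_ad_dc_smb1 begins right after this hunk) presumably keep the parameter's default. Environments built from the same helper may then differ in enforcement, which is worth confirming as intended. As far as this commit shows, no environment runs the strictest enforcement mode: ad_dc_ntvfs uses compatibility and ad_dc turns enforcement off, so that path appears to be untested here. The new comment could also state the scope explicitly, for example `# Test environment only: binding enforcement is off here; compatibility mode is covered by ad_dc_ntvfs`.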