s4:test: fix kdc-canon-heimdal tests for 'require canonicalization'
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Wed, 17 Dec 2025 02:17:23 +0000 (15:17 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
The combination of the server 'require canonicalization' option with a
lack of a 'canonicalize' flag from the client will result in AS-REQs
being rejected with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
selftest/knownfail.d/krb5-require-canon
source4/torture/krb5/kdc-canon-heimdal.c

index 1785bb7b0873bc68928c1070e9c294ab5d29fac4..a1f9b2b238904647f70eb3e3b8573d311bf2877f 100644 (file)
@@ -1,19 +1,3 @@
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\(schema_dc:local\)
 ^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_1_3\(schema_dc\)
 ^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_4\(schema_dc\)
 ^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_5\(schema_dc\)
index 3a0fa0b854f8e13199942066e4ff82246f43664c..d05572bafb0399208cfab05e1ecd6d3400861f58 100644 (file)
@@ -305,6 +305,9 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
        krb5_data in_data, enc_ticket;
        krb5_get_creds_opt opt;
 
+       bool require_canon = \
+               lpcfg_kdc_require_canonicalization(tctx->lp_ctx);
+
        bool implicit_dollar_requires_canonicalize = \
                ! lpcfg_kdc_name_match_implicit_dollar_without_canonicalization(
                        tctx->lp_ctx);
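Review bot: The trailing backslash on the new `bool require_canon = \` line is a no-op line continuation outside a preprocessor directive; it mirrors the adjacent `implicit_dollar_requires_canonicalize` declaration, but the plain form `bool require_canon =` with the call on the next line reads the same without hinting at a macro. The compound predicate `require_canon && ! test_context->test_data->canonicalize` is then evaluated at two later points in this function, so deriving it once here as `bool expect_canon_reject = require_canon && !test_context->test_data->canonicalize;` would keep both sites in step, provided `test_context` is already initialised at this point (its setup is not visible in the hunk). torture_krb5_as_req_canon starts before and continues past this hunk.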
@@ -586,6 +589,17 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
                                         "krb5_get_init_creds_password "
                                         "(with no implicit dollar config)");
                return true;
+       } else if (require_canon && ! test_context->test_data->canonicalize) {
+               /*
+                * The server is requiring canonicalization, and we are not using it.
+                * This should always fail.
+                */
+               torture_assert_int_equal(tctx, k5ret,
+                                        KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
+                                        "Principal should not match with "
+                                        "'require canonicalization = yes' "
+                                        "when canonicalization is not used.");
+               return true;
        } else {
                assertion_message = talloc_asprintf(tctx,
                                                    "krb5_get_init_creds_password for %s failed: %s",
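Review bot: The new `else if` branch only asserts the KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN rejection inside what appears to be the failure path of `krb5_get_init_creds_password` (the surrounding `else` formats a "failed: %s" message), so a KDC that wrongly accepts a non-canonicalized AS-REQ under 'require canonicalization = yes' would not trip this negative test; the success path would carry on as an ordinary passing run. A one-line guard right after the `krb5_get_init_creds_password` call (outside this hunk) would close that gap: `torture_assert(tctx, !(require_canon && !test_context->test_data->canonicalize) || k5ret != 0, "AS-REQ without canonicalize must be rejected when 'require canonicalization = yes'");`. Branch order also matters here: as an `else if` placed after the implicit-dollar check, a configuration matching both keeps the earlier branch's expectation, which looks intended but deserves a short comment saying so. The enclosing function starts before and continues past this hunk.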
@@ -713,6 +727,18 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
        /* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
        k5ret = krb5_get_creds(k5_context, opt, ccache, krbtgt_other, &server_creds);
 
+       if (require_canon && ! test_context->test_data->canonicalize) {
+               /*
+                * The server is requiring canonicalization, and we are not using it.
+                * This should always fail.
+                */
+               torture_assert_int_equal(tctx, k5ret,
+                                        KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
+                                        "Principal should not match with "
+                                        "'require canonicalization = yes' "
+                                        "when canonicalization is not used.");
+               return true;
+       }
        {
                /*
                 * In these situations, the code above does not store a
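Review bot: The 11-line assert block added before the `krb5_get_creds` result handling is byte-identical to the one added in the AS-REQ failure path earlier in this function; factor it into a static helper such as `static bool torture_krb5_assert_require_canon_rejected(struct torture_context *tctx, krb5_error_code k5ret)` so each site becomes `return torture_krb5_assert_require_canon_rejected(tctx, k5ret);`. It is also worth confirming this second check is reachable and asserts the right code: if the AS-REQ branch always returns when require_canon is set and canonicalize is not (its comment says "This should always fail"), the TGT this `krb5_get_creds` call needs is never obtained; and if some configuration does reach it, a TGS-REQ for `krbtgt_other` failing with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN rather than a server-principal or realm error is not obvious, so a comment naming the variant this guards would help. The early `return true` skips whatever teardown follows, consistent with the existing returns in this function. torture_krb5_as_req_canon continues past this hunk.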