selftest: Work around existing CA certificates to get PKINIT tests working
authorAndrew Bartlett <abartlet@samba.org>
Tue, 18 Sep 2018 04:44:20 +0000 (21:44 -0700)
committerDouglas Bagnall <dbagnall@samba.org>
Fri, 7 Aug 2020 03:23:44 +0000 (03:23 +0000)
This could be reverted in the future, but for now the certificate validation is not what
we are testing and this allows the heimdal upgrade to work.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
selftest/target/Samba.pm

index 6118f2e243ad053bddc682fe93922e5bc8a7dfdc..0d7e13b7e6697bf9bf8d347137422ff8ca43d8f8 100644 (file)
@@ -362,26 +362,36 @@ sub mk_realms_stanza($$$$)
        my ($realm, $dnsname, $domain, $kdc_ipv4) = @_;
        my $lc_domain = lc($domain);
 
+       # The   pkinit_require_krbtgt_otherName = false
+       # is just because the certificates we have saved
+       # do not have the realm in the subjectAltName
+       # (specially encoded as a principal)
+       # per
+       # https://github.com/heimdal/heimdal/wiki/Setting-up-PK-INIT-and-Certificates
        my $realms_stanza = "
  $realm = {
   kdc = $kdc_ipv4:88
   admin_server = $kdc_ipv4:88
   default_domain = $dnsname
+  pkinit_require_krbtgt_otherName = false
  }
  $dnsname = {
   kdc = $kdc_ipv4:88
   admin_server = $kdc_ipv4:88
   default_domain = $dnsname
+  pkinit_require_krbtgt_otherName = false
  }
  $domain = {
   kdc = $kdc_ipv4:88
   admin_server = $kdc_ipv4:88
   default_domain = $dnsname
+  pkinit_require_krbtgt_otherName = false
  }
  $lc_domain = {
   kdc = $kdc_ipv4:88
   admin_server = $kdc_ipv4:88
   default_domain = $dnsname
+  pkinit_require_krbtgt_otherName = false
  }
 
 ";
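Review bot: The added `pkinit_require_krbtgt_otherName = false` lands in all four realm stanzas, so every krb5.conf built from mk_realms_stanza relaxes the check, not only the environments that run PKINIT tests. As far as I understand the Heimdal option, it turns off the client-side requirement that the KDC certificate name the realm's krbtgt principal in its subjectAltName, which is what ties the certificate to the KDC role; with it off, the client presumably relies on the remaining chain checks alone. The comment above the heredoc should say that this is a selftest-only relaxation and what would remove it, e.g. `# TODO: regenerate the selftest KDC certificates with the PKINIT SAN and drop this setting`. The line is also repeated four times; holding it in one variable such as `my $pkinit_opts = "pkinit_require_krbtgt_otherName = false";` and interpolating that would make the later revert a one-line change. The body of mk_realms_stanza continues past the end of this hunk.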