tests/krb5: Add test for S4U2Self with wrong sname
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 24 Nov 2021 21:05:17 +0000 (10:05 +1300)
committerJule Anger <janger@samba.org>
Sun, 24 Jul 2022 09:42:01 +0000 (11:42 +0200)
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bac5f75059450898937be891e863826e1350b62c)

python/samba/tests/krb5/s4u_tests.py
selftest/knownfail_heimdal_kdc

index 5f37525f3935d3cbb81b5dbaba6c732792f991da..2953766ef21fc7b63e476a58143bcfbd792db56d 100755 (executable)
@@ -36,6 +36,7 @@ from samba.tests.krb5.raw_testcase import (
 from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
     ARCFOUR_HMAC_MD5,
+    KDC_ERR_BADMATCH,
     KDC_ERR_BADOPTION,
     KDC_ERR_BAD_INTEGRITY,
     KDC_ERR_GENERIC,
@@ -243,7 +244,9 @@ class S4UKerberosTests(KDCBaseTest):
         client_dn = client_creds.get_dn()
         sid = self.get_objectSid(samdb, client_dn)
 
-        service_name = service_creds.get_username()[:-1]
+        service_name = kdc_dict.pop('service_name', None)
+        if service_name is None:
+            service_name = service_creds.get_username()[:-1]
         service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
                                                   names=['host', service_name])
 
@@ -474,6 +477,33 @@ class S4UKerberosTests(KDCBaseTest):
                 'expected_flags': 'forwardable'
             })
 
+    # Do an S4U2Self with the sname in the request different to that of the
+    # service. We expect an error.
+    def test_s4u2self_wrong_sname(self):
+        other_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER,
+            opts={
+                'trusted_to_auth_for_delegation': True,
+                'id': 0
+            })
+        other_sname = other_creds.get_username()[:-1]
+
+        self._run_s4u2self_test(
+            {
+                'expected_error_mode': KDC_ERR_BADMATCH,
+                'expect_edata': False,
+                'client_opts': {
+                    'not_delegated': False
+                },
+                'service_opts': {
+                    'trusted_to_auth_for_delegation': True
+                },
+                'service_name': other_sname,
+                'kdc_options': 'forwardable',
+                'modify_service_tgt_fn': functools.partial(
+                    self.set_ticket_forwardable, flag=True)
+            })
+
     def _run_delegation_test(self, kdc_dict):
         client_opts = kdc_dict.pop('client_opts', None)
         client_creds = self.get_cached_creds(
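Review bot: The new test_s4u2self_wrong_sname only covers a mismatched sname that names another account which is itself flagged `trusted_to_auth_for_delegation`, so it does not show what the KDC returns when the mismatched sname belongs to an account without that flag, which is the case a holder of a delegation-trusted TGT would actually try; a second case that creates other_creds without the flag would pin the rejection to the name mismatch rather than to the target's attributes. The local `other_sname` holds a bare account name with the trailing `$` sliced off, while `service_sname` elsewhere in this file is a PrincipalName, so `other_service_name` would describe it more accurately. The leading comment would serve better as the method's docstring, e.g. `"""S4U2Self whose sname differs from the service presenting the TGT must fail with KDC_ERR_BADMATCH."""`. The diffstat also adds this test to selftest/knownfail_heimdal_kdc, which suggests the Heimdal-based KDC does not yet return BADMATCH here; a comment line in that file saying why would help whoever later removes the entry. `_run_delegation_test` starts at the end of this hunk and continues outside it.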
index bc644587319ef3b46ed1d3d8d65aa9be3e877671..483145f1473fc3c0338012a69a6dd9b7251a2da5 100644 (file)
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname
 #
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required