struct dom_sid *builtin_domain;
+ struct dom_sid *ai_auth_authority = NULL;
+ struct dom_sid *ai_service = NULL;
+ size_t ai_auth_authority_count = 0;
+ size_t ai_service_count = 0;
+ bool ok;
+
TALLOC_CTX *tmp_ctx = talloc_new(tctx);
torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed");
s4u2self_session_info->info->account_name, "Account name differs for S4U2Self");
torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, kinit_session_info->info->full_name, "Full name differs for kinit-based PAC");
torture_assert_str_equal(tctx, netlogon_user_info_dc->info->full_name == NULL ? "" : netlogon_user_info_dc->info->full_name, s4u2self_session_info->info->full_name, "Full name differs for S4U2Self");
- torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids, "Different numbers of domain groups for kinit-based PAC");
- torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids, "Different numbers of domain groups for S4U2Self");
builtin_domain = dom_sid_parse_talloc(tmp_ctx, SID_BUILTIN);
+ /* KRB5 might have an additional sid, the asserted identity */
+ ai_auth_authority = dom_sid_parse_talloc(
+ tmp_ctx,
+ SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY);
+
+ ai_service = dom_sid_parse_talloc(
+ tmp_ctx,
+ SID_SERVICE_ASSERTED_IDENTITY);
+
+ ai_auth_authority_count = 0;
+ ai_service_count = 0;
for (i = 0; i < kinit_session_info->torture->num_dc_sids; i++) {
+ ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i],
+ ai_auth_authority);
+ if (ok) {
+ ai_auth_authority_count++;
+ }
+
+ ok = dom_sid_equal(&kinit_session_info->torture->dc_sids[i],
+ ai_service);
+ if (ok) {
+ ai_service_count++;
+ }
+ }
+
+ torture_assert_int_equal(tctx, ai_auth_authority_count, 1,
+ "Kinit authority asserted identity should be (1)");
+ torture_assert_int_equal(tctx, ai_service_count, 0,
+ "Kinit service asserted identity should be (0)");
+
+ ai_auth_authority_count = 0;
+ ai_service_count = 0;
+ for (i = 0; i < s4u2self_session_info->torture->num_dc_sids; i++) {
+ ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i],
+ ai_auth_authority);
+ if (ok) {
+ ai_auth_authority_count++;
+ }
+
+ ok = dom_sid_equal(&s4u2self_session_info->torture->dc_sids[i],
+ ai_service);
+ if (ok) {
+ ai_service_count++;
+ }
+ }
+
+ torture_assert_int_equal(tctx, ai_auth_authority_count, 0,
+ "S4U2Self authority asserted identity should be (0)");
+ torture_assert_int_equal(tctx, ai_service_count, 1,
+ "S4U2Self service asserted identity should be (1)");
+
+ torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, kinit_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for kinit-based PAC");
+ torture_assert_int_equal(tctx, netlogon_user_info_dc->num_sids, s4u2self_session_info->torture->num_dc_sids - 1, "Different numbers of domain groups for S4U2Self");
+
+ for (i = 0; i < netlogon_user_info_dc->num_sids; i++) {
torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &kinit_session_info->torture->dc_sids[i]), "Different domain groups for kinit-based PAC");
torture_assert(tctx, dom_sid_equal(&netlogon_user_info_dc->sids[i], &s4u2self_session_info->torture->dc_sids[i]), "Different domain groups for S4U2Self");
torture_assert(tctx, !dom_sid_in_domain(builtin_domain, &s4u2self_session_info->torture->dc_sids[i]), "Returned BUILTIN domain in groups for S4U2Self");
projects / thirdparty / samba.git / commitdiff
