tests/krb5: Add test requesting a service ticket expiring post-2038

Windows 11 22H2 performs such requests, with year 9999.
The test fails with KDC_ERR_BAD_INTEGRITY on older
Heimdal versions, which are unable to verify a checksum
over the modified request body (due to a re-encoding failure).

REF: https://github.com/heimdal/heimdal/issues/1011

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197

[abartlet@samba.org Add knownfail for backport - as Samba
 4.15 and earlier fail this test, adapted commit
 67811e121fbef08337675d473390160793544719 to test
 paraemters in 4.15]

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(backported from commit 67811e121fbef08337675d473390160793544719)

diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index e876efe1a6dd160a112a9376f83eb3289693bf56..37a13ba9024262873c08a84eaa7f8b63c4c9cfc8 100755 (executable)
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -178,6 +178,7 @@ class KdcTgsBaseTests(KDCBaseTest):
                  sname=None,
                  srealm=None,
                  use_fast=False,
+                 till=None,
                  expect_claims=True,
                  etypes=None,
                  expected_ticket_etype=None,
@@ -294,6 +295,7 @@ class KdcTgsBaseTests(KDCBaseTest):
                                          cname=None,
                                          realm=srealm,
                                          sname=sname,
+                                         till_time=till,
                                          etypes=etypes,
                                          additional_tickets=additional_tickets)
         if expected_error:
@@ -2392,6 +2394,18 @@ class KdcTgsTests(KdcTgsBaseTests):
         self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
                                            KDC_ERR_C_PRINCIPAL_UNKNOWN))
 
+    # Test making a TGS request for a ticket expiring post-2038.
+    def test_tgs_req_future_till(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds)
+
+        target_creds = self.get_service_creds()
+        self._tgs_req(
+            tgt=tgt,
+            expected_error=0,
+            target_creds=target_creds,
+            till='99990913024805Z')
+
     def _modify_renewable(self, enc_part):
         # Set the renewable flag.
         enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)

diff --git a/selftest/knownfail.d/windows11-22h2 b/selftest/knownfail.d/windows11-22h2
new file mode 100644 (file)
index 0000000..69980ce
--- /dev/null
+++ b/selftest/knownfail.d/windows11-22h2
@@ -0,0 +1,2 @@
+# This tests shows the new timestamp from Windows 11 22H2 which fails in this version
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_future_till
\ No newline at end of file