From: Andreas Schneider Date: Wed, 16 Dec 2020 14:18:26 +0000 (+0100) Subject: s4:torture: Pass the pkinit ccache via a torture variable X-Git-Tag: tevent-0.11.0~359 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=092d26af6adda3d1c476e869f48a2a76065658aa;p=thirdparty%2Fsamba.git s4:torture: Pass the pkinit ccache via a torture variable Mixing -Uuser%password and --krb5-ccache doesn't really work on the cmdline as -U overwrited the ccache. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett
---
diff --git a/source4/torture/rpc/remote_pac.c b/source4/torture/rpc/remote_pac.c
index 2894badc8e9..6e956d57dde 100644
--- a/source4/torture/rpc/remote_pac.c
+++ b/source4/torture/rpc/remote_pac.c
@@ -162,7 +162,8 @@ static bool test_PACVerify(struct torture_context *tctx,
 {
 	NTSTATUS status;
 	bool ok;
-	bool pkinit_in_use = torture_setting_bool(tctx, "pkinit_in_use", false);
+	const char *pkinit_ccache = torture_setting_string(tctx, "pkinit_ccache", NULL);
+	bool pkinit_in_use = pkinit_ccache != NULL;
 	bool expect_pac_upn_dns_info = torture_setting_bool(tctx, "expect_pac_upn_dns_info", true);
 	size_t num_pac_buffers;
 	struct gensec_security *gensec_client_context;
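Review bot: An empty `pkinit_ccache` value still counts as pkinit in use, because the new `bool pkinit_in_use = pkinit_ccache != NULL;` only tests for NULL; the shell caller passes `--option=torture:pkinit_ccache=$KRB5CCNAME` unquoted, so an unset `KRB5CCNAME` would presumably arrive as an empty string rather than NULL (depending on how torture_setting_string treats an empty option) and the test would go on to set an empty ccache instead of falling back to the password credentials. Tightening it to `bool pkinit_in_use = (pkinit_ccache != NULL && pkinit_ccache[0] != '\0');` makes that failure mode explicit. A short comment such as `/* Set via --option=torture:pkinit_ccache=<ccache>; replaces the old pkinit_in_use bool */` would also help readers of the test settings. test_PACVerify's body continues outside the hunk.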
@@ -186,20 +187,61 @@ static bool test_PACVerify(struct torture_context *tctx,
 		       "Testing PAC Verify (secure_channel_type: %d, machine: %s, negotiate_flags: 0x%08x\n",
 		       secure_channel_type, test_machine_name, negotiate_flags);
-	/*
-	 * Copy the credentials in order to use a different MEMORY krb5 ccache
-	 * for each client/server setup. The MEMORY cache identifier is a
-	 * pointer to the creds container. If we copy it the pointer changes and
-	 * we will get a new clean memory cache.
-	 */
-	client_creds = cli_credentials_shallow_copy(tmp_ctx,
-						    popt_get_cmdline_credentials());
-	torture_assert(tctx, client_creds, "Failed to copy of credentials");
-	if (!pkinit_in_use) {
-		/* Invalidate the gss creds container to allocate a new MEMORY ccache */
+	if (pkinit_in_use) {
+		struct cli_credentials *tmp_creds = NULL;
+		const char *error_string = NULL;
+		int rc;
+
+		torture_comment(tctx,
+				"Using pkinit_ccache=%s\n",
+				pkinit_ccache);
+
+		tmp_creds = cli_credentials_init(tctx);
+		torture_assert(tctx, tmp_creds, "Failed to create credentials");
+
+		rc = cli_credentials_set_ccache(tmp_creds,
+						tctx->lp_ctx,
+						pkinit_ccache,
+						CRED_SPECIFIED,
+						&error_string);
+		torture_assert_int_equal(tctx,
+					 rc,
+					 0,
+					 "cli_credentials_set_ccache failed");
+		cli_credentials_set_kerberos_state(tmp_creds,
+						   CRED_USE_KERBEROS_REQUIRED,
+						   CRED_SPECIFIED);
+
+		/*
+		 * Copy the credentials in order to use a different MEMORY krb5
+		 * ccache for each client/server setup. The MEMORY cache
+		 * identifier is a pointer to the creds container. If we copy
+		 * it the pointer changes and we will get a new clean memory
+		 * cache.
+		 */
+		client_creds =
+			cli_credentials_shallow_copy(tmp_ctx, tmp_creds);
+		torture_assert(tctx,
+			       client_creds,
+			       "Failed to copy of credentials");
+	} else {
+		/*
+		 * Copy the credentials in order to use a different MEMORY krb5
+		 * ccache for each client/server setup. The MEMORY cache
+		 * identifier is a pointer to the creds container. If we copy
+		 * it the pointer changes and we will get a new clean memory
+		 * cache.
+		 */
+		client_creds =
+			cli_credentials_shallow_copy(tmp_ctx,
+						     popt_get_cmdline_credentials());
+		torture_assert(tctx,
+			       client_creds,
+			       "Failed to copy of credentials");
 		cli_credentials_invalidate_ccache(client_creds, CRED_SPECIFIED);
 	}
+
 	server_creds = cli_credentials_shallow_copy(tmp_ctx, credentials);
 	torture_assert(tctx, server_creds, "Failed to copy of credentials");
diff --git a/testprogs/blackbox/test_pkinit_pac_heimdal.sh b/testprogs/blackbox/test_pkinit_pac_heimdal.sh
index 12205398365..45edb7e6cb4 100755
--- a/testprogs/blackbox/test_pkinit_pac_heimdal.sh
+++ b/testprogs/blackbox/test_pkinit_pac_heimdal.sh
@@ -46,7 +46,7 @@ USER_PRINCIPAL_NAME=`echo "${USERNAME}@${REALM}" | tr A-Z a-z`
 PKUSER="--pk-user=FILE:$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-cert.pem,$PREFIX/pkinit/USER-${USER_PRINCIPAL_NAME}-private-key.pem"
 testit "STEP1 kinit with pkinit (name specified) " $samba4kinit $enctype --request-pac --renewable $PKUSER $USERNAME@$REALM || failed=`expr $failed + 1`
-testit "STEP1 remote.pac verification" $smbtorture4 ncacn_np:$SERVER rpc.pac --workgroup=$DOMAIN -U$USERNAME%$PASSWORD --krb5-ccache=$KRB5CCNAME --option=torture:pkinit_in_use=yes || failed=`expr $failed + 1`
+testit "STEP1 remote.pac verification" $smbtorture4 ncacn_np:$SERVER rpc.pac --workgroup=$DOMAIN -U$USERNAME%$PASSWORD --option=torture:pkinit_ccache=$KRB5CCNAME || failed=`expr $failed + 1`
 rm -f $PASSFILE_PATH
 rm -f $KRB5CCNAME_PATH
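Review bot: `error_string` is handed to cli_credentials_set_ccache() but never reported, so when `torture_assert_int_equal(tctx, rc, 0, "cli_credentials_set_ccache failed")` fires the reason and the ccache name are lost; formatting them into the message, e.g. `talloc_asprintf(tctx, "cli_credentials_set_ccache(%s) failed: %s", pkinit_ccache, error_string ? error_string : "unknown")`, keeps the diagnostic. The comment duplicated into the pkinit branch reads as copy-pasted: it justifies the shallow copy with obtaining a "new clean memory cache", yet that branch has just set a specific ccache which the copy is presumably meant to keep — if so, the comment should say that the copy preserves the explicitly set ccache (confirm against cli_credentials_shallow_copy). `tmp_creds` is also allocated on `tctx` while the other per-setup credentials here live on `tmp_ctx`; `cli_credentials_init(tmp_ctx)` would scope it the same way, unless the copy needs the original to outlive `tmp_ctx`. test_PACVerify starts before and continues after this hunk.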
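Review bot: `$KRB5CCNAME` is interpolated unquoted into `--option=torture:pkinit_ccache=$KRB5CCNAME`, so if it is unset or empty the option silently degrades to `torture:pkinit_ccache=` and the C side, which only checks for NULL, would treat an empty ccache name as pkinit in use; `--option="torture:pkinit_ccache=${KRB5CCNAME:?KRB5CCNAME must be set}"` fails loudly instead and also survives a ccache path containing spaces. `-U$USERNAME%$PASSWORD` still places the password on the command line; if the rpc.pac run no longer needs it once the pkinit ccache is supplied, dropping it would stop exposing the password in process listings, but that depends on whether the server-side credentials in the torture test are derived from -U, which this hunk does not show.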