From: Joseph Sutton Date: Thu, 19 Oct 2023 03:23:32 +0000 (+1300) Subject: tests/krb5: Work around Samba’s incorrect krbtgt principal handling X-Git-Tag: talloc-2.4.2~1203 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0f5033a1e76a0e079b6dc1859f2cb2d9110e1b1f;p=thirdparty%2Fsamba.git tests/krb5: Work around Samba’s incorrect krbtgt principal handling These tests fail only because they are using the ‘krbtgt@REALM’ form of the krbtgt principal that Samba doesn’t handle correctly. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index d54931724d1..3c61e2bde55 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -2978,10 +2978,16 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) + # FIXME: we need to pass this parameter only because Samba doesn’t + # handle ‘krbtgt@REALM’ principals correctly (see + # https://bugzilla.samba.org/show_bug.cgi?id=15482). + krbtgt_sname = self.get_krbtgt_sname() + # Show that authentication succeeds. self._armored_as_req(client_creds, self.get_krbtgt_creds(), - mach_tgt) + mach_tgt, + target_sname=krbtgt_sname) self.check_as_log(client_creds, armor_creds=mach_creds, 
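Review bot: The FIXME added at the top of the hunk names the bug but not what the call would otherwise request, so a reader of this call site cannot tell why `get_krbtgt_sname()` is needed; `_armored_as_req` derives its default sname from `target_creds.get_username()` (see the later hunk in this commit), which for the krbtgt credentials is the single-component form. Suggest extending the comment with `# Without this, _armored_as_req builds a single-component 'krbtgt' NT_PRINCIPAL sname from the krbtgt creds, which is the form Samba mishandles.` With the override in place these three tests no longer exercise the `krbtgt@REALM` form at all, so once bug 15482 is fixed the override should be dropped again, or a separate knownfail-tracked test should keep that form covered so the KDC bug is not silently forgotten. The enclosing test method starts before and continues past this hunk.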
@@ -3360,10 +3366,16 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) + # FIXME: we need to pass this parameter only because Samba doesn’t + # handle ‘krbtgt@REALM’ principals correctly (see + # https://bugzilla.samba.org/show_bug.cgi?id=15482). + krbtgt_sname = self.get_krbtgt_sname() + # Show that authentication succeeds. self._armored_as_req(client_creds, self.get_krbtgt_creds(), - mach_tgt) + mach_tgt, + target_sname=krbtgt_sname) self.check_as_log(client_creds, armor_creds=mach_creds, @@ -4357,10 +4369,16 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs), } + # FIXME: we need to pass this parameter only because Samba doesn’t + # handle ‘krbtgt@REALM’ principals correctly (see + # https://bugzilla.samba.org/show_bug.cgi?id=15482). + krbtgt_sname = self.get_krbtgt_sname() + # Show that obtaining a service ticket with an AS‐REQ is allowed. self._armored_as_req(client_creds, self.get_krbtgt_creds(), mach_tgt, + target_sname=krbtgt_sname, expected_groups=expected_groups) self.check_as_log(client_creds, diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 28654042f78..d1bed6fc74f 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -176,6 +176,7 @@ class KdcTgsBaseTests(KDCBaseTest): target_creds, armor_tgt, *, + target_sname=None, expected_error=0, expected_sname=None, expect_edata=None, 
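Review bot: The new keyword-only `target_sname` parameter in the `_armored_as_req` signature hunk is undocumented, and nothing at the signature says what it must agree with; from the body change later in this commit, `target_realm` and `target_decryption_key` are still taken from `target_creds`, so an override must name the principal whose key is in `target_creds` or the returned ticket presumably cannot be decrypted. Suggest a parameter note (in the docstring if the method has one, else a comment above the parameter): `target_sname: explicit server PrincipalName to request; defaults to an NT_PRINCIPAL built from target_creds.get_username(). Must denote the principal whose key is target_creds, since realm and decryption key are still taken from there.` The `_armored_as_req` signature starts before this hunk and its body continues after it.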
@@ -191,9 +192,10 @@ class KdcTgsBaseTests(KDCBaseTest): client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, names=[client_username]) - target_name = target_creds.get_username() - target_sname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, names=[target_name]) + if target_sname is None: + target_name = target_creds.get_username() + target_sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[target_name]) target_realm = target_creds.get_realm() target_decryption_key = self.TicketDecryptionKey_from_creds( target_creds) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 986c2e9cc24..96a70a953a0 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -131,9 +131,3 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_without_aa_asserted_identity_client_from_rodc\(ad_dc\) -# -# Conditional ACE device restrictions -# -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\) diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 5f5a4fa45ec..4586c0e0d6a 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc 
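Review bot: The fallback branch added here still builds the single-component NT_PRINCIPAL name that the commit message says Samba mishandles, so any future caller that passes krbtgt creds without `target_sname` will hit bug 15482 again with no hint at this point in the code. Suggest a why-comment on the `if target_sname is None:` line: `# NOTE: for krbtgt creds this yields the single-component 'krbtgt@REALM' form that Samba mishandles (bug 15482); pass target_sname=self.get_krbtgt_sname() to avoid it.` The override is also not cross-checked against `target_creds`, whose realm and decryption key are still used on the following lines, so a mismatched override would surface as a ticket decryption failure rather than a clear assertion; if that is considered a plausible test-author mistake, a comment stating the assumption is the minimum. The body of `_armored_as_req` continues beyond this hunk.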
@@ -4066,13 +4066,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_invalid\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_not_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_claims_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_device_info\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_not_present\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_groups_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_no_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_resource_groups_present_to_service_sid_compression\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.DeviceRestrictionTests.test_pac_well_known_groups_not_present\(ad_dc\)
 ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_and_target_policy\(ad_dc\)
-^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.TgsReqServicePolicyTests.test_simple_as_req_client_policy_only\(ad_dc\)