From: Joseph Sutton
Date: Thu, 23 Jun 2022 01:59:11 +0000 (+1200)
Subject: CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
X-Git-Tag: samba-4.17.0rc1~268
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3029d9bf350e2ab34514975452def269efc3ed96;p=thirdparty%2Fsamba.git
CVE-2022-2031 testprogs: Add test for short-lived ticket across an incoming trust
We ensure that the KDC does not reject a TGS-REQ with our short-lived TGT over an incoming trust.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
Signed-off-by: Joseph Sutton
---
diff --git a/testprogs/blackbox/test_kinit_trusts_heimdal.sh b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
index 52b1ac6589c..29ea1c510ce 100755
--- a/testprogs/blackbox/test_kinit_trusts_heimdal.sh
+++ b/testprogs/blackbox/test_kinit_trusts_heimdal.sh
@@ -55,6 +55,10 @@ testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppa
 test_smbclient "Test login with user kerberos ccache" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
 rm -rf $KRB5CCNAME_PATH
+testit "kinit with password and two minute lifetime" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac --server=krbtgt/$REALM@$TRUST_REALM --lifetime=2m $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+test_smbclient "Test login with user kerberos ccache and two minute lifetime" 'ls' "$unc" --use-krb5-ccache=$KRB5CCNAME || failed=`expr $failed + 1`
+rm -rf $KRB5CCNAME_PATH
+
 # Test with smbclient4
 smbclient="$samba4bindir/smbclient4"
 testit "kinit with password" $samba4kinit $enctype --password-file=$PREFIX/tmppassfile --request-pac $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
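Review bot: Nothing in the added test confirms that the ticket obtained with `--lifetime=2m` is actually short-lived, so if kinit or the KDC returns a longer-lived ticket the `test_smbclient` step still passes without exercising the CVE-2022-2031 regression path. If the script has a klist helper in scope (not visible in this hunk), a `testit` step between the kinit and `test_smbclient` that checks the ccache end time would pin that down. The added lines also carry no comment; something like `# CVE-2022-2031 (bug 15047): the KDC must accept a TGS-REQ made with a two-minute cross-realm TGT over the incoming trust` above the new `testit` line would explain why `--server=krbtgt/$REALM@$TRUST_REALM` and the short lifetime are used.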
@@ -95,5 +99,5 @@ testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domai
 test_smbclient "Test user login with the changed outgoing secret" 'ls' "$unc" --use-kerberos=required -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1`
-rm -f $PREFIX/tmpccache tmpccfile tmppassfile tmpuserpassfile tmpuserccache
+rm -f $PREFIX/tmpccache $PREFIX/tmppassfile
 exit $failed
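Review bot: The new cleanup line drops `tmpccfile`, `tmpuserpassfile` and `tmpuserccache` instead of prefixing them with `$PREFIX`. The hunk does not show whether anything earlier in the script still writes those files under `$PREFIX`, and a leftover `tmpuserpassfile` would, judging by its name, keep a plaintext test password on disk, so it is worth confirming they are no longer created. The expansions are also unquoted; I would write the line as `rm -f "$PREFIX/tmpccache" "$PREFIX/tmppassfile"`. Because this cleanup only runs when the script reaches its final lines, an `EXIT` trap set where the password file is created (outside this hunk) would also remove it on early exits.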