From: Douglas Bagnall
Date: Wed, 5 Nov 2025 03:14:12 +0000 (+1300)
Subject: s4/torture:kdc-canon understands no-implicit-dollar setting
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7e45ca3868e1efb2b54e55e2f1030a84f9c65426;p=thirdparty%2Fsamba.git

s4/torture:kdc-canon understands no-implicit-dollar setting

Signed-off-by: Douglas Bagnall
Reviewed-by: Jennifer Sutton
---
diff --git a/selftest/knownfail.d/krb5-no-dollar b/selftest/knownfail.d/krb5-no-dollar
index 827ffb54041..eec4a2816ac 100644
--- a/selftest/knownfail.d/krb5-no-dollar
+++ b/selftest/knownfail.d/krb5-no-dollar
@@ -1,3 +1,11 @@
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
+^samba4\.krb5\.kdc\ with\ machine\ account\ no\ dollar\ extension\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\(ad_dc_ntvfs:local\)
 ^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_5\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_2\(ad_dc_ntvfs\)
 ^samba\.tests\.krb5\.alias_tests\.samba\.tests\.krb5\.alias_tests\.AliasTests\.test_create_alias_delete\(ad_dc_ntvfs\)
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index a64c73d809e..0dd67a92fc7 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -302,6 +302,10 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * krb5_data in_data, enc_ticket; krb5_get_creds_opt opt; + bool implicit_dollar_requires_canonicalize = \ + ! lpcfg_kdc_name_match_implicit_dollar_without_canonicalization( + tctx->lp_ctx); + const char *spn = NULL; const char *spn_real_realm = NULL; const char *upn = torture_setting_string(tctx, "krb5-upn", "");
@@ -536,6 +540,20 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * "krb5_get_init_creds_password"); /* We can't proceed with more checks */ return true; + } else if (implicit_dollar_requires_canonicalize && + test_context->test_data->removedollar && + ! test_context->test_data->canonicalize) { + /* + * We are trying to match "foo" to "foo$", but we the + * server is configured to not make that match without + * canonicalization. + */ + torture_assert_int_equal(tctx, k5ret, + KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, + "Got wrong error_code from " + "krb5_get_init_creds_password " + "(with no implicit dollar config)"); + return true; } else { assertion_message = talloc_asprintf(tctx, "krb5_get_init_creds_password for %s failed: %s",
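Review bot: The added declaration of `implicit_dollar_requires_canonicalize` ends its first line with a `\` continuation although it is not inside a preprocessor directive; the backslash is unnecessary, and any trailing whitespace after it would stop it being a clean line splice. The initializer can wrap without it: `bool implicit_dollar_requires_canonicalize =` followed by `!lpcfg_kdc_name_match_implicit_dollar_without_canonicalization(tctx->lp_ctx);`. A one-line comment such as `/* true when the KDC must not match "foo" to "foo$" unless the client asked for canonicalization */` would also save the reader from decoding the negated parameter name. The body of torture_krb5_as_req_canon starts and ends outside this hunk.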
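Review bot: The new `else if` branch returns `true` as soon as the AS-REQ is rejected with `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN`, so the `removedollar` variants whose names end in `.s4u2self` (they are in the knownfail list of this same commit) appear to stop before any S4U2Self exchange and only repeat the AS-REQ refusal check. If the no-implicit-dollar setting is also meant to govern name lookup on the TGS/S4U2Self path, that is not covered here; a comment such as `/* No TGT is obtained, so the S4U2Self lookup of the dollar-less name is not exercised in this configuration */` would make the limit explicit. The block comment also has a slip, "but we the server is configured", which should read "but the server is configured". The surrounding if/else chain and the rest of the function lie outside the hunk, so whether an earlier branch already catches some of these variants cannot be checked from here.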