From: Douglas Bagnall Date: Wed, 17 Dec 2025 02:17:23 +0000 (+1300) Subject: s4:test: fix kdc-canon-heimdal tests for 'require canonicalization' X-Git-Tag: tdb-1.4.15~70 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=955ae6ba935545e862f6b0a8e66b76b27fd2fe14;p=thirdparty%2Fsamba.git s4:test: fix kdc-canon-heimdal tests for 'require canonicalization' The combination of the server 'require canonicalization' option with a lack of a 'canonicalize' flag from the client results in the KDC answering the AS-REQ with a KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN error rather than an AS-REP. Signed-off-by: Douglas Bagnall Reviewed-by: Gary Lockyer --- diff --git a/selftest/knownfail.d/krb5-require-canon b/selftest/knownfail.d/krb5-require-canon index 1785bb7b087..a1f9b2b2389 100644 --- a/selftest/knownfail.d/krb5-require-canon +++ b/selftest/knownfail.d/krb5-require-canon 
@@ -1,19 +1,3 @@
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.samaccountname\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ 
canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.normal\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.removedollar\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.removedollar\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.removedollar\.s4u2self\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\.no\-canon\.no\-enterprise\.uc\-user\.win2k\.removedollar\.s4u2self\(schema_dc:local\)
^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_1_3\(schema_dc\)
 ^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_4\(schema_dc\)
 ^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_5\(schema_dc\)
diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index 3a0fa0b854f..d05572bafb0 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -305,6 +305,9 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 krb5_data in_data, enc_ticket;
 krb5_get_creds_opt opt;
+ bool require_canon = \
+ lpcfg_kdc_require_canonicalization(tctx->lp_ctx);
+
 bool implicit_dollar_requires_canonicalize = \
 ! lpcfg_kdc_name_match_implicit_dollar_without_canonicalization(
 tctx->lp_ctx);
@@ -586,6 +589,17 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 "krb5_get_init_creds_password "
 "(with no implicit dollar config)");
 return true;
+ } else if (require_canon && ! test_context->test_data->canonicalize) {
+ /*
+ * The server is requiring canonicalization, and we are not using it.
+ * This should always fail.
+ */
+ torture_assert_int_equal(tctx, k5ret,
+ KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ "Principal should not match with "
+ "'require canonicalization = yes' "
+ "when canonicalization is not used.");
+ return true;
 } else {
 assertion_message = talloc_asprintf(tctx,
 "krb5_get_init_creds_password for %s failed: %s",
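Review bot: The backslash in `bool require_canon = \` is a preprocessor line-continuation that does nothing in an ordinary C statement; the declaration already continues across the line break on its own, so `bool require_canon =` followed by `lpcfg_kdc_require_canonicalization(tctx->lp_ctx);` reads cleaner and avoids the "this might be a macro" double-take. The neighbouring `implicit_dollar_requires_canonicalize` declaration visible in the same hunk uses the same backslash, so either drop both while here or keep it for local consistency, but a new line is the natural point to stop spreading the idiom. torture_krb5_as_req_canon begins before this hunk.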
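Review bot: The new `else if (require_canon && ! test_context->test_data->canonicalize)` branch asserts with a fixed message, so when it fails the log shows only the two integer codes, whereas the `else` branch immediately below it formats the principal and the Kerberos error text into its message with `talloc_asprintf(tctx, "krb5_get_init_creds_password for %s failed: %s", ...)`. Building the message the same way here, e.g. `"krb5_get_init_creds_password for %s with 'require canonicalization = yes' and no canonicalize flag returned: %s"` with the same principal and error-string arguments the `else` branch passes, would make a regression in this path diagnosable from the test output without a debugger. The if/else chain this branch joins starts before the hunk, so it cannot be judged from here whether an earlier branch already captures some require_canon/no-canonicalize cases and returns before reaching this one; worth confirming the branch is actually hit for the machine-account tests removed from the knownfail list.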
@@ -713,6 +727,18 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 /* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
 k5ret = krb5_get_creds(k5_context, opt, ccache, krbtgt_other, &server_creds);
+ if (require_canon && ! test_context->test_data->canonicalize) {
+ /*
+ * The server is requiring canonicalization, and we are not using it.
+ * This should always fail.
+ */
+ torture_assert_int_equal(tctx, k5ret,
+ KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ "Principal should not match with "
+ "'require canonicalization = yes' "
+ "when canonicalization is not used.");
+ return true;
+ }
 {
 /*
 * In these situations, the code above does not store a
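Review bot: The comment over the new check repeats the AS-REQ wording ("The server is requiring canonicalization, and we are not using it. This should always fail."), but this check sits directly after `krb5_get_creds(k5_context, opt, ccache, krbtgt_other, &server_creds)`, i.e. a TGS-REQ made with a TGT the earlier AS-REQ already granted, so a reader cannot tell from the comment why this path is reached at all (the AS-REQ branch added in the previous hunk returns before getting here) or why the KDC is expected to answer with a client-principal code, KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, rather than a server-side one. Suggest replacing the comment with something that states the precondition and the expectation, e.g. `/* Only reached when the AS-REQ above succeeded without the canonicalize flag; with 'require canonicalization' the KDC is still expected to refuse this TGS-REQ for the non-canonical client with C_PRINCIPAL_UNKNOWN. */` — the second half is presumably the observed behaviour given the knownfail entries this commit removes, but confirm it before committing it to a comment. torture_krb5_as_req_canon continues past the end of this hunk.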