From: Douglas Bagnall Date: Wed, 17 Dec 2025 02:19:55 +0000 (+1300) Subject: pytest:krb5:ms_kile: adjust for 'require canonicalization' X-Git-Tag: tdb-1.4.15~68 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e1757704e5d2563bcc0e32138c5ea10d28bba9e3;p=thirdparty%2Fsamba.git pytest:krb5:ms_kile: adjust for 'require canonicalization' Signed-off-by: Douglas Bagnall Reviewed-by: Gary Lockyer --- diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py index 59be116a6bb..ba9abfe1e84 100755 --- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -107,6 +107,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return + self.check_pre_authentication(rep) # Do the next AS-REQ @@ -172,6 +178,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return + self.check_pre_authentication(rep) # Do the next AS-REQ @@ -236,6 +248,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return + self.check_pre_authentication(rep) # Do the next AS-REQ 
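Review bot: The added comment in the hunk at `@@ -107,6 +107,12 @@` says "so preauth will fail", but the assertion below it expects `KDC_ERR_C_PRINCIPAL_UNKNOWN`, which is a client-name lookup error rather than a pre-authentication error. The same comment is repeated in every other hunk of this file. Going by the asserted code, the request appears to be rejected before pre-authentication is reached, so a wording such as `# no canonicalize (or any other) kdc-option was sent, so the KDC` / `# rejects the client name before pre-authentication is reached.` would match what the test checks. The enclosing test method starts and ends outside the hunk.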
@@ -313,6 +331,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): # principal should not be found in this case self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return self.check_as_reply(rep) salt = "%s%s" % (realm.upper(), user_name) @@ -371,6 +394,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): if not self.uncanonicalized_implicit_dollar: self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return self.check_pre_authentication(rep) @@ -440,6 +468,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): if not self.uncanonicalized_implicit_dollar: self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return + self.check_pre_authentication(rep) # Do the next AS-REQ @@ -480,6 +514,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return + self.check_pre_authentication(rep) # Do the next AS-REQ 
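Review bot: The four-line `if self.require_canonicalization:` block added in the hunk at `@@ -371,6 +394,11 @@` is copied verbatim into every hunk of this file, and here it sits directly after an `uncanonicalized_implicit_dollar` guard that asserts the same error. A single helper on the test class would keep the expected error code and its explanation in one place. That matters if the rejection code for this hardening setting ever changes, since a missed copy would then go stale unnoticed. The hunks at `@@ -440`, `@@ -612`, `@@ -690`, `@@ -750` and `@@ -820` have the same back-to-back guards; the helper name below is only a suggestion.

```python
def check_canonicalization_required(self, rep):
    """Assert the rejection expected when the KDC requires canonicalization.

    Returns True when the calling test should stop after this check.
    """
    if not self.require_canonicalization:
        return False
    # no kdc-options were sent, so the KDC is expected to reject the name
    self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN)
    return True

# … unchanged: AS-REQ setup and the uncanonicalized_implicit_dollar guard …
if self.check_canonicalization_required(rep):
    return
```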
@@ -544,6 +584,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): name_type=NT_SRV_INST, names=["krbtgt", realm]) rep = self.as_req(cname, sname, realm, etype) + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return self.check_pre_authentication(rep) # Do the next AS-REQ @@ -612,6 +657,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): if not self.uncanonicalized_implicit_dollar: self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return self.check_pre_authentication(rep) @@ -690,6 +740,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): if not self.uncanonicalized_implicit_dollar: self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return self.check_as_reply(rep) salt = "%s%s" % (realm.upper(), user_name) @@ -750,6 +805,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): if not self.uncanonicalized_implicit_dollar: self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return self.check_pre_authentication(rep) 
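Review bot: In the hunk at `@@ -544,6 +584,11 @@` the new `return` comes right after the first AS-REQ, so in an environment with `require_canonicalization` set nothing from `self.check_pre_authentication(rep)` onwards runs and the test only asserts the rejection. That holds for every hunk in this file, which means the lookup steps these tests are named after are not exercised under that setting. It would help to say so at the return, e.g. `# the remaining lookup steps are not exercised when canonicalization is required`. A companion case that sends the canonicalize option and runs the later steps would confirm that the setting still lets valid clients through. The test method's body continues outside the hunk.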
@@ -820,6 +880,12 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): if not self.uncanonicalized_implicit_dollar: self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) return + if self.require_canonicalization: + # we have not provided the canonicalize (or any other) kdcoption + # so preauth will fail. + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + return + self.check_pre_authentication(rep) # Do the next AS-REQ diff --git a/selftest/knownfail.d/krb5-require-canon b/selftest/knownfail.d/krb5-require-canon index 11710f4dc89..e797daf19ce 100644 --- a/selftest/knownfail.d/krb5-require-canon +++ b/selftest/knownfail.d/krb5-require-canon 
@@ -1,15 +1,3 @@
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_1_3\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_4\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_5\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_enterprise_principal_step_6_a\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_enterprise_principal_step_6_b\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_1\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_2\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_3\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_4_a\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_4_b\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_4_c\(schema_dc\)
-^samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.samba\.tests\.krb5\.ms_kile_client_principal_lookup_tests\.MS_Kile_Client_Principal_Lookup_Tests\.test_nt_principal_step_6_c\(schema_dc\)
 ^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_as_req_enc_timestamp\(schema_dc\)
 ^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_as_req_enc_timestamp_aes128_rc4\(schema_dc\)
 ^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_as_req_enc_timestamp_mac\(schema_dc\)