From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Date: Thu, 4 Dec 2025 23:04:59 +0000 (+1300)
Subject: s4:test: fix kdc-heimdal simple tests for 'require canonicalization'
X-Git-Tag: tdb-1.4.15~71
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f64ba78b8b79152cf67bc69b41d27b806675c310;p=thirdparty%2Fsamba.git

s4:test: fix kdc-heimdal simple tests for 'require canonicalization'

The client doesn't request canonicalization here, so we always expect
its AS_REP to be C_PRINCIPAL_UNKNOWN.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
---

diff --git a/selftest/knownfail.d/krb5-require-canon b/selftest/knownfail.d/krb5-require-canon
index dfc08806e86..1785bb7b087 100644
--- a/selftest/knownfail.d/krb5-require-canon
+++ b/selftest/knownfail.d/krb5-require-canon
@@ -1,13 +1,3 @@
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-cmdline\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-pac\-request\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-break\-pw\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-clock\-skew\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-aes\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-rc4\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-aes\-rc4\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-change\-server\-in\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-change\-server\-out\(schema_dc:local\)
-^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.as\-req\-change\-server\-both\(schema_dc:local\)
 ^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.lc\-user\.no\-win2k\.samaccountname\.normal\(schema_dc:local\)
 ^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.uc\-user\.no\-win2k\.samaccountname\.normal\(schema_dc:local\)
 ^samba4\.krb5\.kdc\ with\ machine\ account\ require\ canonicalization\.canon\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.normal\.no\-canon\.no\-enterprise\.lc\-user\.win2k\.samaccountname\.normal\(schema_dc:local\)
diff --git a/source4/torture/krb5/kdc-heimdal.c b/source4/torture/krb5/kdc-heimdal.c
index d6659778491..dba4df5b7ac 100644
--- a/source4/torture/krb5/kdc-heimdal.c
+++ b/source4/torture/krb5/kdc-heimdal.c
@@ -30,6 +30,7 @@
 #include "source4/auth/kerberos/kerberos.h"
 #include "source4/auth/kerberos/kerberos_util.h"
 #include "lib/util/util_net.h"
+#include "param/param.h"
 
 #define krb5_is_app_tag(dat,tag)                          \
        ((dat != NULL) && (dat)->length &&                \
@@ -327,6 +328,20 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
 	KRB_ERROR error;
 	size_t used;
 	bool ok;
+	bool require_canon = lpcfg_kdc_require_canonicalization(
+		test_context->tctx->lp_ctx);
+
+	if (require_canon) {
+		torture_comment(test_context->tctx, "require_canon\n");
+		ok = torture_check_krb5_error(test_context,
+					      recv_buf,
+					      KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
+					      false);
+		torture_assert(test_context->tctx,
+			       ok,
+			       "canonicalization required");
+		return true;
+	}
 
 	switch (test_context->test)
 	{
@@ -741,7 +756,7 @@ static bool torture_krb5_as_req_creds(struct torture_context *tctx,
 	krb5_get_init_creds_opt *krb_options = NULL;
 	const char *realm;
 	const char *krb5_hostname = torture_setting_string(tctx, "krb5-hostname", "");
-
+	bool require_canon = lpcfg_kdc_require_canonicalization(tctx->lp_ctx);
 
 	ok = torture_krb5_init_context(tctx, test, &smb_krb5_context);
 	torture_assert(tctx, ok, "torture_krb5_init_context failed");
@@ -833,6 +848,20 @@ static bool torture_krb5_as_req_creds(struct torture_context *tctx,
 	k5ret = krb5_get_init_creds_password(smb_krb5_context->krb5_context, &my_creds, principal,
 					     password, NULL, NULL, 0,
 					     NULL, krb_options);
+
+	if (require_canon) {
+		/*
+		 * The clients in these requests are not using canonicalization, so
+		 * in all cases where the server has 'require canonicalization = yes',
+		 * the error code will be the same.
+		 */
+		torture_assert_int_equal(tctx,
+					 k5ret,
+					 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
+					 "server requires client to ask for canonicalization");
+		return true;
+	}
+
 	krb5_get_init_creds_opt_free(smb_krb5_context->krb5_context, krb_options);
 
 	switch (test)