From: Isaac Boukris Date: Sat, 9 May 2020 14:26:45 +0000 (+0200) Subject: selftest: test forwardable flag in cross-realm with s4u2proxy X-Git-Tag: ldb-2.2.0~136 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fb7dfdbe8f94f7f053d67832e7f28a751136d733;p=thirdparty%2Fsamba.git selftest: test forwardable flag in cross-realm with s4u2proxy Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett --- diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd new file mode 100644 index 00000000000..63ade3eece0 --- /dev/null +++ b/selftest/knownfail.d/s4u2p_fwd @@ -0,0 +1,2 @@ +^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user +^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index d0deeecbd23..39502236f21 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -488,7 +488,7 @@ if have_heimdal_support: plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) - plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration]) + plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration]) else: plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient3, configuration]) diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh index c6ada54e85b..c63eeaa2e30 100755 --- a/testprogs/blackbox/test_s4u_heimdal.sh +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -12,8 +12,13 @@ USERNAME=$2 PASSWORD=$3 REALM=$4 DOMAIN=$5 -PREFIX=$6 -shift 6 +TRUST_SERVER=$6 +TRUST_USERNAME=$7 +TRUST_PASSWORD=$8 +TRUST_REALM=$9 +TRUST_DOMAIN=${10} +PREFIX=${11} +shift 11 failed=0 @@ -39,7 +44,7 @@ export KRB5CCNAME rm -rf $KRB5CCNAME_PATH princ=test_impersonate_princ -impersonator=test_impersonator +impersonator=test_impersonator.$REALM target="CIFS/$SERVER.$REALM" @@ -72,6 +77,12 @@ testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmp testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` +echo $TRUST_PASSWORD > $PREFIX/tmppassfile +testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` +testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +echo $PASSWORD > $PREFIX/tmppassfile testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`