From 2098124705cdc7abd5321e1dee32dc843547eab3 Mon Sep 17 00:00:00 2001
From: Greg Hudson
Date: Wed, 8 Apr 2015 12:09:09 -0400
Subject: [PATCH] Add tests for client principal aliases

Augment the LDAP KDB module tests to include client principal aliases as well as server principal aliases. Also revise the server principal alias tests to include an AS-REQ case. (This requires adjusting the subsequent test not to assume a ccache containing a TGT.)
---
 src/tests/t_kdb.py | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 56595db704..28c672ce34 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -274,7 +274,7 @@ realm.run([kvno, realm.host_princ])
 realm.klist(realm.user_princ, realm.host_princ)
 # Test service principal aliases.
-realm.addprinc('canon')
+realm.addprinc('canon', password('canon'))
 ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
 'changetype: modify\n'
 'add: krbPrincipalName\n'
@@ -293,6 +293,8 @@ realm.run([kvno, 'canon'])
 out = realm.run([klist])
 if 'alias@KRBTEST.COM\n' not in out or 'canon@KRBTEST.COM' not in out:
 fail('After fetching alias and canon, klist is missing one or both')
+realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])
+realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
 # Make sure an alias to the local TGS is still treated like an alias.
 ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
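Review bot: The added `realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])` in the @@ -293 hunk replaces the ccache with one that holds only the alias ticket, and nothing in the script says so; the reason is recorded only in the commit message. A comment above it such as `# AS-REQ directly for the alias; the ccache no longer holds a TGT.` would explain why the @@ -306 hunk has to run `realm.kinit(realm.user_princ, password('user'))` again before `kvno tgtalias`. The trailing `ldap_modify(` call continues outside this hunk.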
@@ -306,10 +308,9 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
 out = realm.run([kadminl, 'getprinc', 'tgtalias'])
 if 'Principal: krbtgt/KRBTEST.COM@KRBTEST.COM' not in out:
 fail('Could not fetch krbtgt through tgtalias')
+realm.kinit(realm.user_princ, password('user'))
 realm.run([kvno, 'tgtalias'])
-out = realm.run([klist])
-if 'tgtalias@KRBTEST.COM\n' not in out:
- fail('After fetching tgtalias, klist is missing it')
+realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
 # Make sure aliases work in header tickets.
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours', 'user'])
@@ -320,6 +321,18 @@ realm.run([kvno, 'alias'])
 realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
 realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
+# Test client principal aliases, with and without preauth.
+realm.kinit('canon', password('canon'))
+out = realm.kinit('alias', password('canon'), expected_code=1)
+if 'not found in Kerberos database' not in out:
+ fail('Wrong error message for kinit to alias without -C flag')
+realm.kinit('alias', password('canon'), ['-C'])
+realm.run([kvno, 'alias'])
+realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
+realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
+realm.kinit('canon', password('canon'))
+realm.kinit('alias', password('canon'), ['-C'])
+
 # Regression test for #7980 (fencepost when dividing keys up by kvno).
 realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
 'kvnoprinc'])
-- 
2.47.2
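Review bot: Replacing the explicit `'tgtalias@KRBTEST.COM\n' not in out` test with `realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')` in the @@ -306 hunk may loosen the assertion. The removed check anchored the service name at the end of the line, while the helper, which is defined outside this patch, may only look for the name as a substring of the klist output. This block exists to show that an alias of the local TGS is not rewritten to the canonical krbtgt name, so confirm the helper compares the whole service-name field, or keep the anchored check next to the new call.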
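Review bot: The preauth half of the client-alias test in the @@ -320 hunk ends on `realm.kinit('alias', password('canon'), ['-C'])` and checks only the exit status, so it would still pass if the ticket were issued under the alias name instead of the canonical one. The non-preauth half asserts the ccache principal with `realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')`; the preauth path deserves the same, for example `realm.klist('canon@KRBTEST.COM', 'krbtgt/KRBTEST.COM@KRBTEST.COM')` after the last kinit. The `+requires_preauth` flag also stays set on canon for the rest of the script, which lies outside this hunk, so a short comment saying that is intended would help.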