author | Isaac Boukris <iboukris@gmail.com> | 2018-10-15 18:33:15 +0300 |
---|---|---|
committer | Greg Hudson <ghudson@mit.edu> | 2018-10-23 16:44:02 -0400 |
commit | 0b872730081f01d0d2b6f78675bb5c74604cef62 (patch) | |
tree | e6bea7500dc8c5581e68cbfaad1087b1e1186845 /src/tests/gssapi/t_s4u.py | |
parent | a7020d32cf4c7692aec1903e7818d779713ecd43 (diff) | |
Add GSS_KRB5_NT_ENTERPRISE_NAME name type
Add a new name-type OID which causes a string to be imported as an
enterprise name. This is useful for authenticating and impersonating
users with their UPN names.
Resurrect t_imp_name test to exercise importing of the new name OID.
Also add a test using the new name in cross-realm protocol transition,
to exercise s4u_identify_user() with multiple realms.
[ghudson@mit.edu: added Windows export entry; adjusted comments and
test code; edited commit message]
ticket: 8756 (new)
Diffstat (limited to 'src/tests/gssapi/t_s4u.py')
-rwxr-xr-x | src/tests/gssapi/t_s4u.py | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py index eb9545d..fd29e1a 100755 --- a/src/tests/gssapi/t_s4u.py +++ b/src/tests/gssapi/t_s4u.py @@ -143,14 +143,16 @@ realm.stop() mark('cross-realm S4U2Self') testprincs = {'krbtgt/SREALM': {'keys': 'aes128-cts'}, 'krbtgt/UREALM': {'keys': 'aes128-cts'}, - 'user': {'keys': 'aes128-cts'}} + 'user': {'keys': 'aes128-cts', 'flags': '+preauth'}} kdcconf1 = {'realms': {'$realm': {'database_module': 'test'}}, 'dbmodules': {'test': {'db_library': 'test', - 'princs': testprincs }}} + 'princs': testprincs, + 'alias': {'enterprise@abc': '@UREALM'}}}} kdcconf2 = {'realms': {'$realm': {'database_module': 'test'}}, 'dbmodules': {'test': {'db_library': 'test', 'princs': testprincs, - 'alias': {'user@SREALM': '@SREALM'}}}} + 'alias': {'user@SREALM': '@SREALM', + 'enterprise@abc': 'user'}}}} r1, r2 = cross_realms(2, xtgts=(), args=({'realm': 'SREALM', 'kdc_conf': kdcconf1}, {'realm': 'UREALM', 'kdc_conf': kdcconf2}), 
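Review bot: The `'flags': '+preauth'` added to `user` and the two `enterprise@abc` alias entries have no comment, yet the enterprise-name test added later in this file appears to depend on them: its expected trace includes a referral to UREALM and '/Additional pre-authentication required'. A short comment above `testprincs` would make that dependency explicit, for example `# user requires preauth so realm identification stops at a preauth-required error; enterprise@abc is referred to UREALM by the first KDC and aliased to user by the second`. How the test KDB module interprets an alias value beginning with `@` is not visible on this page, so the wording should be confirmed against that module. The `cross_realms(` call continues past the end of the hunk.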
@@ -175,6 +177,24 @@ msgs = ('Getting credentials user@UREALM -> user@SREALM', r1.run(['./t_s4u', 'p:' + r2.user_princ, '-', r1.keytab], env=no_default, expected_trace=msgs) +# Test realm identification of enterprise principal names ([MS-S4U] +# 3.1.5.1.1.1). Attach a bogus realm to the enterprise name to verify +# that we start at the server realm. +mark('cross-realm S4U2Self with enterprise name') +msgs = ('Getting initial credentials for enterprise\\@abc@SREALM', + 'Processing preauth types: PA-FOR-X509-USER (130)', + 'Sending unauthenticated request', + '/Realm not local to KDC', + 'Following referral to realm UREALM', + 'Processing preauth types: PA-FOR-X509-USER (130)', + 'Sending unauthenticated request', + '/Additional pre-authentication required', + '/Generic preauthentication failure', + 'Getting credentials enterprise\\@abc@UREALM -> user@SREALM', + 'TGS reply is for enterprise\@abc@UREALM -> user@SREALM') +r1.run(['./t_s4u', 'e:enterprise@abc@NOREALM', '-', r1.keytab], + expected_trace=msgs) + r1.stop() r2.stop() |
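Review bot: The last expected-trace string, `'TGS reply is for enterprise\@abc@UREALM -> user@SREALM'`, writes the backslash as `\@`, while the line above it uses `\\@` for the same principal. Python keeps the backslash for an unrecognised escape, so both spellings match the same trace text today, but `\@` is a deprecated invalid escape sequence that triggers a DeprecationWarning (a SyntaxWarning from Python 3.12) and is expected to become an error. Writing it as `'TGS reply is for enterprise\\@abc@UREALM -> user@SREALM')` keeps the escaping consistent and the test free of warnings.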