authorGreg Hudson <ghudson@mit.edu>2015-08-03 20:45:17 -0400
committerGreg Hudson <ghudson@mit.edu>2015-08-13 11:53:08 -0400
commit16128e80d30b4f5e03c2f4fd3d1024216eed3fa4 (patch)
tree8f86acb735286dd576a3d3d02c81716e52beedb3 /src/tests/gssapi/t_s4u.py
parent9771826f113708c41c75d7c447d4b870c0f6a78f (diff)
Make cross-realm S4U2Self work
When sending a S4U2Self query to a foreign realm, send an enterprise server principal so that the foreign KDC can identify the home realm of the server principal. To make this work, adjust the memory management of krb5_get_self_cred_from_kdc(). s4u_creds is now a shallow copy of in_creds which owns no memory. A new variable eprinc owns the enterprise form of the server principal, constructed using a new helper function convert_to_enterprise(). Since we have to set the server realm for KDC-REQ encoding to work, a new temporary variable sprinc holds a shallow copy of *eprinc with the realm pointing to the realm we are currently querying. Based on a patch by Sumit Bose. ticket: 7790
Diffstat (limited to 'src/tests/gssapi/t_s4u.py')
-rwxr-xr-xsrc/tests/gssapi/t_s4u.py17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 5a2b807..7366e39 100755
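--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -142,4 +142,21 @@ out = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
 if 'auth1: user@' not in out or 'auth2: user@' not in out:
 fail('krb5 -> s4u2proxy')
+realm.stop()
+
+# Exercise cross-realm S4U2Self. The query in the foreign realm will
+# fail, but we can check that the right server principal was used.
+r1, r2 = cross_realms(2, create_user=False)
+r1.run([kinit, '-k', r1.host_princ])
+out = r1.run(['./t_s4u', 'p:' + r2.host_princ], expected_code=1)
+if 'Server not found in Kerberos database' not in out:
+ fail('cross-realm s4u2self (t_s4u output)')
+r1.stop()
+r2.stop()
+with open(os.path.join(r2.testdir, 'kdc.log')) as f:
+ kdclog = f.read()
+exp_princ = r1.host_princ.replace('/', '\\/').replace('@', '\\@')
+if ('for %s@%s, Server not found' % (exp_princ, r2.realm)) not in kdclog:
+ fail('cross-realm s4u2self (kdc log)')
+
 success('S4U test cases')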
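Review bot: The kdc.log check is the assertion that actually proves the commit's point, but the escaping on the `exp_princ` line and the `'for %s@%s, Server not found'` literal are unexplained; the first check only confirms a generic "Server not found", which a non-enterprise request would presumably produce as well. I would add above the `exp_princ` line: `# The foreign KDC logs the requested server name. With an enterprise principal the home-realm name travels as one component with '/' and '@' escaped, followed by @<foreign realm>, so this substring only matches if the enterprise form was sent. Depends on the exact wording of the KDC's "Server not found" log line.` Note also that if the first `fail(...)` fires, `r1.stop()`/`r2.stop()` are skipped, so KDC shutdown then relies on whatever cleanup `fail`/k5test performs on exit; and `os` must already be in scope from the file's imports, which are outside this hunk.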