authorIsaac Boukris <iboukris@gmail.com>2019-03-12 21:59:55 +0200
committerGreg Hudson <ghudson@mit.edu>2019-09-09 00:04:33 -0400
commite131d339b81a22bfc91ab96990c3be9e7779200e (patch)
tree4531dc131896eac848a8952b7f41aad30f1d36e2 /src/tests/gssapi/t_s4u.py
parentc426ef2ca2ba45dbf96f5380cf7d153ec0679424 (diff)
S4U2Proxy evidence tickets needn't be forwardable
With the introduction of resource-based constrained delegation, the absence of the forwardable flag no longer implies that a ticket cannot be used for constrained delegation requests. Instead, we should check in the PAC to see if the user is marked as sensitive, and error out in that case rather than making a failed request. But we don't always have access to the PAC and we currently do not have the code to retrieve this attribute from the PAC. Since krb5_get_credentials_for_proxy() no longer needs to look at the decrypted ticket, change kvno to not require a keytab for constrained delegation. [ghudson@mit.edu: made minor style changes and commit message edits; updated documentation] ticket: 8479
Diffstat (limited to 'src/tests/gssapi/t_s4u.py')
-rwxr-xr-xsrc/tests/gssapi/t_s4u.py25
1 files changed, 11 insertions, 14 deletions
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 63183aa..dc871ae 100755
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -47,23 +47,20 @@ if ('auth1: ' + realm.user_princ not in output or
'NOT_ALLOWED_TO_DELEGATE' not in output):
fail('krb5 -> s4u2proxy (SPNEGO)')
-# Try krb5 -> S4U2Proxy without forwardable user creds. This should
-# result in no delegated credential being created by
-# accept_sec_context.
+# Try krb5 -> S4U2Proxy without forwardable user creds.
realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
-realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
- pservice1, pservice2], expected_msg='no credential delegated')
+output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
+ pservice1, pservice2], expected_code=1)
+if ('auth1: ' + realm.user_princ not in output or
+ 'EVIDENCE_TKT_NOT_FORWARDABLE' not in output):
+ fail('krb5 -> s4u2proxy not-forwardable')
-# Try S4U2Self. Ask for an S4U2Proxy step; this won't happen because
+# Try S4U2Self. Ask for an S4U2Proxy step; this won't succeed because
# service/1 isn't allowed to get a forwardable S4U2Self ticket.
-output = realm.run(['./t_s4u', puser, pservice2])
-if ('Warning: no delegated cred handle' not in output or
- 'Source name:\t' + realm.user_princ not in output):
- fail('s4u2self')
-output = realm.run(['./t_s4u', '--spnego', puser, pservice2])
-if ('Warning: no delegated cred handle' not in output or
- 'Source name:\t' + realm.user_princ not in output):
- fail('s4u2self (SPNEGO)')
+realm.run(['./t_s4u', puser, pservice2], expected_code=1,
+ expected_msg='EVIDENCE_TKT_NOT_FORWARDABLE')
+realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1,
+ expected_msg='EVIDENCE_TKT_NOT_FORWARDABLE')
# Correct that problem and try again. As above, the S4U2Proxy step
# won't actually succeed since we don't support that in DB2.