diff options
Diffstat (limited to 'src/tests/gssapi/t_gssapi.py')
-rwxr-xr-x | src/tests/gssapi/t_gssapi.py | 24 |
1 files changed, 23 insertions, 1 deletions
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py index ff2e248..1af6f31 100755 --- a/src/tests/gssapi/t_gssapi.py +++ b/src/tests/gssapi/t_gssapi.py @@ -8,8 +8,9 @@ for realm in multipass_realms(): realm.run(['./t_iov', '-s', 'p:' + realm.host_princ]) realm.run(['./t_pcontok', 'p:' + realm.host_princ]) +realm = K5Realm(krb5_conf={'libdefaults': {'rdns': 'false'}}) + # Test gss_add_cred(). -realm = K5Realm() realm.run(['./t_add_cred']) ### Test acceptor name behavior. @@ -60,6 +61,27 @@ realm.run(['./t_accname', 'p:host/-nomatch-', 'h:host@%s' % socket.gethostname()], expected_code=1, expected_msg=' not found in keytab') +# If possible, test with an acceptor name requiring fallback to match +# against a keytab entry. Forward-canonicalize the hostname, relying +# on the rdns=false realm setting. +try: + ai = socket.getaddrinfo(hostname, None, 0, 0, 0, socket.AI_CANONNAME) + (family, socktype, proto, canonname, sockaddr) = ai[0] +except socket.gaierror: + canonname = hostname +if canonname != hostname: + os.rename(realm.keytab, realm.keytab + '.save') + canonprinc = 'host/' + canonname + realm.run([kadminl, 'addprinc', '-randkey', canonprinc]) + realm.extract_keytab(canonprinc, realm.keytab) + # Use the canonical name for the initiator's target name, since + # host/hostname exists in the KDB (but not the keytab). + realm.run(['./t_accname', 'h:host@' + canonname, 'h:host@' + hostname]) + os.rename(realm.keytab + '.save', realm.keytab) +else: + skipped('GSS acceptor name fallback test', + '%s does not canonicalize to a different name' % hostname) + # Test krb5_gss_import_cred. realm.run(['./t_imp_cred', 'p:service1/barack']) realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack']) |