From 12df8538afa24e31fa4d0ee9498ab2b5a1feab16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Love=20H=C3=B6rnquist=20=C3=85strand?=
Date: Fri, 8 Jun 2007 01:42:05 +0000
Subject: [PATCH] use "roken.h" consitantly

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@21003 ec53bebd-3082-4978-b11e-865c3cabbd6b
---
 cf/Makefile.am.common | 5 ++-
 configure.in | 1 +
 kuser/kgetcred.c | 7 +++-
 lib/asn1/k5.asn1 | 20 ++++++++++++
 lib/asn1/pkinit.asn1 | 2 +-
 lib/gssapi/ChangeLog | 4 +++
 lib/gssapi/Makefile.am | 3 +-
 lib/gssapi/gssapi/gssapi.h | 65 +++++++++++++++++++++++++++++++++++++
 lib/hx509/test_windows.in | 2 +-
 lib/krb5/get_cred.c | 45 +++++++++++++++++++------
 lib/krb5/pkinit.c | 2 +-
 lib/krb5/rd_req.c | 17 +++++-----
 lib/roken/base64-test.c | 2 +-
 lib/roken/closefrom.c | 2 +-
 lib/roken/dumpdata.c | 2 +-
 lib/roken/ecalloc.c | 2 +-
 lib/roken/emalloc.c | 2 +-
 lib/roken/eread.c | 2 +-
 lib/roken/erealloc.c | 2 +-
 lib/roken/estrdup.c | 2 +-
 lib/roken/ewrite.c | 2 +-
 lib/roken/get_window_size.c | 2 +-
 lib/roken/getarg.c | 2 +-
 lib/roken/getusershell.c | 2 +-
 lib/roken/hex-test.c | 2 +-
 lib/roken/inet_ntop.c | 2 +-
 lib/roken/inet_pton.c | 2 +-
 lib/roken/net_read.c | 2 +-
 lib/roken/net_write.c | 2 +-
 lib/roken/parse_units.c | 2 +-
 lib/roken/roken_gethostby.c | 2 +-
 lib/roken/simple_exec.c | 2 +-
 lib/roken/snprintf.c | 2 +-
 lib/roken/socket.c | 2 +-
 lib/roken/socket_wrapper.c | 2 +-
 lib/roken/strcollect.c | 2 +-
 lib/roken/strlwr.c | 2 +-
 lib/roken/strndup.c | 2 +-
 lib/roken/strpool.c | 2 +-
 lib/roken/strupr.c | 2 +-
 lib/roken/test-mem.c | 2 +-
 lib/roken/unvis.c | 2 +-
 lib/roken/vis.c | 2 +-
 lib/roken/write_pid.c | 2 +-
 tests/kdc/check-referral.in | 43 ++++++++++++++++++++++--
 tests/kdc/krb5.conf.in | 7 ++++
 46 files changed, 229 insertions(+), 58 deletions(-)

diff --git a/cf/Makefile.am.common b/cf/Makefile.am.common
index e87afdc87..48c705493 100644
--- a/cf/Makefile.am.common
+++ b/cf/Makefile.am.common
@@ -132,11 +132,14 @@ check-local::
 echo "$$dashes"; \
 fi
 
-SUFFIXES += .x
+SUFFIXES += .x .z
 
 .x.c:
 @cmp -s $< $@ 2> /dev/null || cp $< $@
 
+.z.c:
+ @cmp -s $< $@ 2> /dev/null || cp $< $@
+
 SUFFIXES += .1 .3 .5 .8 .cat1 .cat3 .cat5 .cat8
 
 NROFF_MAN = groff -mandoc -Tascii
diff --git a/configure.in b/configure.in
index 4873d00a9..bdb8563df 100644
--- a/configure.in
+++ b/configure.in
@@ -464,6 +464,7 @@ AC_CONFIG_FILES(Makefile \
 lib/roken/Makefile \
 lib/sl/Makefile \
 lib/vers/Makefile \
+ lib/wind/Makefile \
 kuser/Makefile \
 kpasswd/Makefile \
 kadmin/Makefile \
diff --git a/kuser/kgetcred.c b/kuser/kgetcred.c
index f7e881f9d..9ad487561 100644
--- a/kuser/kgetcred.c
+++ b/kuser/kgetcred.c
@@ -41,9 +41,10 @@ static char *delegation_cred_str;
 static char *etype_str;
 static int transit_flag = 1;
 static int forwardable_flag;
+static char *impersonate_str;
+static int server_flag;
 static int version_flag;
 static int help_flag;
-static char *impersonate_str;
 
 struct getargs args[] = {
 { "cache", 'c', arg_string, &cache_str,
@@ -59,6 +60,7 @@ struct getargs args[] = {
 "encryption type to use", "enctype"},
 { "impersonate", 0, arg_string, &impersonate_str,
 "client to impersonate", "principal"},
+ { "server", 0, arg_flag, &server_flag },
 { "version", 0, arg_flag, &version_flag },
 { "help", 0, arg_flag, &help_flag }
 };
@@ -185,6 +187,9 @@ main(int argc, char **argv)
 if (ret)
 krb5_err (context, 1, ret, "krb5_parse_name %s", argv[0]);
 
+ if (server_flag)
+ server->name.name_type = KRB5_NT_SRV_INST;
+
 ret = krb5_get_creds(context, opt, cache, server, &out);
 if (ret)
 krb5_err (context, 1, ret, "krb5_get_creds");
diff --git a/lib/asn1/k5.asn1 b/lib/asn1/k5.asn1
index 029722466..bf85d1ca2 100644
--- a/lib/asn1/k5.asn1
+++ b/lib/asn1/k5.asn1
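Review bot: The new `{ "server", 0, arg_flag, &server_flag },` entry in the getargs table has no help text, unlike the functional options around it such as `impersonate`, so `kgetcred --help` will list `--server` without saying what it does. Suggest `{ "server", 0, arg_flag, &server_flag, "use service name type (NT-SRV-INST) for the server principal" },`, which is what the third hunk implements with `server->name.name_type = KRB5_NT_SRV_INST;`. That assignment is the only place the option's effect is visible, so a one-line comment there on why the service name type is needed for the lookup would also help; main() starts and ends outside the hunk.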
@@ -649,6 +649,26 @@ PA-SvrReferralData ::= SEQUENCE {
 referred-realm [0] Realm
 }
 
+-- Kerberos remote encryption
+
+K5REncEncryptDecryptREQ ::= SEQUENCE {
+ id [0] krb5int32,
+ encrypt [1] BOOLEAN,
+ principal [2] Principal,
+ kvno [3] krb5int32 OPTIONAL,
+ etype [4] krb5int32,
+ usage [5] krb5int32,
+ ivec [6] OCTET STRING OPTIONAL,
+ data [7] OCTET STRING
+}
+
+K5REncEncryptDecryptREP ::= SEQUENCE {
+ id [0] krb5int32,
+ data [1] OCTET STRING,
+ error-code [2] krb5int32 OPTIONAL
+}
+
+
 END
 
 -- etags -r '/\([A-Za-z][-A-Za-z0-9]*\).*::=/\1/' k5.asn1
diff --git a/lib/asn1/pkinit.asn1 b/lib/asn1/pkinit.asn1
index e89a7217a..3b9e51935 100644
--- a/lib/asn1/pkinit.asn1
+++ b/lib/asn1/pkinit.asn1
@@ -160,7 +160,7 @@ KDCDHKeyInfo-Win2k ::= SEQUENCE {
 ReplyKeyPack-Win2k ::= SEQUENCE {
 replyKey [0] EncryptionKey,
- nonce [1] INTEGER (0..4294967295),
+ nonce [1] INTEGER (-2147483648..2147483647),
 ...
 }
diff --git a/lib/gssapi/ChangeLog b/lib/gssapi/ChangeLog
index c625100fb..411181836 100644
--- a/lib/gssapi/ChangeLog
+++ b/lib/gssapi/ChangeLog
@@ -1,3 +1,7 @@
+2007-06-04 Love Hörnquist Åstrand
+
+ * ntlm/digest.c: Free memory when done.
+
 2007-06-02 Love Hörnquist Åstrand
 
 * test_ntlm.c: Test both with and without keyex.
diff --git a/lib/gssapi/Makefile.am b/lib/gssapi/Makefile.am
index 05dd6eac8..7783060f7 100644
--- a/lib/gssapi/Makefile.am
+++ b/lib/gssapi/Makefile.am
@@ -168,7 +168,8 @@ ntlmsrc = \
 ntlm/process_context_token.c \
 ntlm/release_cred.c \
 ntlm/release_name.c \
- ntlm/digest.c
+ ntlm/digest.c \
+ ntlm/winbind.c
 
 $(srcdir)/ntlm/ntlm-private.h:
 cd $(srcdir) && perl ../../cf/make-proto.pl -q -P comment -p ntlm/ntlm-private.h $(ntlmsrc) || rm -f ntlm/ntlm-private.h
diff --git a/lib/gssapi/gssapi/gssapi.h b/lib/gssapi/gssapi/gssapi.h
index 47c65edaf..13c7ddc07 100644
--- a/lib/gssapi/gssapi/gssapi.h
+++ b/lib/gssapi/gssapi/gssapi.h
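Review bot: In the new `K5REncEncryptDecryptREP`, `data [1] OCTET STRING` is mandatory while `error-code [2] krb5int32 OPTIONAL` is not, so an error reply must still carry a data field and a decoder cannot tell an empty successful result from a failure without checking error-code first. Either mark `data` OPTIONAL or add a comment stating that error-code, when present, takes precedence over data. The `-- Kerberos remote encryption` block also says nothing about what `usage` and `kvno` hold (presumably a Kerberos key-usage number and a key version), and the commit message does not mention these types at all; a short descriptive comment on each would help.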
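Review bot: Changing `nonce` in `ReplyKeyPack-Win2k` from `(0..4294967295)` to `(-2147483648..2147483647)` moves the valid range rather than widening it: values in 2^31..2^32-1 that were accepted before now fail the constraint, so whatever generates or compares this nonce (outside the hunk) must produce a signed 32-bit value. If this is matching how Windows encodes the field, a comment such as `-- nonce is encoded as a signed 32-bit integer by Windows` next to the member would record why the range is signed here.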
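Review bot: `ntlm/winbind.c` is added to `ntlmsrc`, but no such file appears in this commit's diffstat, so unless it already exists in the tree the library build and the `make-proto.pl` run on the following lines will fail on a missing source. If the file is meant to arrive in a later commit, the Makefile entry should go with it rather than here.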
@@ -798,6 +798,71 @@ gss_decapsulate_token(gss_buffer_t /* input_token */,
 gss_buffer_t /* output_token */);
 
+/*
+ * GSS_Unwrap() with support for associated data.
+ *
+ * Notes:
+ *
+ * token_header_buffer contains the GSS-API token as
+ * received from the peer
+ *
+ * associated_data_buffer contains the complete data
+ * over which the checksum is to be verified;
+ *
+ * input_message_buffer contains the complete data to
+ * be decrypted if confidentiality was requested;
+ *
+ * input_message_buffer value must point into the value
+ * of associated_data_buffer (hence input_message_buffer
+ * just specifies a span within associated_data_buffer).
+ *
+ * On returning GSS_S_COMPLETE, output_message_buffer
+ * will contain input_message_buffer after unwrapping and;
+ *
+ * associated_data_buffer will have been authenticated
+ *
+ */
+
+OM_uint32
+gss_unwrap_ex(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ const gss_buffer_t token_header_buffer,
+ const gss_buffer_t associated_data_buffer,
+ const gss_buffer_t input_message_buffer,
+ gss_buffer_t output_message_buffer,
+ int *conf_state,
+ gss_qop_t *qop_state);
+
+/*
+ * GSS_Wrap() with support for associated data.
+ *
+ * Notes:
+ *
+ * associated_data_buffer contains the complete data
+ * over which the checksum is to be verified;
+ *
+ * input_message_buffer contains the data to be
+ * encrypted if conf_req_flag == TRUE.
+ *
+ * On returning GSS_S_COMPLETE, output_token_buffer
+ * will contain the GSS-API tokenheader, and;
+ *
+ * output_message_buffer will contain input_message_buffer
+ * after wrapping (including any padding)
+ */
+
+OM_uint32
+gss_wrap_ex(OM_uint32 *minor_status,
+ const gss_ctx_id_t context_handle,
+ int conf_req_flag,
+ gss_qop_t qop_req,
+ const gss_buffer_t associated_data_buffer,
+ const gss_buffer_t input_message_buffer,
+ int *conf_state,
+ gss_buffer_t output_token_buffer,
+ gss_buffer_t output_message_buffer);
+
+
 #ifdef __cplusplus
 }
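Review bot: The `gss_wrap_ex` comment describes associated_data_buffer as the data "over which the checksum is to be verified", but on the wrap side the checksum is computed, and unlike the `gss_unwrap_ex` comment it does not say whether input_message_buffer must lie inside associated_data_buffer, which a caller needs to know before building the buffers. Suggest ` * over which the checksum is to be computed;` plus one sentence stating the containment rule for wrap (or that there is none). Neither comment documents `conf_state` or `qop_state`, which both prototypes declare as output parameters; a line saying they report whether confidentiality was applied and the QOP in effect would complete the documentation.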
diff --git a/lib/hx509/test_windows.in b/lib/hx509/test_windows.in
index 00c598cb4..58f278c6f 100644
--- a/lib/hx509/test_windows.in
+++ b/lib/hx509/test_windows.in
@@ -77,7 +77,7 @@ ${hxtool} issue-certificate \
 --generate-key=rsa \
 --subject="CN=User,DC=heimdal,DC=pki" \
 --ms-upn="user@heimdal.pki" \
- --crl-uri="http://www.test.h5l.se/test-hemdal-pki-crl1.crl" \
+ --crl-uri="http://people.su.se/~lha/wcrl.crl" \
 --certificate="FILE:wuser.pem" \
 --ca-certificate=FILE:wca.pem || exit 1
 
diff --git a/lib/krb5/get_cred.c b/lib/krb5/get_cred.c
index d8b9df86e..ab936f4af 100644
--- a/lib/krb5/get_cred.c
+++ b/lib/krb5/get_cred.c
@@ -724,16 +724,41 @@ add_cred(krb5_context context, krb5_creds ***tgts, krb5_creds *tkt)
 /*
 get_cred(server)
 creds = cc_get_cred(server)
- if(creds) return creds
- tgt = cc_get_cred(krbtgt/server_realm@any_realm)
- if(tgt)
- return get_cred_tgt(server, tgt)
- if(client_realm == server_realm)
- return NULL
- tgt = get_cred(krbtgt/server_realm@client_realm)
- while(tgt_inst != server_realm)
- tgt = get_cred(krbtgt/server_realm@tgt_inst)
- return get_cred_tgt(server, tgt)
+ if(creds)
+ return creds
+ # XXX check referrals cache
+ try-realm = ca-paths
+ if (try-realm == NULL)
+ try_realm = client.realm;
+ server-realm = server.realm
+ tgt = find_cred(krbtgt/{try-realm}@ANY)
+ while (num-referrals++ < max-num-referrals) {
+ req-server = server.service@server_realm
+ creds = get_cred(tgt, req-server)
+ if (creds == NULL)
+ break
+ add-traversed(server_realm)
+ if (referral?(creds, secure?, &referral)) {
+ if (referral && check-name(creds, req-server))
+ return NULL(bad-name)
+ if (tgt?(creds)) {
+ if (traversed-before(creds.realm))
+ return NULL(eloop)
+ server_realm = creds.realm
+ tgt = creds
+ if (referral && referral.true-name)
+ server = referral.true-name
+ } else {
+ return creds
+ }
+ } else if (match(server, creds)) {
+ return creds
+ } else {
+ break
+ }
+ }
+ return NULL(enotfound)
+
 */
 
 static krb5_error_code
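Review bot: The rewritten pseudo-code never checks the result of `tgt = find_cred(krbtgt/{try-realm}@ANY)` before entering the loop, while every later lookup is guarded by `if (creds == NULL)`; since this comment is the specification the code after it is meant to implement, it should state what happens when no starting TGT exists, e.g. `if (tgt == NULL) return NULL(enotfound)` right after the find_cred line. The `# XXX check referrals cache` line records an open item without saying what the cache lookup is supposed to do, and `try-realm`/`try_realm` is spelled two ways. The function this comment introduces begins after the hunk.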
diff --git a/lib/krb5/pkinit.c b/lib/krb5/pkinit.c
index c0840225a..536398db0 100644
--- a/lib/krb5/pkinit.c
+++ b/lib/krb5/pkinit.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003 - 2006 Kungliga Tekniska Högskolan
+ * Copyright (c) 2003 - 2007 Kungliga Tekniska Högskolan
 * (Royal Institute of Technology, Stockholm, Sweden).
 * All rights reserved.
 *
diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c
index 89c192183..3c792ca50 100644
--- a/lib/krb5/rd_req.c
+++ b/lib/krb5/rd_req.c
@@ -826,14 +826,15 @@ krb5_rd_req_ctx(krb5_context context,
 goto out;
 }
 
- ret = krb5_verify_ap_req(context,
- auth_context,
- &ap_req,
- server,
- o->keyblock,
- 0,
- &o->ap_req_options,
- &o->ticket);
+ ret = krb5_verify_ap_req2(context,
+ auth_context,
+ &ap_req,
+ server,
+ o->keyblock,
+ 0,
+ &o->ap_req_options,
+ &o->ticket,
+ KRB5_KU_AP_REQ_AUTH);
 
 if (ret)
 goto out;
diff --git a/lib/roken/base64-test.c b/lib/roken/base64-test.c
index e247884fd..69e73ae77 100644
--- a/lib/roken/base64-test.c
+++ b/lib/roken/base64-test.c
@@ -36,7 +36,7 @@ RCSID("$Id$");
 #endif
 
-#include
+#include "roken.h"
 #include
 
 int
diff --git a/lib/roken/closefrom.c b/lib/roken/closefrom.c
index 19413d873..8bf99f860 100644
--- a/lib/roken/closefrom.c
+++ b/lib/roken/closefrom.c
@@ -43,7 +43,7 @@ RCSID("$Id$");
 #include
 #endif
 
-#include
+#include "roken.h"
 
 int ROKEN_LIB_FUNCTION
 closefrom(int fd)
diff --git a/lib/roken/dumpdata.c b/lib/roken/dumpdata.c
index 41fb54328..6b61581cc 100644
--- a/lib/roken/dumpdata.c
+++ b/lib/roken/dumpdata.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Write datablob to a filename, don't care about errors.
diff --git a/lib/roken/ecalloc.c b/lib/roken/ecalloc.c
index d0439d361..767d38387 100644
--- a/lib/roken/ecalloc.c
+++ b/lib/roken/ecalloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like calloc but never fails.
diff --git a/lib/roken/emalloc.c b/lib/roken/emalloc.c
index 8b8e1f8f7..2384f4c1c 100644
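Review bot: The switch to `krb5_verify_ap_req2` makes the authenticator key usage explicit, but nothing at the call site says why `KRB5_KU_AP_REQ_AUTH` is the right value, and in a function as long as `krb5_rd_req_ctx` the next reader will have to look it up. A comment on the new argument, e.g. `KRB5_KU_AP_REQ_AUTH); /* usage 11, AP-REQ authenticator (RFC 4120 7.5.1) */`, would record it. krb5_rd_req_ctx starts and ends outside the hunk.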
--- a/lib/roken/emalloc.c
+++ b/lib/roken/emalloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like malloc but never fails.
diff --git a/lib/roken/eread.c b/lib/roken/eread.c
index d370b40f5..134807c10 100644
--- a/lib/roken/eread.c
+++ b/lib/roken/eread.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like read but never fails (and never returns partial data).
diff --git a/lib/roken/erealloc.c b/lib/roken/erealloc.c
index d684481da..596f4c6be 100644
--- a/lib/roken/erealloc.c
+++ b/lib/roken/erealloc.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like realloc but never fails.
diff --git a/lib/roken/estrdup.c b/lib/roken/estrdup.c
index 0c6200c4b..541bb7a33 100644
--- a/lib/roken/estrdup.c
+++ b/lib/roken/estrdup.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like strdup but never fails.
diff --git a/lib/roken/ewrite.c b/lib/roken/ewrite.c
index d58ceb563..c5f6d7ce7 100644
--- a/lib/roken/ewrite.c
+++ b/lib/roken/ewrite.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like write but never fails (and never returns partial data).
diff --git a/lib/roken/get_window_size.c b/lib/roken/get_window_size.c
index 053e7e4f8..f75b42e2f 100644
--- a/lib/roken/get_window_size.c
+++ b/lib/roken/get_window_size.c
@@ -58,7 +58,7 @@ RCSID("$Id$");
 #include
 #endif
 
-#include
+#include "roken.h"
 
 int ROKEN_LIB_FUNCTION
 get_window_size(int fd, struct winsize *wp)
diff --git a/lib/roken/getarg.c b/lib/roken/getarg.c
index 4455e9f1e..bd04bf5c2 100644
--- a/lib/roken/getarg.c
+++ b/lib/roken/getarg.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 #include
-#include
+#include "roken.h"
 #include "getarg.h"
 
 #define ISFLAG(X) ((X).type == arg_flag || (X).type == arg_negative_flag)
diff --git a/lib/roken/getusershell.c b/lib/roken/getusershell.c
index 283bae294..00d5eb0e8 100644
--- a/lib/roken/getusershell.c
+++ b/lib/roken/getusershell.c
@@ -59,7 +59,7 @@ struct aud_rec;
 #ifdef HAVE_USERCONF_H
 #include
 #endif
-#include
+#include "roken.h"
 
 #ifndef _PATH_SHELLS
 #define _PATH_SHELLS "/etc/shells"
diff --git a/lib/roken/hex-test.c b/lib/roken/hex-test.c
index f3c7b5346..b9f330f56 100644
--- a/lib/roken/hex-test.c
+++ b/lib/roken/hex-test.c
@@ -37,7 +37,7 @@ RCSID("$Id$");
 #endif
 
-#include
+#include "roken.h"
 #include
 
 int
diff --git a/lib/roken/inet_ntop.c b/lib/roken/inet_ntop.c
index 997e81245..f2d81d93a 100644
--- a/lib/roken/inet_ntop.c
+++ b/lib/roken/inet_ntop.c
@@ -36,7 +36,7 @@ RCSID("$Id$");
 #endif
 
-#include
+#include "roken.h"
 
 /*
 *
diff --git a/lib/roken/inet_pton.c b/lib/roken/inet_pton.c
index 2ba8419df..e55630aea 100644
--- a/lib/roken/inet_pton.c
+++ b/lib/roken/inet_pton.c
@@ -36,7 +36,7 @@ RCSID("$Id$");
 #endif
 
-#include
+#include "roken.h"
 
 int ROKEN_LIB_FUNCTION
 inet_pton(int af, const char *src, void *dst)
diff --git a/lib/roken/net_read.c b/lib/roken/net_read.c
index 9bbe24a2c..f1c96d116 100644
--- a/lib/roken/net_read.c
+++ b/lib/roken/net_read.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like read but never return partial data.
diff --git a/lib/roken/net_write.c b/lib/roken/net_write.c
index 8805354b5..e557332a7 100644
--- a/lib/roken/net_write.c
+++ b/lib/roken/net_write.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 /*
 * Like write but never return partial data.
diff --git a/lib/roken/parse_units.c b/lib/roken/parse_units.c
index f94bd8e07..a68cb247f 100644
--- a/lib/roken/parse_units.c
+++ b/lib/roken/parse_units.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 #include
-#include
+#include "roken.h"
 #include "parse_units.h"
 
 /*
diff --git a/lib/roken/roken_gethostby.c b/lib/roken/roken_gethostby.c
index 2ee685ce3..8bc6f6b80 100644
--- a/lib/roken/roken_gethostby.c
+++ b/lib/roken/roken_gethostby.c
@@ -36,7 +36,7 @@ RCSID("$Id$");
 #endif
 
-#include
+#include "roken.h"
 
 #undef roken_gethostbyname
 #undef roken_gethostbyaddr
diff --git a/lib/roken/simple_exec.c b/lib/roken/simple_exec.c
index 9cc33e754..e45ba6b6b 100644
--- a/lib/roken/simple_exec.c
+++ b/lib/roken/simple_exec.c
@@ -49,7 +49,7 @@ RCSID("$Id$");
 #endif
 #include
 
-#include
+#include "roken.h"
 
 #define EX_NOEXEC 126
 #define EX_NOTFOUND 127
diff --git a/lib/roken/snprintf.c b/lib/roken/snprintf.c
index a2a936ca9..eb70c33df 100644
--- a/lib/roken/snprintf.c
+++ b/lib/roken/snprintf.c
@@ -43,7 +43,7 @@ RCSID("$Id$");
 #include
 #include
 #include
-#include
+#include "roken.h"
 #include
 
 enum format_flags {
diff --git a/lib/roken/socket.c b/lib/roken/socket.c
index 2acc1fbc1..61e3fe1f6 100644
--- a/lib/roken/socket.c
+++ b/lib/roken/socket.c
@@ -36,7 +36,7 @@ RCSID("$Id$");
 #endif
 
-#include
+#include "roken.h"
 #include
 
 /*
diff --git a/lib/roken/socket_wrapper.c b/lib/roken/socket_wrapper.c
index f27a39b15..db970311c 100644
--- a/lib/roken/socket_wrapper.c
+++ b/lib/roken/socket_wrapper.c
@@ -88,7 +88,7 @@
 #include
 #include
 #include
-#include
+#include "roken.h"
 
 #include "socket_wrapper.h"
diff --git a/lib/roken/strcollect.c b/lib/roken/strcollect.c
index ad08f3ba4..e17befd00 100644
--- a/lib/roken/strcollect.c
+++ b/lib/roken/strcollect.c
@@ -40,7 +40,7 @@ RCSID("$Id$");
 #include
 #include
 #include
-#include
+#include "roken.h"
 
 enum { initial = 10, increment = 5 };
diff --git a/lib/roken/strlwr.c b/lib/roken/strlwr.c
index e74f1c12c..121424115 100644
--- a/lib/roken/strlwr.c
+++ b/lib/roken/strlwr.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 #ifndef HAVE_STRLWR
 char * ROKEN_LIB_FUNCTION
diff --git a/lib/roken/strndup.c b/lib/roken/strndup.c
index cf34051f9..95dd4ef2e 100644
--- a/lib/roken/strndup.c
+++ b/lib/roken/strndup.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 #ifndef HAVE_STRNDUP
 char * ROKEN_LIB_FUNCTION
diff --git a/lib/roken/strpool.c b/lib/roken/strpool.c
index b4dde03ee..9b8697089 100644
--- a/lib/roken/strpool.c
+++ b/lib/roken/strpool.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 struct rk_strpool {
 char *str;
diff --git a/lib/roken/strupr.c b/lib/roken/strupr.c
index 4dc06676a..b40b768be 100644
--- a/lib/roken/strupr.c
+++ b/lib/roken/strupr.c
@@ -38,7 +38,7 @@ RCSID("$Id$");
 #include
 #include
 
-#include
+#include "roken.h"
 
 #ifndef HAVE_STRUPR
 char * ROKEN_LIB_FUNCTION
diff --git a/lib/roken/test-mem.c b/lib/roken/test-mem.c
index 42bfe7c57..1edb718a5 100644
--- a/lib/roken/test-mem.c
+++ b/lib/roken/test-mem.c
@@ -40,7 +40,7 @@
 #include
 #include
 #include
-#include
+#include "roken.h"
 
 #include "test-mem.h"
diff --git a/lib/roken/unvis.c b/lib/roken/unvis.c
index 2add8730e..ab907bb80 100644
--- a/lib/roken/unvis.c
+++ b/lib/roken/unvis.c
@@ -34,7 +34,7 @@
 #include
 RCSID("$Id$");
 #endif
-#include
+#include "roken.h"
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
diff --git a/lib/roken/vis.c b/lib/roken/vis.c
index 55a4d76c6..40af7c3be 100644
--- a/lib/roken/vis.c
+++ b/lib/roken/vis.c
@@ -67,7 +67,7 @@
 #include
 RCSID("$Id$");
 #endif
-#include
+#include "roken.h"
 #ifndef _DIAGASSERT
 #define _DIAGASSERT(X)
 #endif
diff --git a/lib/roken/write_pid.c b/lib/roken/write_pid.c
index 5e4cf2369..c8296e441 100644
--- a/lib/roken/write_pid.c
+++ b/lib/roken/write_pid.c
@@ -39,7 +39,7 @@ RCSID("$Id$");
 #include
 #include
 #include
-#include
+#include "roken.h"
 
 #include "roken.h"
diff --git a/tests/kdc/check-referral.in b/tests/kdc/check-referral.in
index f718ee6e2..f2f61f61b 100644
--- a/tests/kdc/check-referral.in
+++ b/tests/kdc/check-referral.in
@@ -43,8 +43,12 @@ testfailed="echo test failed; cat messages.log; exit 1"
 # If there is no useful db support compile in, disable test
 ../db/have-db || exit 77
 
+exit 77
+
 R=TEST.H5L.SE
-R2=TEST2.H5L.SE
+R2=SUB.TEST.H5L.SE
+
+service=ldap/host.sub.test.h5l.se
 
 port=@port@
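Review bot: After this change write_pid.c includes `"roken.h"` twice in a row: the new `+#include "roken.h"` line is immediately followed by the pre-existing `#include "roken.h"` context line. It is harmless if the header is guarded, but it is the one file in this series where the old line should have been deleted rather than rewritten; drop one of the two.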
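Review bot: The unconditional `exit 77` added right after `../db/have-db || exit 77` skips the whole script, so none of the checks added in the later hunks of this file (the no-canon kinit, the kdc-referral and the client-side-guessing kgetcred runs) ever execute, and the test always reports "skipped" rather than passing or failing. If this is a deliberate temporary disable while the referral code lands, say so on the line, e.g. `exit 77 # XXX referral checks disabled for now; remove to run them`, so it is not mistaken for the db-support skip above it; otherwise the line should be removed.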
@@ -59,7 +63,6 @@ kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
 kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache --no-unlog"
 
-
 KRB5_CONFIG="${objdir}/krb5.conf"
 export KRB5_CONFIG
@@ -84,6 +87,8 @@ ${kadmin} \
 ${kadmin} add -p foo --use-defaults foo@${R} || exit 1
 ${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
 
+${kadmin} add -p foo --use-defaults ${service}@${R2} || exit 1
+
 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1
@@ -107,6 +112,14 @@ trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
 ec=0
 
+echo "Getting client (no canon)"; > messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo "checking that we go back right principal"
+${klist} | grep "Principal: foo@${R}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
 echo "Getting client alias1 tickets"; > messages.log
 ${kinit} --canonicalize \
 --password-file=${objdir}/foopassword alias1@${R}@${R} || \
@@ -141,6 +154,32 @@ echo "Remove alias"
 ${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }
 
+echo "Getting client for ${service}@${R} (kdc referral)"
+> messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --server ${service}@${R} ||
+ { ec=1 ; eval "${testfailed}"; }
+${klist}
+echo "checking that we go back right principal"
+${klist} | grep "${service}@${R2}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+echo "Getting client for ${service}@${R2} (client side guessing)"
+> messages.log
+${kinit} --password-file=${objdir}/foopassword foo@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --server ${service}@${R2} ||
+ { ec=1 ; eval "${testfailed}"; }
+${klist}
+echo "checking that we go back right principal"
+${klist} | grep "${service}@${R2}" > /dev/null || \
+ { ec=1 ; eval "${testfailed}"; }
+${kdestroy}
+
+
+
 echo "killing kdc (${kdcpid})"
 kill $kdcpid || exit 1
diff --git a/tests/kdc/krb5.conf.in b/tests/kdc/krb5.conf.in
index 58202ce80..4aed3484e 100644
--- a/tests/kdc/krb5.conf.in
+++ b/tests/kdc/krb5.conf.in
@@ -11,10 +11,17 @@ TEST.H5L.SE = {
 kdc = localhost:@port@
 }
+ SUB.TEST.H5L.SE = {
+ kdc = localhost:@port@
+ }
 TEST2.H5L.SE = {
 kdc = localhost:@port@
 }
 
+[domain_realms]
+ .sub.test.h5l.se = SUB.TEST.H5L.SE
+
+
 [kdc]
 enable-digest = true
 digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
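Review bot: The new section header reads `[domain_realms]`, but the krb5.conf section that maps DNS domains to realms is `[domain_realm]` (singular), so the `.sub.test.h5l.se = SUB.TEST.H5L.SE` mapping is never consulted; the "client side guessing" case added to check-referral.in appears to depend on it and would fall back to the default realm instead. Change the header to `[domain_realm]`.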