diff --git a/tests/gss/krb5.conf.in b/tests/gss/krb5.conf.in index aae031db6..01c4c2e7f 100644 --- a/tests/gss/krb5.conf.in +++ b/tests/gss/krb5.conf.in @@ -45,6 +45,7 @@ include @srcdirabs@/include-krb5.conf enable_virtual_hostbased_princs = true virtual_hostbased_princ_mindots = 1 virtual_hostbased_princ_maxdots = 3 + same_realm_aliases_are_soft = true [logging] kdc = 0-/FILE:@objdir@/messages.log diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in index e53293b24..7d2f4edc7 100644 --- a/tests/kdc/check-kdc.in +++ b/tests/kdc/check-kdc.in @@ -238,11 +238,11 @@ ${kadmin} ext -k ${keytab} ${rps} || exit 1 ${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1 ${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1 -${kadmin} add -p foo --use-defaults referral-placeholder@${R5} || exit 1 -${kadmin} add_alias referral-placeholder@${R5} ${server3}@${R} || exit 1 +${kadmin} add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1 +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${server3}@${R} || exit 1 ${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1 ${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1 -${kadmin} add_alias referral-placeholder@${R5} ${namespace}@${R} || exit 1 +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${namespace}@${R} || exit 1 ${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1 ${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1 ${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1 diff --git a/tests/kdc/check-referral.in b/tests/kdc/check-referral.in index 73c26c368..b62c2dc72 100644 --- a/tests/kdc/check-referral.in +++ b/tests/kdc/check-referral.in @@ -45,7 +45,8 @@ ${have_db} || exit 77 R=TEST.H5L.SE R2=SUB.TEST.H5L.SE -service=ldap/host.sub.test.h5l.se:389 +service1=ldap/host.test.h5l.se:389 +service2=ldap/host.sub.test.h5l.se:389 port=@port@ 
@@ -64,6 +65,9 @@ keytab="FILE:${keytabfile}" KRB5_CONFIG="${objdir}/krb5.conf" export KRB5_CONFIG +KRB5CCNAME=$cache +export KRB5CCNAME + rm -f ${keytabfile} rm -f current-db* rm -f out-* @@ -84,11 +88,25 @@ ${kadmin} \ --realm-max-renewable-life=1month \ ${R2} || exit 1 +${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1 +${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1 + ${kadmin} add -p foo --use-defaults foo@${R} || exit 1 ${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1 +${kadmin} add_alias foo@${R} foo@${R2} || exit 1 ${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1 -${kadmin} add -p foo --use-defaults ${service}@${R2} || exit 1 +${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1 +${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1 +${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1 + +# Create two host principals in their respective realms +${kadmin} add -p foo --use-defaults host/foohost.test.h5l.se@${R} || exit 1 +${kadmin} add -p foo --use-defaults host/barhost.sub.test.h5l.se@${R2} || exit 1 + +# Create soft aliases (referrals) for them in the other realm +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} host/barhost.sub.test.h5l.se@${R} || exit 1 +${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} host/foohost.test.h5l.se@${R2} || exit 1 ${kadmin} add -p foo --use-defaults bar@${R} || exit 1 ${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1 
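Review bot: In the -84,11 hunk the new alias check `${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null` hands grep an unquoted pattern whose dots are regex wildcards, so it can match more than the exact alias it is meant to confirm. `grep -F -- "${service1}@${R}"` would pin the literal principal name. The same loose matching is in the added `grep "Principal: foo@${R2}"` check of the -187 hunk and the `host/barhost...` checks of the -200 hunk. The comment "Create soft aliases (referrals) for them in the other realm" could also say what the next two lines appear to rely on: that aliasing a name to `WELLKNOWN/REFERRALS/TARGET@REALM` marks it as a referral to REALM rather than as a second name for a key-bearing entry.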
@@ -187,6 +205,20 @@ ${klist} | grep "Principal: alias1@${R}" > /dev/null || \ echo "checking that we got back right principal inside the PAC" ${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \ { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; } + +echo "Getting client foo@${R2} tickets (non canon case)"; > messages.log +${kinit} --password-file=${objdir}/foopassword foo@${R2} || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal" +${klist} | grep "Principal: foo@${R2}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +echo "checking that we got back right principal inside the PAC" +${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \ + { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; } echo "Getting client alias2 tickets (removed)"; > messages.log ${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; } 
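Review bot: The added `${kgetcred} ${service2}@${R2}` and `${kgetcred} ${service1}@${R}` calls, in both the alias1 block and the new foo@${R2} block, assert only the exit status. They would still pass if the KDC issued a ticket under a different server name or realm than the alias setup intends. Following each pair with a cache check such as `${klist} | grep -F "${service2}@${R2}" > /dev/null || { ec=1 ; eval "${testfailed}"; }` would pin the name actually returned. Which name is expected for the `${service1}@${R}` request is not visible here and should be stated in a comment next to it.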
@@ -200,25 +232,30 @@ ${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; } echo "Test server referrals" -echo "Getting client for ${service}@${R} (tgs kdc referral)" +echo "Getting client for ${service2}@${R} (tgs kdc referral)" > messages.log ${kinit} --password-file=${objdir}/foopassword foo@${R} || \ { ec=1 ; eval "${testfailed}"; } -${kgetcred} --canonicalize ${service}@${R} || - { ec=1 ; eval "${testfailed}"; } +${kgetcred} --canonicalize ${service2}@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} host/foohost.test.h5l.se@${R} || { ec=1 ; eval "${testfailed}"; } +${kgetcred} host/barhost.sub.test.h5l.se@ || { ec=1 ; eval "${testfailed}"; } echo "checking that we got back right principal" -${klist} | grep "${service}@${R2}" > /dev/null || \ +${klist} | grep "${service2}@${R2}" > /dev/null || \ + { ec=1 ; eval "${testfailed}"; } +${klist} | grep "host/barhost.sub.test.h5l.se@TEST.H5L.SE" > /dev/null && \ + { ec=1 ; eval "${testfailed}"; } +${klist} | grep "host/barhost.sub.test.h5l.se@SUB.TEST.H5L.SE" > /dev/null || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy} -echo "Getting client for ${service}@${R2} (tgs client side guessing)" +echo "Getting client for ${service2}@${R2} (tgs client side guessing)" > messages.log ${kinit} --password-file=${objdir}/foopassword foo@${R} || \ { ec=1 ; eval "${testfailed}"; } -${kgetcred} ${service}@${R2} || +${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; } echo "checking that we got back right principal" -${klist} | grep "${service}@${R2}" > /dev/null || \ +${klist} | grep "${service2}@${R2}" > /dev/null || \ { ec=1 ; eval "${testfailed}"; } ${kdestroy}
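Review bot: The added `${kgetcred} host/barhost.sub.test.h5l.se@ || ...` ends in a bare `@` with no realm, and nothing says whether that is a deliberate empty-realm request or a dropped `${R}`. The negative check two lines later looks for `@TEST.H5L.SE`, which suggests the request was meant to target `${R}`. Either write `host/barhost.sub.test.h5l.se@${R}` or add a comment such as `# empty realm on purpose: let the KDC referral pick the realm`. The ticket fetched by `${kgetcred} host/foohost.test.h5l.se@${R}` is never looked up in the `${klist}` output, so that half of the soft-alias setup is checked only by exit status. The two barhost greps hard-code the realms where the rest of the script uses `${R}` and `${R2}`; `grep -F "host/barhost.sub.test.h5l.se@${R2}"` keeps them in step with the variables and makes the match literal.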