kdc: Implement hard and soft principal aliases

We introduced a notion of soft vs. hard aliases in the previous commit
(hdb: Distinguish soft and hard principal aliases).

This commit corrects existing test cases and adds new test cases.

Soft aliases allow for the configuration of referrals using HDB entries.

Hard aliases are like copies of the aliased HDB entries.  These are
useful for renaming principals (and realms).

See the preceding commit.
Nicolas Williams
2022-03-16 15:02:03 -05:00
parent dcf2bdfb20
commit 1acb961bc1
3 changed files with 50 additions and 12 deletions


@@ -45,6 +45,7 @@ include @srcdirabs@/include-krb5.conf
enable_virtual_hostbased_princs = true
virtual_hostbased_princ_mindots = 1
virtual_hostbased_princ_maxdots = 3
same_realm_aliases_are_soft = true
[logging]
kdc = 0-/FILE:@objdir@/messages.log


@@ -238,11 +238,11 @@ ${kadmin} ext -k ${keytab} ${rps} || exit 1
${kadmin} add -p kaka --use-defaults ${server2}@${R2} || exit 1
${kadmin} ext -k ${keytab} ${server2}@${R2} || exit 1
${kadmin} add -p foo --use-defaults referral-placeholder@${R5} || exit 1
${kadmin} add_alias referral-placeholder@${R5} ${server3}@${R} || exit 1
${kadmin} add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1
${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${server3}@${R} || exit 1
${kadmin5} add -p kaka --use-defaults ${server3}@${R5} || exit 1
${kadmin5} ext -k ${keytab} ${server3}@${R5} || exit 1
${kadmin} add_alias referral-placeholder@${R5} ${namespace}@${R} || exit 1
${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R5} ${namespace}@${R} || exit 1
${kadmin5} add -p kaka --use-defaults ${server5}@${R5} || exit 1
${kadmin5} ext -k ${keytab} ${server5}@${R5} || exit 1
${kadmin} add -p kaka --use-defaults ${serverip}@${R} || exit 1
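Review bot: `${kadmin} add -p foo --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5}` gives the referral target a fixed, known password, whereas the same well-known principal is created with `-r` (random key) in the other test script touched by this commit. If the entry exists only as the anchor for the soft aliases added on the following `add_alias` lines, a random key is the safer and more consistent choice: `${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R5} || exit 1`. Whether anything later in this script authenticates as that principal with `foo` is not visible in the hunk, so confirm before switching. The setup sequence this hunk belongs to starts before the hunk.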


@@ -45,7 +45,8 @@ ${have_db} || exit 77
R=TEST.H5L.SE
R2=SUB.TEST.H5L.SE
service=ldap/host.sub.test.h5l.se:389
service1=ldap/host.test.h5l.se:389
service2=ldap/host.sub.test.h5l.se:389
port=@port@
@@ -64,6 +65,9 @@ keytab="FILE:${keytabfile}"
KRB5_CONFIG="${objdir}/krb5.conf"
export KRB5_CONFIG
KRB5CCNAME=$cache
export KRB5CCNAME
rm -f ${keytabfile}
rm -f current-db*
rm -f out-*
@@ -84,11 +88,25 @@ ${kadmin} \
--realm-max-renewable-life=1month \
${R2} || exit 1
${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R} || exit 1
${kadmin} add -r --use-defaults WELLKNOWN/REFERRALS/TARGET@${R2} || exit 1
${kadmin} add -p foo --use-defaults foo@${R} || exit 1
${kadmin} modify --alias=alias1 --alias=alias2 foo@${R} || exit 1
${kadmin} add_alias foo@${R} foo@${R2} || exit 1
${kadmin} get foo@${R} | grep alias1@${R} >/dev/null || exit 1
${kadmin} add -p foo --use-defaults ${service}@${R2} || exit 1
${kadmin} add -p foo --use-defaults ${service2}@${R2} || exit 1
${kadmin} add_alias ${service2}@${R2} ${service1}@${R} || exit 1
${kadmin} get ${service2}@${R2} | grep ${service1}@${R} >/dev/null || exit 1
# Create two host principals in their respective realms
${kadmin} add -p foo --use-defaults host/foohost.test.h5l.se@${R} || exit 1
${kadmin} add -p foo --use-defaults host/barhost.sub.test.h5l.se@${R2} || exit 1
# Create soft aliases (referrals) for them in the other realm
${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R2} host/barhost.sub.test.h5l.se@${R} || exit 1
${kadmin} add_alias WELLKNOWN/REFERRALS/TARGET@${R} host/foohost.test.h5l.se@${R2} || exit 1
${kadmin} add -p foo --use-defaults bar@${R} || exit 1
${kadmin} add -p foo --use-defaults 'baz\@realm.foo@'${R} || exit 1
@@ -187,6 +205,20 @@ ${klist} | grep "Principal: alias1@${R}" > /dev/null || \
echo "checking that we got back right principal inside the PAC"
${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Getting client foo@${R2} tickets (non canon case)"; > messages.log
${kinit} --password-file=${objdir}/foopassword foo@${R2} || \
{ ec=1 ; eval "${testfailed}"; }
echo "checking that we got back right principal"
${klist} | grep "Principal: foo@${R2}" > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
echo "checking that we got back right principal inside the PAC"
${test_ap_req} krbtgt/${R}@${R} ${keytab} ${cache} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${service2}@${R2} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} ${service1}@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Getting client alias2 tickets (removed)"; > messages.log
${kadmin} modify --alias=alias1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
@@ -200,25 +232,30 @@ ${kadmin} modify --alias= foo@${R} || { ec=1 ; eval "${testfailed}"; }
echo "Test server referrals"
echo "Getting client for ${service}@${R} (tgs kdc referral)"
echo "Getting client for ${service2}@${R} (tgs kdc referral)"
> messages.log
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --canonicalize ${service}@${R} ||
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --canonicalize ${service2}@${R} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} host/foohost.test.h5l.se@${R} || { ec=1 ; eval "${testfailed}"; }
${kgetcred} host/barhost.sub.test.h5l.se@ || { ec=1 ; eval "${testfailed}"; }
echo "checking that we got back right principal"
${klist} | grep "${service}@${R2}" > /dev/null || \
${klist} | grep "${service2}@${R2}" > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
${klist} | grep "host/barhost.sub.test.h5l.se@TEST.H5L.SE" > /dev/null && \
{ ec=1 ; eval "${testfailed}"; }
${klist} | grep "host/barhost.sub.test.h5l.se@SUB.TEST.H5L.SE" > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
echo "Getting client for ${service}@${R2} (tgs client side guessing)"
echo "Getting client for ${service2}@${R2} (tgs client side guessing)"
> messages.log
${kinit} --password-file=${objdir}/foopassword foo@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} ${service}@${R2} ||
${kgetcred} ${service2}@${R2} ||
{ ec=1 ; eval "${testfailed}"; }
echo "checking that we got back right principal"
${klist} | grep "${service}@${R2}" > /dev/null || \
${klist} | grep "${service2}@${R2}" > /dev/null || \
{ ec=1 ; eval "${testfailed}"; }
${kdestroy}
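Review bot: The two realm checks after the barhost lookup (`grep "host/barhost.sub.test.h5l.se@TEST.H5L.SE"` and `grep "host/barhost.sub.test.h5l.se@SUB.TEST.H5L.SE"`) spell the realms out as literals, while the other new lines in this script, including the `add_alias` lines in the setup hunk and the `kgetcred` line just above them, use `${R}` and `${R2}` defined at the top of the file. Changing them to `${klist} | grep "host/barhost.sub.test.h5l.se@${R}" > /dev/null && \` and `${klist} | grep "host/barhost.sub.test.h5l.se@${R2}" > /dev/null || \` keeps the negative and positive checks tied to the same realm definitions the aliases were created with. That negative check is the one carrying the point of the test — a soft alias must not yield a service ticket issued under the referring realm — so a one-line comment saying so above it would help a later reader, and the empty-realm request `${kgetcred} host/barhost.sub.test.h5l.se@` deserves a comment that the missing realm is deliberate (presumably to force realm discovery through the referral). The test run this hunk belongs to continues on both sides of it.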