kdc: Honor no-auth-data-reqd on cross-real TGTs

Nowadays we use PACs instead of AD-SIGNEDPATH, so we want a PAC on every TGT, but we don't necessarily want PACs on cross-realm TGTs. Specifically, we don't interop well yet with AD when issuing cross-realm TGTs with AD realms as the destination realm (see #1091).
2023-05-17 21:17:13 -05:00
parent 8ac4266021
commit 27cdf81995
2 changed files with 47 additions and 5 deletions
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -261,6 +261,7 @@ ${kadmin} ext -k ${keytab} ${alias1}@${R} || exit 1
 ${kadmin} modify --alias=${alias2}@${R} ${alias1}@${R}

 ${kadmin} add -p cross1 --use-defaults krbtgt/${R2}@${R} || exit 1
+${kadmin} modify --attributes=+no-auth-data-reqd krbtgt/${R2}@${R} || exit 1
 ${kadmin} add -p cross2 --use-defaults krbtgt/${R}@${R2} || exit 1

 ${kadmin} add -p cross1 --use-defaults krbtgt/${R3}@${R2} || exit 1
@@ -551,6 +552,20 @@ for a in $enctypes; do
 done
 ${kdestroy}

+echo "Getting client initial tickets with PAC"; > messages.log
+${kinit} --request-pac --password-file=${objdir}/foopassword foo@$R || \
+	{ ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+	echo "Getting tickets for PAC-less service principal ($a)"; > messages.log
+	${kgetcred} -e $a ${server4}@${R2} || { ec=1 ; eval "${testfailed}"; }
+	${test_ap_req} --verify-pac ${server4}@${R2} ${keytab} ${cache} && \
+		{ ec=1 ; eval "${testfailed}"; }
+	${test_ap_req} --no-verify-pac ${server4}@${R2} ${keytab} ${cache} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kdestroy} --credential=${server4}@${R2}
+done
+${kdestroy}
+
 echo "Getting client authenticated anonymous initial tickets"; > messages.log
 ${kinit} -n --password-file=${objdir}/foopassword foo@$R || \
 	{ ec=1 ; eval "${testfailed}"; }
@@ -559,6 +574,8 @@ for a in $enctypes; do
 	${kgetcred} -e $a ${server}@${R} || { ec=1 ; eval "${testfailed}"; }
 	${test_ap_req} --no-verify-pac ${server}@${R} ${keytab} ${cache} || \
 		{ ec=1 ; eval "${testfailed}"; }
+	${test_ap_req} --verify-pac ${server}@${R} ${keytab} ${cache} && \
+		{ ec=1 ; eval "${testfailed}"; }
 	${kdestroy} --credential=${server}@${R}
 done
 ${kdestroy}
@@ -575,7 +592,7 @@ for a in $enctypes; do
 done
 ${kdestroy}

-echo "Getting client initial tickets for cross realm case"; > messages.log
+echo "Getting client initial tickets for cross realm case (no-auth-data-reqd for ${R2})"; > messages.log
 ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
 for a in $enctypes; do
 	echo "Getting cross realm tickets ($a)"; > messages.log
@@ -583,7 +600,24 @@ for a in $enctypes; do
 	echo "  checking we we got back right ticket"
 	${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
 	echo "  checking if ticket is useful"
-	${test_ap_req} ${server2}@${R2} ${keytab} ${cache} || \
+	${test_ap_req} --no-verify-pac ${server2}@${R2} ${keytab} ${cache} || \
+		{ ec=1 ; eval "${testfailed}"; }
+	${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} && \
+		{ ec=1 ; eval "${testfailed}"; }
+	${kdestroy} --credential=${server2}@${R2}
+done
+${kdestroy}
+
+echo "Getting client initial tickets for cross realm case (w/ PAC)"; > messages.log
+${kadmin} modify --attributes=-no-auth-data-reqd krbtgt/${R2}@${R} || exit 1
+${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfailed}"; }
+for a in $enctypes; do
+	echo "Getting cross realm tickets ($a)"; > messages.log
+	${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+	echo "  checking we we got back right ticket"
+	${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
+	echo "  checking if ticket is useful"
+	${test_ap_req} --verify-pac ${server2}@${R2} ${keytab} ${cache} || \
 		{ ec=1 ; eval "${testfailed}"; }
 	${kdestroy} --credential=${server2}@${R2}
 done