More verbose checks, disable check that no longer works with referrals.

git-svn-id: svn://svn.h5l.se/heimdal/trunk/heimdal@22721 ec53bebd-3082-4978-b11e-865c3cabbd6b

tests/kdc/check-kdc.in

@@ -196,6 +196,9 @@ ${kinit} --password-file=${objdir}/foopassword foo@$R || { ec=1 ; eval "${testfa
 for a in $enctypes; do
 	echo "Getting cross realm tickets ($a)"; > messages.log
 	${kgetcred} -e $a ${server2}@${R2} || { ec=1 ; eval "${testfailed}"; }
+	echo "  checking we we got back right ticket"
+	${klist} | grep ${server2}@ > /dev/null || { ec=1 ; eval "${testfailed}"; }
+	echo "  checking if ticket is useful"
 	./ap-req ${server2}@${R2} ${keytab} ${cache} || \
 		{ ec=1 ; eval "${testfailed}"; }
 	${kdestroy} --credential=${server2}@${R2}
@@ -233,15 +236,19 @@ echo "try getting ticket with deleted user"; > messages.log
 ${kgetcred} ${server}@${R} 2> /dev/null && { ec=1 ; eval "${testfailed}"; }
 ${kdestroy}
 
-echo "cross realm case (removed user)"; > messages.log
-${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kadmin} delete remove2@${R2} || exit 1
-${kgetcred} ${server}@${R} 2> /dev/null || \
-	{ ec=1 ; eval "${testfailed}"; }
-${kdestroy}
+# This test no longer works since referrals make the client pass by
+# the user's own KDC on the way over to the server's KDC.
+#
+#
+#echo "cross realm case (deleted user)"; > messages.log
+#${kinit} --password-file=${objdir}/foopassword remove2@$R2 || \
+#	{ ec=1 ; eval "${testfailed}"; }
+#${kgetcred} krbtgt/${R}@${R2} 2> /dev/null || \
+#	{ ec=1 ; eval "${testfailed}"; }
+#${kadmin} delete remove2@${R2} || exit 1
+#${kgetcred} ${server}@${R} 2> /dev/null || \
+#	{ ec=1 ; eval "${testfailed}"; }
+#${kdestroy}
 
 echo "rename user"; > messages.log
 ${kadmin} add -p foo --use-defaults rename@${R} || exit 1
@@ -362,15 +369,19 @@ ${kgetcred_imp} --impersonate=bar@${R} ${ps} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ./ap-req ${ps} ${keytab} ${ocache} || \
 	{ ec=1 ; eval "${testfailed}"; }
+echo "  negative check"
 ${kgetcred_imp} --impersonate=bar@${R} foo@${R} 2>/dev/null && \
 	{ ec=1 ; eval "${testfailed}"; }
-echo test constrained delegation
+
+echo "test constrained delegation"; > messages.log
 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
 	{ ec=1 ; eval "${testfailed}"; }
 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} ${server}@${R} || \
 	{ ec=1 ; eval "${testfailed}"; }
+echo "  try using the credential"
 ./ap-req ${server}@${R} ${keytab} ${o2cache} || \
 	{ ec=1 ; eval "${testfailed}"; }
+echo "  negative check"
 ${kgetcred} --out-cache=${o2cache} --delegation-credential-cache=${ocache} bar@${R} 2>/dev/null && \
 	{ ec=1 ; eval "${testfailed}"; }