tests: add S4U2Proxy tests with TGS evidence ticket

This was broken with KRB5SignedPath but now that we switch to PAC
we get it fixed without KDC changes, so we can just test it.

See also PR #599 from where these tests were taken.
This commit is contained in:
Isaac Boukris
2019-06-09 22:51:55 +00:00
committed by Luke Howard
parent b2f9bb67d7
commit 7645f3c086

View File

@@ -835,7 +835,7 @@ ${kgetcred} \
${server}@${R} && \
{ ec=1 ; eval "${testfailed}"; }
echo "test constrained delegation"; > messages.log
echo "test constrained delegation (evidence from impersonation)"; > messages.log
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} \
@@ -853,6 +853,27 @@ ${kgetcred} \
bar@${R} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
echo "test constrained delegation evidence (evidence from TGS)"; > messages.log
echo bar > ${objdir}/barpassword
${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
{ ec=1 ; eval "${testfailed}"; }
${kgetcred} \
--out-cache=${o2cache} \
--delegation-credential-cache=${ocache} \
${server}@${R} || \
{ ec=1 ; eval "${testfailed}"; }
echo " try using the credential"
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
{ ec=1 ; eval "${testfailed}"; }
echo " negative check"
${kgetcred} \
--out-cache=${o2cache} \
--delegation-credential-cache=${ocache} \
bar@${R} 2>/dev/null && \
{ ec=1 ; eval "${testfailed}"; }
echo "test constrained delegation impersonation (non forward)"; > messages.log
rm -f ocache.krb5
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \