tests: add S4U2Proxy tests with TGS evidence ticket
This was broken with KRB5SignedPath, but now that we switch to the PAC it is fixed without KDC changes, so we can just test it. See also PR #599, from which these tests were taken.

committed by
Luke Howard

parent
b2f9bb67d7
commit
7645f3c086
@@ -835,7 +835,7 @@ ${kgetcred} \
|
||||
${server}@${R} && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "test constrained delegation"; > messages.log
|
||||
echo "test constrained delegation (evidence from impersonation)"; > messages.log
|
||||
${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kgetcred} \
|
||||
@@ -853,6 +853,27 @@ ${kgetcred} \
|
||||
bar@${R} 2>/dev/null && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "test constrained delegation evidence (evidence from TGS)"; > messages.log
|
||||
echo bar > ${objdir}/barpassword
|
||||
${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${kgetcred} \
|
||||
--out-cache=${o2cache} \
|
||||
--delegation-credential-cache=${ocache} \
|
||||
${server}@${R} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
echo " try using the credential"
|
||||
${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
echo " negative check"
|
||||
${kgetcred} \
|
||||
--out-cache=${o2cache} \
|
||||
--delegation-credential-cache=${ocache} \
|
||||
bar@${R} 2>/dev/null && \
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "test constrained delegation impersonation (non forward)"; > messages.log
|
||||
rm -f ocache.krb5
|
||||
${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
|
||||
|
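Review bot: The "negative check" that closes the new TGS-evidence block passes on any non-zero exit from `${kgetcred}`, not only when the KDC refuses an S4U2Proxy ticket for `bar@${R}`, and `2>/dev/null` discards the only output that would tell the two apart. This is the assertion that delegation stays limited to permitted targets, so a missing `${ocache}` or an unreachable KDC should not be able to satisfy it. Keeping stderr, for example `bar@${R} 2>neg.err && \` (file name constructed here), and then matching the expected refusal would make the check meaningful; the exact error text is not visible on this page. The same pattern appears in the leading context lines of this hunk, so it predates the commit and could be tightened in both places. Separately, `echo bar > ${objdir}/barpassword` leaves the password file behind and expands the path unquoted; a `rm -f "${objdir}/barpassword"` after the `${kinit}` step would tidy that up.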