From 7645f3c08649b44ea03820a254da2d8d8d35ba31 Mon Sep 17 00:00:00 2001
From: Isaac Boukris
Date: Sun, 9 Jun 2019 22:51:55 +0000
Subject: [PATCH] tests: add S4U2Proxy tests with TGS evidence ticket
This was broken with KRB5SignedPath but now that we switch to PAC we get it fixed without KDC changes, so we can just test it. See also PR #599 from where these tests were taken.
---
 tests/kdc/check-kdc.in | 23 ++++++++++++++++++++++-
 1 file changed, 22 insertions(+), 1 deletion(-)
diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in
index 7007c6dde..abaebeab1 100644
--- a/tests/kdc/check-kdc.in
+++ b/tests/kdc/check-kdc.in
@@ -835,7 +835,7 @@ ${kgetcred} \
 ${server}@${R} && \
 { ec=1 ; eval "${testfailed}"; }
 
-echo "test constrained delegation"; > messages.log
+echo "test constrained delegation (evidence from impersonation)"; > messages.log
 ${kgetcred_imp} --forward --impersonate=bar@${R} ${ps} || \
 { ec=1 ; eval "${testfailed}"; }
 ${kgetcred} \
@@ -853,6 +853,27 @@ ${kgetcred} \
 bar@${R} 2>/dev/null && \
 { ec=1 ; eval "${testfailed}"; }
 
+echo "test constrained delegation evidence (evidence from TGS)"; > messages.log
+echo bar > ${objdir}/barpassword
+${kinit} --cache=${icache} --forwardable --password-file=${objdir}/barpassword bar@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} --cache=${icache} --out-cache=${ocache} ${ps} || \
+ { ec=1 ; eval "${testfailed}"; }
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ ${server}@${R} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " try using the credential"
+${test_ap_req} ${server}@${R} ${keytab} ${o2cache} || \
+ { ec=1 ; eval "${testfailed}"; }
+echo " negative check"
+${kgetcred} \
+ --out-cache=${o2cache} \
+ --delegation-credential-cache=${ocache} \
+ bar@${R} 2>/dev/null && \
+ { ec=1 ; eval "${testfailed}"; }
+
 echo "test constrained delegation impersonation (non forward)"; > messages.log
 rm -f ocache.krb5
 ${kimpersonate} -s ${ps} -c bar@${R} -t ${aesenctype} || \
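Review bot: The negative check that closes the added block in the second hunk counts any non-zero exit from `${kgetcred}` as a pass and sends stderr to `/dev/null`. It would therefore also pass if the request failed for an unrelated reason, such as an unreadable `${ocache}` or an unreachable KDC, rather than because the KDC refused delegation to `bar@${R}`. `messages.log` is truncated at the top of the block, so the test could confirm the refusal there with a check such as `grep "<expected KDC refusal text>" messages.log >/dev/null || { ec=1 ; eval "${testfailed}"; }`, where the placeholder stands for the real log message, which this hunk does not show. Separately, `echo bar > ${objdir}/barpassword` writes the password file through an unquoted path, and nothing in the hunk removes it. Quoting it as `"${objdir}/barpassword"` and deleting it after the `${kinit}` step would keep the fixture from lingering, unless cleanup already happens outside the hunk.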