krb5: Improve cccol sub naming; add gss_store_cred_into2()
- Formalize the TYPE:collection_name:subsidiary_name naming scheme for ccaches in ccache collections - KEYRING: ccaches are weird because they have one more optional field: the "anchor", so rather than just assume a naming convention everywhere, we add new functions as well - Add krb5_cc_{resolve,default}_sub() that allows one to specify a "subsidiary" ccache name in a collection separately from the collection name - Add krb5_cc_{resolve,default}_for() which take a principal name, unparse it, and use it as the subsidiary ccache name (with colons replaced) - Make kinit use the new interfaces - Add missing DIR ccache iteration functionality - Revamp test_cc - Add krb5_cc_get_collection() and krb5_cc_get_subsidiary() - Bump the ccops SPI version number - Add gss_store_cred_into2() - Make MEMORY:anonymous not linked into the global MEMORY ccache collection, and use it for delegated cred handles TBD: - Split this up into a krb5 change and gss mech_krb5 change? - Add krb5_cc_init_and_store() utility, per Greg's suggestion?
@@ -105,7 +105,7 @@ echo "initial ticket"
|
||||
${kinit} -c ${cache} --password-file=${objdir}/foopassword user@${R} || exitcode=1
|
||||
|
||||
echo "copy ccache with gss_store_cred"
|
||||
${test_add_store_cred} ${cache} ${cache2} || exit 1
|
||||
${test_add_store_cred} --default --overwrite --env ${cache} ${cache2} || exit 1
|
||||
${klist} -c ${cache2} || exit 1
|
||||
|
||||
echo "keytab"
|
||||
|
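Review bot: The only post-condition checked after the `--default --overwrite --env` store is that `${cache2}` is listable; nothing confirms the credential that landed there belongs to `user@${R}`, and nothing exercises the overwrite path against a cache that already holds something. Assuming `--env` points the default ccache at `${cache2}` (the helper is not visible here), `${klist} -c ${cache2} | grep "user@${R}" >/dev/null || exit 1` pins the principal, and storing a second time with `--overwrite` into the now-populated cache would show the flag actually matters. This hunk also mixes `exitcode=1` on the kinit line with hard `exit 1` on the store/klist lines; if the script relies on a trailing KDC kill or a trap for cleanup (not visible from here), the hard exits skip it.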
@@ -53,6 +53,7 @@ nokeytab="FILE:no-such-keytab"
|
||||
cache="FILE:krb5ccfile"
|
||||
|
||||
kinit="${TESTS_ENVIRONMENT} ../../kuser/kinit -c $cache ${afs_no_afslog}"
|
||||
kdestroy="${TESTS_ENVIRONMENT} ../../kuser/kdestroy -c $cache"
|
||||
klist="${TESTS_ENVIRONMENT} ../../kuser/heimtools klist -c $cache"
|
||||
kgetcred="${TESTS_ENVIRONMENT} ../../kuser/kgetcred -c $cache"
|
||||
kadmin="${TESTS_ENVIRONMENT} ../../kadmin/kadmin -l -r $R"
|
||||
@@ -121,17 +122,23 @@ trap "kill ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
|
||||
testfailed="echo test failed; cat messages.log; exit 1"
|
||||
|
||||
echo "Test gss_acquire_cred_with_password" ; > messages.log
|
||||
${kdestroy}
|
||||
${context} --client-name=user1@${R} --client-password=u1 --mech-type=krb5 \
|
||||
host@lucid.test.h5l.se || { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
# These must fail (because wrong password)
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
|
||||
host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type='' \
|
||||
--mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type=krb5 \
|
||||
--mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 --mech-type=all \
|
||||
--mech-types=krb5 host@lucid.test.h5l.se && { eval "$testfailed"; }
|
||||
${klist} && { eval "$testfailed"; }
|
||||
${context} --client-name=user1@${R} --client-password=u2 \
|
||||
--mech-type=krb5,ntlm --mech-types=krb5 host@lucid.test.h5l.se \
|
||||
&& { eval "$testfailed"; }
|
||||
|
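Review bot: The `${klist} && { eval "$testfailed"; }` that follows the first, successful `${context} --client-name=user1@${R} --client-password=u1` call is the security-relevant assertion of this block — it requires that credentials acquired with a password do not appear in the default ccache — but unlike the wrong-password cases below it carries no comment, so it reads like a copy of the negative checks. I would add `# creds acquired from a password must stay private to the cred handle, never land in the default ccache` above that line; the commit description's MEMORY:anonymous change appears to be what this relies on, though that code is outside this hunk. The later `${klist}` checks only prove the default cache stayed empty; none of the wrong-password variants asserts that `${context}` failed for the password rather than for mech selection, so a grep of messages.log for the actual error would make those cases meaningful.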
@@ -4,6 +4,7 @@ noinst_DATA = \
|
||||
an2ln-db.txt \
|
||||
kdc-tester4.json \
|
||||
krb5.conf \
|
||||
krb5-cccol.conf \
|
||||
krb5-authz.conf \
|
||||
krb5-authz2.conf \
|
||||
krb5-canon.conf \
|
||||
@@ -183,6 +184,13 @@ krb5.conf: krb5.conf.in Makefile
|
||||
-e 's,[@]kdc[@],,g' < $(srcdir)/krb5.conf.in > krb5.conf.tmp && \
|
||||
mv krb5.conf.tmp krb5.conf
|
||||
|
||||
krb5-cccol.conf: krb5-cccol.conf.in Makefile
|
||||
$(do_subst) \
|
||||
-e 's,[@]WEAK[@],false,g' \
|
||||
-e 's,[@]dk[@],,g' \
|
||||
-e 's,[@]kdc[@],,g' < $(srcdir)/krb5-cccol.conf.in > krb5-cccol.conf.tmp && \
|
||||
mv krb5-cccol.conf.tmp krb5-cccol.conf
|
||||
|
||||
krb5-authz.conf: krb5-authz.conf.in Makefile
|
||||
$(do_subst) < $(srcdir)/krb5-authz.conf.in > krb5-authz.conf.tmp && \
|
||||
mv krb5-authz.conf.tmp krb5-authz.conf
|
||||
|
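Review bot: The `krb5-cccol.conf` rule repeats the three `-e` substitutions and the tmp-then-`mv` sequence of the `krb5.conf` rule verbatim (that rule starts above this hunk), so the two will drift the next time a placeholder is added. If the build tolerates GNU-make pattern rules (automake only warns under `-Wportability`), a static pattern rule covers both targets with one recipe; the explicit `$(srcdir)/` prefix then has to go, because VPATH already resolves `$<` for out-of-tree builds. Also check that `krb5-cccol.conf` is listed in `CLEANFILES` alongside `krb5.conf` — that list is outside the hunk, so I cannot confirm it.
```make
krb5.conf krb5-cccol.conf: %: %.in Makefile
	$(do_subst) \
	-e 's,[@]WEAK[@],false,g' \
	-e 's,[@]dk[@],,g' \
	-e 's,[@]kdc[@],,g' < $< > $@.tmp && \
	mv $@.tmp $@
```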
@@ -36,7 +36,7 @@ objdir="@objdir@"
|
||||
|
||||
. ${env_setup}
|
||||
|
||||
KRB5_CONFIG="${objdir}/krb5-cc.conf"
|
||||
KRB5_CONFIG="${objdir}/krb5.conf"
|
||||
export KRB5_CONFIG
|
||||
|
||||
unset KRB5CCNAME
|
||||
@@ -68,8 +68,6 @@ rm -f mkey.file*
|
||||
|
||||
> messages.log
|
||||
|
||||
cp "${objdir}/krb5.conf" "${objdir}/krb5-cc.conf"
|
||||
|
||||
echo Creating database
|
||||
${kadmin} \
|
||||
init \
|
||||
@@ -95,12 +93,7 @@ trap "kill -9 ${kdcpid}; echo signal killing kdc; exit 1;" EXIT
|
||||
|
||||
ec=0
|
||||
|
||||
(cat ${objdir}/krb5.conf ; \
|
||||
echo '' ; \
|
||||
echo '[libdefaults]' ; \
|
||||
echo " default_cc_type = SCC" ; \
|
||||
echo '' ) \
|
||||
> ${objdir}/krb5-cc.conf
|
||||
export KRB5CCNAME=SCC:${objdir}/sdb
|
||||
|
||||
${kswitch} -p foo@${R} 2>/dev/null && ${kdestroy}
|
||||
${kswitch} -p foo@${R} 2>/dev/null && ${kdestroy}
|
||||
@@ -114,8 +107,8 @@ ${klist} -l | grep foo@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
${kdestroy}
|
||||
|
||||
echo "getting both tickets"; > messages.log
|
||||
${kinit} -c SCC:1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} -c SCC:2 bar@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} -c ${KRB5CCNAME}:1 foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} -c ${KRB5CCNAME}:2 bar@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
echo "switch foo"
|
||||
${kswitch} -p foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} | head -2 | grep foo@ >/dev/null || { ec=1 ; eval "${testfailed}"; }
|
||||
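Review bot: `${kinit} -c ${KRB5CCNAME}:1` and `:2` depend on the `TYPE:collection:subsidiary` naming the commit introduces, but nothing in the script says so; with `KRB5CCNAME=SCC:${objdir}/sdb` set earlier, a reader has to know that appending `:1` selects a subsidiary inside the `sdb` collection rather than producing a malformed name. A one-line comment before the two kinit calls, such as `# TYPE:collection:subsidiary -- both caches live in the SCC collection ${objdir}/sdb`, would make the intent explicit. `${KRB5CCNAME}` is also unquoted; harmless while `objdir` has no whitespace, but `"${KRB5CCNAME}:1"` costs nothing.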
@@ -140,6 +133,22 @@ ${klist} -l | grep foo@ >/dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
echo "check that bar is gone"
|
||||
${klist} -l | grep bar@ >/dev/null && { ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "getting tickets (DIR)"; > messages.log
|
||||
KRB5_CONFIG="${objdir}/krb5-cccol.conf"
|
||||
export KRB5_CONFIG
|
||||
unset KRB5CCNAME
|
||||
rm -rf ${objdir}/kt ${objdir}/cc_dir
|
||||
mkdir ${objdir}/cc_dir || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} foo@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
${kinit} --no-change-default bar@${R} || { ec=1 ; eval "${testfailed}"; }
|
||||
primary=`cat ${objdir}/cc_dir/primary`
|
||||
[ "x$primary" = xtkt.foo@${R} ] || { ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l |
|
||||
grep "foo@TEST.H5L.SE.*FILE:${objdir}/cc_dir/tkt.foo@TEST.H5L.SE" > /dev/null ||
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
${klist} -l |
|
||||
grep "bar@TEST.H5L.SE.*FILE:${objdir}/cc_dir/tkt.bar@TEST.H5L.SE" > /dev/null ||
|
||||
{ ec=1 ; eval "${testfailed}"; }
|
||||
|
||||
echo "killing kdc (${kdcpid})"
|
||||
sh ${leaks_kill} kdc $kdcpid || exit 1
|
||||
|
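Review bot: The two `grep` assertions hard-code `TEST.H5L.SE` while the `primary` check a few lines earlier uses `${R}`; if `R` ever changes the first check adapts and the greps silently go stale, so they should read `grep "foo@${R}.*FILE:${objdir}/cc_dir/tkt.foo@${R}"` (and likewise for bar). Separately, `mkdir ${objdir}/cc_dir` creates the DIR collection with whatever the process umask allows; a directory that will hold ticket files ought to be `mkdir -m 0700 ${objdir}/cc_dir`, and since this is the first test to exercise DIR collections it is the natural place to also assert the mode the library gives the `tkt.*` files it creates. The `rm -rf ${objdir}/kt` on the same line looks unrelated to this test (no keytab is touched in the hunk) — worth checking it is not a leftover.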
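--- /dev/null
+++ b/tests/kdc/krb5-cccol.conf.in
@@ -0,0 +1,165 @@
+[libdefaults]
+	default_realm = TEST.H5L.SE TEST2.H5L.SE
+	default_cc_collection = DIR:@objdir@/cc_dir/
+	no-addresses = TRUE
+	allow_weak_crypto = @WEAK@
+	dns_lookup_kdc = no
+	dns_lookup_realm = no
+
+
+[appdefaults]
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+	reconnect-min = 2s
+	reconnect-backoff = 2s
+	reconnect-max = 10s
+
+[realms]
+	TEST.H5L.SE = {
+		kdc = localhost:@port@
+		admin_server = localhost:@admport@
+		kpasswd_server = localhost:@pwport@
+	}
+	SUB.TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+	TEST2.H5L.SE = {
+		kdc = localhost:@port@
+		kpasswd_server = localhost:@pwport@
+	}
+	TEST3.H5L.SE = {
+		kdc = localhost:@port@
+	}
+	TEST4.H5L.SE = {
+		kdc = localhost:@port@
+	}
+	SOME-REALM5.FR = {
+		kdc = localhost:@port@
+	}
+	SOME-REALM6.US = {
+		kdc = localhost:@port@
+	}
+	SOME-REALM7.UK = {
+		kdc = localhost:@port@
+	}
+	SOME-REALM8.UK = {
+		kdc = localhost:@port@
+	}
+	TEST-HTTP.H5L.SE = {
+		kdc = http/localhost:@port@
+	}
+	H1.TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+	H2.TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+	H3.H2.TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+	H4.H2.TEST.H5L.SE = {
+		kdc = localhost:@port@
+	}
+
+[domain_realm]
+	.test.h5l.se = TEST.H5L.SE
+	.sub.test.h5l.se = SUB.TEST.H5L.SE
+	.h1.test.h5l.se = H1.TEST.H5L.SE
+	.h2.test.h5l.se = H2.TEST.H5L.SE
+	.h3.h2.test.h5l.se = H3.H2.TEST.H5L.SE
+	.h4.h2.test.h5l.se = H4.H2.TEST.H5L.SE
+	.example.com = TEST2.H5L.SE
+	localhost = TEST.H5L.SE
+	.localdomain = TEST.H5L.SE
+	localdomain = TEST.H5L.SE
+	.localdomain6 = TEST.H5L.SE
+	localdomain6 = TEST.H5L.SE
+
+
+[kdc]
+	enable-digest = true
+	allow-anonymous = true
+	digests_allowed = chap-md5,digest-md5,ntlm-v1,ntlm-v1-session,ntlm-v2,ms-chap-v2
+	strict-nametypes = true
+
+	enable-http = true
+
+	enable-pkinit = true
+	pkinit_identity = FILE:@srcdir@/../../lib/hx509/data/kdc.crt,@srcdir@/../../lib/hx509/data/kdc.key
+	pkinit_anchors = FILE:@srcdir@/../../lib/hx509/data/ca.crt
+	pkinit_pool = FILE:@srcdir@/../../lib/hx509/data/sub-ca.crt
+	# pkinit_revoke = CRL:@srcdir@/../../lib/hx509/data/crl1.crl
+	pkinit_mappings_file = @srcdir@/pki-mapping
+	pkinit_allow_proxy_certificate = true
+
+	database = {
+		label = {
+			dbname = @db_type@:@objdir@/current-db@kdc@
+			realm = TEST.H5L.SE
+			mkey_file = @objdir@/mkey.file
+			acl_file = @srcdir@/heimdal.acl
+			log_file = @objdir@/current@kdc@.log
+		}
+		label2 = {
+			dbname = @db_type@:@objdir@/current-db@kdc@
+			realm = TEST2.H5L.SE
+			mkey_file = @objdir@/mkey.file
+			acl_file = @srcdir@/heimdal.acl
+			log_file = @objdir@/current@kdc@.log
+		}
+		label3 = {
+			dbname = sqlite:@objdir@/current-db@kdc@.sqlite3
+			realm = SOME-REALM5.FR
+			mkey_file = @objdir@/mkey.file
+			acl_file = @srcdir@/heimdal.acl
+			log_file = @objdir@/current@kdc@.log
+		}
+	}
+
+	signal_socket = @objdir@/signal
+	iprop-stats = @objdir@/iprop-stats
+	iprop-acl = @srcdir@/iprop-acl
+	log-max-size = 40000
+
+[hdb]
+	db-dir = @objdir@
+
+[logging]
+	kdc = 0-/FILE:@objdir@/messages.log
+	krb5 = 0-/FILE:@objdir@/messages.log
+	default = 0-/FILE:@objdir@/messages.log
+
+# If you are doing preformance measurements on OSX you want to change
+# the kdc LOG line from = to - below to keep the FILE open and avoid
+# open/write/close which is blocking (rdar:// ) on OSX.
+#	kdc = 0-/FILE=@objdir@/messages.log
+
+[kadmin]
+	save-password = true
+	default_key_rules = {
+		*/des3-only@* = des3-cbc-sha1:pw-salt
+		*/aes-only@* = aes256-cts-hmac-sha1-96:pw-salt
+	}
+	@dk@
+
+[capaths]
+	TEST.H5L.SE = {
+		TEST2.H5L.SE = .
+		SOME-REALM5.FR = 1
+		TEST3.H5L.SE = TEST2.H5L.SE
+		TEST4.H5L.SE = TEST2.H5L.SE
+		TEST4.H5L.SE = TEST3.H5L.SE
+		SOME-REALM6.US = SOME-REALM5.FR
+		SOME-REALM7.UK = SOME-REALM6.US
+		SOME-REALM7.UK = SOME-REALM5.FR
+		SOME-REALM8.UK = SOME-REALM6.US
+	}
+	H4.H2.TEST.H5L.SE = {
+		H1.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+		H1.TEST.H5L.SE = H2.TEST.H5L.SE
+		H1.TEST.H5L.SE = TEST.H5L.SE
+
+		TEST.H5L.SE = H3.H2.TEST.H5L.SE
+		TEST.H5L.SE = H2.TEST.H5L.SE
+
+		H2.TEST.H5L.SE = H3.H2.TEST.H5L.SE
+
+	}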
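Review bot: This file is a full copy of the KDC test configuration whose only functional difference, as far as the `krb5-cccol.conf` Makefile rule shows, is `default_cc_collection = DIR:@objdir@/cc_dir/`; the 160-odd lines of realms, capaths, digest and PKINIT settings are now maintained twice and will drift. check-cc used to build its SCC variant by appending a `[libdefaults]` stanza to the generated krb5.conf at run time, which would work just as well here and avoid the second copy; failing that, a header comment `# Copy of krb5.conf.in with default_cc_collection set; keep the two in sync` is the minimum. Two inherited settings deserve an explicit remark rather than silent inheritance: `allow-anonymous = true` and the `ntlm-v1`/`chap-md5` entries in `digests_allowed` are test-KDC conveniences, not defaults anyone should copy into a real deployment. The trailing slash in `DIR:@objdir@/cc_dir/` is presumably tolerated by the DIR backend, since check-cc expects `cc_dir/tkt.foo@…` without a doubled slash — worth confirming.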