from k5test import *
# Create a pair of realms, where KRBTEST1.COM can authenticate to
# REFREALM and has a domain-realm mapping for 'd' pointing to it.  That
# mapping is what allows the KRBTEST1.COM KDC to answer a request for a
# host-based service in domain 'd' with a referral to REFREALM rather
# than a "not found" error.
drealm = {'domain_realm': {'d': 'REFREALM'}}
refrealm_args = {'realm': 'REFREALM', 'create_user': False}
realm, refrealm = cross_realms(2, xtgts=((0, 1),),
                               args=({'kdc_conf': drealm}, refrealm_args),
                               create_host=False)
# The service principal exists only in REFREALM (no host principals are
# created in either realm), so any service ticket the client obtains
# for it must have come via a referral.
refrealm.addprinc('a/x.d')

# Set aside the credential cache as populated by cross_realms() so every
# test below can start from the same initial cache contents.
savefile = os.path.join(realm.testdir, 'ccache.copy')
os.rename(realm.ccache, savefile)

# Get credentials and check that we got a referral to REFREALM.
def testref(realm, nametype):
    """Fetch a ticket for a/x.d@ and require that it came via a referral.

    The credential cache is first reset from savefile so the request is
    made with only the initial cache contents.  ./gcred is run with the
    given server name type (e.g. 'srv-hst', 'srv-inst', 'unknown',
    'principal') and the empty-realm name 'a/x.d@'.  The klist output
    must then show the name as requested ('a/x.d@') together with a
    ticket server of 'a/x.d@REFREALM'; anything else calls fail().
    """
    shutil.copyfile(savefile, realm.ccache)
    realm.run(['./gcred', nametype, 'a/x.d@'])
    lines = realm.run([klist]).split('\n')
    # The output is parsed positionally, so pin the line count before
    # indexing into it.
    if len(lines) != 8:
        fail('unexpected number of lines in klist output')
    # Line 5 appears to be the credential entry (field 4 is the service
    # principal as requested); line 6 the "Ticket server:" line naming
    # the principal actually issued, whose realm shows where the
    # referral went.  Evaluated lazily to keep the original
    # short-circuit behavior.
    wrong_names = (lines[5].split()[4] != 'a/x.d@'
                   or lines[6].split()[2] != 'a/x.d@REFREALM')
    if wrong_names:
        fail('unexpected service principals in klist output')


# Get credentials and check that we get an error, not a referral.
def testfail(realm, nametype):
    """Request a ticket for a/x.d@ and require a KDC "not found" error.

    Mirrors testref(): the cache is reset from savefile and ./gcred is
    run with the given server name type, but here the KDC must decline
    to refer the name, so ./gcred must exit 1 and print 'not found in
    Kerberos database'.
    """
    shutil.copyfile(savefile, realm.ccache)
    gcred_cmd = ['./gcred', nametype, 'a/x.d@']
    realm.run(gcred_cmd, expected_code=1,
              expected_msg='not found in Kerberos database')


# Create a modified KDC environment and restart the KDC.
def restart_kdc(realm, kdc_conf):
    """Restart realm's KDC with kdc_conf applied on top of its kdc.conf.

    special_env() builds a new environment (profile name 'extravars')
    carrying the extra kdc.conf settings; the KDC is then stopped and
    started again under that environment.  Each call supplies its own
    kdc_conf, so a later call is not expected to inherit settings from
    an earlier one (presumably special_env() starts from the base
    profile each time -- confirm in k5test if relying on that).
    """
    new_env = realm.special_env('extravars', True, kdc_conf=kdc_conf)
    realm.stop_kdc()
    realm.start_kdc(env=new_env)


# With no KDC configuration besides [domain_realm], we should get a
# referral for a NT-SRV-HST or NT-SRV-INST server name, but not an
# NT-UNKNOWN or NT-PRINCIPAL server name.  Limiting referrals to
# host-based name types means a domain_realm mapping alone does not let
# the KDC redirect requests for arbitrary principal names elsewhere.
mark('[domain-realm] only')
for referred_type in ('srv-hst', 'srv-inst'):
    testref(realm, referred_type)
for refused_type in ('principal', 'unknown'):
    testfail(realm, refused_type)

# With host_based_services matching the first server name component
# ("a"), we should get a referral for an NT-UNKNOWN server name.
# host_based_services can appear in either [kdcdefaults] or the realm
# section, with the realm values supplementing the kdcdefaults values.
# NT-SRV-HST server names should be unaffected by host_based_services,
# and NT-PRINCIPAL server names shouldn't get a referral regardless.
mark('host_based_services')
restart_kdc(realm, {'kdcdefaults': {'host_based_services': '*'}})
testref(realm, 'unknown')
testfail(realm, 'principal')
# Every configuration here names "a" somewhere: as one of several list
# entries, space- or comma-separated, in [kdcdefaults], in the realm
# section, or split across both.  Each must yield a referral.
for conf in ({'kdcdefaults': {'host_based_services': ['b', 'a,c']}},
             {'realms': {'$realm': {'host_based_services': 'a b c'}}},
             {'kdcdefaults': {'host_based_services': 'a'},
              'realms': {'$realm': {'host_based_services': 'b c'}}},
             {'kdcdefaults': {'host_based_services': 'b,c'},
              'realms': {'$realm': {'host_based_services': 'a,b'}}}):
    restart_kdc(realm, conf)
    testref(realm, 'unknown')
# With "a" absent from the list, an NT-UNKNOWN name is not referred,
# while an NT-SRV-HST name still is.
restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'}})
testfail(realm, 'unknown')
testref(realm, 'srv-hst')

# With no_host_referral matching the first server name component, we
# should not get a referral even for NT-SRV-HST server names.  As with
# host_based_services, the option may be given in [kdcdefaults], in the
# realm section, or both, in list, space- or comma-separated form.
mark('no_host_referral')
for conf in ({'kdcdefaults': {'no_host_referral': '*'}},
             {'kdcdefaults': {'no_host_referral': ['b', 'a,c']}},
             {'realms': {'$realm': {'no_host_referral': 'a b c'}}},
             {'kdcdefaults': {'no_host_referral': 'a'},
              'realms': {'$realm': {'no_host_referral': 'b c'}}},
             {'kdcdefaults': {'no_host_referral': 'b,c'},
              'realms': {'$realm': {'no_host_referral': 'a,b'}}}):
    restart_kdc(realm, conf)
    testfail(realm, 'srv-hst')
# Once "a" is no longer listed, the host-based referral is allowed again.
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'}})
testref(realm, 'srv-hst')

# no_host_referral should override host_based_services for NT-UNKNOWN
# server names: when both match the first component, the deny-style
# option wins and the KDC answers "not found" instead of referring.
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*',
                                    'host_based_services': '*'}})
testfail(realm, 'unknown')

# Tear down both realms; the remaining tests create their own.
realm.stop()
refrealm.stop()

# Regression test for #7483: a KDC should not return a host referral
# to its own realm.  The domain_realm mapping for 'd' points back at the
# KDC's own realm (KRBTEST.COM) and a/x.d has no entry there, so the
# request must fail outright instead of being referred back to the
# realm it came from (a self-referral is useless to the client and could
# simply be chased again).
mark('#7483 regression test')
drealm = {'domain_realm': {'d': 'KRBTEST.COM'}}
realm = K5Realm(kdc_conf=drealm, create_host=False)
# The command is expected to fail in either case, so the exit code alone
# cannot tell a proper error from a self-referral; the client trace can.
out, trace = realm.run(['./gcred', 'srv-hst', 'a/x.d@'], expected_code=1,
                       return_trace=True)
# Presence of this client-side trace message means the KDC did hand out
# a referral naming the client's own realm.
if 'back to same realm' in trace:
    fail('KDC returned referral to service realm')
realm.stop()

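# Test client referrals.  Use the test KDB module for KRBTEST1.COM to
# simulate referrals since our built-in modules do not support them.
# No cross-realm TGTs are necessary.
mark('client referrals')
# The test module's 'alias' table maps a requested client name to
# '@KRBTEST2.COM', which KRBTEST1.COM's KDC turns into a client referral.
# 'user' is a plain name; 'abc@XYZ' exercises a name whose '@' is part
# of the first component (an enterprise-style name).
kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
           'dbmodules': {'test': {'db_library': 'test',
                                  'alias': {'user': '@KRBTEST2.COM',
                                            'abc@XYZ': '@KRBTEST2.COM'}}}}
r1, r2 = cross_realms(2, xtgts=(),
                      args=({'kdc_conf': kdcconf, 'create_kdb': False}, None),
                      create_host=False)
# The principal's first component is literally "abc@XYZ"; in principal
# name syntax the '@' is escaped with a backslash.  Spell the backslash
# as '\\' rather than the invalid escape '\@': the resulting string is
# identical, but '\@' is a SyntaxWarning on current Pythons and slated
# to become an error.
r2.addprinc('abc\\@XYZ', 'pw')
r1.start_kdc()
# Without canonicalization the referral is not followed, so the KDC's
# "not found" error is what the client sees.
r1.kinit('user', expected_code=1,
         expected_msg='not found in Kerberos database')
# -C requests canonicalization; the referral to KRBTEST2.COM is followed
# and the TGT obtained is for the referred realm.
r1.kinit('user', password('user'), ['-C'])
r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
# -E marks the name as an enterprise principal.
r1.kinit('abc@XYZ', 'pw', ['-E'])
r1.klist('abc\\@XYZ@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
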
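# Test that disable_encrypted_timestamp persists across client
# referrals.  (This test relies on SPAKE not being enabled by default
# on the KDC.)
r2.run([kadminl, 'modprinc', '+preauth', 'user'])
# expected_trace is a sequence of messages to find in the client trace.
# A one-element tuple needs the trailing comma: without it this is a
# bare string, which the checker would iterate character by character,
# so the assertion passes vacuously and never verifies that encrypted
# timestamp was actually used.
msgs = ('Encrypted timestamp (for ',)
r1.kinit('user', password('user'), ['-C'], expected_trace=msgs)
# Client-side krb5.conf setting for the initial realm; it must still be
# honored after the client has been referred to KRBTEST2.COM.
dconf = {'realms': {'$realm': {'disable_encrypted_timestamp': 'true'}}}
denv = r1.special_env('disable_encts', False, krb5_conf=dconf)
# A leading '/' makes the entry a regular expression rather than a
# substring match.
msgs = ('Ignoring encrypted timestamp because it is disabled',
        '/Encrypted timestamp is disabled')
r1.kinit('user', None, ['-C'], env=denv, expected_code=1, expected_trace=msgs,
         expected_msg='Encrypted timestamp is disabled')

success('KDC host referral tests')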