source-git / krb5

Clone
Source Code
GIT

Blame src/tests/t_referral.py

c8 c8s master
  1.   c8
  2.   src
  3.   tests
  4.   t_referral.py
Blob History Raw
Packit Service 99d1c0 
from k5test import *
Packit Service 99d1c0
Packit Service 99d1c0 
# Create a pair of realms, where KRBTEST1.COM can authenticate to
Packit Service 99d1c0 
# REFREALM and has a domain-realm mapping for 'd' pointing to it.
Packit Service 99d1c0 
drealm = {'domain_realm': {'d': 'REFREALM'}}
Packit Service 99d1c0 
realm, refrealm = cross_realms(2, xtgts=((0,1),),
Packit Service 99d1c0 
                               args=({'kdc_conf': drealm},
Packit Service 99d1c0 
                                     {'realm': 'REFREALM',
Packit Service 99d1c0 
                                      'create_user': False}),
Packit Service 99d1c0 
                               create_host=False)
Packit Service 99d1c0 
refrealm.addprinc('a/x.d')
Packit Service 99d1c0
Packit Service 99d1c0 
savefile = os.path.join(realm.testdir, 'ccache.copy')
Packit Service 99d1c0 
os.rename(realm.ccache, savefile)
Packit Service 99d1c0
Packit Service 99d1c0 
# Get credentials and check that we got a referral to REFREALM.
Packit Service 99d1c0 
def testref(realm, nametype):
Packit Service 99d1c0 
    shutil.copyfile(savefile, realm.ccache)
Packit Service 99d1c0 
    realm.run(['./gcred', nametype, 'a/x.d@'])
Packit Service 99d1c0 
    out = realm.run([klist]).split('\n')
Packit Service 99d1c0 
    if len(out) != 8:
Packit Service 99d1c0 
        fail('unexpected number of lines in klist output')
Packit Service 99d1c0 
    if out[5].split()[4] != 'a/x.d@' or out[6].split()[2] != 'a/x.d@REFREALM':
Packit Service 99d1c0 
        fail('unexpected service principals in klist output')
Packit Service 99d1c0
Packit Service 99d1c0 
# Get credentials and check that we get an error, not a referral.
Packit Service 99d1c0 
def testfail(realm, nametype):
Packit Service 99d1c0 
    shutil.copyfile(savefile, realm.ccache)
Packit Service 99d1c0 
    realm.run(['./gcred', nametype, 'a/x.d@'], expected_code=1,
Packit Service 99d1c0 
              expected_msg='not found in Kerberos database')
Packit Service 99d1c0
Packit Service 99d1c0 
# Create a modified KDC environment and restart the KDC.
Packit Service 99d1c0 
def restart_kdc(realm, kdc_conf):
Packit Service 99d1c0 
    env = realm.special_env('extravars', True, kdc_conf=kdc_conf)
Packit Service 99d1c0 
    realm.stop_kdc()
Packit Service 99d1c0 
    realm.start_kdc(env=env)
Packit Service 99d1c0
Packit Service 99d1c0 
# With no KDC configuration besides [domain_realm], we should get a
Packit Service 99d1c0 
# referral for a NT-SRV-HST or NT-SRV-INST server name, but not an
Packit Service 99d1c0 
# NT-UNKNOWN or NT-PRINCIPAL server name.
Packit Service 99d1c0 
mark('[domain-realm] only')
Packit Service 99d1c0 
testref(realm, 'srv-hst')
Packit Service 99d1c0 
testref(realm, 'srv-inst')
Packit Service 99d1c0 
testfail(realm, 'principal')
Packit Service 99d1c0 
testfail(realm, 'unknown')
Packit Service 99d1c0
Packit Service 99d1c0 
# With host_based_services matching the first server name component
Packit Service 99d1c0 
# ("a"), we should get a referral for an NT-UNKNOWN server name.
Packit Service 99d1c0 
# host_based_services can appear in either [kdcdefaults] or the realm
Packit Service 99d1c0 
# section, with the realm values supplementing the kdcdefaults values.
Packit Service 99d1c0 
# NT-SRV-HST server names should be unaffected by host_based_services,
Packit Service 99d1c0 
# and NT-PRINCIPAL server names shouldn't get a referral regardless.
Packit Service 99d1c0 
mark('host_based_services')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'host_based_services': '*'}})
Packit Service 99d1c0 
testref(realm, 'unknown')
Packit Service 99d1c0 
testfail(realm, 'principal')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'host_based_services': ['b', 'a,c']}})
Packit Service 99d1c0 
testref(realm, 'unknown')
Packit Service 99d1c0 
restart_kdc(realm, {'realms': {'$realm': {'host_based_services': 'a b c'}}})
Packit Service 99d1c0 
testref(realm, 'unknown')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'a'},
Packit Service 99d1c0 
                    'realms': {'$realm': {'host_based_services': 'b c'}}})
Packit Service 99d1c0 
testref(realm, 'unknown')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'},
Packit Service 99d1c0 
                    'realms': {'$realm': {'host_based_services': 'a,b'}}})
Packit Service 99d1c0 
testref(realm, 'unknown')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'host_based_services': 'b,c'}})
Packit Service 99d1c0 
testfail(realm, 'unknown')
Packit Service 99d1c0 
testref(realm, 'srv-hst')
Packit Service 99d1c0
Packit Service 99d1c0 
# With no_host_referrals matching the first server name component, we
Packit Service 99d1c0 
# should not get a referral even for NT-SRV-HOST server names
Packit Service 99d1c0 
mark('no_host_referral')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*'}})
Packit Service 99d1c0 
testfail(realm, 'srv-hst')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': ['b', 'a,c']}})
Packit Service 99d1c0 
testfail(realm, 'srv-hst')
Packit Service 99d1c0 
restart_kdc(realm, {'realms': {'$realm': {'no_host_referral': 'a b c'}}})
Packit Service 99d1c0 
testfail(realm, 'srv-hst')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'a'},
Packit Service 99d1c0 
                    'realms': {'$realm': {'no_host_referral': 'b c'}}})
Packit Service 99d1c0 
testfail(realm, 'srv-hst')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'},
Packit Service 99d1c0 
                    'realms': {'$realm': {'no_host_referral': 'a,b'}}})
Packit Service 99d1c0 
testfail(realm, 'srv-hst')
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': 'b,c'}})
Packit Service 99d1c0 
testref(realm, 'srv-hst')
Packit Service 99d1c0
Packit Service 99d1c0 
# no_host_referrals should override host_based_services for NT-UNKNWON
Packit Service 99d1c0 
# server names.
Packit Service 99d1c0 
restart_kdc(realm, {'kdcdefaults': {'no_host_referral': '*',
Packit Service 99d1c0 
                                    'host_based_services': '*'}})
Packit Service 99d1c0 
testfail(realm, 'unknown')
Packit Service 99d1c0
Packit Service 99d1c0 
realm.stop()
Packit Service 99d1c0 
refrealm.stop()
Packit Service 99d1c0
Packit Service 99d1c0 
# Regression test for #7483: a KDC should not return a host referral
Packit Service 99d1c0 
# to its own realm.
Packit Service 99d1c0 
mark('#7483 regression test')
Packit Service 99d1c0 
drealm = {'domain_realm': {'d': 'KRBTEST.COM'}}
Packit Service 99d1c0 
realm = K5Realm(kdc_conf=drealm, create_host=False)
Packit Service 99d1c0 
out, trace = realm.run(['./gcred', 'srv-hst', 'a/x.d@'], expected_code=1,
Packit Service 99d1c0 
                       return_trace=True)
Packit Service 99d1c0 
if 'back to same realm' in trace:
Packit Service 99d1c0 
    fail('KDC returned referral to service realm')
Packit Service 99d1c0 
realm.stop()
Packit Service 99d1c0
Packit Service 99d1c0 
# Test client referrals.  Use the test KDB module for KRBTEST1.COM to
Packit Service 99d1c0 
# simulate referrals since our built-in modules do not support them.
Packit Service 99d1c0 
# No cross-realm TGTs are necessary.
Packit Service 99d1c0 
mark('client referrals')
Packit Service 99d1c0 
kdcconf = {'realms': {'$realm': {'database_module': 'test'}},
Packit Service 99d1c0 
           'dbmodules': {'test': {'db_library': 'test',
Packit Service 99d1c0 
                                  'alias': {'user': '@KRBTEST2.COM',
Packit Service 99d1c0 
                                            'abc@XYZ': '@KRBTEST2.COM'}}}}
Packit Service 99d1c0 
r1, r2 = cross_realms(2, xtgts=(),
Packit Service 99d1c0 
                      args=({'kdc_conf': kdcconf, 'create_kdb': False}, None),
Packit Service 99d1c0 
                      create_host=False)
Packit Service 99d1c0 
r2.addprinc('abc\@XYZ', 'pw')
Packit Service 99d1c0 
r1.start_kdc()
Packit Service 99d1c0 
r1.kinit('user', expected_code=1,
Packit Service 99d1c0 
         expected_msg='not found in Kerberos database')
Packit Service 99d1c0 
r1.kinit('user', password('user'), ['-C'])
Packit Service 99d1c0 
r1.klist('user@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
Packit Service 99d1c0 
r1.kinit('abc@XYZ', 'pw', ['-E'])
Packit Service 99d1c0 
r1.klist('abc\@XYZ@KRBTEST2.COM', 'krbtgt/KRBTEST2.COM')
Packit Service 99d1c0
Packit Service 99d1c0 
# Test that disable_encrypted_timestamp persists across client
Packit Service 99d1c0 
# referrals.  (This test relies on SPAKE not being enabled by default
Packit Service 99d1c0 
# on the KDC.)
Packit Service 99d1c0 
r2.run([kadminl, 'modprinc', '+preauth', 'user'])
Packit Service 99d1c0 
msgs = ('Encrypted timestamp (for ')
Packit Service 99d1c0 
r1.kinit('user', password('user'), ['-C'], expected_trace=msgs)
Packit Service 99d1c0 
dconf = {'realms': {'$realm': {'disable_encrypted_timestamp': 'true'}}}
Packit Service 99d1c0 
denv = r1.special_env('disable_encts', False, krb5_conf=dconf)
Packit Service 99d1c0 
msgs = ('Ignoring encrypted timestamp because it is disabled',
Packit Service 99d1c0 
        '/Encrypted timestamp is disabled')
Packit Service 99d1c0 
r1.kinit('user', None, ['-C'], env=denv, expected_code=1, expected_trace=msgs,
Packit Service 99d1c0 
         expected_msg='Encrypted timestamp is disabled')
Packit Service 99d1c0
Packit Service 99d1c0 
success('KDC host referral tests')

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation