[28843] in CVS-changelog-for-Kerberos-V5


krb5 commit: Add tests for client principal aliases

daemon@ATHENA.MIT.EDU (Greg Hudson)
Mon Apr 13 17:43:46 2015

Date: Mon, 13 Apr 2015 17:43:42 -0400
From: Greg Hudson <ghudson@mit.edu>
Message-Id: <201504132143.t3DLhgOx027003@drugstore.mit.edu>
To: cvs-krb5@mit.edu
Reply-To: krbdev@mit.edu
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: cvs-krb5-bounces@mit.edu

https://github.com/krb5/krb5/commit/2098124705cdc7abd5321e1dee32dc843547eab3
commit 2098124705cdc7abd5321e1dee32dc843547eab3
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed Apr 8 12:09:09 2015 -0400

    Add tests for client principal aliases
    
    Augment the LDAP KDB module tests to include client principal aliases
    as well as server principal aliases.  Also revise the server principal
    alias tests to include an AS-REQ case.  (This requires adjusting the
    subsequent test not to assume a ccache containing a TGT.)

 src/tests/t_kdb.py |   21 +++++++++++++++++----
 1 files changed, 17 insertions(+), 4 deletions(-)

diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 56595db..28c672c 100755
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -274,7 +274,7 @@ realm.run([kvno, realm.host_princ])
 realm.klist(realm.user_princ, realm.host_princ)
 
 # Test service principal aliases.
-realm.addprinc('canon')
+realm.addprinc('canon', password('canon'))
 ldap_modify('dn: krbPrincipalName=canon@KRBTEST.COM,cn=t1,cn=krb5\n'
             'changetype: modify\n'
             'add: krbPrincipalName\n'
@@ -293,6 +293,8 @@ realm.run([kvno, 'canon'])
 out = realm.run([klist])
 if 'alias@KRBTEST.COM\n' not in out or 'canon@KRBTEST.COM' not in out:
     fail('After fetching alias and canon, klist is missing one or both')
+realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])
+realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
 
 # Make sure an alias to the local TGS is still treated like an alias.
 ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
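Review bot: The added `realm.kinit(realm.user_princ, password('user'), ['-S', 'alias'])` replaces the ccache with one that holds only the alias service ticket, and no comment in the test says so. Per the commit message, that side effect is why the following tgtalias test now has to kinit again, so it should be recorded next to the call. Something like `# AS-REQ directly for the alias; this leaves the ccache without a TGT.` above the new kinit would do. This statement run continues outside the hunk.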
@@ -306,10 +308,9 @@ ldap_modify('dn: krbPrincipalName=krbtgt/KRBTEST.COM@KRBTEST.COM,'
 out = realm.run([kadminl, 'getprinc', 'tgtalias'])
 if 'Principal: krbtgt/KRBTEST.COM@KRBTEST.COM' not in out:
     fail('Could not fetch krbtgt through tgtalias')
+realm.kinit(realm.user_princ, password('user'))
 realm.run([kvno, 'tgtalias'])
-out = realm.run([klist])
-if 'tgtalias@KRBTEST.COM\n' not in out:
-    fail('After fetching tgtalias, klist is missing it')
+realm.klist(realm.user_princ, 'tgtalias@KRBTEST.COM')
 
 # Make sure aliases work in header tickets.
 realm.run([kadminl, 'modprinc', '-maxrenewlife', '3 hours', 'user'])
@@ -320,6 +321,18 @@ realm.run([kvno, 'alias'])
 realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
 realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
 
+# Test client principal aliases, with and without preauth.
+realm.kinit('canon', password('canon'))
+out = realm.kinit('alias', password('canon'), expected_code=1)
+if 'not found in Kerberos database' not in out:
+    fail('Wrong error message for kinit to alias without -C flag')
+realm.kinit('alias', password('canon'), ['-C'])
+realm.run([kvno, 'alias'])
+realm.klist('canon@KRBTEST.COM', 'alias@KRBTEST.COM')
+realm.run([kadminl, 'modprinc', '+requires_preauth', 'canon'])
+realm.kinit('canon', password('canon'))
+realm.kinit('alias', password('canon'), ['-C'])
+
 # Regression test for #7980 (fencepost when dividing keys up by kvno).
 realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts,aes128-cts',
            'kvnoprinc'])
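Review bot: The preauth half of the new client-alias test (the two `realm.kinit` calls after `modprinc +requires_preauth`) asserts nothing about the resulting ccache, so a ticket issued under the alias name rather than the canonical one would still pass. Add `realm.klist('canon@KRBTEST.COM')` after the final `realm.kinit('alias', password('canon'), ['-C'])`, mirroring the klist check made in the non-preauth case. The failure without `-C` is likewise pinned only before preauth is enabled; repeating `realm.kinit('alias', password('canon'), expected_code=1)` after the modprinc would cover it, assuming the KDC returns the same lookup error on that path. `+requires_preauth` is also left set on `canon`, which deserves a comment if later tests in the file reuse that principal.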