kdc: cross realm s4u2self handling

Isaac Boukris iboukris at gmail.com
Tue Sep 18 12:12:18 EDT 2018


Hello Greg, all,

I've been working lately on cross-realm s4u2self in samba code and
would like to consult about MIT's current handling and possibly needed
changes.

See last emails on samba-technical thread (it's a long one, spans over
a few months):
https://lists.samba.org/archive/samba-technical/2018-September/130044.html

Heimdal and Samba PRs:
https://github.com/heimdal/heimdal/pull/403
https://github.com/samba-team/samba/pull/204


In short, for cross-realm s4u2self requests we need a way to sign and
verify the PAC including the realm, that is user@realm for a regular
principal name, and user@realm@realm for an enterprise one.

See attached proof-of-concept patches for mit-krb5 and samba with
which cross-realm s4u2self works both ways (tested manually against
windows too).

I'd like to start with the last commit in the MIT patch, which
partially reverts 8a9909ff9ef6b51c5ed09ead6713888fbb34072f commit,
that I don't fully understand.

In cross-realm s4u2self, a service starts by requesting the ticket
from a KDC in the impersonated principal's realm, and then follows
back referrals to its own realm.
The kdc code handles this correctly in several places, apart from this
error when is_referral is true, introduced by the above commit.

I think it even contradicts the below sections in 'do_tgs_req.c':

    if (isflagset(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION) &&
        !isflagset(c_flags, KRB5_KDB_FLAG_CROSS_REALM))
        enc_tkt_reply.client = s4u_x509_user->user_id.user;
    else
        enc_tkt_reply.client = subject_tkt->client;

This code is a bit tricky, as usually KRB5_KDB_FLAG_CROSS_REALM means
that the client is not in the local realm, so it probably came with a
referral tgt, but not necessarily that we are currently issuing a
referral.
But in cross-realm s4u2self, since the tgt-client and the server are
the same principal, it means we are issuing a referral and that's
exactly what this code is checking in order to set the returned cname
and crealm.

However, with the above commit we won't reach here in case of referral
as we'd error out before.
BTW, I think using the new is_referral instead of
KRB5_KDB_FLAG_CROSS_REALM in this code would be clearer and more
correct (as it is based on db lookup).

Thoughts?

Thank you!
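As an added illustration of the point above (this is not code from the patches, from libkrb5 or from Samba), the following is a simplified Python model of the PAC_CLIENT_INFO name check that the WIP patches extend with a with_realm switch: the name string is produced with or without the realm, parsed back with NO_REALM / ENTERPRISE semantics, and compared either ignoring or requiring the realm. The principal class, the parse/unparse helpers and the example realms EXAMPLE.COM and TRUST.EXAMPLE are constructed for the example; the behaviour of rejecting a realm-qualified string under NO_REALM and of splitting an enterprise name on its last '@' is the model's reading of the semantics described in the mail.

```python
# Added example: a toy model of the with_realm PAC client-info check.
# Not libkrb5; names, realms and error strings are constructed for illustration.
from dataclasses import dataclass

NT_PRINCIPAL = 1
NT_ENTERPRISE_PRINCIPAL = 10  # tag only; mirrors the krb5 name-type constant


@dataclass(frozen=True)
class Principal:
    name: str   # single component, e.g. "alice" or "alice@trust.example"
    realm: str  # e.g. "EXAMPLE.COM"; "" when unknown
    type: int = NT_PRINCIPAL


def unparse(p: Principal, with_realm: bool) -> str:
    """Model of the string written into PAC_CLIENT_INFO (krb5_unparse_name_flags)."""
    return f"{p.name}@{p.realm}" if with_realm else p.name


def parse(text: str, with_realm: bool, enterprise: bool) -> Principal:
    """Model of krb5_parse_name_flags() under NO_REALM / ENTERPRISE flags.

    For an enterprise name the first '@' is part of the name itself and only a
    trailing '@REALM' is the realm, so 'user@realm@REALM' splits on the last '@'.
    """
    ptype = NT_ENTERPRISE_PRINCIPAL if enterprise else NT_PRINCIPAL
    if not with_realm:
        # NO_REALM: a realm-qualified string is malformed (one '@' is allowed
        # inside an enterprise name, none in a regular one).
        if text.count("@") > (1 if enterprise else 0):
            raise ValueError("malformed: realm present but NO_REALM requested")
        return Principal(text, "", ptype)
    name, sep, realm = text.rpartition("@") if enterprise else text.partition("@")
    if not sep or not realm:
        # A realm-qualified check must not silently fill in a default realm.
        raise ValueError("realm required but absent from PAC name")
    return Principal(name, realm, ptype)


def validate_client(pac_client_info: str, principal: Principal, with_realm: bool) -> bool:
    """Model of k5_pac_validate_client_ex(): does the PAC name the expected client?

    Without with_realm the realm is ignored (the in-realm S4U2Self case); with
    it, name and realm must both match, which is what lets a KDC distinguish
    alice@EXAMPLE.COM from alice@TRUST.EXAMPLE in a cross-realm referral.
    """
    enterprise = principal.type == NT_ENTERPRISE_PRINCIPAL
    try:
        pac_principal = parse(pac_client_info, with_realm, enterprise)
    except ValueError:
        return False  # the C code reports KRB5KRB_AP_WRONG_PRINC
    if pac_principal.name != principal.name:
        return False
    return (not with_realm) or pac_principal.realm == principal.realm


def demo() -> dict:
    """Walk through the in-realm, cross-realm and enterprise cases from the mail."""
    alice_local = Principal("alice", "EXAMPLE.COM")
    alice_trust = Principal("alice", "TRUST.EXAMPLE")
    ent = Principal("alice@trust.example", "TRUST.EXAMPLE", NT_ENTERPRISE_PRINCIPAL)
    return {
        # in-realm S4U2Self: PAC name carries no realm, realm-insensitive compare
        "in_realm": validate_client(unparse(alice_local, False), alice_local, False),
        # cross-realm referral: PAC names alice@TRUST.EXAMPLE and must match exactly
        "cross_realm_ok": validate_client(unparse(alice_trust, True), alice_trust, True),
        # a same-named user from another realm is rejected by the realm-aware check
        "cross_realm_wrong_realm": validate_client(unparse(alice_trust, True), alice_local, True),
        # the realm-less check cannot even parse a realm-qualified PAC name
        "legacy_check_on_realm_name": validate_client(unparse(alice_trust, True), alice_trust, False),
        # enterprise principal: user@realm@REALM, split on the last '@'
        "enterprise": validate_client(unparse(ent, True), ent, True),
        "enterprise_string": unparse(ent, True),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "cross_realm_wrong_realm" case is the one that motivates the change: with the realm stripped from PAC_CLIENT_INFO, two users named alice in different realms produce identical client-info strings, so only a realm-qualified signature and check tells them apart.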
-------------- next part --------------
From 865cdde3d93c492b2ce8f5ad6f898c39b2a086d7 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Wed, 12 Sep 2018 16:32:57 +0300
Subject: [PATCH 1/4] kdb: fix sign_authdata() API comments

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/include/kdb.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 5615329c0..7f11829de 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1257,14 +1257,15 @@ typedef struct _kdb_vftabl {
      *
      *   flags: The flags used to look up the client principal.
      *
-     *   client_princ: For S4U2Proxy TGS requests, the client principal
-     *     requested by the service; for regular TGS requests, the
+     *   client_princ: For S4U2Self and S4U2Proxy TGS requests, the client
+     *     principal requested by the service; for regular TGS requests, the
      *     possibly-canonicalized client principal.
      *
      *   client: The DB entry of the client.  For S4U2Self, this will be the DB
      *     entry for the client principal requested by the service).
      *
-     *   server: The DB entry of the service principal.
+     *   server: The DB entry of the service principal, or of a cross-realm
+     *     krbtgt principal in case of referral.
      *
      *   krbtgt: For TGS requests, the DB entry of the server of the ticket in
      *     the PA-TGS-REQ padata; this is usually a local or cross-realm krbtgt
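Review bot: while this comment block is being touched, the unchanged "client" entry three lines above the new "server" text has an unbalanced closing parenthesis ("requested by the service).") that should be dropped in the same patch. The new "server" wording could also say which krbtgt entry is meant, e.g. "the cross-realm krbtgt principal the referral is being issued for", so readers can tell it apart from the "krbtgt" parameter described just below.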
-- 
2.14.3


From 144add29a4da46a7bb2786884c11b1b5f187423e Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 17 Sep 2018 00:27:33 +0300
Subject: [PATCH 2/4] wip: let sign pac with realm for cross realm s4u2self

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/include/krb5/krb5.hin    |  6 ++++++
 src/lib/krb5/krb/pac_sign.c  | 19 ++++++++++++++++---
 src/lib/krb5/libkrb5.exports |  1 +
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 384bb838f..e406ede3e 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8299,6 +8299,12 @@ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
               krb5_const_principal principal, const krb5_keyblock *server_key,
               const krb5_keyblock *privsvr_key, krb5_data *data);
 
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign_ex(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+                 krb5_const_principal principal,
+                 const krb5_keyblock *server_key,
+                 const krb5_keyblock *privsvr_key, krb5_data *data,
+                 krb5_boolean with_realm);
 /**
  * Allow the appplication to override the profile's allow_weak_crypto setting.
  *
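Review bot: the new public prototype for krb5_pac_sign_ex has no doxygen block, and it runs straight into the "/**" comment of the next function without a blank line; every other entry in krb5.hin is documented, and the meaning of with_realm (the realm is included in PAC_CLIENT_INFO) is exactly what a caller needs spelled out. Since this is a public, exported API, consider taking a krb5_flags argument instead of a krb5_boolean so further PAC signing options do not need yet another _ex variant.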
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
index c94899c96..ee9fda192 100644
--- a/src/lib/krb5/krb/pac_sign.c
+++ b/src/lib/krb5/krb/pac_sign.c
@@ -33,7 +33,8 @@ static krb5_error_code
 k5_insert_client_info(krb5_context context,
                       krb5_pac pac,
                       krb5_timestamp authtime,
-                      krb5_const_principal principal)
+                      krb5_const_principal principal,
+                      krb5_boolean with_realm)
 {
     krb5_error_code ret;
     krb5_data client_info;
@@ -48,7 +49,7 @@ k5_insert_client_info(krb5_context context,
         return k5_pac_validate_client(context, pac, authtime, principal);
     }
 
-    ret = krb5_unparse_name_flags(context, principal,
+    ret = krb5_unparse_name_flags(context, principal, with_realm ? 0 :
                                   KRB5_PRINCIPAL_UNPARSE_NO_REALM,
                                   &princ_name_utf8);
     if (ret != 0)
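Review bot: the ternary spliced into the argument list ("principal, with_realm ? 0 :" on one line and the flag on the next) is hard to read; computing the flags into a local, e.g. "int flags = with_realm ? 0 : KRB5_PRINCIPAL_UNPARSE_NO_REALM;", and passing "flags" keeps the call shape the same as before the change.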
@@ -182,6 +183,17 @@ krb5_error_code KRB5_CALLCONV
 krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
               krb5_const_principal principal, const krb5_keyblock *server_key,
               const krb5_keyblock *privsvr_key, krb5_data *data)
+{
+    return krb5_pac_sign_ex(context, pac, authtime, principal, server_key,
+                            privsvr_key, data, 0);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign_ex(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+                 krb5_const_principal principal,
+                 const krb5_keyblock *server_key,
+                 const krb5_keyblock *privsvr_key, krb5_data *data,
+                 krb5_boolean with_realm)
 {
     krb5_error_code ret;
     krb5_data server_cksum, privsvr_cksum;
@@ -192,7 +204,8 @@ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
     data->data = NULL;
 
     if (principal != NULL) {
-        ret = k5_insert_client_info(context, pac, authtime, principal);
+        ret = k5_insert_client_info(context, pac, authtime, principal,
+                                    with_realm);
         if (ret != 0)
             return ret;
     }
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 622bc3673..cbc6bd15f 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -486,6 +486,7 @@ krb5_pac_get_types
 krb5_pac_init
 krb5_pac_parse
 krb5_pac_sign
+krb5_pac_sign_ex
 krb5_pac_verify
 krb5_parse_name
 krb5_parse_name_flags
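Review bot: adding krb5_pac_sign_ex to libkrb5.exports covers the Unix build only; the Windows export list (src/lib/krb5_32.def) needs the same symbol or the function will be missing from the DLL.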
-- 
2.14.3


From 9a4a54620d3887864308b1e2b309a65f43ee06c4 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 20 Aug 2018 16:18:50 +0300
Subject: [PATCH 3/4] wip: let verify pac with realm for cross realm s4u2self

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/include/krb5/krb5.hin    |  6 ++++++
 src/lib/krb5/krb/authdata.h  |  7 +++++++
 src/lib/krb5/krb/pac.c       | 33 ++++++++++++++++++++++++++++++---
 src/lib/krb5/libkrb5.exports |  1 +
 4 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index e406ede3e..3beb5e8f1 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8276,6 +8276,12 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
                 krb5_timestamp authtime, krb5_const_principal principal,
                 const krb5_keyblock *server, const krb5_keyblock *privsvr);
 
+krb5_error_code KRB5_CALLCONV
+krb5_pac_verify_ex(krb5_context context, const krb5_pac pac,
+                   krb5_timestamp authtime, krb5_const_principal principal,
+                   const krb5_keyblock *server, const krb5_keyblock *privsvr,
+                   krb5_boolean with_realm);
+
 /**
  * Sign a PAC.
  *
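Review bot: as with krb5_pac_sign_ex, krb5_pac_verify_ex is a new public entry point without a doxygen comment describing with_realm; the "Verify a PAC" block above it should be duplicated and extended rather than leaving the _ex variant undocumented.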
diff --git a/src/lib/krb5/krb/authdata.h b/src/lib/krb5/krb/authdata.h
index 1e5c08426..aec6ff542 100644
--- a/src/lib/krb5/krb/authdata.h
+++ b/src/lib/krb5/krb/authdata.h
@@ -92,6 +92,13 @@ k5_pac_validate_client(krb5_context context,
                        krb5_timestamp authtime,
                        krb5_const_principal principal);
 
+krb5_error_code
+k5_pac_validate_client_ex(krb5_context context,
+                          const krb5_pac pac,
+                          krb5_timestamp authtime,
+                          krb5_const_principal principal,
+                          krb5_boolean with_realm);
+
 krb5_error_code
 k5_pac_add_buffer(krb5_context context,
                   krb5_pac pac,
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index c9b5de30a..17a72b56e 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -404,6 +404,17 @@ k5_pac_validate_client(krb5_context context,
                        const krb5_pac pac,
                        krb5_timestamp authtime,
                        krb5_const_principal principal)
+{
+	return k5_pac_validate_client_ex(context, pac, authtime,
+			                 principal, 0);
+}
+
+krb5_error_code
+k5_pac_validate_client_ex(krb5_context context,
+                          const krb5_pac pac,
+                          krb5_timestamp authtime,
+                          krb5_const_principal principal,
+                          krb5_boolean with_realm)
 {
     krb5_error_code ret;
     krb5_data client_info;
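Review bot: the wrapper body uses tab characters and a mixed tab/space continuation line ("\treturn k5_pac_validate_client_ex(...)" followed by "\t\t\t                 principal, 0);"); this file is indented with four spaces, so the two lines should be reindented to match the surrounding code.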
@@ -413,7 +424,7 @@ k5_pac_validate_client(krb5_context context,
     krb5_ui_2 pac_princname_length;
     int64_t pac_nt_authtime;
     krb5_principal pac_principal;
-    int flags;
+    int flags = 0;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
                                &client_info);
@@ -443,7 +454,8 @@ k5_pac_validate_client(krb5_context context,
 
     /* Parse the UTF-8 name as an enterprise principal if we are matching
      * against one; otherwise parse it as a regular principal with no realm. */
-    flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+    if (!with_realm)
+        flags |= KRB5_PRINCIPAL_PARSE_NO_REALM;
     if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
         flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
     ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
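Review bot: when with_realm is set, dropping KRB5_PRINCIPAL_PARSE_NO_REALM means a PAC whose client-info name has no realm at all would be parsed with the default realm filled in, and could then compare equal to a local principal in the realm-sensitive check below; adding KRB5_PRINCIPAL_PARSE_REQUIRE_REALM in the with_realm case makes a realm-less name an error instead. The comment just above the change ("otherwise parse it as a regular principal with no realm") is now stale and should mention the with_realm case.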
@@ -458,6 +470,7 @@ k5_pac_validate_client(krb5_context context,
         !krb5_principal_compare_flags(context,
                                       pac_principal,
                                       principal,
+                                      with_realm ? 0 :
                                       KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
         ret = KRB5KRB_AP_WRONG_PRINC;
 
@@ -622,6 +635,19 @@ krb5_pac_verify(krb5_context context,
                 krb5_const_principal principal,
                 const krb5_keyblock *server,
                 const krb5_keyblock *privsvr)
+{
+	return krb5_pac_verify_ex(context, pac, authtime, principal,
+                                  server, privsvr, 0);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_verify_ex(krb5_context context,
+                   const krb5_pac pac,
+                   krb5_timestamp authtime,
+                   krb5_const_principal principal,
+                   const krb5_keyblock *server,
+                   const krb5_keyblock *privsvr,
+                   krb5_boolean with_realm)
 {
     krb5_error_code ret;
 
@@ -638,7 +664,8 @@ krb5_pac_verify(krb5_context context,
     }
 
     if (principal != NULL) {
-        ret = k5_pac_validate_client(context, pac, authtime, principal);
+        ret = k5_pac_validate_client_ex(context, pac, authtime,
+                                        principal, with_realm);
         if (ret != 0)
             return ret;
     }
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index cbc6bd15f..00aaacc1c 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -488,6 +488,7 @@ krb5_pac_parse
 krb5_pac_sign
 krb5_pac_sign_ex
 krb5_pac_verify
+krb5_pac_verify_ex
 krb5_parse_name
 krb5_parse_name_flags
 krb5_prepend_error_message
-- 
2.14.3


From e5533baa0ba7dff75defcb8f0368e2fdc2d36f95 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Tue, 18 Sep 2018 15:16:20 +0300
Subject: [PATCH 4/4] wip: allow s4u2self cross realm referrals

need to understand commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/kdc/do_tgs_req.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index bf2178125..5f5c6830b 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -290,7 +290,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         goto cleanup;
     if (s4u_x509_user != NULL) {
         setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
-        if (is_referral) {
+        if (0 && is_referral) {
             /* The requesting server appears to no longer exist, and we found
              * a referral instead.  Treat this as a server lookup failure. */
             errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
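Review bot: "if (0 && is_referral)" leaves dead code behind together with a comment that no longer describes what happens, which is fine for a WIP but not mergeable. Per the cover mail the referral is legitimate exactly when the subject TGT's client is the requesting service from another realm, so the condition should be narrowed to that case (error out on a referral only when the request is not a cross-realm S4U2Self for the TGT's own client) rather than disabled wholesale, otherwise the original protection against treating a vanished service as a referral is lost for every S4U2Self request.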
-- 
2.14.3
-------------- next part --------------
From 70579084392138486907642ae80eee575b4fc725 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Tue, 18 Sep 2018 16:55:26 +0300
Subject: [PATCH 1/6] mit-kdc: fix cross realm s4u2self handling

According to MS-SFU 3.2.5.x, in a s4u2self referral ticket,
the PAC_CLIENT_INFO field may include the realm, so we need
to account for this before verifying and signing the PAC.

Note: this change requires upstream changes.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 source4/kdc/mit-kdb/kdb_samba_policies.c | 73 ++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 22 deletions(-)

diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 81ac73582e0..0ad667b0fee 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -192,7 +192,8 @@ static krb5_error_code ks_verify_pac(krb5_context context,
 				     krb5_keyblock *krbtgt_key,
 				     krb5_timestamp authtime,
 				     krb5_authdata **tgt_auth_data,
-				     krb5_pac *pac)
+				     krb5_pac *pac,
+				     krb5_boolean with_realm)
 {
 	struct mit_samba_context *mit_ctx;
 	krb5_authdata **authdata = NULL;
@@ -249,12 +250,13 @@ static krb5_error_code ks_verify_pac(krb5_context context,
 				       server_key,
 				       krbtgt_key);
 	} else {
-		code = krb5_pac_verify(context,
-				       ipac,
-				       authtime,
-				       client_princ,
-				       krbtgt_key,
-				       NULL);
+		code = krb5_pac_verify_ex(context,
+				          ipac,
+				          authtime,
+				          client_princ,
+				          krbtgt_key,
+				          NULL,
+					  with_realm);
 	}
 	if (code != 0) {
 		goto done;
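Review bot: only the else branch is switched to krb5_pac_verify_ex; the if branch whose tail is visible above (the call passing server_key and krbtgt_key) still uses krb5_pac_verify and therefore ignores with_realm, so a realm-qualified PAC taking that path would fail validation. Either both calls should honour with_realm or the commit message should say why the first path never sees a cross-realm S4U2Self PAC. Minor: the "with_realm" argument line is indented with tabs plus spaces differently from the other arguments.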
@@ -303,28 +305,52 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 {
 	krb5_const_principal ks_client_princ;
 	krb5_authdata **authdata = NULL;
+	krb5_boolean verify_realm = false;
+	krb5_boolean sign_realm = false;
+	krb5_boolean reget_pac;
 	krb5_boolean is_as_req;
 	krb5_error_code code;
 	krb5_pac pac = NULL;
 	krb5_data pac_data;
 
 	/* Prefer canonicalised name from client entry */
-	if (client != NULL) {
-		ks_client_princ = client->princ;
-	} else {
-		ks_client_princ = client_princ;
-	}
+	ks_client_princ = client ? client->princ : client_princ;
 
 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 
-	if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
-		code = ks_get_pac(context, client, client_key, &pac);
-		if (code != 0) {
-			goto done;
+	reget_pac = !is_as_req;
+
+	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+
+		/* Match for_user principal */
+		ks_client_princ = client_princ;
+
+		if (client != NULL) {
+			/* The PAC in the tgt is of the impersonating
+			 * service principal, so we discard it.
+			 * If we must verify it, then we'll need to change
+			 * the API to provide us with the tgt-client principal
+			 * (server->princ could work but only if the service
+			 * is in local realm, otherwise it is the cross-realm
+			 * trust principal) */
+			reget_pac = false;
+		}
+		else {
+			/* Cross realm s4u2self tickets include the realm */
+			verify_realm = true;
 		}
+
+		/* If the tgt-client is not from local realm, then neither
+		 * is the service, so we are issuing a referral. */
+		if (flags & KRB5_KDB_FLAG_CROSS_REALM) {
+
+			/* Cross realm s4u2self tickets include the realm */
+			sign_realm = true;
+		}
+
 	}
 
-	if (!is_as_req) {
+	if (reget_pac) {
 		code = ks_verify_pac(context,
 				     flags,
 				     ks_client_princ,
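Review bot: the comment "If the tgt-client is not from local realm, then neither is the service, so we are issuing a referral" overstates what KRB5_KDB_FLAG_CROSS_REALM tells us: on the second leg of the exchange (the service presenting the referral TGT to its own realm) the tgt-client is the foreign user, the flag is set, and a normal service ticket is issued; if sign_realm is intended to be true there as well, say so in the comment, and if not the condition needs to be narrower. Two style points: "}\n\telse {" should be "} else {" per Samba coding style, and the empty line after "if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {" and before the closing brace should go.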
@@ -335,14 +361,17 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 				     krbtgt_key,
 				     authtime,
 				     tgt_auth_data,
-				     &pac);
+				     &pac,
+				     verify_realm);
 		if (code != 0) {
 			goto done;
 		}
 	}
 
-	if (pac == NULL && client != NULL) {
-
+	if (client != NULL &&
+		((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
+			(!is_as_req && pac == NULL)))
+	{
 		code = ks_get_pac(context, client, client_key, &pac);
 		if (code != 0) {
 			goto done;
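Review bot: the opening brace of the rewritten condition sits on its own line; Samba style puts it on the closing line of the condition, i.e. "(!is_as_req && pac == NULL))) {". The three-level condition would also read better split into "if (client == NULL) { ... } else if (is_as_req ? ... : pac == NULL)" or with a named boolean such as need_new_pac computed alongside reget_pac above.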
@@ -354,8 +383,8 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 		goto done;
 	}
 
-	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
-			server_key, krbtgt_key, &pac_data);
+	code = krb5_pac_sign_ex(context, pac, authtime, ks_client_princ,
+				server_key, krbtgt_key, &pac_data, sign_realm);
 	if (code != 0) {
 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
 		goto done;
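Review bot: the DBG_ERR text still says "krb5_pac_sign failed" although the call is now krb5_pac_sign_ex; update the message so log lines point at the function that actually ran.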
-- 
2.14.3


From fb2f729203b3daac8c37f30030452248a490dcf4 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 22 Jan 2018 18:40:17 +0000
Subject: [PATCH 2/6] net-ads-search: use specified user when given

This fixes 'net ads search -U' on a domain controller.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 source3/utils/net_ads.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index afe47dad839..d050964dd5e 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -305,7 +305,8 @@ retry:
 		}
        }
 
-	status = ads_connect(ads);
+	status = c->opt_user_specified ? ads_connect_user_creds(ads) :
+					 ads_connect(ads);
 
 	if (!ADS_ERR_OK(status)) {
 
-- 
2.14.3


From c06deadcd5946abf91940298b04fa85f0380b967 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 23 Jul 2018 13:28:18 +0300
Subject: [PATCH 3/6] net-ads-search: fix using machine account on a domain
 controller

Set opt_user_specified to true once setting the machine name at
opt_user_name. This helps for the net tool to work on a DC with
machine credentials (-P), by acquiring credentials for host$@realm
(same as on domain member) instead of trying to acquire creds
for lp_workgroup()@realm and failing.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 source3/utils/net_util.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index a84b4f5500e..0a15ff0274f 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -279,6 +279,7 @@ int net_use_krb_machine_account(struct net_context *c)
 		return -1;
 	}
 	c->opt_user_name = user_name;
+	c->opt_user_specified = true;
 	return 0;
 }
 
-- 
2.14.3


From 8515d5accb254af20c9f02d456957acf250bd787 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Sat, 18 Aug 2018 15:32:43 +0300
Subject: [PATCH 4/6] mit-kdc: fix kinit test on system lacking ldbsearch

By fixing bindir variable name.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 testprogs/blackbox/test_kinit_mit.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index dabf9915ed1..370542536e1 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -32,13 +32,13 @@ samba_enableaccount="$samba_tool user enable"
 machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"
 
 ldbmodify="ldbmodify"
-if [ -x "$samba4bindir/ldbmodify" ]; then
-	ldbmodify="$samba4bindir/ldbmodify"
+if [ -x "$samba_bindir/ldbmodify" ]; then
+	ldbmodify="$samba_bindir/ldbmodify"
 fi
 
 ldbsearch="ldbsearch"
-if [ -x "$samba4bindir/ldbsearch" ]; then
-	ldbsearch="$samba4bindir/ldbsearch"
+if [ -x "$samba_bindir/ldbsearch" ]; then
+	ldbsearch="$samba_bindir/ldbsearch"
 fi
 
 . `dirname $0`/subunit.sh
-- 
2.14.3


From 790c56705ce2d5e96de76c5de7a0c4fcfaff9084 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Sun, 16 Sep 2018 19:29:28 +0300
Subject: [PATCH 5/6] mit-kdc: add basic in-realm s4u2self test

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 testprogs/blackbox/test_kinit_mit.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index 370542536e1..435151e2bf8 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -25,6 +25,7 @@ samba_kinit=kinit
 samba_kdestroy=kdestroy
 samba_kpasswd=kpasswd
 
+net_tool="$samba_bindir/net -s $SMB_CONF_PATH"
 samba_tool="$samba_bindir/samba-tool"
 samba_texpect="$samba_bindir/texpect"
 
@@ -299,6 +300,14 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes ||
 
 testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
 
+###########################################################
+### Test S4U2Self with net-ads-kerberos-pac
+###########################################################
+
+rm -f $KRB5CCNAME_PATH
+testit "dump pac of local machine" $VALGRIND $net_tool -P ads kerberos pac dump || failed=`expr $failed + 1`
+testit "dump pac via impersonate" $VALGRIND $net_tool -P ads kerberos pac dump impersonate=$USERNAME@$REALM || failed=`expr $failed + 1`
+
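Review bot: both new tests only check the exit status of "net ads kerberos pac dump", so a run that dumped the machine account's own PAC in the impersonate case would still pass; piping the output through a grep for "$USERNAME" (as the other blackbox tests do with their expected output) would make the impersonation actually observable. Minor: "rm -f $KRB5CCNAME_PATH" should quote the variable.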
 ### Cleanup
 
 $samba_kdestroy
-- 
2.14.3


From f5aad614c67e7627316f61b23ae185c7e3a1e8f3 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Tue, 18 Sep 2018 17:23:53 +0300
Subject: [PATCH 6/6] mit-kdc: add s4u2self cross-realm test

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 testprogs/blackbox/test_kinit_trusts_mit.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/testprogs/blackbox/test_kinit_trusts_mit.sh b/testprogs/blackbox/test_kinit_trusts_mit.sh
index 6696f441363..86d5062083d 100755
--- a/testprogs/blackbox/test_kinit_trusts_mit.sh
+++ b/testprogs/blackbox/test_kinit_trusts_mit.sh
@@ -36,6 +36,7 @@ samba_kpasswd=kpasswd
 
 samba_tool="$samba_bindir/samba-tool"
 samba_texpect="$samba_bindir/texpect"
+net_tool="$samba4bindir/net -s $SMB_CONF_PATH"
 
 smbclient="$samba_bindir/smbclient"
 wbinfo="$samba_bindir/wbinfo"
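Review bot: the new net_tool line uses "$samba4bindir" while every other tool in this block (samba_tool, samba_texpect, smbclient, wbinfo) and the net_tool line added to test_kinit_mit.sh in patch 5/6 use "$samba_bindir"; patch 4/6 in this same series fixed exactly this variable name in the sibling script, so this looks like a copy-and-paste slip that would make the new test run a non-existent binary.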
@@ -128,6 +129,13 @@ testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domai
 
 test_smbclient "Test user login with the changed outgoing secret" 'ls' -k yes -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1`
 
+###########################################################
+### Test cross realm S4U2Self
+###########################################################
+# Notice that it doesn't require an SPN and it works with
+# external trust too (not forest only) because the MIT library
+# converts the server name to an enterprise name.
+testit "dump pac via impersonate with trust" $VALGRIND $net_tool -P ads kerberos pac dump impersonate=$TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
 ### Cleanup
 
 $samba_kdestroy
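Review bot: the new testit line runs straight into "### Cleanup" without the blank line the rest of the script keeps between sections. As in the in-realm test, consider checking the dumped PAC for "$TRUST_USERNAME" rather than only the exit status, since that is the whole point of the cross-realm case.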
-- 
2.14.3

