diff options
| author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-12-06 11:10:01 +1300 |
|---|---|---|
| committer | Joseph Sutton <jsutton@samba.org> | 2022-01-19 20:50:35 +0000 |
| commit | b59687a762fec30f9954282f3b587f24903d710d (patch) | |
| tree | 22de927b9c8fe9750c5002ca5f62599e71a0a9da | |
| parent | 7679d596c5f1c57e8c6316b64097dc36530ac70e (diff) | |
| download | samba-b59687a762fec30f9954282f3b587f24903d710d.tar.gz | |
s4:torture: Adapt LSA tests to newer Heimdal version
The Heimdal upgrade results in some changes that affect these tests. The
cname is now non-NULL in certain circumstances, the IO counts are
different due to a change between the ordering of capaths and referrals,
some requests no longer fail, and referral tickets are not cached
anymore, and so cannot be checked.
NOTE: THIS COMMIT WON'T COMPILE/WORK ON ITS OWN!
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
| -rw-r--r-- | source4/torture/rpc/lsa.c | 110 |
1 files changed, 110 insertions, 0 deletions
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c index 010a253961e..d430ee57108 100644 --- a/source4/torture/rpc/lsa.c +++ b/source4/torture/rpc/lsa.c @@ -3226,12 +3226,16 @@ static bool check_pw_with_krb5(struct torture_context *tctx, const char *error_string = NULL; const char *workstation = cli_credentials_get_workstation(credentials); const char *password = cli_credentials_get_password(credentials); +#ifndef USING_EMBEDDED_HEIMDAL const struct samr_Password *nthash = NULL; const struct samr_Password *old_nthash = NULL; +#endif const char *old_password = cli_credentials_get_old_password(credentials); +#ifndef USING_EMBEDDED_HEIMDAL int kvno = cli_credentials_get_kvno(credentials); int expected_kvno = 0; krb5uint32 t_kvno = 0; +#endif const char *host = torture_setting_string(tctx, "host", NULL); krb5_error_code k5ret; krb5_boolean k5ok; @@ -3259,8 +3263,10 @@ static bool check_pw_with_krb5(struct torture_context *tctx, realm = cli_credentials_get_realm(credentials); trusted_realm_name = strupper_talloc(tctx, trusted_dns_name); +#ifndef USING_EMBEDDED_HEIMDAL nthash = cli_credentials_get_nt_hash(credentials, ctx); old_nthash = cli_credentials_get_old_nt_hash(credentials, ctx); +#endif k5ret = smb_krb5_init_context(ctx, tctx->lp_ctx, &ctx->smb_krb5_context); torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed"); @@ -3346,7 +3352,14 @@ static bool check_pw_with_krb5(struct torture_context *tctx, torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message); torture_assert(tctx, ctx->error.crealm != NULL, assertion_message); torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert(tctx, ctx->error.cname != NULL, assertion_message); + torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message); + torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message); + torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_realm_string, assertion_message); +#else torture_assert(tctx, ctx->error.cname == NULL, assertion_message); +#endif torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message); ZERO_STRUCT(ctx->counts); @@ -3371,7 +3384,14 @@ static bool check_pw_with_krb5(struct torture_context *tctx, torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message); torture_assert(tctx, ctx->error.crealm != NULL, assertion_message); torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert(tctx, ctx->error.cname != NULL, assertion_message); + torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message); + torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message); + torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_dns_string, assertion_message); +#else torture_assert(tctx, ctx->error.cname == NULL, assertion_message); +#endif torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message); ZERO_STRUCT(ctx->counts); @@ -3396,7 +3416,14 @@ static bool check_pw_with_krb5(struct torture_context *tctx, torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 68, assertion_message); torture_assert(tctx, ctx->error.crealm != NULL, assertion_message); torture_assert_str_equal(tctx, *ctx->error.crealm, trusted_realm_name, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert(tctx, ctx->error.cname != NULL, assertion_message); + torture_assert_int_equal(tctx, ctx->error.cname->name_type, KRB5_NT_ENTERPRISE_PRINCIPAL, assertion_message); + torture_assert_int_equal(tctx, ctx->error.cname->name_string.len, 1, assertion_message); + torture_assert_str_equal(tctx, ctx->error.cname->name_string.val[0], upn_netbios_string, assertion_message); +#else torture_assert(tctx, ctx->error.cname == NULL, assertion_message); +#endif torture_assert_str_equal(tctx, ctx->error.realm, realm, assertion_message); torture_comment(tctx, "(%s:%s) password[%s] old_password[%s]\n", @@ -3558,7 +3585,11 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_type, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message); +#endif torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); @@ -3576,6 +3607,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -3645,6 +3679,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif /* Confirm if we can do a TGS for krbtgt/trusted_dns no CANON */ ZERO_STRUCT(ctx->counts); @@ -3665,12 +3700,21 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); + torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); +#else torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message); +#endif k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, ctx->krbtgt_trust_dns_creds->server, +#ifdef USING_EMBEDDED_HEIMDAL + ctx->krbtgt_trust_dns); +#else ctx->krbtgt_trust_realm); +#endif torture_assert(tctx, k5ok, assertion_message); type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context, ctx->krbtgt_trust_dns_creds->server); @@ -3690,6 +3734,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -3712,6 +3759,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif /* Confirm if we can do a TGS for krbtgt/NETBIOS with CANON */ ZERO_STRUCT(ctx->counts); @@ -3731,7 +3779,11 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_type, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message); +#endif torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); @@ -3749,6 +3801,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -3771,6 +3826,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif /* Confirm if we can do a TGS for krbtgt/NETBIOS no CANON */ ZERO_STRUCT(ctx->counts); @@ -3791,12 +3847,21 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); + torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); +#else torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message); +#endif k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, ctx->krbtgt_trust_netbios_creds->server, +#ifdef USING_EMBEDDED_HEIMDAL + ctx->krbtgt_trust_netbios); +#else ctx->krbtgt_trust_realm); +#endif torture_assert(tctx, k5ok, assertion_message); type = smb_krb5_principal_get_type(ctx->smb_krb5_context->krb5_context, ctx->krbtgt_trust_netbios_creds->server); @@ -3816,6 +3881,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -3838,6 +3906,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif cifs_trust_dns_string = talloc_asprintf(ctx, "cifs/%s@%s", trusted_dns_name, realm); @@ -3866,8 +3935,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message); + torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message); +#else torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); +#endif /* Confirm if we have the referral ticket in the cache */ krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context, @@ -3883,6 +3957,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -3905,6 +3982,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif cifs_trust_netbios_string = talloc_asprintf(ctx, "cifs/%s@%s", trusted_netbios_name, realm); @@ -3933,8 +4011,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message); + torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message); +#else torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); +#endif /* Confirm if we have the referral ticket in the cache */ krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context, @@ -3950,6 +4033,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -3972,6 +4058,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif drs_trust_dns_string = talloc_asprintf(ctx, "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s", @@ -4001,8 +4088,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message); + torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message); +#else torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); +#endif /* Confirm if we have the referral ticket in the cache */ krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context, @@ -4018,6 +4110,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -4040,6 +4135,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif drs_trust_netbios_string = talloc_asprintf(ctx, "E3514235-4B06-11D1-AB04-00C04FC2DCD2/%s/%s@%s", @@ -4069,8 +4165,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); torture_assert_int_equal(tctx, k5ret, KRB5_KDC_UNREACH, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message); + torture_assert_int_equal(tctx, ctx->counts.ok, 2, assertion_message); +#else torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); torture_assert_int_equal(tctx, ctx->counts.ok, 1, assertion_message); +#endif /* Confirm if we have the referral ticket in the cache */ krb5_free_cred_contents(ctx->smb_krb5_context->krb5_context, @@ -4086,6 +4187,9 @@ static bool check_pw_with_krb5(struct torture_context *tctx, k5ret, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, k5ret, KRB5_CC_END, assertion_message); +#else torture_assert_int_equal(tctx, k5ret, 0, assertion_message); k5ok = krb5_principal_compare(ctx->smb_krb5_context->krb5_context, @@ -4108,6 +4212,7 @@ static bool check_pw_with_krb5(struct torture_context *tctx, smb_get_krb5_error_message(ctx->smb_krb5_context->krb5_context, k5ret, ctx)); torture_assert_int_equal(tctx, k5ret, 0, assertion_message); +#endif four_trust_dns_string = talloc_asprintf(ctx, "four/tree/two/%s@%s", trusted_dns_name, realm); @@ -4136,8 +4241,13 @@ static bool check_pw_with_krb5(struct torture_context *tctx, trusted->trust_attributes, ctx->counts.io, ctx->counts.errors, ctx->counts.ok); torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, assertion_message); +#ifdef USING_EMBEDDED_HEIMDAL + torture_assert_int_equal(tctx, ctx->counts.io, 2, assertion_message); + torture_assert_int_equal(tctx, ctx->counts.error_io, 2, assertion_message); +#else torture_assert_int_equal(tctx, ctx->counts.io, 1, assertion_message); torture_assert_int_equal(tctx, ctx->counts.error_io, 1, assertion_message); +#endif torture_assert_int_equal(tctx, KRB5_ERROR_CODE(&ctx->error), 7, assertion_message); /* Confirm if we have no referral ticket in the cache */ |