s4:torture: Remove netbios realm and lowercase realm tests

Tests for these are already present in
samba.tests.krb5.as_canonicalization_tests. These tests cause problems
with an upgraded Heimdal version, and we want to stop supporting
non-canonical realm names, so this commit removes them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 10 insertions, 97 deletions

diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c
index 000181e9f2e..ae31b6fd973 100644
--- a/source4/torture/krb5/kdc-canon-heimdal.c
+++ b/source4/torture/krb5/kdc-canon-heimdal.c
@@ -38,9 +38,7 @@
 
 #define TEST_CANONICALIZE     0x0000001
 #define TEST_ENTERPRISE       0x0000002
-#define TEST_UPPER_REALM      0x0000004
 #define TEST_UPPER_USERNAME   0x0000008
-#define TEST_NETBIOS_REALM    0x0000010
 #define TEST_WIN2K            0x0000020
 #define TEST_UPN              0x0000040
 #define TEST_S4U2SELF         0x0000080
@@ -57,9 +55,7 @@ struct test_data {
 	const char *real_username;
 	bool canonicalize;
 	bool enterprise;
-	bool upper_realm;
 	bool upper_username;
-	bool netbios_realm;
 	bool win2k;
 	bool upn;
 	bool other_upn_suffix;
@@ -324,11 +320,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 		torture_skip(tctx, "--option=torture:run_removedollar_test=true not specified");
 	}
 
-	if (test_data->netbios_realm) {
-		test_data->realm = test_data->real_domain;
-	} else {
-		test_data->realm = test_data->real_realm;
-	}
+	test_data->realm = test_data->real_realm;
 
 	if (test_data->upn) {
 		char *p;
@@ -360,20 +352,14 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 		 * with a valid domain, without adding even more
 		 * combinations
 		 */
-		if (test_data->netbios_realm == false) {
-			test_data->realm = p;
-		}
+		test_data->realm = p;
 	}
 
 	ok = torture_krb5_init_context_canon(tctx, test_data, &test_context);
 	torture_assert(tctx, ok, "torture_krb5_init_context failed");
 	k5_context = test_context->smb_krb5_context->krb5_context;
 
-	if (test_data->upper_realm) {
-		test_data->realm = strupper_talloc(test_data, test_data->realm);
-	} else {
-		test_data->realm = strlower_talloc(test_data, test_data->realm);
-	}
+	test_data->realm = strupper_talloc(test_data, test_data->realm);
 	if (test_data->upper_username) {
 		test_data->username = strupper_talloc(test_data, test_data->username);
 	} else {
@@ -532,13 +518,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 					     password, NULL, NULL, 0,
 					     NULL, krb_options);
 
-	if (test_data->netbios_realm && test_data->upn) {
-		torture_assert_int_equal(tctx, k5ret,
-					 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
-					 "Got wrong error_code from krb5_get_init_creds_password");
-		/* We can't proceed with more checks */
-		return true;
-	} else if (test_context->test_data->as_req_spn
+	if (test_context->test_data->as_req_spn
 		   && !test_context->test_data->spn_is_upn) {
 		torture_assert_int_equal(tctx, k5ret,
 					 KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN,
@@ -673,30 +653,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 	/* Confirm if we can get a ticket krbtgt/realm that we got back with the initial kinit */
 	k5ret = krb5_get_creds(k5_context, opt, ccache, krbtgt_other, &server_creds);
 
-	if (test_data->canonicalize == false
-	    && test_data->netbios_realm && test_data->upper_realm) {
-		/*
-		 * In these situations, the code above does store a
-		 * principal in the credentials cache matching what
-		 * krb5_get_creds() needs, so the test succeds, with no packets.
-		 *
-		 */
-		assertion_message = talloc_asprintf(tctx,
-						    "krb5_get_creds for %s failed with: %s",
-						    krbtgt_other_string,
-						    smb_get_krb5_error_message(k5_context, k5ret,
-									       tctx));
-
-		torture_assert_int_equal(tctx, k5ret, 0, assertion_message);
-		torture_assert_int_equal(tctx,
-					 test_context->packet_count,
-					 0, "Expected krb5_get_creds not to send packets");
-	} else if (test_data->canonicalize == false
-		   && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
-		torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
-					 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
-	} else {
-
+	{
 		/*
 		 * In these situations, the code above does not store a
 		 * principal in the credentials cache matching what
@@ -755,11 +712,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 	 * krb5_get_creds() needs, so the test fails.
 	 *
 	 */
-	if (test_data->canonicalize == false
-	    && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
-		torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
-					 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
-	} else {
+	{
 		assertion_message = talloc_asprintf(tctx,
 						    "krb5_get_creds for %s failed: %s",
 						    principal_string,
@@ -901,17 +854,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 	}
 
 	/*
-	 * Only in these cases would the above code have needed to
-	 * send packets to the network
-	 */
-	if (test_data->canonicalize == false
-	    && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
-		torture_assert(tctx,
-			       test_context->packet_count > 0,
-			       "Expected krb5_mk_req_exact to send packets");
-	}
-
-	/*
 	 * Confirm gettting a ticket to pass to the server, running
 	 * the TEST_TGS_REQ_HOST, TEST_TGS_REQ_HOST_SRV_INST, TEST_TGS_REQ_HOST_SRV_HST stage
 	 *
@@ -922,7 +864,6 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 	 */
 
 	if (*test_data->krb5_service && *test_data->krb5_hostname) {
-		bool implied_canonicalize;
 		krb5_principal host_principal_srv_inst;
 		/*
 		 * This tries to guess when the krb5 libs will ask for a
@@ -942,23 +883,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 				    &in_data, ccache,
 				    &enc_ticket);
 
-		implied_canonicalize = test_data->canonicalize;
-		if (test_data->spn_is_upn && (test_data->upn || test_data->as_req_spn)) {
-			implied_canonicalize = true;
-		}
-
-		if (implied_canonicalize == false
-		    && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
-			torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
-						 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
-		} else if (test_data->spn_is_upn
-			   && test_data->canonicalize == false
-			   && test_data->upper_realm == false
-			   && test_data->upper_username == true
-			   && test_data->upn) {
-			torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
-						 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
-		} else {
+		{
 			assertion_message = talloc_asprintf(tctx,
 							    "krb5_mk_req for %s/%s failed: %s",
 							    test_data->krb5_service,
@@ -1003,11 +928,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 					  &in_data, ccache,
 					  &enc_ticket);
 		krb5_free_principal(k5_context, host_principal_srv_inst);
-		if (test_data->canonicalize == false
-		    && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
-			torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
-						 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
-		} else {
+		{
 			assertion_message = talloc_asprintf(tctx,
 							    "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
 							    test_data->krb5_service,
@@ -1048,11 +969,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *
 					  &in_data, ccache,
 					  &enc_ticket);
 		krb5_free_principal(k5_context, host_principal_srv_inst);
-		if (test_data->canonicalize == false
-		    && (test_data->upper_realm == false || test_data->netbios_realm == true)) {
-			torture_assert_int_equal(tctx, k5ret, KRB5_CC_NOTFOUND,
-						 "krb5_get_creds should have failed with KRB5_CC_NOTFOUND");
-		} else {
+		{
 			assertion_message = talloc_asprintf(tctx,
 							    "krb5_mk_req for %s/%s KRB5_NT_SRV_INST failed: %s",
 							    test_data->krb5_service,
@@ -1109,12 +1026,10 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
 	suite->description = talloc_strdup(suite, "Kerberos Canonicalisation tests");
 
 	for (i = 0; i < TEST_ALL; i++) {
-		char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s.%s.%s",
+		char *name = talloc_asprintf(suite, "%s.%s.%s.%s.%s.%s",
 					     (i & TEST_CANONICALIZE) ? "canon" : "no-canon",
 					     (i & TEST_ENTERPRISE) ? "enterprise" : "no-enterprise",
-					     (i & TEST_UPPER_REALM) ? "uc-realm" : "lc-realm",
 					     (i & TEST_UPPER_USERNAME) ? "uc-user" : "lc-user",
-					     (i & TEST_NETBIOS_REALM) ? "netbios-realm" : "krb5-realm",
 					     (i & TEST_WIN2K) ? "win2k" : "no-win2k",
 					     (i & TEST_UPN) ? "upn" :
 					     ((i & TEST_AS_REQ_SPN) ? "spn" : 
@@ -1147,9 +1062,7 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx)
 						samba_cmdline_get_creds());
 		test_data->canonicalize = (i & TEST_CANONICALIZE) != 0;
 		test_data->enterprise = (i & TEST_ENTERPRISE) != 0;
-		test_data->upper_realm = (i & TEST_UPPER_REALM) != 0;
 		test_data->upper_username = (i & TEST_UPPER_USERNAME) != 0;
-		test_data->netbios_realm = (i & TEST_NETBIOS_REALM) != 0;
 		test_data->win2k = (i & TEST_WIN2K) != 0;
 		test_data->upn = (i & TEST_UPN) != 0;
 		test_data->s4u2self = (i & TEST_S4U2SELF) != 0;