authorIsaac Boukris <iboukris@gmail.com>2020-05-09 16:26:45 +0200
committerAndrew Bartlett <abartlet@samba.org>2020-06-12 20:42:38 +0000
commitfb7dfdbe8f94f7f053d67832e7f28a751136d733 (patch)
tree5f3923ddbbfab0b134eab2f7cae12ef88bf3bd6e /testprogs
parent9b302a57ff0d4c3a373f762f2ad4daf736b0853b (diff)
downloadsamba-fb7dfdbe8f94f7f053d67832e7f28a751136d733.tar.gz
selftest: test forwardable flag in cross-realm with s4u2proxy
Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'testprogs')
-rwxr-xr-xtestprogs/blackbox/test_s4u_heimdal.sh17
1 files changed, 14 insertions, 3 deletions
diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh
index c6ada54e85b..c63eeaa2e30 100755
--- a/testprogs/blackbox/test_s4u_heimdal.sh
+++ b/testprogs/blackbox/test_s4u_heimdal.sh
@@ -12,8 +12,13 @@ USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
-PREFIX=$6
-shift 6
+TRUST_SERVER=$6
+TRUST_USERNAME=$7
+TRUST_PASSWORD=$8
+TRUST_REALM=$9
+TRUST_DOMAIN=${10}
+PREFIX=${11}
+shift 11
failed=0
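Review bot: Nothing in this hunk checks that all eleven positional parameters were supplied before `shift 11` runs. The diffstat's 14 insertions are fully accounted for by the three visible hunks, so any argument-count guard or usage text in lines 1-11 of the script (not visible here) is unchanged and presumably still describes the old six-argument form. In bash, `shift 11` with fewer arguments fails without shifting, and the TRUST_* variables and PREFIX end up empty, so the later `$PREFIX/tmppassfile` write would target `/tmppassfile`. A guard such as `[ $# -ge 11 ] || { echo "Usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN TRUST_SERVER TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX"; exit 1; }` ahead of the assignments would make a miswired caller fail loudly.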
@@ -39,7 +44,7 @@ export KRB5CCNAME
rm -rf $KRB5CCNAME_PATH
princ=test_impersonate_princ
-impersonator=test_impersonator
+impersonator=test_impersonator.$REALM
target="CIFS/$SERVER.$REALM"
@@ -72,6 +77,12 @@ testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmp
testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+echo $TRUST_PASSWORD > $PREFIX/tmppassfile
+testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+echo $PASSWORD > $PREFIX/tmppassfile
testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1`
testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
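Review bot: The two added writes, `echo $TRUST_PASSWORD > $PREFIX/tmppassfile` and `echo $PASSWORD > $PREFIX/tmppassfile`, expand the passwords unquoted and pass them through `echo`. A password containing whitespace, glob characters, a leading `-n` or backslashes can therefore be altered before it reaches the file, and kinit would then fail for a reason unrelated to the forwardable-flag behaviour under test. `printf '%s\n' "$TRUST_PASSWORD" > "$PREFIX/tmppassfile"` (and the same for `$PASSWORD`) writes the value verbatim. The password file is also created under the ambient umask and no visible line removes it; a `umask 077` before the first write and an `rm -f` in the script's cleanup (outside this hunk, if present) would keep both the local and the trusted-realm credentials from lingering readable in the test prefix.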