The Heimdal-specific krb5.kdc tests and the MIT Build (was: Re: More forest trust related patches)

Andrew Bartlett abartlet at
Fri Apr 10 00:28:26 MDT 2015

On Thu, 2015-04-09 at 12:05 +0200, Andreas Schneider wrote:
> On Wednesday 11 February 2015 18:07:17 Andrew Bartlett wrote:
> > Thanks, I'll take a look.
> > 
> > My concern recently working on our KDC has been that blackbox testing
> > doesn't trigger enough of the behaviours to be comprehensive.  That's
> > why I started writing specific tests.
> It would be great if they wouldn't be Heimdal specific :)

I totally agree.  I'm assuming, given all the effort put into cwrap,
that send_to_kdc plugin hooks (matching Heimdal) probably won't be
available in MIT any time soon, but that, and some way of using the
Heimdal ASN.1 parsing layer, would probably be the best way to get this
test coverage natively in an MIT build.

Alternately, we can #ifdef out the send_to_kdc hooks, ensure by some
other means that the right KDC is contacted, and still use the rest of
the tests, that just use standard krb5 functions.  When the tests are
added, they could test the trust case reasonably well (as trusts
probably don't really need packet-level verification). 

Finally, we could construct a build such that Samba is built twice, once
with internal Heimdal, once with MIT krb5, and the smbtorture binary is
used between them, like the old split Samba3/Samba4 days.  It's an ugly
hack, but given the bugs this found and the behaviour this now locks in,
matching Windows, an ugly way of running this test is still better
validation than not running it at all.

Andrew Bartlett

Andrew Bartlett             
Authentication Developer, Samba Team
Samba Developer, Catalyst IT
