[PATCH] Improve krb5 KDC tests, kdc behaviour

Andrew Bartlett abartlet at samba.org
Fri Jan 30 11:54:33 MST 2015


On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > Metze,
> > 
> > Attached are some improvements to our KDC test script, and a fix for our
> > KDC.
> 
> Andrew,
> 
> Please change
> 
> -	if (principal->name.name_string.len >= 2) {
> +	if (principal->name.name_type == KRB5_NT_PRINCIPAL
> +	    && principal->name.name_string.len >= 2) {
> 
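
Review bot: the added `name_type == KRB5_NT_PRINCIPAL` condition on the `+` lines carries no comment saying why principals of other name types with two or more components should now skip this branch. Suggest a short comment above the `if` stating the intent, plus a case in the KDC test script for a multi-component principal whose name type is not KRB5_NT_PRINCIPAL, so the narrowed condition is pinned by a test.
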
> to
> 
> if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL
>     && krb5_princ_size(context, principal) >= 2) {
> 

Thanks,

I'll do that on Monday.  I do realise this patch set is both a blessing
and a curse (to use an expression) for your efforts, because: 
 - it is the first time we have had a serious test suite for KDC
behaviour,
 - it imposes some quite strict behaviour expectations on both the krb5
libs and the KDC, but
 - it uses Heimdal-specific code (like the ASN.1 parser) and
functions that could be implemented in MIT (but are not), like the
send_to_kdc hooks, to get there.

Asking to use the helper functions where available is quite reasonable,
and I'll do that.

All that said, it has been a very worthwhile effort, because we have
found some very interesting and subtle bugs along the way. 

My updated krb5-upn2 branch shows how we can test the canonicalize flag
for the TGS-REQ, shows that we need to fix our tests in that area, and
points to a direction for testing S4U2Self and S4U2Proxy behaviour,
which I think will become an even more important area in the future. 

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba
