[PATCH] Improve krb5 KDC tests, kdc behaviour
Andrew Bartlett
abartlet at samba.org
Fri Jan 30 11:54:33 MST 2015
On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > Metze,
> >
> > Attached are some improvements to our KDC test script, and a fix for our
> > KDC.
>
> Andrew,
>
> Please change
>
> - if (principal->name.name_string.len >= 2) {
> + if (principal->name.name_type == KRB5_NT_PRINCIPAL
> + && principal->name.name_string.len >= 2) {
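Review bot: the added name_type == KRB5_NT_PRINCIPAL test on the first line of this condition changes behaviour for every principal of another name type that has two or more components, since those satisfied the old len >= 2 check and took this branch. Add a comment stating why only KRB5_NT_PRINCIPAL names are meant to match here, and cover a multi-component principal of a different name type in the KDC tests so the new fall-through path is exercised.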
>
> to
>
> if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL
> && krb5_princ_size(context, principal) >= 2) {
>
Thanks,

I'll do that on Monday. I do realise this patch set is both a blessing
and a curse (to use an expression) for your efforts, because:
 - it is the first time we have had a serious test suite for KDC
   behaviour,
 - it imposes some quite strict behaviour expectations on both the krb5
   libs and the KDC and
 - but it uses Heimdal-specific code (like the ASN.1 parser) and
   functions that could be implemented in MIT (but are not) like the
   send_to_kdc hooks to get there.

Asking to use the helper functions where available is quite reasonable,
and I'll do that.

All that said, it has been a very worthwhile effort, because we have
found some very interesting and subtle bugs along the way.

My updated krb5-upn2 branch shows how we can test the canonicalize flag
for the TGS-REQ, shows that we need to fix our tests in that area, and
points to a direction for testing S4U2Self and S4U2Proxy behaviour,
which I think will become an even more important area in the future.

Thanks,

Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba