[PATCH] Improve krb5 KDC tests, kdc behaviour

Andreas Schneider asn at samba.org
Fri Jan 30 12:33:48 MST 2015


On Saturday 31 January 2015 07:54:33 Andrew Bartlett wrote:
> On Fri, 2015-01-30 at 17:45 +0100, Andreas Schneider wrote:
> > On Friday 30 January 2015 17:44:12 Andrew Bartlett wrote:
> > > Metze,
> > > 
> > > Attached is some improvements to our KDC test script, and a fix for our
> > > KDC.
> > 
> > Andrew,
> > 
> > Please change
> > 
> > -	if (principal->name.name_string.len >= 2) {
> > +	if (principal->name.name_type == KRB5_NT_PRINCIPAL
> > +	    && principal->name.name_string.len >= 2) {
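
Review bot: the `+` lines read `principal->name.name_type` and `principal->name.name_string.len` straight out of the Heimdal `Principal` struct, which ties this check to the Heimdal build and will not compile against MIT krb5; the portable form is to go through the accessor wrappers, i.e. `smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL && krb5_princ_size(context, principal) >= 2`, as proposed below.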
> > 
> > to
> > 
> > if (smb_krb5_principal_get_type(context, principal) == KRB5_NT_PRINCIPAL
> > 
> >     && krb5_princ_size(context, principal) >= 2) {
> 
> Thanks,
> 
> I'll do that on Monday.  I do realise this patch set is both a blessing
> and a curse (to use an expression) for your efforts, because:
>  - it is the first time we have had a serious test suite for KDC
> behaviour,
>  - it imposes some quite strict behaviour expectations on both the krb5
> libs and the KDC and
>  - but it uses Heimdal-specific code (like the ASN.1 parser) and
> functions that could be implemented in MIT (but are not) like the
> send_to_kdc hooks to get there.
> 
> Asking to use the helper functions where available is quite reasonable,
> and I'll do that.

It makes it easier to rebase our MIT patchset, which has quite some patches.

asn at magrathea:~/workspace/projects/samba/git> git w
## master-mit-kdc...origin/master [ahead 116]

> All that said, it has been a very worthwhile effort, because we have
> found some very interesting and subtle bugs along the way.
> 
> My updated krb5-upn2 branch shows how we can test the canonicalize flag
> for the TGS-REQ, shows that we need to fix our tests in that area, and
> points to a direction for testing S4U2Self and S4U2Proxy behaviour,
> which I think will become an even more important area in the future.

We probably need the same for MIT Kerberos, but currently we still don't
understand some things.

The current bug I'm trying to hunt down is that Kerberos auth works just fine
as a user, but not with the machine account ...

kinit works but then gss_init_sec_context() in gensec_gssapi_update() fails
with:

Matching credential not found

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org