Cross realm S4U2Self cont.

Isaac Boukris iboukris at gmail.com
Tue Sep 18 14:42:17 UTC 2018


On Tue, Sep 4, 2018 at 8:10 PM, Isaac Boukris <iboukris at gmail.com> wrote:
> I have reworked the kdc fix as I said, see new patch attached and on gitlab:
> https://gitlab.com/samba-team/devel/samba/commits/iboukris_xrealm_s4u2self_new


Meanwhile on the MIT front, I managed to get both ways of the trust to
work, see attached proof-of-concept patches.
Notice the changes needed upstream, I'll start a discussion about it on krbdev.

Interestingly, the MIT variant works with external trust too (not
forest only), apparently due to the way it converts the server
principal to an enterprise name (I wonder where these details are
documented).
We could do the same with heimdal and test that too, but we'd need a
better tool than net-ads-pac (I have a patch to make it support
enterprise-names but it's too ugly).
-------------- next part --------------
From 865cdde3d93c492b2ce8f5ad6f898c39b2a086d7 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Wed, 12 Sep 2018 16:32:57 +0300
Subject: [PATCH 1/4] kdb: fix sign_authdata() API comments

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/include/kdb.h | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/include/kdb.h b/src/include/kdb.h
index 5615329c0..7f11829de 100644
--- a/src/include/kdb.h
+++ b/src/include/kdb.h
@@ -1257,14 +1257,15 @@ typedef struct _kdb_vftabl {
      *
      *   flags: The flags used to look up the client principal.
      *
-     *   client_princ: For S4U2Proxy TGS requests, the client principal
-     *     requested by the service; for regular TGS requests, the
+     *   client_princ: For S4U2Self and S4U2Proxy TGS requests, the client
+     *     principal requested by the service; for regular TGS requests, the
      *     possibly-canonicalized client principal.
      *
      *   client: The DB entry of the client.  For S4U2Self, this will be the DB
      *     entry for the client principal requested by the service).
      *
-     *   server: The DB entry of the service principal.
+     *   server: The DB entry of the service principal, or of a cross-realm
+     *     krbtgt principal in case of referral.
      *
      *   krbtgt: For TGS requests, the DB entry of the server of the ticket in
      *     the PA-TGS-REQ padata; this is usually a local or cross-realm krbtgt
-- 
2.14.3


From 144add29a4da46a7bb2786884c11b1b5f187423e Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 17 Sep 2018 00:27:33 +0300
Subject: [PATCH 2/4] wip: let sign pac with realm for cross realm s4u2self

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/include/krb5/krb5.hin    |  6 ++++++
 src/lib/krb5/krb/pac_sign.c  | 19 ++++++++++++++++---
 src/lib/krb5/libkrb5.exports |  1 +
 3 files changed, 23 insertions(+), 3 deletions(-)

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index 384bb838f..e406ede3e 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8299,6 +8299,12 @@ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
               krb5_const_principal principal, const krb5_keyblock *server_key,
               const krb5_keyblock *privsvr_key, krb5_data *data);
 
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign_ex(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+                 krb5_const_principal principal,
+                 const krb5_keyblock *server_key,
+                 const krb5_keyblock *privsvr_key, krb5_data *data,
+                 krb5_boolean with_realm);
 /**
  * Allow the appplication to override the profile's allow_weak_crypto setting.
  *
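Review bot: krb5_pac_sign_ex is added to the public header with no documentation block and no blank line separating it from the `/**` comment of the following function, so the next doc block visually attaches to the new prototype. Give it its own `/** ... */` block stating that it behaves like krb5_pac_sign() except that `with_realm` controls whether the client name written to the PAC_CLIENT_INFO buffer carries the principal's realm (the implementation toggles KRB5_PRINCIPAL_UNPARSE_NO_REALM on it), and insert a blank line before the existing comment. The krb5_pac_verify_ex prototype added in PATCH 3/4 has the same gap and should document that `with_realm` makes the realm part of the client-name comparison.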
diff --git a/src/lib/krb5/krb/pac_sign.c b/src/lib/krb5/krb/pac_sign.c
index c94899c96..ee9fda192 100644
--- a/src/lib/krb5/krb/pac_sign.c
+++ b/src/lib/krb5/krb/pac_sign.c
@@ -33,7 +33,8 @@ static krb5_error_code
 k5_insert_client_info(krb5_context context,
                       krb5_pac pac,
                       krb5_timestamp authtime,
-                      krb5_const_principal principal)
+                      krb5_const_principal principal,
+                      krb5_boolean with_realm)
 {
     krb5_error_code ret;
     krb5_data client_info;
@@ -48,7 +49,7 @@ k5_insert_client_info(krb5_context context,
         return k5_pac_validate_client(context, pac, authtime, principal);
     }
 
-    ret = krb5_unparse_name_flags(context, principal,
+    ret = krb5_unparse_name_flags(context, principal, with_realm ? 0 :
                                   KRB5_PRINCIPAL_UNPARSE_NO_REALM,
                                   &princ_name_utf8);
     if (ret != 0)
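Review bot: The new `with_realm` parameter is not applied on the early-return path at the top of this hunk, where an already-present client-info buffer is checked with `k5_pac_validate_client(context, pac, authtime, principal)` and the realm is therefore always ignored. Once PATCH 3/4 introduces the realm-aware variant, this should read `return k5_pac_validate_client_ex(context, pac, authtime, principal, with_realm);` so a PAC that arrived with the realm in its client name is validated with the same rule it is signed with. The ternary `with_realm ? 0 : KRB5_PRINCIPAL_UNPARSE_NO_REALM` split across the argument list is hard to read; a local `int flags = with_realm ? 0 : KRB5_PRINCIPAL_UNPARSE_NO_REALM;` would help. k5_insert_client_info continues outside the hunk.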
@@ -182,6 +183,17 @@ krb5_error_code KRB5_CALLCONV
 krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
               krb5_const_principal principal, const krb5_keyblock *server_key,
               const krb5_keyblock *privsvr_key, krb5_data *data)
+{
+    return krb5_pac_sign_ex(context, pac, authtime, principal, server_key,
+                            privsvr_key, data, 0);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_sign_ex(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
+                 krb5_const_principal principal,
+                 const krb5_keyblock *server_key,
+                 const krb5_keyblock *privsvr_key, krb5_data *data,
+                 krb5_boolean with_realm)
 {
     krb5_error_code ret;
     krb5_data server_cksum, privsvr_cksum;
@@ -192,7 +204,8 @@ krb5_pac_sign(krb5_context context, krb5_pac pac, krb5_timestamp authtime,
     data->data = NULL;
 
     if (principal != NULL) {
-        ret = k5_insert_client_info(context, pac, authtime, principal);
+        ret = k5_insert_client_info(context, pac, authtime, principal,
+                                    with_realm);
         if (ret != 0)
             return ret;
     }
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 622bc3673..cbc6bd15f 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -486,6 +486,7 @@ krb5_pac_get_types
 krb5_pac_init
 krb5_pac_parse
 krb5_pac_sign
+krb5_pac_sign_ex
 krb5_pac_verify
 krb5_parse_name
 krb5_parse_name_flags
-- 
2.14.3


From 9a4a54620d3887864308b1e2b309a65f43ee06c4 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 20 Aug 2018 16:18:50 +0300
Subject: [PATCH 3/4] wip: let verify pac with realm for cross realm s4u2self

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/include/krb5/krb5.hin    |  6 ++++++
 src/lib/krb5/krb/authdata.h  |  7 +++++++
 src/lib/krb5/krb/pac.c       | 33 ++++++++++++++++++++++++++++++---
 src/lib/krb5/libkrb5.exports |  1 +
 4 files changed, 44 insertions(+), 3 deletions(-)

diff --git a/src/include/krb5/krb5.hin b/src/include/krb5/krb5.hin
index e406ede3e..3beb5e8f1 100644
--- a/src/include/krb5/krb5.hin
+++ b/src/include/krb5/krb5.hin
@@ -8276,6 +8276,12 @@ krb5_pac_verify(krb5_context context, const krb5_pac pac,
                 krb5_timestamp authtime, krb5_const_principal principal,
                 const krb5_keyblock *server, const krb5_keyblock *privsvr);
 
+krb5_error_code KRB5_CALLCONV
+krb5_pac_verify_ex(krb5_context context, const krb5_pac pac,
+                   krb5_timestamp authtime, krb5_const_principal principal,
+                   const krb5_keyblock *server, const krb5_keyblock *privsvr,
+                   krb5_boolean with_realm);
+
 /**
  * Sign a PAC.
  *
diff --git a/src/lib/krb5/krb/authdata.h b/src/lib/krb5/krb/authdata.h
index 1e5c08426..aec6ff542 100644
--- a/src/lib/krb5/krb/authdata.h
+++ b/src/lib/krb5/krb/authdata.h
@@ -92,6 +92,13 @@ k5_pac_validate_client(krb5_context context,
                        krb5_timestamp authtime,
                        krb5_const_principal principal);
 
+krb5_error_code
+k5_pac_validate_client_ex(krb5_context context,
+                          const krb5_pac pac,
+                          krb5_timestamp authtime,
+                          krb5_const_principal principal,
+                          krb5_boolean with_realm);
+
 krb5_error_code
 k5_pac_add_buffer(krb5_context context,
                   krb5_pac pac,
diff --git a/src/lib/krb5/krb/pac.c b/src/lib/krb5/krb/pac.c
index c9b5de30a..17a72b56e 100644
--- a/src/lib/krb5/krb/pac.c
+++ b/src/lib/krb5/krb/pac.c
@@ -404,6 +404,17 @@ k5_pac_validate_client(krb5_context context,
                        const krb5_pac pac,
                        krb5_timestamp authtime,
                        krb5_const_principal principal)
+{
+	return k5_pac_validate_client_ex(context, pac, authtime,
+			                 principal, 0);
+}
+
+krb5_error_code
+k5_pac_validate_client_ex(krb5_context context,
+                          const krb5_pac pac,
+                          krb5_timestamp authtime,
+                          krb5_const_principal principal,
+                          krb5_boolean with_realm)
 {
     krb5_error_code ret;
     krb5_data client_info;
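Review bot: The body of the new k5_pac_validate_client wrapper is indented with tabs (the `return` and its continuation line) while this file uses four spaces, as the surrounding context lines show; the same tab indentation appears in the krb5_pac_verify wrapper added later in this patch. Re-indent both with spaces and align the continuation line under the first argument. k5_pac_validate_client_ex continues outside the hunk.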
@@ -413,7 +424,7 @@ k5_pac_validate_client(krb5_context context,
     krb5_ui_2 pac_princname_length;
     int64_t pac_nt_authtime;
     krb5_principal pac_principal;
-    int flags;
+    int flags = 0;
 
     ret = k5_pac_locate_buffer(context, pac, KRB5_PAC_CLIENT_INFO,
                                &client_info);
@@ -443,7 +454,8 @@ k5_pac_validate_client(krb5_context context,
 
     /* Parse the UTF-8 name as an enterprise principal if we are matching
      * against one; otherwise parse it as a regular principal with no realm. */
-    flags = KRB5_PRINCIPAL_PARSE_NO_REALM;
+    if (!with_realm)
+        flags |= KRB5_PRINCIPAL_PARSE_NO_REALM;
     if (principal->type == KRB5_NT_ENTERPRISE_PRINCIPAL)
         flags |= KRB5_PRINCIPAL_PARSE_ENTERPRISE;
     ret = krb5_parse_name_flags(context, pac_princname, flags, &pac_principal);
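Review bot: When `with_realm` is set the name is parsed without KRB5_PRINCIPAL_PARSE_NO_REALM, so a PAC client-info name that carries no realm would, as I read krb5_parse_name_flags, be completed with the context's default realm and then compared realm-inclusively, making the outcome depend on KDC configuration rather than on what the ticket contains. Adding `flags |= KRB5_PRINCIPAL_PARSE_REQUIRE_REALM;` in the with_realm branch would reject such names explicitly instead. The comment at the top of the hunk still says the name is otherwise parsed "with no realm" unconditionally; reword it to say that the realm is kept only when with_realm is set. k5_pac_validate_client_ex starts and ends outside the hunk.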
@@ -458,6 +470,7 @@ k5_pac_validate_client(krb5_context context,
         !krb5_principal_compare_flags(context,
                                       pac_principal,
                                       principal,
+                                      with_realm ? 0 :
                                       KRB5_PRINCIPAL_COMPARE_IGNORE_REALM))
         ret = KRB5KRB_AP_WRONG_PRINC;
 
@@ -622,6 +635,19 @@ krb5_pac_verify(krb5_context context,
                 krb5_const_principal principal,
                 const krb5_keyblock *server,
                 const krb5_keyblock *privsvr)
+{
+	return krb5_pac_verify_ex(context, pac, authtime, principal,
+                                  server, privsvr, 0);
+}
+
+krb5_error_code KRB5_CALLCONV
+krb5_pac_verify_ex(krb5_context context,
+                   const krb5_pac pac,
+                   krb5_timestamp authtime,
+                   krb5_const_principal principal,
+                   const krb5_keyblock *server,
+                   const krb5_keyblock *privsvr,
+                   krb5_boolean with_realm)
 {
     krb5_error_code ret;
 
@@ -638,7 +664,8 @@ krb5_pac_verify(krb5_context context,
     }
 
     if (principal != NULL) {
-        ret = k5_pac_validate_client(context, pac, authtime, principal);
+        ret = k5_pac_validate_client_ex(context, pac, authtime,
+                                        principal, with_realm);
         if (ret != 0)
             return ret;
     }
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index cbc6bd15f..00aaacc1c 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -488,6 +488,7 @@ krb5_pac_parse
 krb5_pac_sign
 krb5_pac_sign_ex
 krb5_pac_verify
+krb5_pac_verify_ex
 krb5_parse_name
 krb5_parse_name_flags
 krb5_prepend_error_message
-- 
2.14.3


From e5533baa0ba7dff75defcb8f0368e2fdc2d36f95 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Tue, 18 Sep 2018 15:16:20 +0300
Subject: [PATCH 4/4] wip: allow s4u2self cross realm referrals

need to understand commit 8a9909ff9ef6b51c5ed09ead6713888fbb34072f

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 src/kdc/do_tgs_req.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index bf2178125..5f5c6830b 100644
--- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
@@ -290,7 +290,7 @@ process_tgs_req(krb5_kdc_req *request, krb5_data *pkt,
         goto cleanup;
     if (s4u_x509_user != NULL) {
         setflag(c_flags, KRB5_KDB_FLAG_PROTOCOL_TRANSITION);
-        if (is_referral) {
+        if (0 && is_referral) {
             /* The requesting server appears to no longer exist, and we found
              * a referral instead.  Treat this as a server lookup failure. */
             errcode = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN;
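Review bot: `if (0 && is_referral)` disables the referral rejection for every protocol-transition request, not just the cross-realm case this series is after, and leaves the comment beneath it describing a check that no longer runs. Even as a work-in-progress marker, the condition should express the intended exception (for example, only skipping the error when the referral target is a cross-realm krbtgt) and the comment should be updated to match, so that the case it describes — the requesting server no longer exists — is still reported as KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. process_tgs_req starts and ends outside the hunk.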
-- 
2.14.3

-------------- next part --------------
From 70579084392138486907642ae80eee575b4fc725 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Tue, 18 Sep 2018 16:55:26 +0300
Subject: [PATCH 1/6] mit-kdc: fix cross realm s4u2self handling

According to MS-SFU 3.2.5.x, in a s4u2self referral ticket,
the PAC_CLIENT_INFO field may include the realm, so we need
to account for this before verifying and signing the PAC.

Note: this change requires upstream changes.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 source4/kdc/mit-kdb/kdb_samba_policies.c | 73 ++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 22 deletions(-)

diff --git a/source4/kdc/mit-kdb/kdb_samba_policies.c b/source4/kdc/mit-kdb/kdb_samba_policies.c
index 81ac73582e0..0ad667b0fee 100644
--- a/source4/kdc/mit-kdb/kdb_samba_policies.c
+++ b/source4/kdc/mit-kdb/kdb_samba_policies.c
@@ -192,7 +192,8 @@ static krb5_error_code ks_verify_pac(krb5_context context,
 				     krb5_keyblock *krbtgt_key,
 				     krb5_timestamp authtime,
 				     krb5_authdata **tgt_auth_data,
-				     krb5_pac *pac)
+				     krb5_pac *pac,
+				     krb5_boolean with_realm)
 {
 	struct mit_samba_context *mit_ctx;
 	krb5_authdata **authdata = NULL;
@@ -249,12 +250,13 @@ static krb5_error_code ks_verify_pac(krb5_context context,
 				       server_key,
 				       krbtgt_key);
 	} else {
-		code = krb5_pac_verify(context,
-				       ipac,
-				       authtime,
-				       client_princ,
-				       krbtgt_key,
-				       NULL);
+		code = krb5_pac_verify_ex(context,
+				          ipac,
+				          authtime,
+				          client_princ,
+				          krbtgt_key,
+				          NULL,
+					  with_realm);
 	}
 	if (code != 0) {
 		goto done;
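Review bot: krb5_pac_verify_ex does not exist in any released MIT krb5 (the commit message itself says upstream changes are needed), so this call, like the krb5_pac_sign_ex call later in the patch, will not compile against a system libkrb5; until the API lands, guard both behind a configure-time symbol check with a fallback to the existing krb5_pac_verify/krb5_pac_sign calls when the realm flags are false, or keep the patch out of master. The `with_realm` argument line is also indented one tab deeper than the arguments above it. ks_verify_pac continues outside the hunk.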
@@ -303,28 +305,52 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 {
 	krb5_const_principal ks_client_princ;
 	krb5_authdata **authdata = NULL;
+	krb5_boolean verify_realm = false;
+	krb5_boolean sign_realm = false;
+	krb5_boolean reget_pac;
 	krb5_boolean is_as_req;
 	krb5_error_code code;
 	krb5_pac pac = NULL;
 	krb5_data pac_data;
 
 	/* Prefer canonicalised name from client entry */
-	if (client != NULL) {
-		ks_client_princ = client->princ;
-	} else {
-		ks_client_princ = client_princ;
-	}
+	ks_client_princ = client ? client->princ : client_princ;
 
 	is_as_req = ((flags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) != 0);
 
-	if (is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) {
-		code = ks_get_pac(context, client, client_key, &pac);
-		if (code != 0) {
-			goto done;
+	reget_pac = !is_as_req;
+
+	if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {
+
+		/* Match for_user principal */
+		ks_client_princ = client_princ;
+
+		if (client != NULL) {
+			/* The PAC in the tgt is of the impersonating
+			 * service principal, so we discard it.
+			 * If we must verify it, then we'll need to change
+			 * the API to provide us with the tgt-client principal
+			 * (server->princ could work but only if the service
+			 * is in local realm, otherwise it is the cross-realm
+			 * trust principal) */
+			reget_pac = false;
+		}
+		else {
+			/* Cross realm s4u2self tickets include the realm */
+			verify_realm = true;
 		}
+
+		/* If the tgt-client is not from local realm, then neither
+		 * is the service, so we are issuing a referral. */
+		if (flags & KRB5_KDB_FLAG_CROSS_REALM) {
+
+			/* Cross realm s4u2self tickets include the realm */
+			sign_realm = true;
+		}
+
 	}
 
-	if (!is_as_req) {
+	if (reget_pac) {
 		code = ks_verify_pac(context,
 				     flags,
 				     ks_client_princ,
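Review bot: The brace and spacing style of the new protocol-transition block departs from the rest of the file: `}` and `else {` are on separate lines, there is a blank line directly after `if (flags & KRB5_KDB_FLAG_PROTOCOL_TRANSITION) {` and after the cross-realm `if`, and the opening brace of the later `if (client != NULL && ...)` condition sits on its own line; write `} else {` and put each brace on the condition's line. The comment "Cross realm s4u2self tickets include the realm" appears twice for two different decisions (verify_realm and sign_realm); say which side each governs, e.g. `/* The PAC in the incoming tgt names the client with its realm */` and `/* The referral ticket we issue must name the client with its realm */`. The long comment about discarding the tgt's PAC describes a known gap in verification; prefix it with `TODO:` so it is not read as the settled design. kdb_samba_db_sign_auth_data starts and ends outside the hunk.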
@@ -335,14 +361,17 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 				     krbtgt_key,
 				     authtime,
 				     tgt_auth_data,
-				     &pac);
+				     &pac,
+				     verify_realm);
 		if (code != 0) {
 			goto done;
 		}
 	}
 
-	if (pac == NULL && client != NULL) {
-
+	if (client != NULL &&
+		((is_as_req && (flags & KRB5_KDB_FLAG_INCLUDE_PAC)) ||
+			(!is_as_req && pac == NULL)))
+	{
 		code = ks_get_pac(context, client, client_key, &pac);
 		if (code != 0) {
 			goto done;
@@ -354,8 +383,8 @@ krb5_error_code kdb_samba_db_sign_auth_data(krb5_context context,
 		goto done;
 	}
 
-	code = krb5_pac_sign(context, pac, authtime, ks_client_princ,
-			server_key, krbtgt_key, &pac_data);
+	code = krb5_pac_sign_ex(context, pac, authtime, ks_client_princ,
+				server_key, krbtgt_key, &pac_data, sign_realm);
 	if (code != 0) {
 		DBG_ERR("krb5_pac_sign failed: %d\n", code);
 		goto done;
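Review bot: The log message still names the old function after the call was switched to krb5_pac_sign_ex, which will send anyone debugging a failure to the wrong code; change it to `DBG_ERR("krb5_pac_sign_ex failed: %d\n", code);`. kdb_samba_db_sign_auth_data continues outside the hunk.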
-- 
2.14.3


From fb2f729203b3daac8c37f30030452248a490dcf4 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 22 Jan 2018 18:40:17 +0000
Subject: [PATCH 2/6] net-ads-search: use specified user when given

This fixes 'net ads search -U' on a domain controller.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 source3/utils/net_ads.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index afe47dad839..d050964dd5e 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -305,7 +305,8 @@ retry:
 		}
        }
 
-	status = ads_connect(ads);
+	status = c->opt_user_specified ? ads_connect_user_creds(ads) :
+					 ads_connect(ads);
 
 	if (!ADS_ERR_OK(status)) {
 
-- 
2.14.3


From c06deadcd5946abf91940298b04fa85f0380b967 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Mon, 23 Jul 2018 13:28:18 +0300
Subject: [PATCH 3/6] net-ads-search: fix using machine account on a domain
 controller

Set opt_user_specified to true once setting the machine name at
opt_user_name. This helps for the net tool to work on a DC with
machine credentials (-P), by acquiring credentials for host$@realm
(same as on domain member) instead of trying to acquire creds
for lp_workgroup()@realm and failing.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 source3/utils/net_util.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index a84b4f5500e..0a15ff0274f 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -279,6 +279,7 @@ int net_use_krb_machine_account(struct net_context *c)
 		return -1;
 	}
 	c->opt_user_name = user_name;
+	c->opt_user_specified = true;
 	return 0;
 }
 
-- 
2.14.3


From 8515d5accb254af20c9f02d456957acf250bd787 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Sat, 18 Aug 2018 15:32:43 +0300
Subject: [PATCH 4/6] mit-kdc: fix kinit test on system lacking ldbsearch

By fixing bindir variable name.

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 testprogs/blackbox/test_kinit_mit.sh | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index dabf9915ed1..370542536e1 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -32,13 +32,13 @@ samba_enableaccount="$samba_tool user enable"
 machineaccountccache="$samba_srcdir/scripting/bin/machineaccountccache"
 
 ldbmodify="ldbmodify"
-if [ -x "$samba4bindir/ldbmodify" ]; then
-	ldbmodify="$samba4bindir/ldbmodify"
+if [ -x "$samba_bindir/ldbmodify" ]; then
+	ldbmodify="$samba_bindir/ldbmodify"
 fi
 
 ldbsearch="ldbsearch"
-if [ -x "$samba4bindir/ldbsearch" ]; then
-	ldbsearch="$samba4bindir/ldbsearch"
+if [ -x "$samba_bindir/ldbsearch" ]; then
+	ldbsearch="$samba_bindir/ldbsearch"
 fi
 
 . `dirname $0`/subunit.sh
-- 
2.14.3


From 790c56705ce2d5e96de76c5de7a0c4fcfaff9084 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Sun, 16 Sep 2018 19:29:28 +0300
Subject: [PATCH 5/6] mit-kdc: add basic in-realm s4u2self test

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 testprogs/blackbox/test_kinit_mit.sh | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/testprogs/blackbox/test_kinit_mit.sh b/testprogs/blackbox/test_kinit_mit.sh
index 370542536e1..435151e2bf8 100755
--- a/testprogs/blackbox/test_kinit_mit.sh
+++ b/testprogs/blackbox/test_kinit_mit.sh
@@ -25,6 +25,7 @@ samba_kinit=kinit
 samba_kdestroy=kdestroy
 samba_kpasswd=kpasswd
 
+net_tool="$samba_bindir/net -s $SMB_CONF_PATH"
 samba_tool="$samba_bindir/samba-tool"
 samba_texpect="$samba_bindir/texpect"
 
@@ -299,6 +300,14 @@ test_smbclient "Test machine account login with kerberos ccache" 'ls' -k yes ||
 
 testit "reset password policies" $VALGRIND $samba_tool domain passwordsettings set $ADMIN_LDBMODIFY_CONFIG --complexity=default --history-length=default --min-pwd-length=default --min-pwd-age=default --max-pwd-age=default || failed=`expr $failed + 1`
 
+###########################################################
+### Test S4U2Self with net-ads-kerberos-pac
+###########################################################
+
+rm -f $KRB5CCNAME_PATH
+testit "dump pac of local machine" $VALGRIND $net_tool -P ads kerberos pac dump || failed=`expr $failed + 1`
+testit "dump pac via impersonate" $VALGRIND $net_tool -P ads kerberos pac dump impersonate=$USERNAME@$REALM || failed=`expr $failed + 1`
+
 ### Cleanup
 
 $samba_kdestroy
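Review bot: The "dump pac via impersonate" test passes as long as `net ads kerberos pac dump` exits 0, so a PAC issued for the wrong principal (the machine account instead of $USERNAME) would not be caught. Consider capturing the dump and checking that it names the impersonated user, for example piping through `grep "$USERNAME"` inside a small wrapper function, so the assertion is on content rather than on exit status alone. The cross-realm variant added in PATCH 6/6 has the same weakness and should check for $TRUST_USERNAME the same way.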
-- 
2.14.3


From f5aad614c67e7627316f61b23ae185c7e3a1e8f3 Mon Sep 17 00:00:00 2001
From: Isaac Boukris <iboukris at gmail.com>
Date: Tue, 18 Sep 2018 17:23:53 +0300
Subject: [PATCH 6/6] mit-kdc: add s4u2self cross-realm test

Signed-off-by: Isaac Boukris <iboukris at gmail.com>
---
 testprogs/blackbox/test_kinit_trusts_mit.sh | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/testprogs/blackbox/test_kinit_trusts_mit.sh b/testprogs/blackbox/test_kinit_trusts_mit.sh
index 6696f441363..86d5062083d 100755
--- a/testprogs/blackbox/test_kinit_trusts_mit.sh
+++ b/testprogs/blackbox/test_kinit_trusts_mit.sh
@@ -36,6 +36,7 @@ samba_kpasswd=kpasswd
 
 samba_tool="$samba_bindir/samba-tool"
 samba_texpect="$samba_bindir/texpect"
+net_tool="$samba4bindir/net -s $SMB_CONF_PATH"
 
 smbclient="$samba_bindir/smbclient"
 wbinfo="$samba_bindir/wbinfo"
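Review bot: `net_tool` is built from `$samba4bindir` while the neighbouring assignments in this file use `$samba_bindir`, and PATCH 4/6 of this series fixes exactly that stale variable name in the sibling script; unless this script defines samba4bindir elsewhere, the new test would run a non-existent path. It should read `net_tool="$samba_bindir/net -s $SMB_CONF_PATH"`, matching the definition added to test_kinit_mit.sh in PATCH 5/6.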
@@ -128,6 +129,13 @@ testit "wbinfo check outgoing trust pw" $VALGRIND $wbinfo --check-secret --domai
 
 test_smbclient "Test user login with the changed outgoing secret" 'ls' -k yes -U$USERNAME@$REALM%$PASSWORD || failed=`expr $failed + 1`
 
+###########################################################
+### Test cross realm S4U2Self
+###########################################################
+# Notice that it doesn't require an SPN and it works with
+# external trust too (not forest only) because the MIT library
+# converts the server name to an enterprise name.
+testit "dump pac via impersonate with trust" $VALGRIND $net_tool -P ads kerberos pac dump impersonate=$TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
 ### Cleanup
 
 $samba_kdestroy
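Review bot: The new `testit` line runs straight into the `### Cleanup` heading with no separating blank line, unlike every other section in the file; add a blank line after the new test. The explanatory comment is useful, but its claim that the trick works for external trusts because "the MIT library converts the server name to an enterprise name" is, per the cover mail, an observation rather than documented behaviour, so a hedge such as `# (observed behaviour; not documented by MS-SFU as far as we know)` would stop it being read as a guarantee.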
-- 
2.14.3


