tests/krb5: Add tests for constrained delegation with RODC-issued tickets

This works as long as both tickets are issued by the same RODC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index f2012b3e935f27ccfae452fe648571e7e005cc46..d2cfdf770e3670af7205bbef2c3e1c335c40ea53 100755 (executable)
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -1471,6 +1471,49 @@ class S4UKerberosTests(KDCBaseTest):
                 'modify_client_tkt_fn': self.rc4_pac_checksums,
             })
 
+    def test_constrained_delegation_rodc_issued(self):
+        self._run_delegation_test(
+            {
+                # Test that RODC-issued constrained delegation tickets are
+                # accepted.
+                'expected_error_mode': 0,
+                'allow_delegation': True,
+                # Both tickets must be signed by the same RODC.
+                'modify_client_tkt_fn': self.signed_by_rodc,
+                'modify_service_tgt_fn': self.issued_by_rodc,
+                'client_opts': {
+                    'allowed_replication_mock': True,
+                    'revealed_to_mock_rodc': True,
+                },
+                'service1_opts': {
+                    'allowed_replication_mock': True,
+                    'revealed_to_mock_rodc': True,
+                },
+            })
+
+    def test_rbcd_rodc_issued(self):
+        self.skip_unless_fl2008()
+
+        self._run_delegation_test(
+            {
+                # Test that RODC-issued constrained delegation tickets are
+                # accepted.
+                'expected_error_mode': 0,
+                'allow_rbcd': True,
+                'pac_options': '0001',  # supports RBCD
+                # Both tickets must be signed by the same RODC.
+                'modify_client_tkt_fn': self.signed_by_rodc,
+                'modify_service_tgt_fn': self.issued_by_rodc,
+                'client_opts': {
+                    'allowed_replication_mock': True,
+                    'revealed_to_mock_rodc': True,
+                },
+                'service1_opts': {
+                    'allowed_replication_mock': True,
+                    'revealed_to_mock_rodc': True,
+                },
+            })
+
     def remove_pac_checksum(self, ticket, checksum):
         checksum_keys = self.get_krbtgt_checksum_key()
 

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 008fea552f610af6327c5563a361ad2a4720046d..cc818e4040d0a085058871b843118105ce8317d7 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -38,6 +38,7 @@
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued
 #
 # https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC
 #

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 1bf672d4178be839ba609bc9bbf1195ee2919118..9168afacb66c9cc1f93f16f466e44c3dfa95f21d 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -1514,6 +1514,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rodc_issued.fl2003dc:local
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local
 #

diff --git a/selftest/knownfail_mit_kdc_pre_1_20 b/selftest/knownfail_mit_kdc_pre_1_20
index e866dfd1126bd719f305f1045dbd6fbfc6b408d4..358c3c20e8e7c7334f870adf113ddefd9f8edf56 100644 (file)
--- a/selftest/knownfail_mit_kdc_pre_1_20
+++ b/selftest/knownfail_mit_kdc_pre_1_20
@@ -193,5 +193,6 @@ samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.Simple
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd\(
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info\(
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required\(
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued\(
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum\(
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum\(