selftest: Add new test to run krb5.kdc.canon against a user with an SPN for a UPN
authorAndrew Bartlett <abartlet@samba.org>
Mon, 27 Aug 2018 03:00:12 +0000 (15:00 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Wed, 5 Sep 2018 09:42:24 +0000 (11:42 +0200)
The test cases that fail here compared with Windows Server 1709 are added to
knownfail.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
selftest/knownfail.d/kdc-spn-is-upn [new file with mode: 0644]
selftest/selftest.pl
selftest/target/Samba4.pm
source4/selftest/tests.py

diff --git a/selftest/knownfail.d/kdc-spn-is-upn b/selftest/knownfail.d/kdc-spn-is-upn
new file mode 100644 (file)
index 0000000..9225ec2
--- /dev/null
@@ -0,0 +1,16 @@
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.normal
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.no-win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.lc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.lc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
+^samba4.krb5.kdc with account having identical UPN and SPN.canon.no-enterprise.uc-realm.uc-user.krb5-realm.win2k.spn.s4u2self
index 7eb5f74b3ef828c18515647c635b91be2084ab04..3ee266c4d0ac9e94c74d132d4c12e5c5b620696e 100755 (executable)
@@ -815,6 +815,7 @@ sub get_running_env($)
 my @exported_envvars = (
        # domain stuff
        "DOMAIN",
+       "DNSNAME",
        "REALM",
        "DOMSID",
 
index fb4fcc6e566c43b8ff7ffcada0fbeb4609cf28d2..68038fb518339312331e8f23fb9505dec49ef7b1 100755 (executable)
@@ -747,6 +747,7 @@ nogroup:x:65534:nobody
                DOMAIN => $ctx->{domain},
                USERNAME => $ctx->{username},
                REALM => $ctx->{realm},
+               DNSNAME => $ctx->{dnsname},
                SAMSID => $ctx->{samsid},
                PASSWORD => $ctx->{password},
                LDAPDIR => $ctx->{ldapdir},
@@ -866,6 +867,28 @@ userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
 ";
        close(LDIF);
 
+       $samba_tool_cmd = "";
+       $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
+       $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+           . " user create --configfile=$ctx->{smb_conf} testupnspn $ctx->{password}";
+       unless (system($samba_tool_cmd) == 0) {
+               warn("Unable to add testupnspn user: \n$samba_tool_cmd\n");
+               return undef;
+       }
+
+       my $user_dn = "cn=testupnspn,cn=users,$base_dn";
+       open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+       print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: http/testupnspn.$ctx->{dnsname}\@$ctx->{realm}
+replace: servicePrincipalName
+servicePrincipalName: http/testupnspn.$ctx->{dnsname}
+-
+";
+       close(LDIF);
+
        $samba_tool_cmd = "";
        $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
        $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" ";
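Review bot: The `ldbmodify` pipe opened with `open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");` is never checked, so if the UPN/SPN modify fails the environment still comes up and the new torture test then runs against an account that lacks the identical UPN and SPN it assumes; the `samba-tool user create` immediately above it does check `system(...) == 0` and returns undef on failure. A pipe's exit status is only available when the handle is closed, so the check belongs on the close: `unless (close(LDIF)) { warn("Unable to set UPN/SPN on testupnspn: $?"); return undef; }`. The LDIF also has no `-` separator between the two `replace:` blocks; ldb appears to accept this form, but adding the separator keeps the record conformant and costs one line. The two-arg `open` with a bareword handle follows the pattern already used by the `close(LDIF)` above this hunk, so that is better left to a separate cleanup. The enclosing sub begins and ends outside this hunk.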
index cb78dd001b99997a06f5d0199e7694e2ad36b2c5..8c3547d846983d1f9e192ed5a954eacef96cf755 100755 (executable)
@@ -1080,6 +1080,12 @@ plansmbtorture4testsuite('krb5.kdc', "rodc", ['ncacn_np:$SERVER_IP', "-k", "yes"
 env = "promoted_dc"
 plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-U$USERNAME%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM'],
                          "samba4.krb5.kdc with specified account")
+plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestupnspn%$PASSWORD', '--workgroup=$DOMAIN', '--realm=$REALM',
+                                           '--option=torture:expect_machine_account=true',
+                                           '--option=torture:krb5-upn=http/testupnspn.$DNSNAME@$REALM',
+                                           '--option=torture:krb5-hostname=testupnspn.$DNSNAME',
+                                           '--option=torture:krb5-service=http'],
+                         "samba4.krb5.kdc with account having identical UPN and SPN")
 
 
 for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]:
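Review bot: The account name `testupnspn`, the `$PASSWORD` it is created with, and the `http/testupnspn.$DNSNAME` UPN/SPN values passed in the new plansmbtorture4testsuite call must match what the provisioning code in selftest/target/Samba4.pm writes, and nothing at the call site says so; a one-line comment above it, `# testupnspn is provisioned in selftest/target/Samba4.pm with a UPN equal to its SPN (http/testupnspn.$DNSNAME)`, would make the coupling visible to whoever edits either file. The call also depends on `DNSNAME` being in `@exported_envvars` in selftest/selftest.pl, which this commit adds, and that is worth naming in the same comment. `env` is still `promoted_dc` from the assignment two lines above, so the test runs only there; if that is deliberate, stating it would save the next reader checking the knownfail list to find out.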