27
27
realm = K5Realm(start_kadmind=False)
29
# Verify the default test realm credentials with the default keytab.
30
30
realm.run_as_server(['./t_vfy_increds'])
31
realm.run_as_server(['./t_vfy_increds', '-n'])
32
33
# Verify after updating the keytab (so the keytab contains an outdated
33
34
# version 1 key followed by an up-to-date version 2 key).
34
35
realm.run_kadminl('ktadd ' + realm.host_princ)
35
36
realm.run_as_server(['./t_vfy_increds'])
37
realm.run_as_server(['./t_vfy_increds', '-n'])
37
39
# Bump the host key without updating the keytab and make sure that
38
40
# verification fails as we expect it to.
39
41
realm.run_kadminl('change_password -randkey ' + realm.host_princ)
40
42
realm.run_as_server(['./t_vfy_increds'], expected_code=1)
42
# Remove the keytab and verify again. This should succeed because
43
# verify_ap_req_nofail is not set.
44
os.remove(realm.keytab)
45
realm.run_as_server(['./t_vfy_increds'])
47
# Try with verify_ap_req_nofail set and no keytab. This should fail.
43
realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
45
# Simulate a system where the hostname has changed and the keytab
46
# contains host service principals with a hostname that no longer
47
# matches. Verify after updating the keytab with a host service
48
# principal that has hostname that doesn't match the host running the
49
# test. Verify should succeed, with or without nofail.
50
realm.run_kadminl('addprinc -randkey host/wrong.hostname')
51
realm.run_kadminl('ktadd host/wrong.hostname')
52
realm.run_as_server(['./t_vfy_increds'])
53
realm.run_as_server(['./t_vfy_increds', '-n'])
55
# Remove the keytab and verify again. This should succeed if nofail
56
# is not set, and fail if it is set.
57
os.remove(realm.keytab)
58
realm.run_as_server(['./t_vfy_increds'])
59
realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
61
# Create an empty keytab file and verify again. This simulates a
62
# system where an admin ran "touch krb5.keytab" to work around a
63
# Solaris Kerberos bug where krb5_kt_default() fails if the keytab
64
# file doesn't exist. Verification should succeed in nofail is not
65
# set. (An empty keytab file appears as corrupt to keytab calls,
66
# causing a KRB5_KEYTAB_BADVNO error, so any tightening of the
67
# krb5_verify_init_creds semantics needs to take this into account.)
68
open(realm.keytab, 'w').close()
69
realm.run_as_server(['./t_vfy_increds'])
70
realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
71
os.remove(realm.keytab)
73
# Add an NFS service principal to keytab. Verify should ignore it by
74
# default (succeeding unless nofail is set), but should verify with it
75
# when it is specifically requested.
76
realm.run_kadminl('addprinc -randkey ' + realm.nfs_princ)
77
realm.run_kadminl('ktadd ' + realm.nfs_princ)
78
realm.run_as_server(['./t_vfy_increds'])
79
realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
80
realm.run_as_server(['./t_vfy_increds', realm.nfs_princ])
81
realm.run_as_server(['./t_vfy_increds', '-n', realm.nfs_princ])
83
# Invalidating the NFS keys in the keytab. We should get the same
84
# results with the default principal argument, but verification should
85
# now fail if we request it specifically.
86
realm.run_kadminl('change_password -randkey ' + realm.nfs_princ)
87
realm.run_as_server(['./t_vfy_increds'])
88
realm.run_as_server(['./t_vfy_increds', '-n'], expected_code=1)
89
realm.run_as_server(['./t_vfy_increds', realm.nfs_princ], expected_code=1)
90
realm.run_as_server(['./t_vfy_increds', '-n', realm.nfs_princ],
93
# Spot-check that verify_ap_req_nofail works equivalently to the
94
# programmatic nofail option.
49
96
conf = { 'server' : { 'libdefaults' : { 'verify_ap_req_nofail' : 'true' } } }
50
97
realm = K5Realm(start_kadmind=False, krb5_conf=conf)