24
24
from k5test import *
26
26
# Create two independent realms (no cross-realm TGTs).
27
r1 = K5Realm(start_kadmind=False, create_user=False)
28
r2 = K5Realm(start_kadmind=False, create_user=False, realm='KRBTEST2.COM',
29
testdir=os.path.join(r1.testdir, 'r2'), portbase=62000)
27
r1 = K5Realm(create_user=False)
28
r2 = K5Realm(create_user=False, realm='KRBTEST2.COM', portbase=62000,
29
testdir=os.path.join(r1.testdir, 'r2'))
31
host1 = 'p:' + r1.host_princ
32
host2 = 'p:' + r2.host_princ
31
34
# gsserver specifies the target as a GSS name. The resulting
32
35
# principal will have the host-based type, but the realm won't be
33
36
# known before the client cache is selected (since k5test realms have
34
37
# no domain-realm mapping by default).
35
gssserver = 'gss:host@' + hostname
38
gssserver = 'h:host@' + hostname
37
40
# refserver specifies the target as a principal in the referral realm.
38
41
# The principal won't be treated as a host principal by the
39
42
# .k5identity rules since it has unknown type.
40
refserver = 'host/' + hostname + '@'
43
refserver = 'p:host/' + hostname + '@'
42
45
# Make each realm's keytab contain entries for both realm's servers.
43
46
#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
45
48
#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
46
49
# (r1.keytab, r2.keytab, ktutil)])
51
# Verify that we can't get initiator creds with no credentials in the
53
output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1)
54
if 'No Kerberos credentials available' not in output:
55
fail('Expected error not seen in output when no credentials available')
48
57
# Make a directory collection and use it for client commands in both realms.
49
58
ccdir = os.path.join(r1.testdir, 'cc')
50
59
ccname = 'DIR:' + ccdir
52
60
r1.env_client['KRB5CCNAME'] = ccname
53
61
r2.env_client['KRB5CCNAME'] = ccname
69
77
r2.kinit(zaphod, password('zaphod'))
71
79
# Check that we can find a cache for a specified client principal.
72
output = r1.run_as_client(['./t_ccselect', r1.host_princ, alice])
80
output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice])
73
81
if output != (alice + '\n'):
74
82
fail('alice not chosen when specified')
75
output = r2.run_as_client(['./t_ccselect', r2.host_princ, zaphod])
83
output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod])
76
84
if output != (zaphod + '\n'):
77
85
fail('zaphod not chosen when specified')
79
87
# Check that we can guess a cache based on the service realm.
80
output = r1.run_as_client(['./t_ccselect', r1.host_princ])
88
output = r1.run_as_client(['./t_ccselect', host1])
81
89
if output != (alice + '\n'):
82
90
fail('alice not chosen as default initiator cred for server in r1')
83
output = r1.run_as_client(['./t_ccselect', r1.host_princ, '-'])
91
output = r1.run_as_client(['./t_ccselect', host1, '-'])
84
92
if output != (alice + '\n'):
85
93
fail('alice not chosen as default initiator name for server in r1')
86
output = r2.run_as_client(['./t_ccselect', r2.host_princ])
94
output = r2.run_as_client(['./t_ccselect', host2])
87
95
if output != (zaphod + '\n'):
88
96
fail('zaphod not chosen as default initiator cred for server in r1')
89
output = r2.run_as_client(['./t_ccselect', r2.host_princ, '-'])
97
output = r2.run_as_client(['./t_ccselect', host2, '-'])
90
98
if output != (zaphod + '\n'):
91
99
fail('zaphod not chosen as default initiator name for server in r1')
105
113
k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
106
114
k5id.write('noprinc service=bogus')
108
output = r1.run_as_client(['./t_ccselect', r1.host_princ])
116
output = r1.run_as_client(['./t_ccselect', host1])
109
117
if output != (alice + '\n'):
110
118
fail('alice not chosen via .k5identity realm line.')
111
119
output = r2.run_as_client(['./t_ccselect', gssserver])
114
122
output = r1.run_as_client(['./t_ccselect', refserver])
115
123
if output != (bob + '\n'):
116
124
fail('bob not chosen via primary cache when no .k5identity line matches.')
117
output = r1.run_as_client(['./t_ccselect', 'gss:bogus@' + hostname],
125
output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname],
119
if 'does not match desired' not in output:
127
if 'Can\'t find client principal noprinc' not in output:
120
128
fail('Expected error not seen when k5identity selects bad principal.')
122
success('GSSAPI credential selection tests.')
130
success('GSSAPI credential selection tests')
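Review bot: The two r2 checks under "Check that we can guess a cache based on the service realm" still report `... for server in r1` when they fail, although the calls they follow now target `host2` through `r2.run_as_client`. A regression in credential selection for the second realm would be logged against the first, which misdirects triage of a test meant to show that the right identity is picked per realm. Since this commit rewrites the adjacent calls, it is a good place to change the messages to `fail('zaphod not chosen as default initiator cred for server in r2')` and `fail('zaphod not chosen as default initiator name for server in r2')`. Both message lines appear to be unchanged context, so the mismatch likely predates this commit.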