From cede7ccb322d9975010cf65aa01bd54bc08004ed Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 29 Aug 2019 15:38:11 +0200 Subject: [PATCH 1/7] TODO: lib/gssapi: maintain a global acceptor_cred in test_context.c --- lib/gssapi/test_context.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index 7cbe73b8b42..fcebb7e7c57 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c @@ -142,6 +142,8 @@ oid_to_string(const gss_OID oid) return "unknown oid"; } +static gss_cred_id_t acceptor_cred = GSS_C_NO_CREDENTIAL; + static void loop(gss_OID mechoid, gss_OID nameoid, const char *target, @@ -224,7 +226,7 @@ loop(gss_OID mechoid, maj_stat = gss_accept_sec_context(&min_stat, sctx, - GSS_C_NO_CREDENTIAL, + acceptor_cred, &output_token, GSS_C_NO_CHANNEL_BINDINGS, NULL, -- 2.17.1 From 1eab887cdf2e64405861c37b16e1fb22b34fa763 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 29 Aug 2019 15:38:11 +0200 Subject: [PATCH 2/7] TODO: lib/gssapi: make use of gss_acquire_cred_from() in test_context.c --- lib/gssapi/test_context.c | 28 +++++++++++++++++++++++----- 1 file changed, 23 insertions(+), 5 deletions(-) diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index fcebb7e7c57..ab67972fc25 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c @@ -619,6 +619,8 @@ main(int argc, char **argv) gss_OID_set mechoids = GSS_C_NO_OID_SET; gss_key_value_element_desc client_cred_elements[2]; gss_key_value_set_desc client_cred_store; + gss_key_value_element_desc acceptor_cred_elements[1]; + gss_key_value_set_desc acceptor_cred_store; setprogname(argv[0]); 
@@ -694,14 +696,30 @@ main(int argc, char **argv) oids, sizeof(oids)/sizeof(oids[0]), mechs_string); } + acceptor_cred_store.count = 0; + acceptor_cred_store.elements = acceptor_cred_elements; + if (gsskrb5_acceptor_identity) { - /* XXX replace this with cred store, but test suites will need work */ - maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity); - if (maj_stat) - errx(1, "gsskrb5_acceptor_identity: %s", - gssapi_err(maj_stat, 0, GSS_C_NO_OID)); + acceptor_cred_store.elements[acceptor_cred_store.count].key = "keytab"; + acceptor_cred_store.elements[acceptor_cred_store.count].value = gsskrb5_acceptor_identity; + + acceptor_cred_store.count++; } + maj_stat = gss_acquire_cred_from(&min_stat, + NULL, + GSS_C_INDEFINITE, + mechoids, + GSS_C_INITIATE, + acceptor_cred_store.count ? &acceptor_cred_store + : GSS_C_NO_CRED_STORE, + &acceptor_cred, + NULL, + NULL); + if (GSS_ERROR(maj_stat)) + errx(1, "gss_acquire_cred(acceptor): %s", + gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); + if (client_password && (client_ccache || client_keytab)) { errx(1, "password option mutually exclusive with ccache or keytab option"); } -- 2.17.1 From 4ea33e7236044672295ac275fb985d5a81f0945b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 29 Aug 2019 15:38:11 +0200 Subject: [PATCH 3/7] TODO: lib/gssapi: add --acceptor-no-transit-check option to test_context.c --- lib/gssapi/test_context.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index ab67972fc25..8935e273798 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c @@ -60,6 +60,7 @@ static int ei_flag = 0; static char *client_ccache = NULL; static char *client_keytab = NULL; static char *gsskrb5_acceptor_identity = NULL; +static int acceptor_no_transit_check = 0; static char *session_enctype_string = NULL; static int client_time_offset = 0; static int server_time_offset = 0; 
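Review bot: The acceptor credential in the `gss_acquire_cred_from()` call is requested with `GSS_C_INITIATE`, but it is the handle later passed to `gss_accept_sec_context()`, so the usage should be `GSS_C_ACCEPT` (or `GSS_C_BOTH`). The call is also unconditional now, so it runs even when no `--gsskrb5-acceptor-identity` keytab was given; with initiate usage it would presumably look for initiator credentials instead of a keytab, which may explain failures in suites that start without a ccache. The `errx()` text says `gss_acquire_cred(acceptor)` while the function called is `gss_acquire_cred_from`, and `NULL` for the desired name reads more clearly as `GSS_C_NO_NAME`. `main` continues outside this hunk, and no `gss_release_cred(&min_stat, &acceptor_cred)` is visible here; confirm that the global is released before exit.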
@@ -586,6 +587,8 @@ static struct getargs args[] = { "server should get a credential", NULL }, {"export-import-cred",0, arg_flag, &ei_flag, "test export/import cred", NULL }, {"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL }, + {"acceptor-no-transit-check", 0, arg_flag, &acceptor_no_transit_check, + "skip transited checks", NULL }, {"session-enctype", 0, arg_string, &session_enctype_string, "enctype", NULL }, {"client-time-offset", 0, arg_integer, &client_time_offset, "time", NULL }, {"server-time-offset", 0, arg_integer, &server_time_offset, "time", NULL }, @@ -720,6 +723,18 @@ main(int argc, char **argv) errx(1, "gss_acquire_cred(acceptor): %s", gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); + if (acceptor_no_transit_check) { + gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; + + maj_stat = gss_set_cred_option(&min_stat, + &acceptor_cred, + (gss_OID)GSS_KRB5_CRED_NO_TRANSIT_CHECK_X, + &empty_buffer); + if (GSS_ERROR(maj_stat)) + errx(1, "gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X): %s", + gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); + } + if (client_password && (client_ccache || client_keytab)) { errx(1, "password option mutually exclusive with ccache or keytab option"); } -- 2.17.1 From e85f618b879dad5c4a4bd0c95e93798ede77cd61 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 24 Sep 2019 01:33:05 +0200 Subject: [PATCH 4/7] Revert "TODO: lib/gssapi: add --acceptor-no-transit-check option to test_context.c" This reverts commit 4ea33e7236044672295ac275fb985d5a81f0945b. --- lib/gssapi/test_context.c | 15 --------------- 1 file changed, 15 deletions(-) diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index 8935e273798..ab67972fc25 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c 
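Review bot: The new `acceptor_no_transit_check` branch in `main` turns off transited-path validation on the acceptor credential, and nothing in the hunk says that this is a test-only knob or what then guarantees the cross-realm path. I would add a comment above the `gss_set_cred_option()` call, for example `/* test only: the acceptor accepts the ticket without validating the transited realm list itself */`. The help string in the `args[]` hunk of this patch could name the side it affects, e.g. `"acceptor skips transited checks"`. `empty_buffer` is passed as the option value; whether the mechanism expects an empty value for `GSS_KRB5_CRED_NO_TRANSIT_CHECK_X` is not visible here and is worth confirming.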
@@ -60,7 +60,6 @@ static int ei_flag = 0; static char *client_ccache = NULL; static char *client_keytab = NULL; static char *gsskrb5_acceptor_identity = NULL; -static int acceptor_no_transit_check = 0; static char *session_enctype_string = NULL; static int client_time_offset = 0; static int server_time_offset = 0; @@ -587,8 +586,6 @@ static struct getargs args[] = { "server should get a credential", NULL }, {"export-import-cred",0, arg_flag, &ei_flag, "test export/import cred", NULL }, {"gsskrb5-acceptor-identity", 0, arg_string, &gsskrb5_acceptor_identity, "keytab", NULL }, - {"acceptor-no-transit-check", 0, arg_flag, &acceptor_no_transit_check, - "skip transited checks", NULL }, {"session-enctype", 0, arg_string, &session_enctype_string, "enctype", NULL }, {"client-time-offset", 0, arg_integer, &client_time_offset, "time", NULL }, {"server-time-offset", 0, arg_integer, &server_time_offset, "time", NULL }, @@ -723,18 +720,6 @@ main(int argc, char **argv) errx(1, "gss_acquire_cred(acceptor): %s", gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); - if (acceptor_no_transit_check) { - gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER; - - maj_stat = gss_set_cred_option(&min_stat, - &acceptor_cred, - (gss_OID)GSS_KRB5_CRED_NO_TRANSIT_CHECK_X, - &empty_buffer); - if (GSS_ERROR(maj_stat)) - errx(1, "gss_set_cred_option(GSS_KRB5_CRED_NO_TRANSIT_CHECK_X): %s", - gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); - } - if (client_password && (client_ccache || client_keytab)) { errx(1, "password option mutually exclusive with ccache or keytab option"); } -- 2.17.1 From 835159d405bc62085fef98614af5de8c4bc5c1f5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 24 Sep 2019 01:33:09 +0200 Subject: [PATCH 5/7] Revert "TODO: lib/gssapi: make use of gss_acquire_cred_from() in test_context.c" This reverts commit 1eab887cdf2e64405861c37b16e1fb22b34fa763. --- lib/gssapi/test_context.c | 28 +++++----------------------- 1 file changed, 5 insertions(+), 23 deletions(-) 
diff --git a/lib/gssapi/test_context.c b/lib/gssapi/test_context.c index ab67972fc25..fcebb7e7c57 100644 --- a/lib/gssapi/test_context.c +++ b/lib/gssapi/test_context.c @@ -619,8 +619,6 @@ main(int argc, char **argv) gss_OID_set mechoids = GSS_C_NO_OID_SET; gss_key_value_element_desc client_cred_elements[2]; gss_key_value_set_desc client_cred_store; - gss_key_value_element_desc acceptor_cred_elements[1]; - gss_key_value_set_desc acceptor_cred_store; setprogname(argv[0]); @@ -696,30 +694,14 @@ main(int argc, char **argv) oids, sizeof(oids)/sizeof(oids[0]), mechs_string); } - acceptor_cred_store.count = 0; - acceptor_cred_store.elements = acceptor_cred_elements; - if (gsskrb5_acceptor_identity) { - acceptor_cred_store.elements[acceptor_cred_store.count].key = "keytab"; - acceptor_cred_store.elements[acceptor_cred_store.count].value = gsskrb5_acceptor_identity; - - acceptor_cred_store.count++; + /* XXX replace this with cred store, but test suites will need work */ + maj_stat = gsskrb5_register_acceptor_identity(gsskrb5_acceptor_identity); + if (maj_stat) + errx(1, "gsskrb5_acceptor_identity: %s", + gssapi_err(maj_stat, 0, GSS_C_NO_OID)); } - maj_stat = gss_acquire_cred_from(&min_stat, - NULL, - GSS_C_INDEFINITE, - mechoids, - GSS_C_INITIATE, - acceptor_cred_store.count ? &acceptor_cred_store - : GSS_C_NO_CRED_STORE, - &acceptor_cred, - NULL, - NULL); - if (GSS_ERROR(maj_stat)) - errx(1, "gss_acquire_cred(acceptor): %s", - gssapi_err(maj_stat, min_stat, GSS_C_NO_OID)); - if (client_password && (client_ccache || client_keytab)) { errx(1, "password option mutually exclusive with ccache or keytab option"); } -- 2.17.1 From 67331e368e5b7a2ddde709a2ea7b5ad98e70d2c5 Mon Sep 17 00:00:00 2001 
From: Stefan Metzmacher Date: Fri, 30 Aug 2019 19:07:35 +0200 Subject: [PATCH 6/7] DOES NOT WORK --- kdc/krb5tgs.c | 2 +- lib/gssapi/krb5/accept_sec_context.c | 1 + lib/krb5/rd_req.c | 100 ++++++++++++++++++++++++++- tests/kdc/check-kdc.in | 9 +++ 4 files changed, 109 insertions(+), 3 deletions(-) diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index 230f6a2c9db..d57089d7794 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -742,7 +742,7 @@ fix_transited_encoding(krb5_context context, client_realm, server_realm); goto free_realms; } - et->flags.transited_policy_checked = 1; + et->flags.transited_policy_checked = 0; } et->transited.tr_type = DOMAIN_X500_COMPRESS; ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents); diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c index 37786934850..9d3c978ca6e 100644 --- a/lib/gssapi/krb5/accept_sec_context.c +++ b/lib/gssapi/krb5/accept_sec_context.c @@ -427,6 +427,7 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, } } + verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK; kret = krb5_rd_req_in_ctx_alloc(context, &in); if (kret == 0) kret = krb5_rd_req_in_set_keytab(context, in, keytab); diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c index 5426dd70040..dc42296b394 100644 --- a/lib/krb5/rd_req.c +++ b/lib/krb5/rd_req.c 
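Review bot: In `fix_transited_encoding` the assignment `et->flags.transited_policy_checked = 0;` sits on the path reached after the KDC's own transit check has passed (the failure case just above jumps to `free_realms`). The issued ticket therefore never tells the service that the path was validated. Every acceptor then has to repeat the check locally, and one without matching capaths configuration would presumably reject tickets the KDC already approved. If this is only meant to exercise the acceptor-side check in the test suite, it needs a comment and a configuration switch rather than a hard-coded `0`. The function body extends beyond this hunk on both sides.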
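Review bot: `verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK;` in `gsskrb5_acceptor_start` is applied unconditionally, so every GSS-API krb5 acceptor in the process changes how it validates the transited realm list, whatever the caller configured. A security-relevant flag like this should be gated on an explicit per-credential or per-context option, for example `if (/* option set on the acceptor cred */) verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK;`, with a comment naming who is responsible for the check when it is skipped. How `verify_ap_req_flags` is initialised is outside this hunk.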
@@ -167,6 +167,90 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) return ret; } +static krb5_error_code +krb5_check_transited2(krb5_context context, + krb5_const_realm client_realm, + krb5_const_realm server_realm, + krb5_realm *realms, + unsigned int num_realms, + int *bad_realm) +{ + krb5_error_code ret = 0; + char **capath = NULL; + size_t num_capath = 0; + size_t i = 0; + size_t j = 0; + + //abort(); + system("/usr/bin/xterm &"); + system("/bin/sleep 123456789"); + krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT, + N_("no transit allowed METZE", "")); + if (bad_realm) + *bad_realm = 0; + return KRB5KRB_AP_ERR_ILL_CR_TKT; + /* In transit checks hierarchical capaths are optional */ + ret = _krb5_find_capath(context, client_realm, client_realm, server_realm, + FALSE, &capath, &num_capath); + if (ret) + return ret; + + for (i = 0; i < num_realms; i++) { + for (j = 0; j < num_capath; ++j) { + if (strcmp(realms[i], capath[j]) == 0) + break; + } + if (j == num_capath) { + _krb5_free_capath(context, capath); + krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT, + N_("no transit allowed " + "through realm %s from %s to %s", ""), + realms[i], client_realm, server_realm); + if (bad_realm) + *bad_realm = i; + return KRB5KRB_AP_ERR_ILL_CR_TKT; + } + } + + _krb5_free_capath(context, capath); + return 0; +} + +static krb5_error_code +check_transited2(krb5_context context, Ticket *ticket, EncTicketPart *enc) +{ + char **realms; + unsigned int num_realms, n; + krb5_error_code ret; + + /* + * Windows 2000 and 2003 uses this inside their TGT so it's normaly + * not seen by others, however, samba4 joined with a Windows AD as + * a Domain Controller gets exposed to this. 
+ */ + if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) + return 0; + + if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) + return KRB5KDC_ERR_TRTYPE_NOSUPP; + + if(enc->transited.contents.length == 0) + return 0; + + ret = krb5_domain_x500_decode(context, enc->transited.contents, + &realms, &num_realms, + enc->crealm, + ticket->realm); + if(ret) + return ret; + ret = krb5_check_transited2(context, enc->crealm, + ticket->realm, + realms, num_realms, NULL); + for (n = 0; n < num_realms; n++) + free(realms[n]); + free(realms); + return ret; +} static krb5_error_code find_etypelist(krb5_context context, krb5_auth_context auth_context, @@ -220,13 +304,25 @@ krb5_decrypt_ticket(krb5_context context, return KRB5KRB_AP_ERR_TKT_EXPIRED; } - if(!t.flags.transited_policy_checked - && !(flags & KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK)) { + if(!t.flags.transited_policy_checked) { + + if (!(flags & KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK)) { ret = check_transited(context, ticket, &t); if(ret) { free_EncTicketPart(&t); return ret; } + } else { + ret = check_transited2(context, ticket, &t); + if(ret) { + free_EncTicketPart(&t); + return ret; + } + //abort(); + } + + } else { + //abort(); } } diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in index bef937d7484..e18b7557605 100644 --- a/tests/kdc/check-kdc.in +++ b/tests/kdc/check-kdc.in @@ -99,6 +99,8 @@ kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}" test_set_kvno0="${test_set_kvno0} -c $cache" +context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context" + rm -f ${keytabfile} rm -f current-db* rm -f out-* 
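Review bot: `krb5_check_transited2` calls `system("/usr/bin/xterm &")` and `system("/bin/sleep 123456789")` and then returns `KRB5KRB_AP_ERR_ILL_CR_TKT` unconditionally, so the `_krb5_find_capath()` lookup and the realm comparison loop below it are dead code. Spawning a shell from the library's ticket-verification path means any server that reaches it forks child processes and blocks for the length of the sleep, with the privileges of that server. Debugging aids like these belong in a debugger or a debug log, not in the source tree. Remove the two `system()` calls, the `"no transit allowed METZE"` message and the early `return`, so that the capath check runs. `*bad_realm = i;` also narrows a `size_t` to `int`. `check_transited2` is a line-for-line copy of the existing `check_transited` apart from the function it calls, so a shared helper taking the checker as a parameter would avoid the duplication.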
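Review bot: In `krb5_decrypt_ticket` the `KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK` flag no longer means "skip the check", because the new `else` branch calls `check_transited2()` when the flag is set. Existing callers that pass the flag to opt out now get a second validation path that, as written in this patch, fails for any ticket with a non-empty transited list. If a separate acceptor-side policy is wanted, give it its own flag instead of inverting the meaning of this one, and document the new flag where the flags are defined. The commented-out `//abort();` lines and the empty `else { //abort(); }` branch should be dropped, and the re-nested block re-indented. The function starts and ends outside this hunk.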
@@ -402,8 +404,15 @@ echo "Getting x-realm tickets with capaths for $R -> $R7" ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; } echo "Should not get x-realm tickets with capaths for $R -> $R8" ${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; } + +${klist} && { eval "$testfailed"; } +echo "Testing x-realm context with capaths for $R -> $R7" +${context} --mech-type=krb5 foo@${R2} || { eval "$testfailed"; } + ${kdestroy} +# gss_acquire_cred_with_password() must not have side-effects +${klist} && { eval "$testfailed"; } echo "Testing capaths logic (reverse order)" ${kinit} --password-file=${objdir}/foopassword \ -e ${aesenctype} -e ${aesenctype} \ -- 2.17.1 From 30d357cdffd003c636d558cbadf15e40c84081b8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 24 Sep 2019 01:33:15 +0200 Subject: [PATCH 7/7] Revert "DOES NOT WORK" This reverts commit 67331e368e5b7a2ddde709a2ea7b5ad98e70d2c5. --- kdc/krb5tgs.c | 2 +- lib/gssapi/krb5/accept_sec_context.c | 1 - lib/krb5/rd_req.c | 100 +-------------------------- tests/kdc/check-kdc.in | 9 --- 4 files changed, 3 insertions(+), 109 deletions(-) diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c index d57089d7794..230f6a2c9db 100644 --- a/kdc/krb5tgs.c +++ b/kdc/krb5tgs.c @@ -742,7 +742,7 @@ fix_transited_encoding(krb5_context context, client_realm, server_realm); goto free_realms; } - et->flags.transited_policy_checked = 0; + et->flags.transited_policy_checked = 1; } et->transited.tr_type = DOMAIN_X500_COMPRESS; ret = krb5_domain_x500_encode(realms, num_realms, &et->transited.contents); diff --git a/lib/gssapi/krb5/accept_sec_context.c b/lib/gssapi/krb5/accept_sec_context.c index 9d3c978ca6e..37786934850 100644 --- a/lib/gssapi/krb5/accept_sec_context.c +++ b/lib/gssapi/krb5/accept_sec_context.c 
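Review bot: The three added checks call `eval "$testfailed"` without setting `ec=1` first, unlike the `${kgetcred}` lines directly above, so a failure here may not reach the script's exit status; `testfailed` is defined outside this hunk, so confirm what it does. Suggested form: `${context} --mech-type=krb5 foo@${R2} || { ec=1 ; eval "${testfailed}"; }`. The `echo` announces a context test for `$R -> $R7` while the command targets `foo@${R2}`, and the comment about `gss_acquire_cred_with_password()` does not match anything this hunk runs. The first `${klist} && …` also runs right after successful `${kgetcred}` calls, when a credential cache presumably still exists, so it looks as if it would always flag a failure.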
@@ -427,7 +427,6 @@ gsskrb5_acceptor_start(OM_uint32 * minor_status, } } - verify_ap_req_flags |= KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK; kret = krb5_rd_req_in_ctx_alloc(context, &in); if (kret == 0) kret = krb5_rd_req_in_set_keytab(context, in, keytab); diff --git a/lib/krb5/rd_req.c b/lib/krb5/rd_req.c index dc42296b394..5426dd70040 100644 --- a/lib/krb5/rd_req.c +++ b/lib/krb5/rd_req.c 
@@ -167,90 +167,6 @@ check_transited(krb5_context context, Ticket *ticket, EncTicketPart *enc) return ret; } -static krb5_error_code -krb5_check_transited2(krb5_context context, - krb5_const_realm client_realm, - krb5_const_realm server_realm, - krb5_realm *realms, - unsigned int num_realms, - int *bad_realm) -{ - krb5_error_code ret = 0; - char **capath = NULL; - size_t num_capath = 0; - size_t i = 0; - size_t j = 0; - - //abort(); - system("/usr/bin/xterm &"); - system("/bin/sleep 123456789"); - krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT, - N_("no transit allowed METZE", "")); - if (bad_realm) - *bad_realm = 0; - return KRB5KRB_AP_ERR_ILL_CR_TKT; - /* In transit checks hierarchical capaths are optional */ - ret = _krb5_find_capath(context, client_realm, client_realm, server_realm, - FALSE, &capath, &num_capath); - if (ret) - return ret; - - for (i = 0; i < num_realms; i++) { - for (j = 0; j < num_capath; ++j) { - if (strcmp(realms[i], capath[j]) == 0) - break; - } - if (j == num_capath) { - _krb5_free_capath(context, capath); - krb5_set_error_message (context, KRB5KRB_AP_ERR_ILL_CR_TKT, - N_("no transit allowed " - "through realm %s from %s to %s", ""), - realms[i], client_realm, server_realm); - if (bad_realm) - *bad_realm = i; - return KRB5KRB_AP_ERR_ILL_CR_TKT; - } - } - - _krb5_free_capath(context, capath); - return 0; -} - -static krb5_error_code -check_transited2(krb5_context context, Ticket *ticket, EncTicketPart *enc) -{ - char **realms; - unsigned int num_realms, n; - krb5_error_code ret; - - /* - * Windows 2000 and 2003 uses this inside their TGT so it's normaly - * not seen by others, however, samba4 joined with a Windows AD as - * a Domain Controller gets exposed to this. 
- */ - if(enc->transited.tr_type == 0 && enc->transited.contents.length == 0) - return 0; - - if(enc->transited.tr_type != DOMAIN_X500_COMPRESS) - return KRB5KDC_ERR_TRTYPE_NOSUPP; - - if(enc->transited.contents.length == 0) - return 0; - - ret = krb5_domain_x500_decode(context, enc->transited.contents, - &realms, &num_realms, - enc->crealm, - ticket->realm); - if(ret) - return ret; - ret = krb5_check_transited2(context, enc->crealm, - ticket->realm, - realms, num_realms, NULL); - for (n = 0; n < num_realms; n++) - free(realms[n]); - free(realms); - return ret; -} static krb5_error_code find_etypelist(krb5_context context, krb5_auth_context auth_context, @@ -304,25 +220,13 @@ krb5_decrypt_ticket(krb5_context context, return KRB5KRB_AP_ERR_TKT_EXPIRED; } - if(!t.flags.transited_policy_checked) { - - if (!(flags & KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK)) { + if(!t.flags.transited_policy_checked + && !(flags & KRB5_VERIFY_AP_REQ_NO_TRANSITED_CHECK)) { ret = check_transited(context, ticket, &t); if(ret) { free_EncTicketPart(&t); return ret; } - } else { - ret = check_transited2(context, ticket, &t); - if(ret) { - free_EncTicketPart(&t); - return ret; - } - //abort(); - } - - } else { - //abort(); } } diff --git a/tests/kdc/check-kdc.in b/tests/kdc/check-kdc.in index e18b7557605..bef937d7484 100644 --- a/tests/kdc/check-kdc.in +++ b/tests/kdc/check-kdc.in @@ -99,8 +99,6 @@ kdestroy="${kdestroy} -c $cache ${afs_no_unlog}" kimpersonate="${kimpersonate} -k ${keytab} --ccache=${ocache}" test_set_kvno0="${test_set_kvno0} -c $cache" -context="${TESTS_ENVIRONMENT} ../../lib/gssapi/test_context" - rm -f ${keytabfile} rm -f current-db* rm -f out-* 
@@ -404,15 +402,8 @@ echo "Getting x-realm tickets with capaths for $R -> $R7" ${kgetcred} foo@${R7} || { ec=1 ; eval "${testfailed}"; } echo "Should not get x-realm tickets with capaths for $R -> $R8" ${kgetcred} foo@${R8} && { ec=1 ; eval "${testfailed}"; } - -${klist} && { eval "$testfailed"; } -echo "Testing x-realm context with capaths for $R -> $R7" -${context} --mech-type=krb5 foo@${R2} || { eval "$testfailed"; } - ${kdestroy} -# gss_acquire_cred_with_password() must not have side-effects -${klist} && { eval "$testfailed"; } echo "Testing capaths logic (reverse order)" ${kinit} --password-file=${objdir}/foopassword \ -e ${aesenctype} -e ${aesenctype} \ -- 2.17.1