From bba3b02b30503caa70c9e03890a6e30d51c6e660 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 26 Aug 2019 17:04:06 +0200
Subject: [PATCH 1/6] lib/krb5: rework [krb5_]rd_req_decoded_opt() to be more flexible

This makes it easier to control the behavior without adding a new wrapper function each time. I'll add a KRB5_RD_REQ_NO_TRANSIT_CHECK flag and let gss_accept_sec_context() use krb5_rd_req_decoded_opt() in the following commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher
---
 src/include/k5-int.h | 15 ++++++++++++++
 src/lib/krb5/krb/rd_req_dec.c | 39 +++++++++++++++++++++++------------
 src/lib/krb5/libkrb5.exports | 1 +
 src/lib/krb5_32.def | 1 +
 4 files changed, 43 insertions(+), 13 deletions(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index 77d7abce1..d9b2cdbaf 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2121,6 +2121,21 @@ krb5_error_code KRB5_CALLCONV krb5_get_default_config_files(char ***filenames);
 
 void KRB5_CALLCONV krb5_free_config_files(char **filenames);
 
+#define KRB5_RD_REQ_CHECK_VALID_FLAG (1 << 0)
+
+#define _KRB5_RD_REQ_VALID_FLAGS ( \
+ KRB5_RD_REQ_CHECK_VALID_FLAG | \
+ 0)
+
+krb5_error_code krb5_rd_req_decoded_opt(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_ap_req *req,
+ krb5_const_principal server,
+ krb5_keytab keytab,
+ krb5_flags *ap_req_options,
+ krb5_ticket **ticket,
+ unsigned int opt_flags);
+
 krb5_error_code krb5_rd_req_decoded(krb5_context, krb5_auth_context *,
 const krb5_ap_req *, krb5_const_principal,
 krb5_keytab, krb5_flags *, krb5_ticket **);
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index 72bc8fe97..ba4d74572 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
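Review bot: `_KRB5_RD_REQ_VALID_FLAGS` in the k5-int.h hunk is a reserved identifier — a leading underscore followed by an uppercase letter belongs to the implementation (C11 §7.1.3) — so the macro should be renamed, e.g. `#define KRB5_RD_REQ_ALL_FLAGS ( \`, with the use in the rd_req_dec.c `EINVAL` check and the extension in the second patch's k5-int.h hunk following. The new `krb5_rd_req_decoded_opt()` prototype also says nothing about what `opt_flags` accepts; a comment above it such as `/* opt_flags: bitwise OR of KRB5_RD_REQ_* flags; any other bit is rejected with EINVAL. */` would let callers of the newly exported symbol avoid reading rd_req_dec.c. Since libkrb5.exports now exports the symbol while the declaration stays in k5-int.h and the .def entry marks it `PRIVATE GSSAPI`, that comment is also the natural place to state `Internal to libkrb5/libgssapi_krb5; not a public API.`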
@@ -441,11 +441,15 @@ decrypt_ticket(krb5_context context, const krb5_ap_req *req,
 #endif /* LEAN_CLIENT */
 }
 
-static krb5_error_code
-rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
- const krb5_ap_req *req, krb5_const_principal server,
- krb5_keytab keytab, krb5_flags *ap_req_options,
- krb5_ticket **ticket, int check_valid_flag)
+krb5_error_code
+krb5_rd_req_decoded_opt(krb5_context context,
+ krb5_auth_context *auth_context,
+ const krb5_ap_req *req,
+ krb5_const_principal server,
+ krb5_keytab keytab,
+ krb5_flags *ap_req_options,
+ krb5_ticket **ticket,
+ unsigned int opt_flags)
 {
 krb5_error_code retval = 0;
 krb5_enctype *desired_etypes = NULL;
@@ -454,6 +458,15 @@ rd_req_decoded_opt(krb5_context context, krb5_auth_context *auth_context,
 krb5_enctype *permitted_etypes = NULL;
 int permitted_etypes_len = 0;
 krb5_keyblock decrypt_key;
+ int check_valid_flag = 0;
+
+ if (opt_flags & ~_KRB5_RD_REQ_VALID_FLAGS) {
+ return EINVAL;
+ }
+
+ if (opt_flags & KRB5_RD_REQ_CHECK_VALID_FLAG) {
+ check_valid_flag = 1;
+ }
 
 decrypt_key.enctype = ENCTYPE_NULL;
 decrypt_key.contents = NULL;
@@ -762,10 +775,10 @@ krb5_rd_req_decoded(krb5_context context, krb5_auth_context *auth_context,
 krb5_ticket **ticket)
 {
 krb5_error_code retval;
- retval = rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- ap_req_options, ticket,
- 1); /* check_valid_flag */
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ KRB5_RD_REQ_CHECK_VALID_FLAG);
 return retval;
 }
 
@@ -777,10 +790,10 @@ krb5_rd_req_decoded_anyflag(krb5_context context,
 krb5_flags *ap_req_options, krb5_ticket **ticket)
 {
 krb5_error_code retval;
- retval = rd_req_decoded_opt(context, auth_context,
- req, server, keytab,
- ap_req_options, ticket,
- 0); /* don't check_valid_flag */
+ retval = krb5_rd_req_decoded_opt(context, auth_context,
+ req, server, keytab,
+ ap_req_options, ticket,
+ 0); /* don't check_valid_flag */
 return retval;
 }
 
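Review bot: The new checks `if (opt_flags & ~_KRB5_RD_REQ_VALID_FLAGS) { return EINVAL; }` and `if (opt_flags & KRB5_RD_REQ_CHECK_VALID_FLAG) { check_valid_flag = 1; }` brace single-statement bodies, which, as far as this page shows, differs from the tree's prevailing style (compare the unbraced `if (argc >= 3)` context line in t_accname.c); the same applies to the `if (cred->no_transit_check)` block in the fourth patch's accept_sec_context.c hunk and the `strcmp` check in the fifth patch's t_accname.c hunk. The second check can simply become the initialiser, `int check_valid_flag = (opt_flags & KRB5_RD_REQ_CHECK_VALID_FLAG) != 0;`. Rejecting unknown bits before anything is acquired looks leak-free from what the hunk shows, but a one-line comment that unknown bits are refused on purpose rather than ignored, `/* Reject unknown bits so new flags cannot be silently misread by old callers. */`, would protect that intent when further flags are added. `krb5_rd_req_decoded_opt()` continues outside the hunk.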
diff --git a/src/lib/krb5/libkrb5.exports b/src/lib/krb5/libkrb5.exports
index 55e263545..92bd4ac6e 100644
--- a/src/lib/krb5/libkrb5.exports
+++ b/src/lib/krb5/libkrb5.exports
@@ -516,6 +516,7 @@ krb5_rd_rep_dce
 krb5_rd_req
 krb5_rd_req_decoded
 krb5_rd_req_decoded_anyflag
+krb5_rd_req_decoded_opt
 krb5_rd_safe
 krb5_read_message
 krb5_read_password
diff --git a/src/lib/krb5_32.def b/src/lib/krb5_32.def
index c327ceb15..2ce7dd0f9 100644
--- a/src/lib/krb5_32.def
+++ b/src/lib/krb5_32.def
@@ -489,3 +489,4 @@ EXPORTS
 ; new in 1.18
 krb5int_c_deprecated_enctype @450 ; PRIVATE
 krb5_pac_get_client_info @451
+ krb5_rd_req_decoded_opt @452 ; PRIVATE GSSAPI
-- 
2.17.1

From b53ad0220fe50522a3b06f05eb9ed54ae8935c5e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 26 Aug 2019 17:10:23 +0200
Subject: [PATCH 2/6] lib/krb5: add KRB5_RD_REQ_NO_TRANSIT_CHECK to krb5_]rd_req_decoded_opt()

This will allow GSS_KRB5_CRED_NO_TRANSIT_CHECK_X to be implemented in the next commits.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher
---
 src/include/k5-int.h | 2 ++
 src/lib/krb5/krb/rd_req_dec.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/src/include/k5-int.h b/src/include/k5-int.h
index d9b2cdbaf..e96489917 100644
--- a/src/include/k5-int.h
+++ b/src/include/k5-int.h
@@ -2122,9 +2122,11 @@ krb5_error_code KRB5_CALLCONV krb5_get_default_config_files(char ***filenames);
 void KRB5_CALLCONV krb5_free_config_files(char **filenames);
 
 #define KRB5_RD_REQ_CHECK_VALID_FLAG (1 << 0)
+#define KRB5_RD_REQ_NO_TRANSIT_CHECK (1 << 1)
 
 #define _KRB5_RD_REQ_VALID_FLAGS ( \
 KRB5_RD_REQ_CHECK_VALID_FLAG | \
+ KRB5_RD_REQ_NO_TRANSIT_CHECK | \
 0)
 
 krb5_error_code krb5_rd_req_decoded_opt(krb5_context context,
diff --git a/src/lib/krb5/krb/rd_req_dec.c b/src/lib/krb5/krb/rd_req_dec.c
index ba4d74572..9f8ab107f 100644
--- a/src/lib/krb5/krb/rd_req_dec.c
+++ b/src/lib/krb5/krb/rd_req_dec.c
@@ -574,7 +574,7 @@ krb5_rd_req_decoded_opt(krb5_context context,
 
 /* Hierarchical Cross-Realm */
 
- {
+ if (!(opt_flags & KRB5_RD_REQ_NO_TRANSIT_CHECK)) {
 krb5_data * realm;
 krb5_transited * trans;
 
-- 
2.17.1

From 4305c7dd52b92667ec51c86867659a16f28d79c2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Mon, 26 Aug 2019 17:11:30 +0200
Subject: [PATCH 3/6] lib/gssapi/krb5: let kg_accept_krb5() use krb5_rd_req_decoded_opt() directly

This makes it easier to implement GSS_KRB5_CRED_NO_TRANSIT_CHECK_X in the next commit.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher
---
 src/lib/gssapi/krb5/accept_sec_context.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index c821cc830..f1cb198fc 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -469,6 +469,7 @@ kg_accept_krb5(minor_status, context_handle,
 krb5_authdata_context ad_context = NULL;
 krb5_principal accprinc = NULL;
 krb5_ap_req *request = NULL;
+ unsigned int opt_flags = KRB5_RD_REQ_CHECK_VALID_FLAG;
 
 code = krb5int_accessor (&kaccess, KRB5INT_ACCESS_VERSION);
 if (code) {
@@ -641,8 +642,8 @@ kg_accept_krb5(minor_status, context_handle,
 }
 }
 
- code = krb5_rd_req_decoded(context, &auth_context, request, accprinc,
- cred->keytab, &ap_req_options, NULL);
+ code = krb5_rd_req_decoded_opt(context, &auth_context, request, accprinc,
+ cred->keytab, &ap_req_options, NULL, opt_flags);
 krb5_free_principal(context, accprinc);
 
 if (code) {
-- 
2.17.1

From 061fa29d1ad59b7f556e4586bcb60c4da77cc3ae Mon Sep 17 00:00:00 2001
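Review bot: With `KRB5_RD_REQ_NO_TRANSIT_CHECK` set the entire transited-realm block is skipped, so libkrb5 applies no cross-realm path policy at all to that ticket and correctness rests wholly on the caller doing its own authorization; the commit message names a verified PAC for that, but nothing at the check documents the contract. A comment at the new condition would make it explicit: `/* KRB5_RD_REQ_NO_TRANSIT_CHECK: the caller opts out of the transited-realm policy check and must authorize the cross-realm path itself (e.g. via a verified PAC). */`. It is also worth confirming that whatever else the skipped block does (presumably the TKT_FLG_TRANSIT_POLICY_CHECKED handling lives there) is not relied on later in the function. `krb5_rd_req_decoded_opt()` begins and ends outside this hunk.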
From: Stefan Metzmacher
Date: Mon, 26 Aug 2019 17:12:56 +0200
Subject: [PATCH 4/6] TODO: heimal master first lib/gssapi/krb5: implement GSS_KRB5_CRED_NO_TRANSIT_CHECK_X

The trust topology of active directory domains is only known to the [K]DCs. Domain members just rely on their trust to their primary domain. As long as the KDC generated a valid service ticket it should be accepted. Further verification is done by checking the signed PAC and use its content to construct an authorization token. Samba will use GSS_KRB5_CRED_NO_TRANSIT_CHECK_X and require a verified PAC. This avoids having a correctly configured [capaths] section in the krb5.conf.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher
---
 src/lib/gssapi/krb5/accept_sec_context.c | 4 ++++
 src/lib/gssapi/krb5/acquire_cred.c | 1 +
 src/lib/gssapi/krb5/gssapiP_krb5.h | 1 +
 src/lib/gssapi/krb5/gssapi_krb5.c | 28 ++++++++++++++++++++++++
 src/lib/gssapi/krb5/gssapi_krb5.h | 12 ++++++++++
 src/lib/gssapi/libgssapi_krb5.exports | 1 +
 src/lib/gssapi32.def | 2 ++
 7 files changed, 49 insertions(+)

diff --git a/src/lib/gssapi/krb5/accept_sec_context.c b/src/lib/gssapi/krb5/accept_sec_context.c
index f1cb198fc..3624884ec 100644
--- a/src/lib/gssapi/krb5/accept_sec_context.c
+++ b/src/lib/gssapi/krb5/accept_sec_context.c
@@ -642,6 +642,10 @@ kg_accept_krb5(minor_status, context_handle,
 }
 }
 
+ if (cred->no_transit_check) {
+ opt_flags |= KRB5_RD_REQ_NO_TRANSIT_CHECK;
+ }
+
 code = krb5_rd_req_decoded_opt(context, &auth_context, request, accprinc,
 cred->keytab, &ap_req_options, NULL, opt_flags);
 
diff --git a/src/lib/gssapi/krb5/acquire_cred.c b/src/lib/gssapi/krb5/acquire_cred.c
index acc1868f8..136d0d49c 100644
--- a/src/lib/gssapi/krb5/acquire_cred.c
+++ b/src/lib/gssapi/krb5/acquire_cred.c
@@ -779,6 +779,7 @@ acquire_cred_context(krb5_context context, OM_uint32 *minor_status,
 #endif /* LEAN_CLIENT */
 cred->destroy_ccache = 0;
 cred->suppress_ci_flags = 0;
+ cred->no_transit_check = 0;
 cred->ccache = NULL;
 
 code = k5_mutex_init(&cred->lock);
diff --git a/src/lib/gssapi/krb5/gssapiP_krb5.h b/src/lib/gssapi/krb5/gssapiP_krb5.h
index 2647434ba..10807ce7d 100644
--- a/src/lib/gssapi/krb5/gssapiP_krb5.h
+++ b/src/lib/gssapi/krb5/gssapiP_krb5.h
@@ -179,6 +179,7 @@ typedef struct _krb5_gss_cred_id_rec {
 unsigned int iakerb_mech : 1;
 unsigned int destroy_ccache : 1;
 unsigned int suppress_ci_flags : 1;
+ unsigned int no_transit_check : 1;
 
 /* keytab (accept) data */
 krb5_keytab keytab;
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.c b/src/lib/gssapi/krb5/gssapi_krb5.c
index f09cda007..e9107260c 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.c
+++ b/src/lib/gssapi/krb5/gssapi_krb5.c
@@ -124,8 +124,14 @@
 * except the last in each value's encoding.
 */
 
+/* 1.2.752.43.13.29 */
 #define NO_CI_FLAGS_X_OID_LENGTH 6
 #define NO_CI_FLAGS_X_OID "\x2a\x85\x70\x2b\x0d\x1d"
+
+/* 1.2.752.43.13.31 */
+#define NO_TRANSIT_CHECK_X_OID_LENGTH 6
+#define NO_TRANSIT_CHECK_X_OID "\x2a\x85\x70\x2b\x0d\x1f"
+
 
 #define GET_CRED_IMPERSONATOR_OID_LENGTH 11
 #define GET_CRED_IMPERSONATOR_OID "\x2a\x86\x48\x86\xf7\x12\x01\x02\x02\x05\x0e"
@@ -154,6 +160,7 @@ const gss_OID_desc krb5_gss_oid_array[] = {
 {GET_CRED_IMPERSONATOR_OID_LENGTH, GET_CRED_IMPERSONATOR_OID},
 /* GSS_KRB5_NT_ENTERPRISE_NAME */
 {10, "\052\206\110\206\367\022\001\002\002\006"},
+ {NO_TRANSIT_CHECK_X_OID_LENGTH, NO_TRANSIT_CHECK_X_OID},
 { 0, 0 }
 };
 
@@ -172,6 +179,7 @@ const gss_OID GSS_KRB5_NT_PRINCIPAL_NAME = &kg_oids[5];
 const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X = &kg_oids[7];
 const gss_OID GSS_KRB5_GET_CRED_IMPERSONATOR = &kg_oids[8];
 const gss_OID GSS_KRB5_NT_ENTERPRISE_NAME = &kg_oids[9];
+const gss_OID GSS_KRB5_CRED_NO_TRANSIT_CHECK_X = &kg_oids[10];
 
 static const gss_OID_set_desc oidsets[] = {
 {1, &kg_oids[0]}, /* RFC OID */
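Review bot: `NO_TRANSIT_CHECK_X_OID` claims `1.2.752.43.13.31` from the Heimdal GSS-API extensions arc while the fourth patch's subject still reads "TODO: heimal master first", so the value is not yet confirmed by the arc's owner; if Heimdal assigns 31 to something else, the two implementations would disagree on an option that turns off a security check, which is worse than a plain interop failure. The define should record where the assignment was made once it exists, e.g. `/* 1.2.752.43.13.31 -- GSS_KRB5_CRED_NO_TRANSIT_CHECK_X, assigned in Heimdal <commit placeholder> */`, and the TODO implies holding this patch until then. `GSS_KRB5_CRED_NO_TRANSIT_CHECK_X = &kg_oids[10]` points at the entry appended just before `{ 0, 0 }`; the `oidsets[]` table that begins at the end of the hunk is cut off here, so it is worth checking that no set is built from a positional range of `kg_oids` that now picks up the new entry unintentionally.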
@@ -504,6 +512,22 @@ no_ci_flags(OM_uint32 *minor_status,
 *minor_status = 0;
 return GSS_S_COMPLETE;
 }
+
+static OM_uint32
+no_transit_check(OM_uint32 *minor_status,
+ gss_cred_id_t *cred_handle,
+ const gss_OID desired_oid,
+ const gss_buffer_t value)
+{
+ krb5_gss_cred_id_t cred;
+
+ cred = (krb5_gss_cred_id_t) *cred_handle;
+ cred->no_transit_check = 1;
+
+ *minor_status = 0;
+ return GSS_S_COMPLETE;
+}
+
 /*
 * gssspi_set_cred_option() methods
 */
@@ -531,6 +555,10 @@ static struct {
 {NO_CI_FLAGS_X_OID_LENGTH, NO_CI_FLAGS_X_OID},
 no_ci_flags
 },
+ {
+ {NO_TRANSIT_CHECK_X_OID_LENGTH, NO_TRANSIT_CHECK_X_OID},
+ no_transit_check
+ },
 };
 
 static OM_uint32 KRB5_CALLCONV
diff --git a/src/lib/gssapi/krb5/gssapi_krb5.h b/src/lib/gssapi/krb5/gssapi_krb5.h
index 84b415920..5cf1e5598 100644
--- a/src/lib/gssapi/krb5/gssapi_krb5.h
+++ b/src/lib/gssapi/krb5/gssapi_krb5.h
@@ -101,6 +101,18 @@ GSS_DLLIMP extern const gss_OID_desc krb5_gss_oid_array[];
 */
 GSS_DLLIMP extern const gss_OID GSS_KRB5_CRED_NO_CI_FLAGS_X;
 
+/*
+ *
+ * This OID can be used with gss_set_cred_option() to suppress the
+ * checking of the transited realm array. Typically the caller
+ * requires a verified PAC and delegate the cross-realm verification
+ * to the [K]DC of an active directory domain.
+ *
+ * iso(1) member-body(2) Sweden(752) Stockholm University(43) Heimdal GSS-API
+ * Extensions(13) no_transit_check(31)
+ */
+GSS_DLLIMP extern const gss_OID GSS_KRB5_CRED_NO_TRANSIT_CHECK_X;
+
 /*
 * This OID can be used with gss_inquire_cred_by_oid(0 to retrieve the
 * impersonator name (if any).
diff --git a/src/lib/gssapi/libgssapi_krb5.exports b/src/lib/gssapi/libgssapi_krb5.exports
index c292cb1af..af10bece1 100644
--- a/src/lib/gssapi/libgssapi_krb5.exports
+++ b/src/lib/gssapi/libgssapi_krb5.exports
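Review bot: `no_transit_check()` sets `cred->no_transit_check = 1` on the credential itself, so every context later accepted with that credential skips the transited-realm check, and the handler carries no comment saying so or naming what the caller takes on; add one above the definition, e.g. `/* gss_set_cred_option() handler for GSS_KRB5_CRED_NO_TRANSIT_CHECK_X: accept cross-realm tickets without the transited-realm check; the caller must perform its own cross-realm authorization (e.g. a verified PAC). */`. `value` and `desired_oid` are not inspected, so a non-empty buffer is silently accepted; if that is deliberate for parity with the other options, the comment should say so. There is also no way to clear the bit once set, which is worth stating for an option that relaxes a check rather than tightens one.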
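Review bot: The new block comment on `GSS_KRB5_CRED_NO_TRANSIT_CHECK_X` in gssapi_krb5.h opens with an empty ` *` line and has a grammar slip in `requires a verified PAC and delegate the cross-realm verification`; drop the empty line and write ` * requires a verified PAC and delegates the cross-realm verification`. Since this is the public header, it would also help API users to state that the option applies to acceptor credentials and that it removes only the transited-realm check, leaving the rest of what krb5_rd_req_decoded_opt() verifies in place (as far as the second patch's hunk shows, nothing else is affected).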
@@ -11,6 +11,7 @@ GSS_C_NT_USER_NAME
 GSS_KRB5_NT_PRINCIPAL_NAME
 GSS_KRB5_NT_ENTERPRISE_NAME
 GSS_KRB5_CRED_NO_CI_FLAGS_X
+GSS_KRB5_CRED_NO_TRANSIT_CHECK_X
 GSS_KRB5_GET_CRED_IMPERSONATOR
 GSS_C_MA_MECH_CONCRETE
 GSS_C_MA_MECH_PSEUDO
diff --git a/src/lib/gssapi32.def b/src/lib/gssapi32.def
index e6b1479bb..65eb32ec6 100644
--- a/src/lib/gssapi32.def
+++ b/src/lib/gssapi32.def
@@ -187,3 +187,5 @@ EXPORTS
 GSS_C_SEC_CONTEXT_SASL_SSF @149 DATA
 ; Added in 1.17
 GSS_KRB5_NT_ENTERPRISE_NAME @150 DATA
+; Added in 1.18
+ GSS_KRB5_CRED_NO_TRANSIT_CHECK_X @151 DATA
-- 
2.17.1

From d5e8e8a726e96c98392dcdefe8bd1f7cd925b305 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 28 Aug 2019 16:01:41 +0200
Subject: [PATCH 5/6] src/tests/gssapi: add optional 'no_transit_check' argument to t_accname.c

This will be used to test the GSS_KRB5_CRED_NO_TRANSIT_CHECK_X code path.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher
---
 src/tests/gssapi/t_accname.c | 23 ++++++++++++++++++++---
 1 file changed, 20 insertions(+), 3 deletions(-)

diff --git a/src/tests/gssapi/t_accname.c b/src/tests/gssapi/t_accname.c
index 30b5db54f..1dd1b4033 100644
--- a/src/tests/gssapi/t_accname.c
+++ b/src/tests/gssapi/t_accname.c
@@ -25,6 +25,7 @@
 
 #include
 #include
+#include
 
 #include "common.h"
 
@@ -37,7 +38,7 @@
 * call is unsuccessful, displays an error message. Exits with status 0 if all
 * operations are successful, or 1 if not.
 *
- * Usage: ./t_accname targetname [acceptorname]
+ * Usage: ./t_accname targetname [acceptorname] [no_transit_check]
 */
 
 int
@@ -48,9 +49,11 @@ main(int argc, char *argv[])
 gss_name_t target_name, acceptor_name = GSS_C_NO_NAME, real_acceptor_name;
 gss_buffer_desc namebuf;
 gss_ctx_id_t initiator_context, acceptor_context;
+ krb5_boolean no_transit_check = FALSE;
 
- if (argc < 2 || argc > 3) {
- fprintf(stderr, "Usage: %s targetname [acceptorname]\n", argv[0]);
+ if (argc < 2 || argc > 4) {
+usage:
+ fprintf(stderr, "Usage: %s targetname [acceptorname] [no_transit_check]\n", argv[0]);
 return 1;
 }
 
@@ -58,12 +61,26 @@ main(int argc, char *argv[])
 target_name = import_name(argv[1]);
 if (argc >= 3)
 acceptor_name = import_name(argv[2]);
+ if (argc >= 4) {
+ if (strcmp(argv[3], "no_transit_check") != 0) {
+ goto usage;
+ }
+ no_transit_check = TRUE;
+ }
 
 /* Get acceptor cred. */
 major = gss_acquire_cred(&minor, acceptor_name, GSS_C_INDEFINITE,
 GSS_C_NO_OID_SET, GSS_C_ACCEPT, &acceptor_cred,
 NULL, NULL);
 check_gsserr("gss_acquire_cred", major, minor);
+ if (no_transit_check) {
+ gss_buffer_desc empty_buffer = GSS_C_EMPTY_BUFFER;
+
+ major = gss_set_cred_option(&minor, &acceptor_cred,
+ (gss_OID)GSS_KRB5_CRED_NO_TRANSIT_CHECK_X,
+ &empty_buffer);
+ check_gsserr("gss_set_cred_option(NO_TRANSIT_CHECK_X)", major, minor);
+ }
 
 flags = GSS_C_REPLAY_FLAG | GSS_C_SEQUENCE_FLAG;
 establish_contexts(&mech_krb5, GSS_C_NO_CREDENTIAL, acceptor_cred,
-- 
2.17.1

From 2b5fbe5c32a7a21cd0b5d03011573e0843b97b8f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Wed, 28 Aug 2019 16:13:04 +0200
Subject: [PATCH 6/6] src/tests/gssapi: add GSS_KRB5_CRED_NO_TRANSIT_CHECK_X test to t_gssapi.py

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12907

Signed-off-by: Stefan Metzmacher
---
 src/tests/gssapi/t_gssapi.py | 69 ++++++++++++++++++++++++++++++++++++
 1 file changed, 69 insertions(+)

diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 54d5cf549..a810bf059 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
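Review bot: The new `usage:` label sits inside the `if (argc < 2 || argc > 4)` body and is reached by a backwards `goto usage;` from the `strcmp` check several statements later; jumping into a conditional block is legal C but hard to follow, and the argument validation reads more simply as a single condition, shown below. The added `fprintf` line also runs well past 79 columns (krb5 wraps at 79); the rewrite splits the format string instead. `main()` begins and ends outside the hunk.
```c
    if (argc < 2 || argc > 4 ||
        (argc == 4 && strcmp(argv[3], "no_transit_check") != 0)) {
        fprintf(stderr, "Usage: %s targetname [acceptorname] "
                "[no_transit_check]\n", argv[0]);
        return 1;
    }
    /* ... unchanged: import_name() calls for argv[1] and argv[2] ... */
    no_transit_check = (argc == 4);
```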
@@ -118,6 +118,75 @@ r1.stop()
 r2.stop()
 r3.stop()
 
+#
+# Test the behavior of GSS_KRB5_CRED_NO_TRANSIT_CHECK_X
+# First we define all possible capaths explicitly
+# as capaths_all. This will be used by default.
+#
+# Then we define capaths_ax_first_hop, which
+# has just the first hops from A.X to the others,
+# this will allow the client code to get a service
+# ticket for a service in D.X, but doesn't allow
+# the acceptor part to pass the transited check.
+#
+capaths_all = {
+ 'capaths': {
+ 'A.X': {
+ 'D.X': ['B.X', 'C.X'],
+ 'C.X': ['B.X'],
+ 'B.X': ['.'],
+ },
+ 'B.X': {
+ 'A.X': ['.'],
+ 'C.X': ['.'],
+ 'D.X': ['C.X'],
+ },
+ 'C.X': {
+ 'D.X': ['.'],
+ 'B.X': ['.'],
+ 'A.X': ['B.X'],
+ },
+ 'D.X': {
+ 'A.X': ['C.X', 'B.X'],
+ 'B.X': ['C.X'],
+ 'C.X': ['.'],
+ }
+ }
+}
+capaths_ax_first_hop = {
+ 'capaths': {
+ 'A.X': {
+ 'D.X': ['B.X'],
+ 'C.X': ['B.X'],
+ 'B.X': ['.'],
+ },
+ }
+}
+r1args = { 'realm': 'A.X', 'krb5_conf': capaths_all, 'create_user': True }
+r2args = { 'realm': 'B.X', 'krb5_conf': capaths_all }
+r3args = { 'realm': 'C.X', 'krb5_conf': capaths_all }
+r4args = { 'realm': 'D.X', 'krb5_conf': capaths_all, 'create_host': True }
+
+r1, r2, r3, r4 = cross_realms(4, xtgts=((0,1), (1,2), (2,3)),
+ create_user=False, create_host=False,
+ args=[r1args, r2args, r3args, r4args])
+os.rename(r4.keytab, r1.keytab)
+# We create a special environment for the client on A.X
+r1client = r1.special_env('client', False, krb5_conf=capaths_ax_first_hop)
+# It will get a service ticket, but the acceptor fail to verify the
+# transited path.
+r1.run(['./t_accname', 'p:' + r4.host_princ, 'h:host'],
+ env=r1client,
+ expected_code=1,
+ expected_msg='Illegal cross-realm ticket')
+# With GSS_KRB5_CRED_NO_TRANSIT_CHECK_X it bypasses the check
+r1.run(['./t_accname', 'p:' + r4.host_princ, 'h:host', 'no_transit_check'],
+ env=r1client)
+r1.stop()
+r2.stop()
+r3.stop()
+r4.stop()
+
 ### Test gss_inquire_cred behavior.
 
 realm = K5Realm()
-- 
2.17.1
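Review bot: `os.rename(r4.keytab, r1.keytab)` replaces realm A.X's keytab with D.X's, presumably so that `./t_accname` run in r1's environment holds the D.X host key needed to accept the `r4.host_princ` ticket, but the line is uncommented and the reader has to infer that from the following run; add `# Give the acceptor run from r1 the D.X host key so it can decrypt the D.X service ticket.` above it. The comment two lines later reads `the acceptor fail to verify`; make it `# It will get a service ticket, but the acceptor fails to verify the`. The passing run only checks the exit status; if t_accname prints the accepted acceptor name, an `expected_msg` on that run would pin that the D.X ticket was really accepted rather than the run succeeding for some other reason.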