Don't return a host referral to the service realm

A host referral to the same realm we just looked up the principal in
is useless at best and confusing to the client at worst.  Don't
respond with one in the KDC.

ticket: 7483
target_version: 1.11
tags: pullup

2 files changed, 22 insertions, 0 deletions

diff --git a/src/tests/Makefile.in b/src/tests/Makefile.in
index 8886959473..1eac9e66d1 100644
--- a/src/tests/Makefile.in
+++ b/src/tests/Makefile.in
@@ -82,6 +82,7 @@ check-pytests:: hist kdbtest
 	$(RUNPYTEST) $(srcdir)/t_stringattr.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_sesskeynego.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_crossrealm.py $(PYTESTFLAGS)
+	$(RUNPYTEST) $(srcdir)/t_referral.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_skew.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_keytab.py $(PYTESTFLAGS)
 	$(RUNPYTEST) $(srcdir)/t_pwhist.py $(PYTESTFLAGS)
diff --git a/src/tests/t_referral.py b/src/tests/t_referral.py
new file mode 100644
index 0000000000..6654d71e8e
--- /dev/null
+++ b/src/tests/t_referral.py
@@ -0,0 +1,21 @@
+#!/usr/bin/python
+from k5test import *
+
+# We should have a comprehensive suite of KDC host referral tests
+# here, based on the tests in the kdc_realm subdir.  For now, we just
+# have a regression test for #7483.
+
+# A KDC should not return a host referral to its own realm.
+krb5_conf = {'master': {'domain_realm': {'y': 'KRBTEST.COM'}}}
+kdc_conf = {'master': {'realms': {'$realm': {'host_based_services': 'x'}}}}
+realm = K5Realm(krb5_conf=krb5_conf, kdc_conf=kdc_conf, create_host=False)
+tracefile = os.path.join(realm.testdir, 'trace')
+realm.run_as_client(['env', 'KRB5_TRACE=' + tracefile, kvno, '-u', 'x/z.y@'],
+                    expected_code=1)
+f = open(tracefile, 'r')
+trace = f.read()
+f.close()
+if 'back to same realm' in trace:
+    fail('KDC returned referral to service realm')
+
+success('KDC host referral tests')