| author | Andrew Bartlett <abartlet@samba.org> | 2015-01-21 15:57:40 +1300 |
|---|---|---|
| committer | Andrew Bartlett <abartlet@samba.org> | 2015-01-23 05:42:08 +0100 |
| commit | 03d07ed58bb4ebad41260a35f8952a18c8cf3e6d (patch) | |
| tree | 25d335ad65c983fd6546851cb127bbfef0021657 /source4 | |
| parent | c1280569a97be772549debbecb374c53a6cdf796 (diff) | |
torture: Extend krb5.kdc test to confirm correct RODC proxy behaviour
The RODC should answer some requests locally, and others it should defer to the main DC.
We can tell which KDC we talk to by the KVNO of the encrypted parts that are returned
to the KDC.
Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Garming Sam <garming@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'source4')
| -rwxr-xr-x | source4/selftest/tests.py | 12 | ||||
| -rw-r--r-- | source4/torture/krb5/kdc.c | 19 |
2 files changed, 26 insertions, 5 deletions
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 7604d2a71e..94cb152350 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -551,13 +551,17 @@ for env in ["dc", "s4member", "rodc", "promoted_dc", "plugin_s4_dc", "s3member"]
 for env in ["dc", "rodc", "promoted_dc", "plugin_s4_dc", "fl2000dc", "fl2003dc", "fl2008r2dc"]:
 plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-U$USERNAME@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
 "samba4.krb5.kdc with specified account")
- plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
- "samba4.krb5.kdc with account ALLOWED permission to replicate to an RODC")
 plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestdenied@$REALM%$PASSWORD', '--workgroup=$DOMAIN'],
 "samba4.krb5.kdc with account DENIED permission to replicate to an RODC")
- plansmbtorture4testsuite('krb5.kdc', "%s:local" % env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-P', '--workgroup=$DOMAIN'],
- "samba4.krb5.kdc with machine account")
+ if env == "rodc":
+ extra_options = ['--option=torture:expect_rodc=true']
+ else:
+ extra_options = []
+ plansmbtorture4testsuite('krb5.kdc', "%s:local" % env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-P', '--workgroup=$DOMAIN'] + extra_options,
+ "samba4.krb5.kdc with machine account")
+ plansmbtorture4testsuite('krb5.kdc', env, ['ncacn_np:$SERVER_IP', "-k", "yes", '-Utestallowed@$REALM%$PASSWORD', '--workgroup=$DOMAIN'] + extra_options,
+ "samba4.krb5.kdc with account ALLOWED permission to replicate to an RODC")
 # TODO: Verifying the databases really should be a part of the
 # environment teardown.
diff --git a/source4/torture/krb5/kdc.c b/source4/torture/krb5/kdc.c
index edf1ecdc74..4f760018d7 100644
--- a/source4/torture/krb5/kdc.c
+++ b/source4/torture/krb5/kdc.c
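Review bot: The `if env == "rodc"` block is placed between the `testdenied` run and the two runs that consume `extra_options`, so nothing tells the reader that the DENIED and `$USERNAME` runs are deliberately left without `expect_rodc`; moving the block to the top of the loop body and adding `# only the machine account and testallowed may replicate to the RODC, so only their tickets should carry an RODC KVNO (torture:expect_rodc in krb5.kdc)` would make that asymmetry explicit. The four-line if/else could also be collapsed to `extra_options = ['--option=torture:expect_rodc=true'] if env == "rodc" else []`. That the other two runs are expected to be proxied to the full DC is inferred from the commit message, not from the hunk.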
@@ -96,7 +96,24 @@ static bool torture_krb5_post_recv_test(struct torture_krb5_context *test_contex
 decode_AS_REP(recv_buf->data, recv_buf->length, &test_context->as_rep, &used), 0, "decode_AS_REP failed");
 torture_assert_int_equal(test_context->tctx, used, recv_buf->length, "length mismatch");
- torture_assert_int_equal(test_context->tctx, test_context->as_rep.pvno, 5, "Got wrong as_rep->pvno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.pvno, 5,
+ "Got wrong as_rep->pvno");
+ torture_assert_int_equal(test_context->tctx,
+ test_context->as_rep.ticket.tkt_vno, 5,
+ "Got wrong as_rep->ticket.tkt_vno");
+ torture_assert(test_context->tctx,
+ test_context->as_rep.ticket.enc_part.kvno,
+ "Did not get a KVNO in test_context->as_rep.ticket.enc_part.kvno");
+ if (torture_setting_bool(test_context->tctx, "expect_rodc", false)) {
+ torture_assert_int_not_equal(test_context->tctx,
+ *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
+ 0, "Did not get a RODC number in the KVNO");
+ } else {
+ torture_assert_int_equal(test_context->tctx,
+ *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000,
+ 0, "Unexpecedly got a RODC number in the KVNO");
+ }
 free_AS_REP(&test_context->as_rep);
 }
 torture_assert(test_context->tctx, test_context->packet_count < 3, "too many packets"); |
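Review bot: The failure message on the else branch is misspelled: `"Unexpecedly got a RODC number in the KVNO"` should read `"Unexpectedly got a RODC number in the KVNO"`. The `0xFFFF0000` mask is also repeated in both asserts with nothing saying which bits it selects; a comment above the `if (torture_setting_bool(...))`, such as `/* The upper 16 bits of the ticket KVNO carry the RODC number; a ticket issued by a full DC leaves them zero */`, plus a local `uint32_t rodc_bits = *test_context->as_rep.ticket.enc_part.kvno & 0xFFFF0000;` used by both branches, would make the intent readable and drop the duplicated dereference. torture_assert_int_equal appears to compare its operands as int, which is harmless here only because the expected value is 0. torture_krb5_post_recv_test begins and ends outside the hunk.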
