authorGreg Hudson <ghudson@mit.edu>2014-04-28 03:58:32 -0400
committerGreg Hudson <ghudson@mit.edu>2014-05-07 12:56:15 -0400
commiteba8c4909ec7ba0d7054d5d1b1061319e9970cc7 (patch)
treeb10c91ffb967d767546c8fa87c105a712b116494 /src/tests/gssapi/t_gssapi.py
parent035eb79b3f250b690502c66aaf664410b1d0e7e0 (diff)
Improve krb5_rd_req decryption failure errors
When krb5_rd_req cannot decrypt a ticket, try to produce the most helpful diagnostic we can, and return an error code which corresponds to the most applicable Kerberos protocol error. Add a trace log containing the error message for ticket decryption failures, in case the application server does not log it. Add new tests to cover krb5_rd_req error messages and adjust existing tests to match the new messages. Also adjust svc_auth_gssapi.c to look for KRB5KRB_AP_ERR_NOT_US instead of KRB5KRB_AP_WRONG_PRINC. ticket: 7232
Diffstat (limited to 'src/tests/gssapi/t_gssapi.py')
-rwxr-xr-xsrc/tests/gssapi/t_gssapi.py10
1 files changed, 5 insertions, 5 deletions
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index 106910d8f..29d334edd 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -37,7 +37,7 @@ output = realm.run(['./t_accname', 'p:service2/calvin'])
if 'service2/calvin' not in output:
fail('Expected service1/barack in t_accname output')
output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1)
-if 'Wrong principal in request' not in output:
+if ' not found in keytab' not in output:
fail('Expected error message not seen in t_accname output')
# Test with acceptor name containing service only, including
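Review bot: The new check `if ' not found in keytab' not in output:` matches only the tail of the diagnostic, so the test does not pin which principal the acceptor rejected; the same loose match is added in the hunks at `@@ -48,14`, `@@ -68,7` and `@@ -76,7`. If the message names the ticket's server principal (the leading space in the match string suggests a name precedes it, but the format is not visible here), require it as well, e.g. `if 'service2/dwight' not in output or ' not found in keytab' not in output:`. The `fail()` text could also name the expected message, so a failure shows what was looked for. Separately, the unchanged context line `fail('Expected service1/barack in t_accname output')` guards a check for `service2/calvin`, which this commit leaves as is.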
@@ -48,14 +48,14 @@ if 'service1/abraham' not in output:
fail('Expected service1/abraham in t_accname output')
output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'],
expected_code=1)
-if 'Wrong principal in request' not in output:
+if ' not found in keytab' not in output:
fail('Expected error message not seen in t_accname output')
output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'])
if 'service2/calvin' not in output:
fail('Expected service2/calvin in t_accname output')
output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'],
expected_code=1)
-if 'Wrong principal in request' not in output:
+if ' found in keytab but does not match server principal' not in output:
fail('Expected error message not seen in t_accname output')
# Test with acceptor name containing service and host. Use the
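Review bot: The third changed check in this hunk, `if ' found in keytab but does not match server principal' not in output:`, is the only case on this page that exercises the "key exists but acceptor name excludes it" path, and nothing says why it differs from its neighbours. The preceding run with `h:service2` succeeds for `service2/calvin`, so the key is present and the rejection here comes from the `h:service1` acceptor name. A one-line comment above that run would record this, e.g. `# service2/calvin has a keytab entry, but the h:service1 acceptor name must still reject it.`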
@@ -68,7 +68,7 @@ if realm.host_princ not in output:
output = realm.run(['./t_accname', 'p:host/-nomatch-',
'h:host@%s' % socket.gethostname()],
expected_code=1)
-if 'Wrong principal in request' not in output:
+if ' not found in keytab' not in output:
fail('Expected error message not seen in t_accname output')
# Test krb5_gss_import_cred.
@@ -76,7 +76,7 @@ realm.run(['./t_imp_cred', 'p:service1/barack'])
realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1)
-if 'Wrong principal in request' not in output:
+if ' not found in keytab' not in output:
fail('Expected error message not seen in t_imp_cred output')
# Test credential store extension.