Make it possible to renew aliased service tickets

We always allow aliases in the service principal when processing AS-REQs and TGS-REQs. If the ticket we issued is presented back to us in a TGS-REQ as a header ticket for renewal or similar, we should allow aliases when looking up its key to decode the AP-REQ. ticket: 7699 (new)
author: Greg Hudson <ghudson@mit.edu> 2013-08-29 11:15:02 -0400
committer: Greg Hudson <ghudson@mit.edu> 2013-08-29 11:15:02 -0400
commit: 81ceb5352dd3bc11a546d818107d0c4a896cee44 (patch)
tree: b81ef95c615e83db63ea078b573544bf78bd5d02 /src/tests
parent: ba31a9317bdef13d73e98afe493695601f91d134 (diff)
download: krb5-81ceb5352dd3bc11a546d818107d0c4a896cee44.tar.gz
krb5-81ceb5352dd3bc11a546d818107d0c4a896cee44.tar.xz
krb5-81ceb5352dd3bc11a546d818107d0c4a896cee44.zip
1 files changed, 8 insertions, 0 deletions
diff --git a/src/tests/t_kdb.py b/src/tests/t_kdb.py
index 7a9471f8a..70fe58a84 100644
--- a/src/tests/t_kdb.py
+++ b/src/tests/t_kdb.py
@@ -286,6 +286,14 @@ out = realm.run([klist])
 if 'tgtalias@KRBTEST.COM\n' not in out:
     fail('After fetching tgtalias, klist is missing it')
 
+# Make sure aliases work in header tickets.
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" user')
+realm.run_kadminl('modprinc -maxrenewlife "3 hours" krbtgt/KRBTEST.COM')
+realm.kinit(realm.user_princ, password('user'), ['-l', '1h', '-r', '2h'])
+realm.run([kvno, 'alias'])
+realm.kinit(realm.user_princ, flags=['-R', '-S', 'alias'])
+realm.klist(realm.user_princ, 'alias@KRBTEST.COM')
+
 realm.stop()
 
 # Briefly test dump and load.
author	Greg Hudson <ghudson@mit.edu>	2013-08-29 11:15:02 -0400
committer	Greg Hudson <ghudson@mit.edu>	2013-08-29 11:15:02 -0400
commit	81ceb5352dd3bc11a546d818107d0c4a896cee44 (patch)
tree	b81ef95c615e83db63ea078b573544bf78bd5d02 /src/tests
parent	ba31a9317bdef13d73e98afe493695601f91d134 (diff)
download	krb5-81ceb5352dd3bc11a546d818107d0c4a896cee44.tar.gz krb5-81ceb5352dd3bc11a546d818107d0c4a896cee44.tar.xz krb5-81ceb5352dd3bc11a546d818107d0c4a896cee44.zip