From 1746d2e84acee77ec88bf3f61eaa8f11cc1039a5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Petr=20=C5=A0pa=C4=8Dek?= Date: Fri, 16 Apr 2021 18:05:43 +0200 Subject: [PATCH] Add tests for the "tkey-gssapi-credential" option Four named instances in the "nsupdate" system test have GSS-TSIG support enabled. All of them currently use "tkey-gssapi-keytab". Configure two of them with "tkey-gssapi-credential" to test that option. As "tkey-gssapi-keytab" and "tkey-gssapi-credential" both provide the same functionality, no test modifications are required. The difference between the two options is that the value of "tkey-gssapi-keytab" is an explicit path to the keytab file to acquire credentials from, while the value of "tkey-gssapi-credential" is the name of the principal whose credentials should be used; those credentials are looked up in the keytab file expected by the Kerberos library, i.e. /etc/krb5.keytab by default. The path to the default keytab file can be overridden by setting the KRB5_KTNAME environment variable. Utilize that variable to use existing keytab files with the "tkey-gssapi-credential" option. The KRB5_KTNAME environment variable should not interfere with the "tkey-gssapi-keytab" option. Nevertheless, rename one of the keytab files used with "tkey-gssapi-keytab" to something other than the contents of the KRB5_KTNAME environment variable in order to make sure that both "tkey-gssapi-keytab" and "tkey-gssapi-credential" are actually tested. --- bin/tests/system/conf.sh.common | 1 + bin/tests/system/conf.sh.in | 2 ++ bin/tests/system/nsupdate/krb/setup.sh | 2 +- bin/tests/system/nsupdate/ns10/named.conf.in | 2 +- ...dns.keytab => dns-other-than-KRB5_KTNAME.keytab} | Bin bin/tests/system/nsupdate/ns8/named.conf.in | 2 +- bin/tests/system/nsupdate/ns9/named.conf.in | 2 +- util/copyrights | 2 +- 8 files changed, 8 insertions(+), 5 deletions(-) rename bin/tests/system/nsupdate/ns8/{dns.keytab => dns-other-than-KRB5_KTNAME.keytab} (100%)
diff --git a/bin/tests/system/conf.sh.common b/bin/tests/system/conf.sh.common
index ac1845860f..07106836a3 100644
--- a/bin/tests/system/conf.sh.common
+++ b/bin/tests/system/conf.sh.common
@@ -713,6 +713,7 @@ export KEYGEN
 export KEYSETTOOL
 export KEYSIGNER
 export KRB5_CONFIG
+export KRB5_KTNAME
 export MAKEJOURNAL
 export MDIG
 export NAMED
diff --git a/bin/tests/system/conf.sh.in b/bin/tests/system/conf.sh.in
index 9f4524b708..8b0621c052 100644
--- a/bin/tests/system/conf.sh.in
+++ b/bin/tests/system/conf.sh.in
@@ -71,6 +71,8 @@ PIPEQUERIES=$TOP_BUILDDIR/bin/tests/system/pipelined/pipequeries
 # we don't want a KRB5_CONFIG setting breaking the tests
 KRB5_CONFIG=/dev/null
+# use local keytab instead of default /etc/krb5.keytab
+KRB5_KTNAME=dns.keytab
 #
 # Construct the lists of tests to run
diff --git a/bin/tests/system/nsupdate/krb/setup.sh b/bin/tests/system/nsupdate/krb/setup.sh
index 3fef030bd1..150b2050f8 100644
--- a/bin/tests/system/nsupdate/krb/setup.sh
+++ b/bin/tests/system/nsupdate/krb/setup.sh
@@ -101,7 +101,7 @@ kinit -V -k -t krb5-machine.keytab -l ${lifetime}d -c krb5-machine.ccache host/m
 kinit -V -k -t ms-machine.keytab -l ${lifetime}d -c ms-machine.ccache 'machine$@EXAMPLE.COM'
 cp ns7-server.keytab ../ns7/dns.keytab
-cp ns8-server.keytab ../ns8/dns.keytab
+cp ns8-server.keytab ../ns8/dns-other-than-KRB5_KTNAME.keytab
 cp ns9-server.keytab ../ns9/dns.keytab
 cp ns10-server.keytab ../ns10/dns.keytab
diff --git a/bin/tests/system/nsupdate/ns10/named.conf.in b/bin/tests/system/nsupdate/ns10/named.conf.in
index 457d96b4f8..0e2fb06782 100644
--- a/bin/tests/system/nsupdate/ns10/named.conf.in
+++ b/bin/tests/system/nsupdate/ns10/named.conf.in
@@ -20,7 +20,7 @@ options {
 recursion no;
 notify yes;
 minimal-responses no;
- tkey-gssapi-keytab "dns.keytab";
+ tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";
 };
 key rndc_key {
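Review bot: `KRB5_KTNAME=dns.keytab` in conf.sh.in is a relative path, and with `export KRB5_KTNAME` added in conf.sh.common every system test inherits it, not only nsupdate. The Kerberos library resolves the name against the working directory of whichever process loads it, so the lookup presumably works only because each named instance runs from its own nsN/ directory holding a dns.keytab. The comment should say so, e.g. `# relative on purpose: resolved in each server's working directory (nsN/dns.keytab)`, so that nobody reads it as a pattern for a real deployment, where the keytab path should be absolute and the file readable only by the named user. If other tests are not meant to see the variable, setting it in the nsupdate test's own setup would keep the scope tight.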
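Review bot: The reason ns8's keytab is copied to `../ns8/dns-other-than-KRB5_KTNAME.keytab` is recorded only in the commit message, so a later cleanup could rename it back to dns.keytab and silently stop distinguishing the two options. A comment above the `cp` lines would keep that visible, e.g. `# ns8's keytab must not be named like $KRB5_KTNAME, so that "tkey-gssapi-keytab" is exercised on its own`. The same file name is repeated in ns8/named.conf.in and util/copyrights, and nothing visible ties the three together. The script continues outside the hunk on both sides.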
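Review bot: `tkey-gssapi-credential "DNS/ns10.example.com@EXAMPLE.COM";` only works if that principal is present in the keytab named by KRB5_KTNAME, yet the config gives no hint of the dependency. A comment such as `// credentials are read from the keytab named by $KRB5_KTNAME (set in conf.sh)` would document it; the same applies to the ns9/named.conf.in hunk. Since the commit message says no test was modified, only the success path is covered. A negative check that GSS-TSIG updates are refused when the principal is missing from the keytab would show that the option is really what grants the credential. The options block starts outside the hunk.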
diff --git a/bin/tests/system/nsupdate/ns8/dns.keytab b/bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab
similarity index 100%
rename from bin/tests/system/nsupdate/ns8/dns.keytab
rename to bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab
diff --git a/bin/tests/system/nsupdate/ns8/named.conf.in b/bin/tests/system/nsupdate/ns8/named.conf.in
index 92792db680..dac45d9141 100644
--- a/bin/tests/system/nsupdate/ns8/named.conf.in
+++ b/bin/tests/system/nsupdate/ns8/named.conf.in
@@ -20,7 +20,7 @@ options {
 recursion no;
 notify yes;
 minimal-responses no;
- tkey-gssapi-keytab "dns.keytab";
+ tkey-gssapi-keytab "dns-other-than-KRB5_KTNAME.keytab";
 };
 key rndc_key {
diff --git a/bin/tests/system/nsupdate/ns9/named.conf.in b/bin/tests/system/nsupdate/ns9/named.conf.in
index a65f069ac7..f95ea4ed26 100644
--- a/bin/tests/system/nsupdate/ns9/named.conf.in
+++ b/bin/tests/system/nsupdate/ns9/named.conf.in
@@ -20,7 +20,7 @@ options {
 recursion no;
 notify yes;
 minimal-responses no;
- tkey-gssapi-keytab "dns.keytab";
+ tkey-gssapi-credential "DNS/ns9.example.com@EXAMPLE.COM";
 };
 key rndc_key {
diff --git a/util/copyrights b/util/copyrights
index e1c7d591a7..92de9fbad9 100644
--- a/util/copyrights
+++ b/util/copyrights
@@ -654,7 +654,7 @@
 ./bin/tests/system/nsupdate/ns6/named.args X 2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns7/dns.keytab X 2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns7/machine.ccache X 2018,2019,2020,2021
-./bin/tests/system/nsupdate/ns8/dns.keytab X 2018,2019,2020,2021
+./bin/tests/system/nsupdate/ns8/dns-other-than-KRB5_KTNAME.keytab X 2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns8/machine.ccache X 2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns9/dns.keytab X 2018,2019,2020,2021
 ./bin/tests/system/nsupdate/ns9/machine.ccache X 2018,2019,2020,2021