krb5/krb5-master-spnego_error_messages.patch

commit 4faca53e3a8ee213d43da8998f6889e7bfd36248
Author: Greg Hudson <ghudson@mit.edu>
Date:   Wed Dec 18 16:03:16 2013 -0500

    Test SPNEGO error message in t_s4u.py
    
    Now that #7045 is fixed, we can check for the correct error message
    from t_s4u2proxy_krb5 with --spnego.
    
    ticket: 7045

diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index 67dc810..e4aa259 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or
     'NOT_ALLOWED_TO_DELEGATE' not in output):
     fail('krb5 -> s4u2proxy')
 
-# Again with SPNEGO.  Bug #7045 prevents us from checking the error
-# message, but we can at least exercise the code.
+# Again with SPNEGO.
 output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
                     '-', pservice1, pservice2],
                    expected_code=1)
-if ('auth1: ' + realm.user_princ not in output):
+if ('auth1: ' + realm.user_princ not in output or
+    'NOT_ALLOWED_TO_DELEGATE' not in output):
     fail('krb5 -> s4u2proxy (SPNEGO)')
 
 # Try krb5 -> S4U2Proxy without forwardable user creds.  This should
@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')
 
 # Again with SPNEGO.  This uses SPNEGO for the initial authentication,
-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as
+# but still uses krb5 for S4U2Proxy--the delegated cred is returned as
 # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
-# directly rather than saving and reacquiring it) so bug #7045 does
-# not apply and we can verify the error message.
+# directly rather than saving and reacquiring it.
 output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
 if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')
Pull in fix to improve SPNEGO error messages - pull in fix from master to make reporting of errors encountered by the SPNEGO mechanism work better (RT#7045, part of #1043962) 2013-12-19 16:52:30 +00:00			`commit 4faca53e3a8ee213d43da8998f6889e7bfd36248`
			`Author: Greg Hudson <ghudson@mit.edu>`
			`Date: Wed Dec 18 16:03:16 2013 -0500`

			`Test SPNEGO error message in t_s4u.py`

			`Now that #7045 is fixed, we can check for the correct error message`
			`from t_s4u2proxy_krb5 with --spnego.`

			`ticket: 7045`

			`diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py`
			`index 67dc810..e4aa259 100644`
			`--- a/src/tests/gssapi/t_s4u.py`
			`+++ b/src/tests/gssapi/t_s4u.py`
			`@@ -30,12 +30,12 @@ if ('auth1: ' + realm.user_princ not in output or`
			`'NOT_ALLOWED_TO_DELEGATE' not in output):`
			`fail('krb5 -> s4u2proxy')`

			`-# Again with SPNEGO. Bug #7045 prevents us from checking the error`
			`-# message, but we can at least exercise the code.`
			`+# Again with SPNEGO.`
			`output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,`
			`'-', pservice1, pservice2],`
			`expected_code=1)`
			`-if ('auth1: ' + realm.user_princ not in output):`
			`+if ('auth1: ' + realm.user_princ not in output or`
			`+ 'NOT_ALLOWED_TO_DELEGATE' not in output):`
			`fail('krb5 -> s4u2proxy (SPNEGO)')`

			`# Try krb5 -> S4U2Proxy without forwardable user creds. This should`
			`@@ -66,10 +66,9 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:`
			`fail('s4u2self')`

			`# Again with SPNEGO. This uses SPNEGO for the initial authentication,`
			`-# but still uses krb5 for S4U2Proxy (the delegated cred is returned as`
			`+# but still uses krb5 for S4U2Proxy--the delegated cred is returned as`
			`# a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred`
			`-# directly rather than saving and reacquiring it) so bug #7045 does`
			`-# not apply and we can verify the error message.`
			`+# directly rather than saving and reacquiring it.`
			`output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)`
			`if 'NOT_ALLOWED_TO_DELEGATE' not in output:`
			`fail('s4u2self')`