[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Fri Jun 12 22:11:12 UTC 2020


The branch, master has been updated
       via  7655a0298e5 db-glue.c: set forwardable flag on cross-realm tgt tickets
       via  fb7dfdbe8f9 selftest: test forwardable flag in cross-realm with s4u2proxy
       via  9b302a57ff0 selftest: test forwardable flag in cross-realm tgt tickets
       via  a823cc1e8bc selftest: allow EncASRepPart to be encoded as EncTGSRepPart
       via  8fdff19c546 heimdal: apply disallow-forwardable on server in TGS request
       via  197f97bc13c selftest: add test for disallowed-forwardable server
      from  eae301e1206 samba-tool dns query --help: Someone forgot 'PTR' from the list of record types

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7655a0298e5f55582bf48ec776d8cd8b79fb5dd9
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Tue Jan 14 13:16:02 2020 +0100

    db-glue.c: set forwardable flag on cross-realm tgt tickets
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
    
    Match Windows behavior and allow the forwardable flag to be
    set in cross-realm tickets. We used to allow forwardable to
    any server, but now that we apply disallow-forwardable policy
    in heimdal we need to explicitly allow in the cross-realm case
    (and remove the workaround we have for it in the MIT plugin).
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184

commit fb7dfdbe8f94f7f053d67832e7f28a751136d733
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sat May 9 16:26:45 2020 +0200

    selftest: test forwardable flag in cross-realm with s4u2proxy
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9b302a57ff0d4c3a373f762f2ad4daf736b0853b
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Wed May 6 15:54:55 2020 +0200

    selftest: test forwardable flag in cross-realm tgt tickets
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a823cc1e8bc9a68a7e662022705039397a5df7e1
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Thu May 7 01:25:36 2020 +0200

    selftest: allow EncASRepPart to be encoded as EncTGSRepPart
    
    That's how the MIT KDC encodes it; clients accept both.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8fdff19c5461315556014d25d237a958edeed1a2
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Jan 13 23:42:54 2020 +0100

    heimdal: apply disallow-forwardable on server in TGS request
    
    upstream commit: 839b073facd2aecda6740224d73e560bc79965dc
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 197f97bc13c513ae6ae2b4129b23489081f63c64
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sun Jan 19 16:24:24 2020 +0100

    selftest: add test for disallowed-forwardable server
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
    
    Signed-off-by: Isaac Boukris <iboukris at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/simple_tests.py            |  7 ++++-
 .../krb5/{simple_tests.py => xrealm_tests.py}      | 25 ++++++++++++------
 python/samba/tests/usage.py                        |  1 +
 source4/heimdal/kdc/krb5tgs.c                      |  6 +++++
 source4/kdc/db-glue.c                              |  3 +++
 source4/kdc/mit_samba.c                            |  5 ----
 source4/selftest/tests.py                          |  4 ++-
 testprogs/blackbox/test_s4u_heimdal.sh             | 30 ++++++++++++++++++----
 8 files changed, 61 insertions(+), 20 deletions(-)
 copy python/samba/tests/krb5/{simple_tests.py => xrealm_tests.py} (88%)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py
index c9998c4d2db..236fbda1cd5 100755
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/simple_tests.py
@@ -115,7 +115,12 @@ class SimpleKerberosTests(RawKerberosTest):
 
         usage = 3
         enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
-        enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+
+        # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26
+        try:
+            enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+        except Exception:
+            enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
 
         # TGS Request
         service_creds = self.get_service_creds(allow_missing_password=True)
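Review bot: catching bare `Exception` in the new fallback hides every other failure of the first `der_decode`, including a wrong decryption key that yields garbage, and the reader then only sees the second, misleading EncTGSRepPart error. Narrow it to the pyasn1 decode error (`except PyAsn1Error:` from `pyasn1.error`) and, since the comment says the only difference is the application tag, consider inspecting the tag byte and choosing the spec once instead of try/except.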
diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/xrealm_tests.py
similarity index 88%
copy from python/samba/tests/krb5/simple_tests.py
copy to python/samba/tests/krb5/xrealm_tests.py
index c9998c4d2db..64064b8a670 100755
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/xrealm_tests.py
@@ -24,18 +24,19 @@ os.environ["PYTHONUNBUFFERED"] = "1"
 
 from samba.tests.krb5.raw_testcase import RawKerberosTest
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+import samba.tests
 
 global_asn1_print = False
 global_hexdump = False
 
-class SimpleKerberosTests(RawKerberosTest):
+class XrealmKerberosTests(RawKerberosTest):
 
     def setUp(self):
-        super(SimpleKerberosTests, self).setUp()
+        super(XrealmKerberosTests, self).setUp()
         self.do_asn1_print = global_asn1_print
         self.do_hexdump = global_hexdump
 
-    def test_simple(self):
+    def test_xrealm(self):
         user_creds = self.get_user_creds()
         user = user_creds.get_username()
         realm = user_creds.get_realm()
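Review bot: this file starts life as an 88% copy of simple_tests.py, and the AS-REQ/decrypt sequence it duplicates (including the EncASRepPart/EncTGSRepPart fallback) will drift from the original on the next fix. Move that shared part into a helper on RawKerberosTest and keep only the cross-realm TGS step in this module.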
@@ -115,13 +116,17 @@ class SimpleKerberosTests(RawKerberosTest):
 
         usage = 3
         enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
-        enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
 
-        # TGS Request
-        service_creds = self.get_service_creds(allow_missing_password=True)
-        service_name = service_creds.get_username()
+        # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26
+        try:
+            enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+        except Exception:
+            enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
+
+        # TGS Request (for cross-realm TGT)
+        trust_realm = samba.tests.env_get_var_value('TRUST_REALM')
+        sname = self.PrincipalName_create(name_type=2, names=["krbtgt", trust_realm])
 
-        sname = self.PrincipalName_create(name_type=2, names=["host", service_name])
         kdc_options = krb5_asn1.KDCOptions('forwardable')
         till = self.get_KerberosTime(offset=36000)
         ticket = rep['ticket']
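Review bot: the flag check this test drives depends on the initial TGT already being forwardable, since Heimdal rejects a TGS request with the forwardable option when the presented TGT lacks the flag (the fix restores forwardable for the cross-realm krbtgt entry, it does not grant it). The AS-REQ options are outside this hunk; confirm that request sets `forwardable` too, otherwise the later check fails for the wrong reason. `samba.tests.env_get_var_value('TRUST_REALM')` also fails with an AssertionError when the variable is unset; an explicit skip with a clear message would be friendlier.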
@@ -161,6 +166,10 @@ class SimpleKerberosTests(RawKerberosTest):
         enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
         enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
 
+        # Check the forwardable flag
+        fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1
+        assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos])
+
         return
 
 
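Review bot: the closing check uses a bare `assert(...)`, which disappears under `python -O` and reports nothing useful on failure; use `self.assertTrue(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos], 'forwardable not set in cross-realm TGT')`. The index computation `len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1` also deserves a short comment (it derives the bit position of `forwardable` from the length of the named-bit value) and a space before `1` for PEP 8.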
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index 58053474e03..89b5e957407 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -88,6 +88,7 @@ EXCLUDE_USAGE = {
     'python/samba/tests/krb5/kcrypto.py',
     'python/samba/tests/krb5/simple_tests.py',
     'python/samba/tests/krb5/s4u_tests.py',
+    'python/samba/tests/krb5/xrealm_tests.py',
 }
 
 EXCLUDE_HELP = {
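Review bot: the new module is only added to EXCLUDE_USAGE; if simple_tests.py and s4u_tests.py are also listed in EXCLUDE_HELP just below, xrealm_tests.py needs the same entry there, or the help-text check will start failing on the copied file.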
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 53d0eaf935b..b76726cdd64 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -866,6 +866,12 @@ tgs_make_reply(krb5_context context,
     et.flags.anonymous   = tgt->flags.anonymous;
     et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
 
+    /* See MS-KILE 3.3.5.1 */
+    if (!server->entry.flags.forwardable)
+        et.flags.forwardable = 0;
+    if (!server->entry.flags.proxiable)
+        et.flags.proxiable = 0;
+
     if(rspac->length) {
 	/*
 	 * No not need to filter out the any PAC from the
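Review bot: commit order: this hunk clears `forwardable` for any server entry lacking the flag, which includes the cross-realm krbtgt entry until db-glue.c sets `entry.flags.forwardable` for trust entries in the last commit of this push, so the xrealm tests added in between cannot pass at their own commit and the series does not bisect cleanly; land the db-glue.c change before or together with this one. The `proxiable` clearing added here is not exercised by any test in the series.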
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 023ae7b580d..27728dab904 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1556,6 +1556,9 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
 
 	entry_ex->entry.max_renew = NULL;
 
+	/* Match Windows behavior and allow forwardable flag in cross-realm. */
+	entry_ex->entry.flags.forwardable = 1;
+
 	ret = samba_kdc_sort_encryption_keys(entry_ex);
 	if (ret != 0) {
 		krb5_clear_error_message(context);
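Review bot: only `forwardable` is forced on for trust entries, but the krb5tgs.c hunk in this push also clears `proxiable` when the server entry lacks it, and the MIT workaround being removed cleared both DISALLOW_FORWARDABLE and DISALLOW_PROXIABLE; unless Windows really strips proxiable from cross-realm TGTs, set `entry_ex->entry.flags.proxiable = 1;` here as well, and cite the MS-KILE section in the comment as the krb5tgs.c hunk does.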
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 5a4f6e73e97..54dcd545ea1 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -304,11 +304,6 @@ fetch_referral_principal:
 
 	sdb_free_entry(&sentry);
 
-	if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
-		kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
-		kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
-	}
-
 done:
 	krb5_free_principal(ctx->context, referral_principal);
 	referral_principal = NULL;
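Review bot: with this block gone, check that `kflags` is still referenced in the function; if not, drop the variable to avoid an unused-variable warning. The commit message should also spell out that the removed code cleared DISALLOW_FORWARDABLE/DISALLOW_PROXIABLE on every non-referral lookup, not only cross-realm, so the MIT build now enforces a server's disallow-forwardable setting; the blackbox coverage for that in this series (test_s4u_heimdal.sh) is Heimdal-only, so an MIT counterpart is still missing.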
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 211a56e689a..39502236f21 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -488,7 +488,7 @@ if have_heimdal_support:
     plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"])
     plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
     plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
-    plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration])
+    plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration])
 else:
     plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration])
     plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient3, configuration])
@@ -769,6 +769,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
                                 'SERVICE_PASSWORD':'$PASSWORD',
                                 'FOR_USER':'$USERNAME'})
 
+planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests")
+
 for env in ["ad_dc", smbv1_disabled_testenv]:
     planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'])
     planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup",
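Review bot: unlike the s4u_tests suite planned just above, the xrealm_tests call passes no environ dictionary, yet the test reads TRUST_REALM via `samba.tests.env_get_var_value`; confirm the selftest harness exports TRUST_REALM for fl2008r2dc:local, or pass it explicitly as `environ={'TRUST_REALM': '$TRUST_REALM'}` so the dependency is visible at the call site.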
diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh
index 0e12c7ec096..c63eeaa2e30 100755
--- a/testprogs/blackbox/test_s4u_heimdal.sh
+++ b/testprogs/blackbox/test_s4u_heimdal.sh
@@ -12,8 +12,13 @@ USERNAME=$2
 PASSWORD=$3
 REALM=$4
 DOMAIN=$5
-PREFIX=$6
-shift 6
+TRUST_SERVER=$6
+TRUST_USERNAME=$7
+TRUST_PASSWORD=$8
+TRUST_REALM=$9
+TRUST_DOMAIN=${10}
+PREFIX=${11}
+shift 11
 failed=0
 
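Review bot: the script now needs 11 positional arguments before `shift 11`; a caller still passing the old 7 leaves every TRUST_* variable empty and PREFIX unset, and the shell may abort at `shift 11` with an unhelpful message. Add a guard near the top such as `[ $# -ge 11 ] || { echo "usage: $0 SERVER USERNAME PASSWORD REALM DOMAIN TRUST_SERVER TRUST_USERNAME TRUST_PASSWORD TRUST_REALM TRUST_DOMAIN PREFIX"; exit 1; }`.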
 
@@ -39,7 +44,7 @@ export KRB5CCNAME
 rm -rf $KRB5CCNAME_PATH
 
 princ=test_impersonate_princ
-impersonator=test_impersonator
+impersonator=test_impersonator.$REALM
 target="CIFS/$SERVER.$REALM"
 
 
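Review bot: the impersonator name now embeds the realm (`test_impersonator.$REALM`) with no explanation, and a reader will take the dot for a typo; add a comment stating the reason (presumably so that the trust-realm user's `kgetcred` for the impersonator can resolve the service principal's realm from the name in the cross-realm steps added later in this file).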
@@ -54,7 +59,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=`
 
 
 echo $PASSWORD > $PREFIX/tmppassfile
-testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1`
+testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1`
 
 testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1`
 testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
@@ -68,6 +73,21 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile
 testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1`
 testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
 
+testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
+testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
 
-rm -f $ocache $PREFIX/tmpccache tmppassfile
+echo $TRUST_PASSWORD > $PREFIX/tmppassfile
+testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+echo $PASSWORD > $PREFIX/tmppassfile
+testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1`
+testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
+testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+
+rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile
 exit $failed
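Review bot: `set not-delegated on impersonator` is never reverted, so the impersonator account stays sensitive for anything that runs later in the same fl2008r2dc environment; add `testit "unset not-delegated on impersonator" $samba_tool user sensitive $impersonator off || failed=\`expr $failed + 1\`` before the cleanup, mirroring the `unset not-delegated flag` step for $princ. The cleanup change from `tmppassfile` to `$PREFIX/tmppassfile` is a real fix (the old relative path never removed the password file) and deserves a mention in the commit message.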


-- 
Samba Shared Repository
