[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Fri Jun 12 22:11:12 UTC 2020
The branch, master has been updated
via 7655a0298e5 db-glue.c: set forwardable flag on cross-realm tgt tickets
via fb7dfdbe8f9 selftest: test forwardable flag in cross-realm with s4u2proxy
via 9b302a57ff0 selftest: test forwardable flag in cross-realm tgt tickets
via a823cc1e8bc selftest: allow EncASRepPart to be encoded as EncTGSRepPart
via 8fdff19c546 heimdal: apply disallow-forwardable on server in TGS request
via 197f97bc13c selftest: add test for disallowed-forwardable server
from eae301e1206 samba-tool dns query --help: Someone forgot 'PTR' from the list of record types
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7655a0298e5f55582bf48ec776d8cd8b79fb5dd9
Author: Isaac Boukris <iboukris at gmail.com>
Date: Tue Jan 14 13:16:02 2020 +0100
db-glue.c: set forwardable flag on cross-realm tgt tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Match Windows behavior and allow the forwardable flag to be
set in cross-realm tickets. We used to allow forwardable to
any server, but now that we apply disallow-forwardable policy
in heimdal we need to explicitly allow in the cross-realm case
(and remove the workaround we have for it in the MIT plugin).
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184
commit fb7dfdbe8f94f7f053d67832e7f28a751136d733
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sat May 9 16:26:45 2020 +0200
selftest: test forwardable flag in cross-realm with s4u2proxy
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9b302a57ff0d4c3a373f762f2ad4daf736b0853b
Author: Isaac Boukris <iboukris at gmail.com>
Date: Wed May 6 15:54:55 2020 +0200
selftest: test forwardable flag in cross-realm tgt tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a823cc1e8bc9a68a7e662022705039397a5df7e1
Author: Isaac Boukris <iboukris at gmail.com>
Date: Thu May 7 01:25:36 2020 +0200
selftest: allow EncASRepPart to be encoded as EncTGSRepPart
That's how the MIT KDC encodes it; clients accept both.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8fdff19c5461315556014d25d237a958edeed1a2
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Jan 13 23:42:54 2020 +0100
heimdal: apply disallow-forwardable on server in TGS request
upstream commit: 839b073facd2aecda6740224d73e560bc79965dc
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 197f97bc13c513ae6ae2b4129b23489081f63c64
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Jan 19 16:24:24 2020 +0100
selftest: add test for disallowed-forwardable server
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233
Signed-off-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
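As an added illustration of the policy this series implements (example code written for this page, not Samba's or Heimdal's own), the following Python decodes the RFC 4120 KerberosFlags BIT STRING and models what tgs_make_reply() does after the krb5tgs.c change, with the db-glue.c rule that trust entries are always allowed forwardable tickets. `ServerEntry`, `issued_ticket_flags` and `usable_as_s4u2proxy_evidence` are this example's own simplifications; the flag bit positions come from RFC 4120 section 5.4.1, and the sample flag bytes are constructed, not captured.

```python
"""Added example, not Samba code: decode RFC 4120 KerberosFlags and model the
forwardable/proxiable policy applied by the patch series above.  ServerEntry
and the function names are this example's own simplifications."""

from dataclasses import dataclass
from typing import Iterable, Set

# TicketFlags bit positions from RFC 4120 section 5.4.1; bit 0 is the most
# significant bit of the first content byte of the BIT STRING.
TICKET_FLAG_BITS = {
    "reserved": 0, "forwardable": 1, "forwarded": 2, "proxiable": 3,
    "proxy": 4, "may-postdate": 5, "postdated": 6, "invalid": 7,
    "renewable": 8, "initial": 9, "pre-authent": 10, "hw-authent": 11,
    "transited-policy-checked": 12, "ok-as-delegate": 13,
}


def decode_kerberos_flags(der: bytes) -> Set[str]:
    """Decode a DER BIT STRING (tag 0x03) holding KerberosFlags into flag names.

    Only short-form lengths are accepted: KerberosFlags is a 32-bit field, so a
    long-form length is itself a sign of a malformed or hostile encoding.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad BIT STRING length")
    unused, payload = der[2], der[3:]
    if unused > 7:
        raise ValueError("invalid unused-bits count")
    nbits = len(payload) * 8 - unused
    if nbits < 32:
        raise ValueError("KerberosFlags must carry at least 32 bits")
    names = set()
    for name, pos in TICKET_FLAG_BITS.items():
        if pos < nbits and (payload[pos // 8] >> (7 - pos % 8)) & 1:
            names.add(name)
    return names


def encode_kerberos_flags(names: Iterable[str]) -> bytes:
    """Inverse of decode_kerberos_flags for a 32-bit field (0 unused bits)."""
    payload = bytearray(4)
    for name in names:
        pos = TICKET_FLAG_BITS[name]
        payload[pos // 8] |= 1 << (7 - pos % 8)
    return bytes([0x03, 1 + len(payload), 0]) + bytes(payload)


@dataclass
class ServerEntry:
    """The HDB attributes tgs_make_reply() consults (assumed, simplified)."""
    name: str
    forwardable: bool = True      # entry may receive forwardable tickets
    proxiable: bool = True        # entry may receive proxiable tickets
    ok_as_delegate: bool = False
    is_trust: bool = False        # krbtgt entry for a trusted realm (db-glue.c)


def issued_ticket_flags(tgt_flags: Set[str], requested: Set[str],
                        server: ServerEntry) -> Set[str]:
    """Flags the TGS places in the new ticket, as modelled from the series.

    Only forwardable, proxiable and ok-as-delegate are modelled; the other
    flags are untouched by the patch and left out here.
    """
    # db-glue.c: a trust entry is always allowed forwardable tickets.
    forwardable_ok = server.forwardable or server.is_trust
    flags = set()
    # RFC 4120 3.3.3: the new ticket may be forwardable/proxiable only when the
    # client asked for it and the TGT it presents already carries the flag;
    # krb5tgs.c now additionally clears both when the server entry forbids them.
    if "forwardable" in requested and "forwardable" in tgt_flags and forwardable_ok:
        flags.add("forwardable")
    if "proxiable" in requested and "proxiable" in tgt_flags and server.proxiable:
        flags.add("proxiable")
    if server.ok_as_delegate:
        flags.add("ok-as-delegate")
    return flags


def usable_as_s4u2proxy_evidence(ticket_flags: Set[str]) -> bool:
    """Constrained delegation needs a forwardable evidence ticket; this is the
    case test_s4u_heimdal.sh expects to fail for a not-delegated impersonator."""
    return "forwardable" in ticket_flags


if __name__ == "__main__":
    # Constructed AS-REP flags: forwardable, renewable, pre-authent (plus bit 15).
    tgt = decode_kerberos_flags(bytes.fromhex("03050040a10000"))
    sensitive = ServerEntry("test_impersonator", forwardable=False, proxiable=False)
    print(sorted(tgt), issued_ticket_flags(tgt, {"forwardable"}, sensitive))
```

Run it to see the sensitive (not-delegated) impersonator receive a ticket without `forwardable`, which `usable_as_s4u2proxy_evidence` then rejects; swap in `ServerEntry("krbtgt/TRUST", forwardable=False, is_trust=True)` to see the cross-realm exception keep the flag.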
Summary of changes:
python/samba/tests/krb5/simple_tests.py | 7 ++++-
.../krb5/{simple_tests.py => xrealm_tests.py} | 25 ++++++++++++------
python/samba/tests/usage.py | 1 +
source4/heimdal/kdc/krb5tgs.c | 6 +++++
source4/kdc/db-glue.c | 3 +++
source4/kdc/mit_samba.c | 5 ----
source4/selftest/tests.py | 4 ++-
testprogs/blackbox/test_s4u_heimdal.sh | 30 ++++++++++++++++++----
8 files changed, 61 insertions(+), 20 deletions(-)
copy python/samba/tests/krb5/{simple_tests.py => xrealm_tests.py} (88%)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py
index c9998c4d2db..236fbda1cd5 100755
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/simple_tests.py
@@ -115,7 +115,12 @@ class SimpleKerberosTests(RawKerberosTest):
usage = 3
enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+
+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26
+ try:
+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+ except Exception:
+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
# TGS Request
service_creds = self.get_service_creds(allow_missing_password=True)
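Review bot: the fallback at `except Exception:` is too broad for a protocol test: a wrong key, a truncated ciphertext or a genuinely malformed EncASRepPart is swallowed here and surfaces as an EncTGSRepPart decode error instead, hiding the real cause. Catch the decoder's own error (`pyasn1.error.PyAsn1Error`) and, since the same try/except now appears verbatim in xrealm_tests.py as well, move it into a helper on RawKerberosTest so both tests share one implementation.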
diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/xrealm_tests.py
similarity index 88%
copy from python/samba/tests/krb5/simple_tests.py
copy to python/samba/tests/krb5/xrealm_tests.py
index c9998c4d2db..64064b8a670 100755
--- a/python/samba/tests/krb5/simple_tests.py
+++ b/python/samba/tests/krb5/xrealm_tests.py
@@ -24,18 +24,19 @@ os.environ["PYTHONUNBUFFERED"] = "1"
from samba.tests.krb5.raw_testcase import RawKerberosTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+import samba.tests
global_asn1_print = False
global_hexdump = False
-class SimpleKerberosTests(RawKerberosTest):
+class XrealmKerberosTests(RawKerberosTest):
def setUp(self):
- super(SimpleKerberosTests, self).setUp()
+ super(XrealmKerberosTests, self).setUp()
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
- def test_simple(self):
+ def test_xrealm(self):
user_creds = self.get_user_creds()
user = user_creds.get_username()
realm = user_creds.get_realm()
@@ -115,13 +116,17 @@ class SimpleKerberosTests(RawKerberosTest):
usage = 3
enc_part2 = key.decrypt(usage, rep['enc-part']['cipher'])
- enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
- # TGS Request
- service_creds = self.get_service_creds(allow_missing_password=True)
- service_name = service_creds.get_username()
+ # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26
+ try:
+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart())
+ except Exception:
+ enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
+
+ # TGS Request (for cross-realm TGT)
+ trust_realm = samba.tests.env_get_var_value('TRUST_REALM')
+ sname = self.PrincipalName_create(name_type=2, names=["krbtgt", trust_realm])
- sname = self.PrincipalName_create(name_type=2, names=["host", service_name])
kdc_options = krb5_asn1.KDCOptions('forwardable')
till = self.get_KerberosTime(offset=36000)
ticket = rep['ticket']
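Review bot: the cross-realm request only sets `forwardable` in `kdc_options = krb5_asn1.KDCOptions('forwardable')`. The krb5tgs.c hunk in this series clears `proxiable` under the same server-entry rule, while db-glue.c forces only `forwardable` on trust entries, so the proxiable behaviour of a cross-realm TGT is left untested; request `proxiable` here too and assert the outcome you intend in the flag check below. The `sname` built with `name_type=2` (NT-SRV-INST) and `["krbtgt", trust_realm]` is correct for the cross-realm TGT.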
@@ -161,6 +166,10 @@ class SimpleKerberosTests(RawKerberosTest):
enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher'])
enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart())
+ # Check the forwardable flag
+ fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1
+ assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos])
+
return
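Review bot: the bit index at `fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1` only works because pyasn1 sizes a named-bit string up to the highest set bit, which is an implementation detail; `krb5_asn1.TicketFlags.namedValues['forwardable']` yields the RFC 4120 bit position (1) directly and reads as what it is. Prefer `self.assertTrue(..., msg)` over the parenthesised bare `assert(...)`: `assert` is stripped under `python -O`, and the parentheses invite the classic `assert (cond, msg)` always-true tuple.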
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index 58053474e03..89b5e957407 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -88,6 +88,7 @@ EXCLUDE_USAGE = {
'python/samba/tests/krb5/kcrypto.py',
'python/samba/tests/krb5/simple_tests.py',
'python/samba/tests/krb5/s4u_tests.py',
+ 'python/samba/tests/krb5/xrealm_tests.py',
}
EXCLUDE_HELP = {
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index 53d0eaf935b..b76726cdd64 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -866,6 +866,12 @@ tgs_make_reply(krb5_context context,
et.flags.anonymous = tgt->flags.anonymous;
et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate;
+ /* See MS-KILE 3.3.5.1 */
+ if (!server->entry.flags.forwardable)
+ et.flags.forwardable = 0;
+ if (!server->entry.flags.proxiable)
+ et.flags.proxiable = 0;
+
if(rspac->length) {
/*
* No not need to filter out the any PAC from the
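Review bot: the comment `/* See MS-KILE 3.3.5.1 */` names a section but not the rule being enforced; the reason only becomes visible in test_s4u_heimdal.sh, where an impersonator marked not-delegated must not receive a forwardable ticket so that it cannot serve as an S4U2Proxy evidence ticket. Spell that out in the comment. It is also worth noting here that the check applies to every TGS-REQ, cross-realm krbtgt targets included, which is why db-glue.c in the same series forces `forwardable` on trust entries; a cross-reference would stop someone later re-adding a cross-realm exemption in this function.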
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 023ae7b580d..27728dab904 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1556,6 +1556,9 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
entry_ex->entry.max_renew = NULL;
+ /* Match Windows behavior and allow forwardable flag in cross-realm. */
+ entry_ex->entry.flags.forwardable = 1;
+
ret = samba_kdc_sort_encryption_keys(entry_ex);
if (ret != 0) {
krb5_clear_error_message(context);
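Review bot: the comment says only that this matches Windows; state the consequence so the next reader does not "fix" it. Without this unconditional `entry_ex->entry.flags.forwardable = 1`, the new check in tgs_make_reply() would strip `forwardable` from every cross-realm TGT and break S4U2Proxy for users from the trusted realm, which is exactly the case test_s4u_heimdal.sh now exercises. Something like `/* Cross-realm TGTs must stay forwardable (as on Windows), otherwise tgs_make_reply() strips the flag and S4U2Proxy from trusted realms fails. */` would carry that.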
diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c
index 5a4f6e73e97..54dcd545ea1 100644
--- a/source4/kdc/mit_samba.c
+++ b/source4/kdc/mit_samba.c
@@ -304,11 +304,6 @@ fetch_referral_principal:
sdb_free_entry(&sentry);
- if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) {
- kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE;
- kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE;
- }
-
done:
krb5_free_principal(ctx->context, referral_principal);
referral_principal = NULL;
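Review bot: the removed block cleared both `KRB5_KDB_DISALLOW_FORWARDABLE` and `KRB5_KDB_DISALLOW_PROXIABLE`, but the replacement in db-glue.c only sets `entry.flags.forwardable` on trust entries. If the MIT glue derives DISALLOW_PROXIABLE from a missing `proxiable` flag, cross-realm TGTs issued by the MIT KDC now lose the proxiable option they previously kept. Either set `proxiable` alongside `forwardable` in samba_kdc_trust_message2entry, or state in the commit message that dropping proxiable for cross-realm is intended.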
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 211a56e689a..39502236f21 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -488,7 +488,7 @@ if have_heimdal_support:
plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"])
plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4])
plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"])
- plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration])
+ plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration])
else:
plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration])
plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient3, configuration])
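Review bot: the s4u suite now takes twelve positional parameters, matched by `shift 11` in test_s4u_heimdal.sh, but nothing checks that the two stay in step: dropping one argument here silently shifts `$PREFIX` into `$TRUST_DOMAIN`. Add an argument-count check at the top of the script (for example `[ $# -ge 12 ] || exit 1` after the usage message) or pass the trust parameters through the environment instead of by position.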
@@ -769,6 +769,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
'SERVICE_PASSWORD':'$PASSWORD',
'FOR_USER':'$USERNAME'})
+planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests")
+
for env in ["ad_dc", smbv1_disabled_testenv]:
planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"'])
planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup",
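Review bot: `planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests")` passes no environment dictionary, yet xrealm_tests.py reads `TRUST_REALM` through `env_get_var_value`, which fails with an assertion rather than a skip when the variable is absent. The s4u_tests entry just above passes its extra parameters explicitly; do the same for `TRUST_REALM` so the suite does not depend on the testenv exporting it.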
diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh
index 0e12c7ec096..c63eeaa2e30 100755
--- a/testprogs/blackbox/test_s4u_heimdal.sh
+++ b/testprogs/blackbox/test_s4u_heimdal.sh
@@ -12,8 +12,13 @@ USERNAME=$2
PASSWORD=$3
REALM=$4
DOMAIN=$5
-PREFIX=$6
-shift 6
+TRUST_SERVER=$6
+TRUST_USERNAME=$7
+TRUST_PASSWORD=$8
+TRUST_REALM=$9
+TRUST_DOMAIN=${10}
+PREFIX=${11}
+shift 11
failed=0
@@ -39,7 +44,7 @@ export KRB5CCNAME
rm -rf $KRB5CCNAME_PATH
princ=test_impersonate_princ
-impersonator=test_impersonator
+impersonator=test_impersonator.$REALM
target="CIFS/$SERVER.$REALM"
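Review bot: the rename at `impersonator=test_impersonator.$REALM` is unexplained; nothing in the hunk says why the account now carries a realm suffix, and a later cleanup could revert it without noticing it matters for the trust-user cases added below. A one-line comment stating the reason would preserve the intent.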
@@ -54,7 +59,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=`
echo $PASSWORD > $PREFIX/tmppassfile
-testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1`
+testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1`
testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1`
testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
@@ -68,6 +73,21 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile
testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1`
testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
+testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
-rm -f $ocache $PREFIX/tmpccache tmppassfile
+echo $TRUST_PASSWORD > $PREFIX/tmppassfile
+testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1`
+testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+echo $PASSWORD > $PREFIX/tmppassfile
+testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1`
+testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1`
+testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1`
+testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1`
+
+
+rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile
exit $failed
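Review bot: `set not-delegated on impersonator` is never undone, unlike the earlier `unset not-delegated flag` for `$princ`, so the impersonator account stays sensitive for anything else that runs in the fl2008r2dc environment after this script; add a matching `$samba_tool user sensitive $impersonator off` before the cleanup. Separately, `testit_expect_failure "test S4U2Proxy using received ticket"` only proves that kgetcred failed, not why; inspecting the cached ticket's flags (Heimdal `klist -v` on `$ocache`) would confirm the failure is the missing forwardable flag rather than an unrelated error. The two consecutive blank `+` lines before `rm -f` can be collapsed to one.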
--
Samba Shared Repository