[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Wed Aug 18 23:21:01 UTC 2021


The branch, master has been updated
       via  984a0db00c3 tests/krb5: Add FAST tests
       via  b7b62957bdc initial FAST tests
       via  aa2c221f4e1 tests/krb5: Check PADATA-FX-ERROR in reply
       via  66e1eb58bed tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
       via  0c857f67a3a tests/krb5: Check PADATA-PAC-OPTIONS in reply
       via  29070e74baa tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
       via  ab4e7028a6a tests/krb5: Make check_rep_padata() also work for checking TGS replies
       via  95b54078c2f tests/krb5: Check PADATA-FX-COOKIE in reply
       via  2f7919db395 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
       via  44a44109db9 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
       via  056fb71832e tests/krb5: Check reply FAST padata if request included FAST
       via  7a27b756219 tests/krb5: Check sname is krbtgt for FAST generic error
       via  dbe98005d58 tests/krb5: Add get_krbtgt_sname() method
       via  5edbabeb26e tests/krb5: Remove unused variables
       via  705e45e37f4 tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
       via  79b9aac65b7 tests/krb5: Add check_rep_padata() method to check padata in reply
       via  1389ba346df tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
       via  ea1ed63e881 tests/krb5: Include authdata in kdc_exchange_dict
       via  2ee87dbf08e tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
       via  0c029e780cf tests/krb5: Check encrypted-pa-data
       via  99e3b909edf tests/krb5: Add methods to determine whether elements were included in the request
       via  dc7dac95ec5 tests/krb5: Add functions to get dicts of request padata
       via  d878bd6404d tests/krb5: Check FAST response
       via  4ca05402b36 tests/krb5: Add method to verify ticket checksum for FAST
       via  b62488113f6 tests/krb5: Add method to check PA-FX-FAST-REPLY
       via  16ce1a1d304 tests/krb5: Allow specifying parameters specific to the outer request body
       via  0df385fc49c tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
       via  5c2cd71ae70 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
       via  d554b6dc0f4 tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
       via  74f332c6f9e tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
       via  08089406746 tests/krb5: Add methods to calculate keys for FAST
       via  aafc8689696 tests/krb5: Add method to generate FAST encrypted challenge padata
       via  69a66c0d2a7 tests/krb5: Add more methods to create ASN1 objects for FAST
       via  ec702900295 tests/krb5: Add more ASN1 definitions for FAST
       via  025737deb53 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
       via  b6f96dd6395 tests/krb5: Ensure generated padata is not None
       via  4824dd4e9f4 tests/krb5: Add generate_ap_req() method
       via  4951a105b04 tests/krb5: Check nonce in EncKDCRepPart
       via  6df0e406f1f tests/krb5: Make checking less strict
       via  98dc19e8c81 tests/krb5: Check version number of obtained ticket
       via  3d1066e9238 tests/krb5: Assert that more variables are not None
       via  ba3c92f77b2 tests/krb5: Ensure in assertElementPresent() that container elements are not empty
       via  78818655505 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
       via  8fe9589da2d tests/krb5: Include kdc_options in kdc_exchange_dict
       via  21c64fda8f9 tests/krb5: Always specify expected error code
       via  28fb50f511f tests/krb5: Add check_reply() method to check for AS or TGS reply
       via  f5689bb8fab tests/krb5: Add method to calculate account salt
       via  50d743bafc7 tests/krb5: Add more methods for obtaining machine and service credentials
       via  4790b6b04ae tests/krb5: Allow specifying additional details when creating an account
       via  ce379edf2e1 tests/krb5: Use encryption with admin credentials
       via  bab7503e304 tests/krb5: Add get_EpochFromKerberosTime()
       via  fe8912e4a85 tests/krb5: Make _test_as_exchange() return value more consistent
       via  cb332d83008 tests/krb5: Add method to return dict containing padata elements
       via  f5a906f74f9 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
       via  2c80f7f851a tests/krb5: Refactor get_pa_data()
       via  a5e5f8fdfe8 tests/krb5: Allow cf2 to automatically use the enctype of the first key
       via  17d5a267298 tests/krb5: Use credentials kvno when creating password key
       via  d6a242e2000 tests/krb5: Check Kerberos protocol version number
       via  8194b2a2611 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
       via  a0c6538a971 tests/krb5: Fix encpart_decryption_key with MIT KDC
       via  bad5f4ee5fd tests/krb5: Fix callback_dict parameter
       via  67ff72395ce tests/krb5: Fix including enc-authorization-data
       via  a2b183c179e tests/krb5: Remove magic constants
       via  41c3e410344 tests/krb5: Simplify Python syntax
       via  38b3a361819 tests/krb5: Use more compact dict lookup
       via  1320ac0f91a tests/krb5: Remove unneeded statements
       via  df6623363a7 tests/krb5: formatting
       via  7013a8edd1f tests/krb5: Fix method name typo
       via  9eb4c4b7b1c tests/krb5: Fix comment typo
       via  4797ced8909 tests/krb5: Fix ms_kile_client_principal_lookup_test errors
       via  6818d204897 pygensec: Don't modify Python bytes objects
       via  814df05f8c1 pygensec: Fix memory leaks
      from  4809f4a6ee9 registry: check for running as root in clustering mode

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:58:44 2021 +1200

    tests/krb5: Add FAST tests
    
    Example command:
    
    SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
    KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
    PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184

commit b7b62957bdce9929fabd3812b9378bdbd6c12966
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Thu Jun 10 09:56:58 2021 +1200

    initial FAST tests
    
    Currently incomplete, and tested only against MIT Kerberos.
    
    [abartlet at samba.org
     Originally "WIP inital FAST tests"
    
     Samba's general policy is that we don't push WIP patches; we polish
     into a 'perfect' patch stream.
    
     However, I think there are good reasons to keep this patch distinct
     in this particular case.
    
     Gary is being modest in titling this WIP (now removed from the title
     to avoid confusion). They are not WIP in the normal sense of
     partially or untested code or random unfinished thoughts. The primary
     issue is that at the point where Gary had to finish up, he had
     trouble getting FAST support enabled on Windows, so he couldn't test
     against our standard reference. They are instead good, working
     initial tests written against the RFC and tested against Samba's AD DC
     in the mode backed by MIT Kerberos.
    
     This preserves clear authorship for the two distinct bodies of work,
     as in the next patch Joseph was able to extend and improve the tests
     significantly. ]
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit aa2c221f4e1bfc3403de857e62eaeaee1577560c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:49:58 2021 +1200

    tests/krb5: Check PADATA-FX-ERROR in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 66e1eb58bedf036ad25a868993d44480c4e0e055
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 11:50:16 2021 +1200

    tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:50:20 2021 +1200

    tests/krb5: Check PADATA-PAC-OPTIONS in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 29070e74baa18d94642efcd36930b9bab216e10c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:29:39 2021 +1200

    tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ab4e7028a6ac01eab9531c8a26507a912df54278
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 20:49:25 2021 +1200

    tests/krb5: Make check_rep_padata() also work for checking TGS replies
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:49:12 2021 +1200

    tests/krb5: Check PADATA-FX-COOKIE in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:36:56 2021 +1200

    tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 44a44109db96eab08a3da3683c34446bc13b295b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:42:26 2021 +1200

    tests/krb5: Adjust reply padata checking depending on whether FAST was sent
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 056fb71832e7aa16132c58ff393ab8b752ef6a93
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:31:39 2021 +1200

    tests/krb5: Check reply FAST padata if request included FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 7a27b75621908a4a6449efaecb54eb20fa45aca0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:25:39 2021 +1200

    tests/krb5: Check sname is krbtgt for FAST generic error
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit dbe98005d5873440063b91e56679937149535be7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:15:00 2021 +1200

    tests/krb5: Add get_krbtgt_sname() method
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 5edbabeb26e110648d4588c90843e4715ec1ac5c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:26:06 2021 +1200

    tests/krb5: Remove unused variables
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 705e45e37f4752e283a80626be10c38b29232359
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:35:32 2021 +1200

    tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:21:14 2021 +1200

    tests/krb5: Add check_rep_padata() method to check padata in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 1389ba346df81c9ea1e1143c4e819212939f6aeb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:20:09 2021 +1200

    tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ea1ed63e8819926db1cf15974009601c7d37e944
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:18:29 2021 +1200

    tests/krb5: Include authdata in kdc_exchange_dict
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:05:59 2021 +1200

    tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
    
    This is useful for testing the 'hide client names' FAST option.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 0c029e780cf16a49c674593e8329eaf3b87aec69
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:34:49 2021 +1200

    tests/krb5: Check encrypted-pa-data
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:21:01 2021 +1200

    tests/krb5: Add methods to determine whether elements were included in the request
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:20:44 2021 +1200

    tests/krb5: Add functions to get dicts of request padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:42:57 2021 +1200

    tests/krb5: Check FAST response
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4ca05402b36ba13a987b07b2402906764d3cd49b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:10:13 2021 +1200

    tests/krb5: Add method to verify ticket checksum for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b62488113f6053755f9be9faa9b757e7193074fa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:04:37 2021 +1200

    tests/krb5: Add method to check PA-FX-FAST-REPLY
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:01:36 2021 +1200

    tests/krb5: Allow specifying parameters specific to the outer request body
    
    This is useful for testing FAST.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 0df385fc49cc2693c195209936a29e31216df16d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:33:24 2021 +1200

    tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:33:10 2021 +1200

    tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit d554b6dc0f4e14d154e487dc2a842321aa746155
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:19:46 2021 +1200

    tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
    
    This is needed for FAST.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 74f332c6f9e31b933837cefee69b219054970713
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 20:49:12 2021 +1200

    tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
    
    This method will also be useful in checking TGS-REP error replies.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 080894067469d60e2c71961c2d1c1990ba15b917
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:49:05 2021 +1200

    tests/krb5: Add methods to calculate keys for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit aafc86896969d02ff1daecdf2668bfa642860082
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:47:18 2021 +1200

    tests/krb5: Add method to generate FAST encrypted challenge padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:23:26 2021 +1200

    tests/krb5: Add more methods to create ASN1 objects for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ec702900295100ae4e48ba57242eee6670bf30d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:21:07 2021 +1200

    tests/krb5: Add more ASN1 definitions for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 025737deb5325d25b2ae4c57583c24ae1d0eca33
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 13:59:36 2021 +1200

    tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit b6f96dd6395a30e15fa906959cbe665757aaba8d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:06:35 2021 +1200

    tests/krb5: Ensure generated padata is not None
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 19:27:02 2021 +1200

    tests/krb5: Add generate_ap_req() method
    
    This method will be useful to generate an AP-REQ for use as FAST armor.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4951a105b0448854115a7ecc3d867be6f34b0dcf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 12:52:42 2021 +1200

    tests/krb5: Check nonce in EncKDCRepPart
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:39:37 2021 +1200

    tests/krb5: Make checking less strict
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:34:19 2021 +1200

    tests/krb5: Check version number of obtained ticket
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 3d1066e923815782036bd11524fda110a2528951
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:39:42 2021 +1200

    tests/krb5: Assert that more variables are not None
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ba3c92f77b20e1e0d298cd92399dc69535739c27
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:37:48 2021 +1200

    tests/krb5: Ensure in assertElementPresent() that container elements are not empty
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 78818655505b3183251940e86270cd40bae73206
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:06:15 2021 +1200

    tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
    
    This means that there can no longer be surprises where a test receives a
    reply when it was expecting an error, or vice versa.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:35:40 2021 +1200

    tests/krb5: Include kdc_options in kdc_exchange_dict
    
    Make kdc_options an element of kdc_exchange_dict instead of a parameter
    to _generic_kdc_exchange(). This allows testing code to adjust the reply
    checking based on the options that were specified in the request.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 21c64fda8f98d451e028ea483dbe351b1280390c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:32:52 2021 +1200

    tests/krb5: Always specify expected error code
    
    Now the expected error code is always determined by the test code itself
    rather than by generic_check_as_error().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:19:04 2021 +1200

    tests/krb5: Add check_reply() method to check for AS or TGS reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:22:09 2021 +1200

    tests/krb5: Add method to calculate account salt
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:19:57 2021 +1200

    tests/krb5: Add more methods for obtaining machine and service credentials
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 11:25:55 2021 +1200

    tests/krb5: Allow specifying additional details when creating an account
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit ce379edf2e135b105b18d35e24d732389de94291
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 3 15:58:19 2021 +1200

    tests/krb5: Use encryption with admin credentials
    
    This ensures that account creation using admin credentials succeeds.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit bab7503e3043002b1422b00f40cd03a0a29538aa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:27:17 2021 +1200

    tests/krb5: Add get_EpochFromKerberosTime()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit fe8912e4a85c5fd614ad3079b041c0e1975958e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:27:47 2021 +1200

    tests/krb5: Make _test_as_exchange() return value more consistent
    
    Always return the reply and the kdc_exchange_dict so that the caller has
    more potentially useful information.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit cb332d83008aa97a60eaca9e008054f641d514d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:51:54 2021 +1200

    tests/krb5: Add method to return dict containing padata elements
    
    This makes checking multiple padata elements easier.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit f5a906f74f9665a894db3c13722022f732180620
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:18:38 2021 +1200

    tests/krb5: Add get_enc_timestamp_pa_data_from_key()
    
    This makes it easier to create encrypted timestamp padata when the key
    has already been obtained.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:16:01 2021 +1200

    tests/krb5: Refactor get_pa_data()
    
    The function now returns a single padata object rather than a list,
    making it easier to combine multiple padata elements into a request. The
    new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
    the method generates.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a5e5f8fdfe8b6952592d7d682af893c79080826f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:24:52 2021 +1200

    tests/krb5: Allow cf2 to automatically use the enctype of the first key
    
    RFC6113 states: "Unless otherwise specified, the resulting enctype of
    KRB-FX-CF2 is the enctype of k1." This change means the enctype no
    longer has to be specified manually.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 17d5a267298ccd7272e86fd24c2c608511cf46b7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 11:28:37 2021 +1200

    tests/krb5: Use credentials kvno when creating password key
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit d6a242e20004217a0ce02dc4ef620a121e5944da
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:07:59 2021 +1200

    tests/krb5: Check Kerberos protocol version number
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 17:00:09 2021 +1200

    tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:06:29 2021 +1200

    tests/krb5: Fix encpart_decryption_key with MIT KDC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:12:34 2021 +1200

    tests/krb5: Fix callback_dict parameter
    
    Items contained in a default-created callback_dict should not be carried
    over between unrelated calls to {as,tgs}_as_exchange_dict().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 67ff72395cec2e5170c0ebae8db416a1f226df72
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:14:08 2021 +1200

    tests/krb5: Fix including enc-authorization-data
    
    Remove the EncAuthorizationData parameters from AS_REQ_create(), since
    it should only be present in the TGS-REQ form. Also, fix a call to
    EncryptedData_create() to supply the key usage when creating
    enc-authorization-data.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit a2b183c179e74634438c85a4b35518836ba59e47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 13:49:27 2021 +1200

    tests/krb5: Remove magic constants
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 41c3e410344280d691e5a21fa5240ef52e71bd2d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 3 15:03:00 2021 +1200

    tests/krb5: Simplify Python syntax
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 38b3a361819c716adb773fb3b4507c28d7d26c0d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:10:32 2021 +1200

    tests/krb5: Use more compact dict lookup
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:01:39 2021 +1200

    tests/krb5: Remove unneeded statements
    
    A return statement is redundant as the last statement in a method, as
    methods will otherwise return None. Also, code blocks consisting of a
    single 'pass' statement can be safely omitted.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit df6623363a7ec1a13af48a09e1d29fa8784e825c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:00:09 2021 +1200

    tests/krb5: formatting
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:17:52 2021 +1200

    tests/krb5: Fix method name typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:26:17 2021 +1200

    tests/krb5: Fix comment typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 4797ced89095155c01e44727cf8b66ee4fb39710
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:15:23 2021 +1200

    tests/krb5: Fix ms_kile_client_principal_lookup_test errors
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 20 10:48:41 2021 +1200

    pygensec: Don't modify Python bytes objects
    
    gensec_update() and gensec_unwrap() can both modify their input buffers
    (for example, during the inplace RRC operation on GSSAPI tokens).
    However, buffers obtained from Python bytes objects must not be modified
    in any way. Create a copy of the input buffer so the original isn't
    modified.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 814df05f8c10e9d82e6082d42ece1df569db4385
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 19 17:29:39 2021 +1200

    pygensec: Fix memory leaks
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 .../samba/tests/krb5/as_canonicalization_tests.py  |    4 -
 python/samba/tests/krb5/as_req_tests.py            |  101 +-
 python/samba/tests/krb5/compatability_tests.py     |    4 -
 python/samba/tests/krb5/fast_tests.py              | 1562 ++++++++++++++++++++
 python/samba/tests/krb5/kcrypto.py                 |   12 +-
 python/samba/tests/krb5/kdc_base_test.py           |  187 ++-
 python/samba/tests/krb5/kdc_tests.py               |   27 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |   18 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |   71 +-
 python/samba/tests/krb5/raw_testcase.py            | 1504 ++++++++++++++-----
 python/samba/tests/krb5/rfc4120.asn1               |  106 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   41 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |  100 +-
 python/samba/tests/krb5/s4u_tests.py               |    4 -
 python/samba/tests/krb5/simple_tests.py            |    4 -
 python/samba/tests/krb5/xrealm_tests.py            |    4 -
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail_heimdal_kdc                     |   50 +
 selftest/knownfail_mit_kdc                         |   53 +
 source4/auth/gensec/gensec_gssapi.c                |    4 +
 source4/auth/gensec/pygensec.c                     |   59 +-
 source4/selftest/tests.py                          |    8 +
 22 files changed, 3379 insertions(+), 545 deletions(-)
 create mode 100755 python/samba/tests/krb5/fast_tests.py


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index abb3f96a1e6..29d8cf418f5 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -257,8 +257,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
@@ -314,8 +312,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 10e7b603609..fd258e8164a 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -24,8 +24,10 @@ os.environ["PYTHONUNBUFFERED"] = "1"
 
 from samba.tests import DynamicTestCase
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
+import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
+    KDC_ERR_ETYPE_NOSUPP,
     KDC_ERR_PREAUTH_REQUIRED,
     KU_PA_ENC_TIMESTAMP,
     NT_PRINCIPAL,
@@ -46,7 +48,6 @@ class AsReqKerberosTests(KDCBaseTest):
                 tname = "%s_pac_%s" % (name, pac)
                 targs = (idx, pac)
                 cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
-        return
 
     def setUp(self):
         super(AsReqKerberosTests, self).setUp()
@@ -69,32 +70,43 @@ class AsReqKerberosTests(KDCBaseTest):
         sname = self.PrincipalName_create(name_type=NT_SRV_INST,
                                           names=[krbtgt_account, realm])
 
-        expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
         expected_crealm = realm
         expected_cname = cname
         expected_srealm = realm
         expected_sname = sname
         expected_salt = client_creds.get_forced_salt()
 
+        if any(etype in client_as_etypes and etype in initial_etypes
+               for etype in (kcrypto.Enctype.AES256,
+                             kcrypto.Enctype.AES128,
+                             kcrypto.Enctype.RC4)):
+            expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
+        else:
+            expected_error_mode = KDC_ERR_ETYPE_NOSUPP
+
         def _generate_padata_copy(_kdc_exchange_dict,
                                   _callback_dict,
                                   req_body):
             return initial_padata, req_body
 
+        generate_padata_fn = (_generate_padata_copy
+                              if initial_padata is not None
+                              else None)
+
         kdc_exchange_dict = self.as_exchange_dict(
-                         expected_crealm=expected_crealm,
-                         expected_cname=expected_cname,
-                         expected_srealm=expected_srealm,
-                         expected_sname=expected_sname,
-                         generate_padata_fn=_generate_padata_copy,
-                         check_error_fn=self.generic_check_as_error,
-                         check_rep_fn=self.generic_check_kdc_rep,
-                         expected_error_mode=expected_error_mode,
-                         client_as_etypes=client_as_etypes,
-                         expected_salt=expected_salt)
+            expected_crealm=expected_crealm,
+            expected_cname=expected_cname,
+            expected_srealm=expected_srealm,
+            expected_sname=expected_sname,
+            generate_padata_fn=generate_padata_fn,
+            check_error_fn=self.generic_check_kdc_error,
+            check_rep_fn=None,
+            expected_error_mode=expected_error_mode,
+            client_as_etypes=client_as_etypes,
+            expected_salt=expected_salt,
+            kdc_options=str(initial_kdc_options))
 
         rep = self._generic_kdc_exchange(kdc_exchange_dict,
-                                         kdc_options=str(initial_kdc_options),
                                          cname=cname,
                                          realm=realm,
                                          sname=sname,
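Review bot: the new any() check hard-codes the tuple (kcrypto.Enctype.AES256, kcrypto.Enctype.AES128, kcrypto.Enctype.RC4) as the set of enctypes that leads to KDC_ERR_PREAUTH_REQUIRED rather than KDC_ERR_ETYPE_NOSUPP, and nothing in the hunk says where that list comes from. A short comment, or a named constant shared with other tests, would make clear that this is the set the KDC under test is expected to support and would keep the expectation in one place. In the same hunk, check_rep_fn changes from self.generic_check_kdc_rep to None. If that is because this exchange must always end in an error, a comment saying so would help, since a non-error reply would otherwise go unchecked here. Finally, _generate_padata_copy is still defined when initial_padata is None and the function is never used, so the definition could move under the same condition.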
@@ -142,20 +154,21 @@ class AsReqKerberosTests(KDCBaseTest):
         initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
         initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
 
-        etype_info2 = self._test_as_exchange(cname,
-                                             realm,
-                                             sname,
-                                             till,
-                                             client_as_etypes,
-                                             initial_error_mode,
-                                             expected_crealm,
-                                             expected_cname,
-                                             expected_srealm,
-                                             expected_sname,
-                                             expected_salt,
-                                             initial_etypes,
-                                             initial_padata,
-                                             initial_kdc_options)
+        rep, kdc_exchange_dict = self._test_as_exchange(cname,
+                                                        realm,
+                                                        sname,
+                                                        till,
+                                                        client_as_etypes,
+                                                        initial_error_mode,
+                                                        expected_crealm,
+                                                        expected_cname,
+                                                        expected_srealm,
+                                                        expected_sname,
+                                                        expected_salt,
+                                                        initial_etypes,
+                                                        initial_padata,
+                                                        initial_kdc_options)
+        etype_info2 = kdc_exchange_dict['preauth_etype_info2']
         self.assertIsNotNone(etype_info2)
 
         preauth_key = self.PasswordKey_from_etype_info2(client_creds,
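Review bot: at `etype_info2 = kdc_exchange_dict['preauth_etype_info2']`, a missing key raises KeyError before `self.assertIsNotNone(etype_info2)` can run, so the test would report an error rather than a failed assertion. If the key is not guaranteed to be set by the exchange, use kdc_exchange_dict.get('preauth_etype_info2') or precede the lookup with self.assertIn(). The `rep` value returned alongside the dict is bound but never used in the visible lines. Either assert on it or bind it to `_` to show that ignoring it is intentional.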
@@ -180,24 +193,24 @@ class AsReqKerberosTests(KDCBaseTest):
         krbtgt_decryption_key = (
             self.TicketDecryptionKey_from_creds(krbtgt_creds))
 
-        as_rep = self._test_as_exchange(cname,
-                                        realm,
-                                        sname,
-                                        till,
-                                        client_as_etypes,
-                                        preauth_error_mode,
-                                        expected_crealm,
-                                        expected_cname,
-                                        expected_srealm,
-                                        expected_sname,
-                                        expected_salt,
-                                        preauth_etypes,
-                                        preauth_padata,
-                                        preauth_kdc_options,
-                                        preauth_key=preauth_key,
-                                        ticket_decryption_key=krbtgt_decryption_key)
+        as_rep, kdc_exchange_dict = self._test_as_exchange(
+            cname,
+            realm,
+            sname,
+            till,
+            client_as_etypes,
+            preauth_error_mode,
+            expected_crealm,
+            expected_cname,
+            expected_srealm,
+            expected_sname,
+            expected_salt,
+            preauth_etypes,
+            preauth_padata,
+            preauth_kdc_options,
+            preauth_key=preauth_key,
+            ticket_decryption_key=krbtgt_decryption_key)
         self.assertIsNotNone(as_rep)
-        return
 
 if __name__ == "__main__":
     global_asn1_print = True
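Review bot: the second call binds `as_rep, kdc_exchange_dict = self._test_as_exchange(` but only as_rep is checked afterwards, so kdc_exchange_dict is an unused local at the end of the test. Bind it to `_` or drop it if nothing further is verified from it. The two calls to _test_as_exchange() in this file also now use different layouts, one with arguments aligned to the opening parenthesis and this one with a hanging indent. Picking one style for both would make the pair easier to compare.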
diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index 5a1ef02ef80..cd67549212a 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -147,8 +147,6 @@ class SimpleKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
 
@@ -209,8 +207,6 @@ class SimpleKerberosTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
new file mode 100755
index 00000000000..e38b2e0a6e1
--- /dev/null
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -0,0 +1,1562 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2020 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import functools
+import os
+import sys
+
+import ldb
+
+from samba.dcerpc import security
+from samba.tests.krb5.raw_testcase import (
+    KerberosTicketCreds,
+    Krb5EncryptionKey
+)
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+from samba.tests.krb5.rfc4120_constants import (
+    AD_FX_FAST_ARMOR,
+    AD_FX_FAST_USED,
+    AES256_CTS_HMAC_SHA1_96,
+    ARCFOUR_HMAC_MD5,
+    FX_FAST_ARMOR_AP_REQUEST,
+    KDC_ERR_ETYPE_NOSUPP,
+    KDC_ERR_GENERIC,
+    KDC_ERR_NOT_US,
+    KDC_ERR_PREAUTH_FAILED,
+    KDC_ERR_PREAUTH_REQUIRED,
+    KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
+    KRB_AS_REP,
+    KRB_TGS_REP,
+    KU_AS_REP_ENC_PART,
+    KU_TICKET,
+    NT_PRINCIPAL,
+    NT_SRV_INST,
+    NT_WELLKNOWN,
+    PADATA_FX_COOKIE,
+    PADATA_FX_FAST,
+    PADATA_PAC_OPTIONS
+)
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+import samba.tests.krb5.kcrypto as kcrypto
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+global_asn1_print = False
+global_hexdump = False
+
+
+class FAST_Tests(KDCBaseTest):
+    @classmethod
+    def setUpClass(cls):
+        super().setUpClass()
+
+        cls.user_tgt = None
+        cls.user_enc_part = None
+        cls.user_service_ticket = None
+
+        cls.mach_tgt = None
+        cls.mach_enc_part = None
+        cls.mach_service_ticket = None
+
+    def setUp(self):
+        super().setUp()
+        self.do_asn1_print = global_asn1_print
+        self.do_hexdump = global_hexdump
+
+    def test_simple(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': False
+            },
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': 0,
+                'use_fast': False,
+                'gen_padata_fn': self.generate_enc_timestamp_padata
+            }
+        ])
+
+    def test_simple_tgs(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': False,
+                'gen_tgt_fn': self.get_user_tgt
+            }
+        ])
+
+    def test_simple_tgs_wrong_principal(self):
+        mach_creds = self.get_mach_creds()
+        mach_name = mach_creds.get_username()
+        expected_cname = self.PrincipalName_create(
+            name_type=NT_PRINCIPAL, names=[mach_name])
+
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': False,
+                'gen_tgt_fn': self.get_mach_tgt,
+                'expected_cname': expected_cname
+            }
+        ])
+
+    def test_simple_tgs_service_ticket(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': KDC_ERR_NOT_US,
+                'use_fast': False,
+                'gen_tgt_fn': self.get_user_service_ticket,
+            }
+        ])
+
+    def test_simple_tgs_service_ticket_mach(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': KDC_ERR_NOT_US,
+                'use_fast': False,
+                'gen_tgt_fn': self.get_mach_service_ticket,
+            }
+        ])
+
+    def test_fast_no_claims(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': True,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'pac_options': '0'
+            },
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_padata_fn': self.generate_enc_challenge_padata,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'pac_options': '0'
+            }
+        ])
+
+    def test_fast_tgs_no_claims(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_tgt_fn': self.get_user_tgt,
+                'fast_armor': None,
+                'pac_options': '0'
+            }
+        ])
+
+    def test_fast_no_claims_or_canon(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': True,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'pac_options': '0',
+                'kdc_options': '0'
+            },
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_padata_fn': self.generate_enc_challenge_padata,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'pac_options': '0',
+                'kdc_options': '0'
+            }
+        ])
+
+    def test_fast_tgs_no_claims_or_canon(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_tgt_fn': self.get_user_tgt,
+                'fast_armor': None,
+                'pac_options': '0',
+                'kdc_options': '0'
+            }
+        ])
+
+    def test_fast_no_canon(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+                'use_fast': True,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'kdc_options': '0'
+            },
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_padata_fn': self.generate_enc_challenge_padata,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'kdc_options': '0'
+            }
+        ])
+
+    def test_fast_tgs_no_canon(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': 0,
+                'use_fast': True,
+                'gen_tgt_fn': self.get_user_tgt,
+                'fast_armor': None,
+                'kdc_options': '0'
+            }
+        ])
+
+    def test_simple_tgs_no_etypes(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': KDC_ERR_ETYPE_NOSUPP,
+                'use_fast': False,
+                'gen_tgt_fn': self.get_mach_tgt,
+                'etypes': ()
+            }
+        ])
+
+    def test_fast_tgs_no_etypes(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_TGS_REP,
+                'expected_error_mode': KDC_ERR_ETYPE_NOSUPP,
+                'use_fast': True,
+                'gen_tgt_fn': self.get_mach_tgt,
+                'fast_armor': None,
+                'etypes': ()
+            }
+        ])
+
+    def test_simple_no_etypes(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_ETYPE_NOSUPP,
+                'use_fast': False,
+                'etypes': ()
+            }
+        ])
+
+    def test_simple_fast_no_etypes(self):
+        self._run_test_sequence([
+            {
+                'rep_type': KRB_AS_REP,
+                'expected_error_mode': KDC_ERR_ETYPE_NOSUPP,
+                'use_fast': True,
+                'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'etypes': ()
+            }
+        ])
+
+    def test_empty_fast(self):
+        # Add an empty PA-FX-FAST in the initial AS-REQ. This should get
+        # rejected with a Generic error.
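Review bot: in the new fast_tests.py, `sys.path.insert(0, "bin/python")` and the PYTHONUNBUFFERED assignment come after all of the samba.* imports, so the path change cannot affect which modules those imports resolve to. The context of the as_req_tests.py hunk above shows the os.environ line placed before the samba imports. Following that order here, or dropping the lines if they are not needed, would be clearer. Separately, test_simple_tgs_wrong_principal sets 'expected_error_mode': 0, so it expects success despite a name that suggests a rejection. A one-line comment stating what is being verified (the reply cname matching the machine account) would prevent misreading. The AS-REQ test dicts also repeat the same 'fast_armor' and 'gen_armor_tgt_fn' entries in both steps of every sequence, and a small helper that builds the two-step sequence from the differing keys would reduce the chance of the steps drifting apart.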


-- 
Samba Shared Repository


