[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Mon Dec 6 22:58:02 UTC 2021
The branch, master has been updated
via 7eb1e1cc949 s4:torture: Remove test combination with enterprise principal without canonicalize flag
via 23ec41fd13f s4:torture: Remove AS_REQ_SELF test stage
via f8b17214d06 tests/krb5: Add tests for enterprise principals with canonicalization
via 860065a3c99 tests/krb5: Add tests for AS-REQ with an SPN
via 31900a0a582 tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
via ff6d325e38d tests/krb5: Check ticket cname for Heimdal
via 3fc9dc2395e tests/krb5: Check logon name in PAC for canonicalization tests
via 10983779bc5 tests/krb5: Only create testing accounts once per test run
via 8036aa12766 waf:mitkrb5: Always define lib so we get the header include path
via 238e4c86ca7 waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
via 61404faf767 waf:mitkrb5: Detect com_err with pkgconfig first
via 61ce2899791 wafsamba: Pass lib to CHECK_DECLS()
via 18788e174ed s3:waf: Fix dependencies for libads
via 93619962020 s4:waf: Fix dependencies for TORTURE_UTIL
via 8393adaa5ad s3:param: Only include smb_ldap.h for LDAP_* defines
via 3bfdbc1e93b s3:param: Remove trailing spaces in loadparm.c
via 528e5efc17d samba-tool: Test DNS record creation on member join
via 5e31e8f15bf samba-tool: Create DNS entries on member join
from 05c09e8cfa0 heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 7eb1e1cc9498c761c9fcd2bd839e1e2c28a365df
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 3 11:58:40 2021 +1300
s4:torture: Remove test combination with enterprise principal without canonicalize flag
This test combination is not needed. Removing it allows us to avoid
modifying requests prior to sending them, which can cause problems with
an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Dec 6 22:57:54 UTC 2021 on sn-devel-184
commit 23ec41fd13f3ccae6b494682901f084d34538bec
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 3 11:57:49 2021 +1300
s4:torture: Remove AS_REQ_SELF test stage
This behaviour is already covered by existing Python tests. This test
stage also modifies the request prior to sending it, which can cause
problems with an upgraded Heimdal version.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f8b17214d06ad9f1321a1d57f6e9bfe7b8899bf6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 30 09:42:00 2021 +1300
tests/krb5: Add tests for enterprise principals with canonicalization
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 860065a3c99475e43f68330f7349cb317bc5b009
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 16:22:58 2021 +1300
tests/krb5: Add tests for AS-REQ with an SPN
Using a SPN should only be permitted if it is also a UPN, and is not an
enterprise principal.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 31900a0a58283868798dcb90ed43519b39559c2c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 3 13:13:29 2021 +1300
tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ff6d325e38d83b689da47c1b059f3ed865ffa7c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 16:16:52 2021 +1300
tests/krb5: Check ticket cname for Heimdal
This is currently not checked in several places due to STRICT_CHECKING
being set to 0.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3fc9dc2395ebc292087ae050bd721747e851056d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 2 16:51:26 2021 +1300
tests/krb5: Check logon name in PAC for canonicalization tests
This allows us to ensure that the correct name makes it through to the
PAC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 10983779bc5d50cdb69b64656cbc56f0250e3f23
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 2 16:50:55 2021 +1300
tests/krb5: Only create testing accounts once per test run
This decreases the time that the tests take to run.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8036aa12766840e019f28e914a30769f71444ba9
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:01:40 2021 +0100
waf:mitkrb5: Always define lib so we get the header include path
If you have libkrb5 in a non-standard include path, we would not check the
latest version but search default paths (e.g. /usr/include) first.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 238e4c86ca70174e88f11ab876965f9aba866e0d
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 3 08:49:24 2021 +0100
waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61404faf7671f87359cf7c701ac6e159e7f2c7f9
Author: Andreas Schneider <asn at samba.org>
Date: Fri Dec 3 09:13:52 2021 +0100
waf:mitkrb5: Detect com_err with pkgconfig first
It is needed as a dependency later!
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61ce2899791dc9a078b1af4ee62ab29436fe95dc
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:00:33 2021 +0100
wafsamba: Pass lib to CHECK_DECLS()
This is needed if you have headers in non-standard include paths.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 18788e174edbc0c852eccf7eadb76c1a421778f5
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:17:35 2021 +0100
s3:waf: Fix dependencies for libads
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 93619962020968bbfe7967f88b8814cff3ce5510
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:13:58 2021 +0100
s4:waf: Fix dependencies for TORTURE_UTIL
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 8393adaa5ad8e4b9ba9b2a155514e09f16298ca8
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:08:54 2021 +0100
s3:param: Only include smb_ldap.h for LDAP_* defines
There is no need for ads.h which would pull in krb5.h and much more ...
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3bfdbc1e93bdad91e7498ba2601e1527bc1982f0
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 6 18:08:37 2021 +0100
s3:param: Remove trailing spaces in loadparm.c
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 528e5efc17ddc3393c04b7add9c51303d5ff9336
Author: David Mulder <dmulder at suse.com>
Date: Tue Nov 23 08:59:01 2021 -0700
samba-tool: Test DNS record creation on member join
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5e31e8f15bf0dea1de4f09d270f6bed1a71fb875
Author: David Mulder <dmulder at suse.com>
Date: Fri Nov 5 14:43:18 2021 -0600
samba-tool: Create DNS entries on member join
The net ads join command already handles this,
and the call was missing from the python bindings
for samba-tool domain join member.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
buildtools/wafsamba/samba_autoconf.py | 4 +-
python/samba/netcmd/domain.py | 10 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 48 ++-
python/samba/tests/krb5/as_req_tests.py | 331 +++++++++++++++++++--
python/samba/tests/krb5/kdc_base_test.py | 23 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 243 ++++++++++++++-
python/samba/tests/krb5/raw_testcase.py | 27 +-
python/samba/tests/samba_tool/join_member.py | 71 +++++
selftest/knownfail_mit_kdc | 4 +
selftest/target/Samba.pm | 1 +
selftest/target/Samba3.pm | 23 ++
source3/param/loadparm.c | 28 +-
source3/utils/net_ads.c | 299 +------------------
source3/utils/net_ads_join_dns.c | 328 ++++++++++++++++++++
source3/utils/net_proto.h | 11 +
source3/utils/py_net.c | 24 +-
source3/utils/wscript_build | 7 +-
source3/wscript_build | 1 +
source4/selftest/tests.py | 59 ++--
source4/torture/krb5/kdc-canon-heimdal.c | 324 ++------------------
source4/torture/wscript_build | 2 +-
wscript_configure_system_mitkrb5 | 130 +++++---
22 files changed, 1250 insertions(+), 748 deletions(-)
create mode 100644 python/samba/tests/samba_tool/join_member.py
create mode 100644 source3/utils/net_ads_join_dns.c
Changeset truncated at 500 lines:
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 4d2aea6c941..8b499825230 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -212,7 +212,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False,
@conf
-def CHECK_DECLS(conf, vars, reverse=False, headers=None, always=False):
+def CHECK_DECLS(conf, vars, reverse=False, headers=None, lib=None, always=False):
'''check a list of variable declarations, using the HAVE_DECL_xxx form
of define
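Review bot: the docstring of CHECK_DECLS is not updated for the new `lib` parameter; add a line stating that `lib` (default None) is forwarded to the underlying checks so that headers living under a library's non-standard include path, the case the commit message describes, are found instead of the copies in the default system paths.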
@@ -227,6 +227,7 @@ def CHECK_DECLS(conf, vars, reverse=False, headers=None, always=False):
if not CHECK_VARIABLE(conf, v,
define=define,
headers=headers,
+ lib=lib,
msg='Checking for declaration of %s' % v,
always=always):
if not CHECK_CODE(conf,
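Review bot: `lib=lib` is now passed to CHECK_VARIABLE, but the visible context line `def CHECK_VARIABLE(conf, v, define=None, always=False,` is cut off before the rest of its parameter list, so this hunk alone does not show that CHECK_VARIABLE accepts a `lib` keyword; confirm that it does (or that it forwards unknown keywords), otherwise every CHECK_DECLS call raises TypeError at configure time rather than failing a single check.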
@@ -238,6 +239,7 @@ def CHECK_DECLS(conf, vars, reverse=False, headers=None, always=False):
msg='Checking for declaration of %s (as enum)' % v,
local_include=False,
headers=headers,
+ lib=lib,
define=define,
always=always):
ret = False
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index eb52557212e..1bdc0ee535a 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -636,7 +636,10 @@ class cmd_domain_join(Command):
"Don't choose this unless you know what you're doing")
]
- takes_options = []
+ takes_options = [
+ Option("--no-dns-updates", action="store_true",
+ help="Disable DNS updates")
+ ]
takes_options.extend(common_join_options)
takes_options.extend(common_provision_join_options)
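Review bot: the help text `help="Disable DNS updates"` is too terse to tell an administrator what is being switched off; since the default now registers the joining member's records in AD DNS (per the commit message), say so, e.g. help="Do not register this host's DNS records in AD DNS during the join". Also note that `takes_options` changes from `[]` to a list literal that is then extended in place, so `--no-dns-updates` is listed before the common options in `--help` output; fine if intended, but worth a glance.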
@@ -652,7 +655,7 @@ class cmd_domain_join(Command):
versionopts=None, server=None, site=None, targetdir=None,
domain_critical_only=False, machinepass=None,
use_ntvfs=False, experimental_s4_member=False, dns_backend=None,
- quiet=False, verbose=False,
+ quiet=False, verbose=False, no_dns_updates=False,
plaintext_secrets=False,
backend_store=None, backend_store_size=None):
lp = sambaopts.get_loadparm()
@@ -693,7 +696,8 @@ class cmd_domain_join(Command):
s3_net = s3_Net(creds, s3_lp, server=server)
(sid, domain_name) = s3_net.join_member(netbios_name,
machinepass=machinepass,
- debug=verbose)
+ debug=verbose,
+ noDnsUpdates=no_dns_updates)
self.errf.write("Joined domain %s (%s)\n" % (domain_name, sid))
elif role == "DC" and is_ad_dc_built():
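Review bot: the keyword name `noDnsUpdates` (camelCase) passed to `s3_net.join_member` must match the kwlist in the C binding in source3/utils/py_net.c exactly, and that file's hunk is not in the visible part of this changeset (truncated at 500 lines); confirm the names agree, and consider `no_dns_updates` on the Python-facing side for consistency with the parameter of the same name introduced in the hunk above. Separately, since `join_member` returns only `(sid, domain_name)`, the caller here cannot tell a join whose DNS registration failed from one that succeeded; document whether a failed registration aborts the join or is only logged.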
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index 674fcb37101..700a03622e1 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -28,7 +28,9 @@ os.environ["PYTHONUNBUFFERED"] = "1"
from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.credentials import DONT_USE_KERBEROS
+from samba.dcerpc import krb5pac
from samba.dcerpc.misc import SEC_CHAN_WKSTA
+from samba.ndr import ndr_unpack
from samba.tests import DynamicTestCase
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
@@ -39,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import (
KU_AS_REP_ENC_PART,
KRB_ERROR,
KU_PA_ENC_TIMESTAMP,
+ KU_TICKET,
PADATA_ENC_TIMESTAMP,
NT_ENTERPRISE_PRINCIPAL,
NT_PRINCIPAL,
@@ -134,6 +137,12 @@ USER_NAME = "tstkrb5cnnusr"
@DynamicTestCase
class KerberosASCanonicalizationTests(KDCBaseTest):
+ @classmethod
+ def setUpClass(cls):
+ super().setUpClass()
+ cls.user_creds = None
+ cls.machine_creds = None
+
@classmethod
def setUpDynamicTestCases(cls):
@@ -164,14 +173,14 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
def user_account_creds(self):
if self.user_creds is None:
samdb = self.get_samdb()
- self.user_creds, _ = self.create_account(samdb, USER_NAME)
+ type(self).user_creds, _ = self.create_account(samdb, USER_NAME)
return self.user_creds
def machine_account_creds(self):
if self.machine_creds is None:
samdb = self.get_samdb()
- self.machine_creds, _ = self.create_account(
+ type(self).machine_creds, _ = self.create_account(
samdb,
MACHINE_NAME,
account_type=self.AccountType.COMPUTER)
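Review bot: writing to `type(self).user_creds` while reading `self.user_creds` works because instance attribute lookup falls through to the class, but it is easy to misread as a bug; a one-line comment that the credentials are deliberately cached on the class, so the accounts are created once per test run as the commit message intends, would help the next reader. Tests that mutate the cached account (password changes, attribute edits) must now be aware they affect every later test in the class.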
@@ -185,9 +194,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
- self.user_creds = None
- self.machine_creds = None
-
def _test_with_args(self, x, ct):
if ct == CredentialsType.User:
creds = self.user_account_creds()
@@ -226,6 +232,38 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
srealm = as_rep['srealm'].decode('ascii')
self.check_srealm(srealm, data)
+ if TestOptions.AsReqSelf.is_set(data.options):
+ ticket_creds = creds
+ else:
+ ticket_creds = self.get_krbtgt_creds()
+ ticket_key = self.TicketDecryptionKey_from_creds(ticket_creds)
+
+ ticket_encpart = rep['ticket']['enc-part']
+ self.assertElementEqual(ticket_encpart, 'etype',
+ ticket_key.etype)
+ self.assertElementEqual(ticket_encpart, 'kvno',
+ ticket_key.kvno)
+ ticket_decpart = ticket_key.decrypt(KU_TICKET,
+ ticket_encpart['cipher'])
+ ticket_private = self.der_decode(
+ ticket_decpart,
+ asn1Spec=krb5_asn1.EncTicketPart())
+
+ pac_data = self.get_pac(ticket_private['authorization-data'])
+ pac = ndr_unpack(krb5pac.PAC_DATA, pac_data)
+
+ for pac_buffer in pac.buffers:
+ if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME:
+ if TestOptions.Canonicalize.is_set(data.options):
+ expected = data.user_creds.get_username()
+ else:
+ expected = data.user_name
+
+ self.assertEqual(expected, pac_buffer.info.account_name)
+ break
+ else:
+ self.fail('PAC_TYPE_LOGON_NAME not found')
+
def as_req(self, data):
user_creds = data.user_creds
realm = data.realm
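Review bot: the new block reads the ticket from `rep['ticket']` while the surrounding context reads `as_rep['srealm']`; confirm `rep` is the undecoded AS-REP (so `rep['ticket']['enc-part']` is the right object) rather than a leftover name, since a NameError here would only surface at run time. Two smaller points: `self.assertEqual(expected, pac_buffer.info.account_name)` is an exact comparison, so for the non-canonicalize branch (`expected = data.user_name`) the test data must be constructed with the case the KDC is expected to echo back; and since the ticket's enc-part is now decrypted anyway, asserting `ticket_private['cname']` and `['crealm']` against the expected canonical name here would cover the ticket body as well as the PAC in one place, complementing the separate "Check ticket cname" commit in this push.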
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 315720f85d6..263e77d4812 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -27,9 +27,11 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.kcrypto as kcrypto
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.tests.krb5.rfc4120_constants import (
+ KDC_ERR_C_PRINCIPAL_UNKNOWN,
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_PREAUTH_REQUIRED,
KU_PA_ENC_TIMESTAMP,
+ NT_ENTERPRISE_PRINCIPAL,
NT_PRINCIPAL,
NT_SRV_INST,
PADATA_ENC_TIMESTAMP
@@ -40,46 +42,67 @@ global_hexdump = False
class AsReqBaseTest(KDCBaseTest):
- def _run_as_req_enc_timestamp(self, client_creds):
- client_account = client_creds.get_username()
+ def _run_as_req_enc_timestamp(self, client_creds, client_account=None,
+ expected_cname=None,
+ name_type=NT_PRINCIPAL, etypes=None,
+ expected_error=None, expect_edata=None,
+ kdc_options=None):
+ user_name = client_creds.get_username()
+ if client_account is None:
+ client_account = user_name
client_as_etypes = self.get_default_enctypes()
client_kvno = client_creds.get_kvno()
krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
krbtgt_account = krbtgt_creds.get_username()
+ krbtgt_supported_etypes = krbtgt_creds.tgs_supported_enctypes
realm = krbtgt_creds.get_realm()
- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
- names=[client_account])
+ cname = self.PrincipalName_create(name_type=name_type,
+ names=client_account.split('/'))
sname = self.PrincipalName_create(name_type=NT_SRV_INST,
names=[krbtgt_account, realm])
expected_crealm = realm
- expected_cname = cname
+ if expected_cname is None:
+ expected_cname = cname
expected_srealm = realm
expected_sname = sname
expected_salt = client_creds.get_salt()
till = self.get_KerberosTime(offset=36000)
- initial_etypes = client_as_etypes
- initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
- initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
-
- rep, kdc_exchange_dict = self._test_as_exchange(cname,
- realm,
- sname,
- till,
- client_as_etypes,
- initial_error_mode,
- expected_crealm,
- expected_cname,
- expected_srealm,
- expected_sname,
- expected_salt,
- initial_etypes,
- None,
- initial_kdc_options,
- pac_request=True)
+ if etypes is None:
+ etypes = client_as_etypes
+ if kdc_options is None:
+ kdc_options = krb5_asn1.KDCOptions('forwardable')
+ if expected_error is not None:
+ initial_error_mode = expected_error
+ else:
+ initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
+
+ rep, kdc_exchange_dict = self._test_as_exchange(
+ cname,
+ realm,
+ sname,
+ till,
+ client_as_etypes,
+ initial_error_mode,
+ expected_crealm,
+ expected_cname,
+ expected_srealm,
+ expected_sname,
+ expected_salt,
+ etypes,
+ None,
+ kdc_options,
+ expected_supported_etypes=krbtgt_supported_etypes,
+ expected_account_name=user_name,
+ pac_request=True,
+ expect_edata=expect_edata)
+
+ if expected_error is not None:
+ return None
+
etype_info2 = kdc_exchange_dict['preauth_etype_info2']
self.assertIsNotNone(etype_info2)
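Review bot: `names=client_account.split('/')` also changes the default path: previously the cname was `[client_account]`, so a username containing '/' is now split into several name components. If splitting is meant only for SPN-style names, either accept a list for `client_account` or split only when the caller passes an explicit `client_account`, and say so in a comment. The function now takes eight parameters and has no docstring; describe at least the difference between `client_as_etypes` (the client's supported set, still passed positionally) and `etypes` (what is actually put in the request), and that the function returns None without running the pre-authenticated exchange when `expected_error` is set.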
@@ -98,8 +121,6 @@ class AsReqBaseTest(KDCBaseTest):
pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
preauth_padata = [pa_ts]
- preauth_etypes = client_as_etypes
- preauth_kdc_options = krb5_asn1.KDCOptions('forwardable')
preauth_error_mode = 0 # AS-REP
krbtgt_decryption_key = (
@@ -117,9 +138,11 @@ class AsReqBaseTest(KDCBaseTest):
expected_srealm,
expected_sname,
expected_salt,
- preauth_etypes,
+ etypes,
preauth_padata,
- preauth_kdc_options,
+ kdc_options,
+ expected_supported_etypes=krbtgt_supported_etypes,
+ expected_account_name=user_name,
preauth_key=preauth_key,
ticket_decryption_key=krbtgt_decryption_key,
pac_request=True)
@@ -209,6 +232,258 @@ class AsReqKerberosTests(AsReqBaseTest):
client_creds = self.get_mach_creds()
self._run_as_req_enc_timestamp(client_creds)
+ def test_as_req_enc_timestamp_rc4(self):
+ client_creds = self.get_client_creds()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ etypes={kcrypto.Enctype.RC4})
+
+ def test_as_req_enc_timestamp_mac_rc4(self):
+ client_creds = self.get_mach_creds()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ etypes={kcrypto.Enctype.RC4})
+
+ def test_as_req_enc_timestamp_rc4_dummy(self):
+ client_creds = self.get_client_creds()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ etypes={kcrypto.Enctype.RC4,
+ -1111})
+
+ def test_as_req_enc_timestamp_mac_rc4_dummy(self):
+ client_creds = self.get_mach_creds()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ etypes={kcrypto.Enctype.RC4,
+ -1111})
+
+ def test_as_req_enc_timestamp_aes128_rc4(self):
+ client_creds = self.get_client_creds()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ etypes={kcrypto.Enctype.AES128,
+ kcrypto.Enctype.RC4})
+
+ def test_as_req_enc_timestamp_mac_aes128_rc4(self):
+ client_creds = self.get_mach_creds()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ etypes={kcrypto.Enctype.AES128,
+ kcrypto.Enctype.RC4})
+
+ def test_as_req_enc_timestamp_spn(self):
+ client_creds = self.get_mach_creds()
+ spn = client_creds.get_spn()
+ self._run_as_req_enc_timestamp(
+ client_creds, client_account=spn,
+ expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ expect_edata=False)
+
+ def test_as_req_enc_timestamp_spn_realm(self):
+ samdb = self.get_samdb()
+ realm = samdb.domain_dns_name().upper()
+
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={'upn': f'host/{{account}}.{realm}@{realm}'})
+ spn = client_creds.get_spn()
+ self._run_as_req_enc_timestamp(
+ client_creds, client_account=spn,
+ expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ expect_edata=False)
+
+ def test_as_req_enc_timestamp_spn_upn(self):
+ samdb = self.get_samdb()
+ realm = samdb.domain_dns_name().upper()
+
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={'upn': f'host/{{account}}.{realm}@{realm}',
+ 'spn': f'host/{{account}}.{realm}'})
+ spn = client_creds.get_spn()
+ self._run_as_req_enc_timestamp(client_creds, client_account=spn)
+
+ def test_as_req_enc_timestamp_spn_enterprise(self):
+ client_creds = self.get_mach_creds()
+ spn = client_creds.get_spn()
+ self._run_as_req_enc_timestamp(
+ client_creds, client_account=spn,
+ name_type=NT_ENTERPRISE_PRINCIPAL,
+ expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ expect_edata=False)
+
+ def test_as_req_enc_timestamp_spn_enterprise_realm(self):
+ samdb = self.get_samdb()
+ realm = samdb.domain_dns_name().upper()
+
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={'upn': f'host/{{account}}.{realm}@{realm}'})
+ spn = client_creds.get_spn()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ name_type=NT_ENTERPRISE_PRINCIPAL,
+ client_account=spn,
+ expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ expect_edata=False)
+
+ def test_as_req_enc_timestamp_spn_upn_enterprise(self):
+ samdb = self.get_samdb()
+ realm = samdb.domain_dns_name().upper()
+
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={'upn': f'host/{{account}}.{realm}@{realm}',
+ 'spn': f'host/{{account}}.{realm}'})
+ spn = client_creds.get_spn()
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ name_type=NT_ENTERPRISE_PRINCIPAL,
+ client_account=spn,
+ expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN,
+ expect_edata=False)
+
+ def test_as_req_enterprise_canon(self):
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ opts={'upn': 'krb5_enterprise0'})
+
+ user_name = client_creds.get_username()
+ realm = client_creds.get_realm()
+ client_account = f'{user_name}@{realm}'
+
+ expected_cname = self.PrincipalName_create(
+ name_type=NT_PRINCIPAL,
+ names=[user_name])
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ client_account=client_account,
+ expected_cname=expected_cname,
+ name_type=NT_ENTERPRISE_PRINCIPAL,
+ kdc_options=krb5_asn1.KDCOptions('canonicalize'))
+
+ def test_as_req_enterprise_canon_case(self):
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ opts={'upn': 'krb5_enterprise1'})
+
+ user_name = client_creds.get_username()
+ realm = client_creds.get_realm().lower()
+ client_account = f'{user_name}@{realm}'
+
+ expected_cname = self.PrincipalName_create(
+ name_type=NT_PRINCIPAL,
+ names=[user_name])
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ client_account=client_account,
+ expected_cname=expected_cname,
+ name_type=NT_ENTERPRISE_PRINCIPAL,
+ kdc_options=krb5_asn1.KDCOptions('canonicalize'))
+
+ def test_as_req_enterprise_canon_mac(self):
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={'upn': 'krb5_enterprise2'})
+
+ user_name = client_creds.get_username()
+ realm = client_creds.get_realm()
+ client_account = f'{user_name}@{realm}'
+
+ expected_cname = self.PrincipalName_create(
+ name_type=NT_PRINCIPAL,
+ names=[user_name])
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ client_account=client_account,
+ expected_cname=expected_cname,
+ name_type=NT_ENTERPRISE_PRINCIPAL,
+ kdc_options=krb5_asn1.KDCOptions('canonicalize'))
+
+ def test_as_req_enterprise_canon_mac_case(self):
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={'upn': 'krb5_enterprise3'})
+
+ user_name = client_creds.get_username()
+ realm = client_creds.get_realm().lower()
+ client_account = f'{user_name}@{realm}'
+
+ expected_cname = self.PrincipalName_create(
+ name_type=NT_PRINCIPAL,
+ names=[user_name])
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ client_account=client_account,
+ expected_cname=expected_cname,
+ name_type=NT_ENTERPRISE_PRINCIPAL,
+ kdc_options=krb5_asn1.KDCOptions('canonicalize'))
+
+ def test_as_req_enterprise_no_canon(self):
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ opts={'upn': 'krb5_enterprise4'})
+
+ user_name = client_creds.get_username()
+ realm = client_creds.get_realm()
+ client_account = f'{user_name}@{realm}'
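Review bot: this hunk is truncated at the changeset's 500-line limit, so `test_as_req_enterprise_no_canon` and everything after it cannot be reviewed here. In the visible part: the `-1111` entries in the `*_dummy` tests need a comment explaining that this is an unknown etype the KDC is expected to ignore rather than reject, since the value otherwise looks like a typo; and the four `test_as_req_enterprise_canon*` methods and the six `*_spn*` methods are near-identical bodies differing only in account type, UPN and realm case, so a small helper taking those as arguments would keep the expected outcome (success for a SPN that is also the UPN, KDC_ERR_C_PRINCIPAL_UNKNOWN for a plain SPN or any enterprise-typed SPN, as the commit message states) in one place instead of ten.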
--
Samba Shared Repository