[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Wed Dec 15 04:34:02 UTC 2021
The branch, master has been updated
via 0f4eca775aa tests/krb5: Add tests for AS-REQ to self with FAST
via 100be7eb8e7 tests/krb5: Correctly determine whether tickets are service tickets
via 1eb91291b54 tests/krb5: Generate unique UPNs for enterprise tests
via 3b23ae59ac4 s4:torture: Fix typo
via 030afa6c01b s4:torture: Remove comments that are no longer relevant
via bba30095ca1 kdc: Pad UPN_DNS_INFO PAC buffer
via 31f3e815799 Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
via 7dfcbc4e381 tests/krb5: Add tests for PAC buffer alignment
via abbeb5c2175 s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
via 3a3f7feac59 s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
via 731d9c42d07 s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
via e95fb04c5de s4:mitkdc: Add support for pac_attrs and requester_sid
via b46a942f95b s4:mitkdc: Reset errno to 0 for com_err messages
via c69bfa0939d s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
via f00eb8485f4 s4:mitkdc: Initialize is_error with errno instead of EPERM(1)
from 5b526f4533b tdb: Raw performance torture to beat tdb_increment_seqnum
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 0f4eca775aa52cfe40a25ead90c560d76b286ad9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:16:15 2021 +1300
tests/krb5: Add tests for AS-REQ to self with FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184
commit 100be7eb8e70ba270a8e92957a5e47466160a901
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:16:00 2021 +1300
tests/krb5: Correctly determine whether tickets are service tickets
Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1eb91291b54b194d8312dac6dd605c793eabfd53
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:16:26 2021 +1300
tests/krb5: Generate unique UPNs for enterprise tests
This helps to avoid problems with account creation on Windows due to UPN
uniqueness constraints.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b23ae59ac4953d20ca4422b567a15227a17c545
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 9 13:18:54 2021 +1300
s4:torture: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 030afa6c01bfc0bfd20a204a5cc7c9d33032a1e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 9 13:18:45 2021 +1300
s4:torture: Remove comments that are no longer relevant
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bba30095ca14dd947cb32a4403e351b0523304dd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Dec 10 14:59:22 2021 +1300
kdc: Pad UPN_DNS_INFO PAC buffer
Padding this buffer to a multiple of 8 bytes allows the PAC buffer
padding to match Windows.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 31f3e815799a205f48bebae666deb327e1058674
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Dec 14 19:19:42 2021 +1300
Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
This alignment should be done on the Samba side instead.
This reverts commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7dfcbc4e381080b3e3e1777134aecef5522d1f01
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Dec 9 11:56:55 2021 +1300
tests/krb5: Add tests for PAC buffer alignment
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit abbeb5c2175ad9574d75e852c101887d6e642cb4
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 13 08:31:49 2021 +0100
s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3a3f7feac59feba08438831cb02564e9b80cdc59
Author: Andreas Schneider <asn at samba.org>
Date: Thu Oct 7 15:12:35 2021 +0200
s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
This will be allocated by the KDC in MIT KRB5 1.20 and newer.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 731d9c42d0775d9b1a7475ad2efbe23c2439f6db
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 13 15:48:08 2021 +0100
s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
This is unused with MIT KRB5 < 1.20 as this is probably not the right key.
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e95fb04c5dec9f0487010fb59b6ebf99effe873f
Author: Andreas Schneider <asn at samba.org>
Date: Mon Dec 13 08:33:05 2021 +0100
s4:mitkdc: Add support for pac_attrs and requester_sid
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b46a942f95bb28bceb84a14d1125d7f69fdc3fe7
Author: Andreas Schneider <asn at samba.org>
Date: Wed Dec 8 09:17:32 2021 +0100
s4:mitkdc: Reset errno to 0 for com_err messages
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c69bfa0939df3a8f15c917d7f9b8336fb0fef655
Author: Andreas Schneider <asn at samba.org>
Date: Wed Dec 8 09:16:57 2021 +0100
s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f00eb8485f429e100d09ae2d529a7b8a1f6a6d34
Author: Andreas Schneider <asn at cryptomilk.org>
Date: Tue Oct 19 12:15:50 2021 +0200
s4:mitkdc: Initialize is_error with errno instead of EPERM(1)
Signed-off-by: Andreas Schneider <asn at cryptomilk.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
lib/util/data_blob.c | 21 ++++++
lib/util/data_blob.h | 7 ++
python/samba/tests/krb5/compatability_tests.py | 10 +--
python/samba/tests/krb5/fast_tests.py | 66 ++++++++++++++++--
python/samba/tests/krb5/kdc_base_test.py | 2 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 24 ++++---
python/samba/tests/krb5/pac_align_tests.py | 93 ++++++++++++++++++++++++++
python/samba/tests/krb5/raw_testcase.py | 18 ++---
python/samba/tests/krb5/rodc_tests.py | 4 +-
python/samba/tests/usage.py | 1 +
selftest/knownfail_heimdal_kdc | 1 +
selftest/knownfail_mit_kdc | 14 +---
source4/heimdal/lib/krb5/pac.c | 14 +---
source4/kdc/mit-kdb/kdb_samba_common.c | 13 +++-
source4/kdc/mit-kdb/kdb_samba_policies.c | 22 +++++-
source4/kdc/mit_samba.c | 18 +++--
source4/kdc/mit_samba.h | 1 +
source4/kdc/pac-glue.c | 56 ++++++++++------
source4/kdc/pac-glue.h | 2 +-
source4/kdc/wdc-samba4.c | 8 ++-
source4/selftest/tests.py | 13 ++++
source4/torture/krb5/kdc-canon-heimdal.c | 6 --
source4/torture/krb5/kdc-heimdal.c | 2 +-
23 files changed, 325 insertions(+), 91 deletions(-)
create mode 100755 python/samba/tests/krb5/pac_align_tests.py
Changeset truncated at 500 lines:
diff --git a/lib/util/data_blob.c b/lib/util/data_blob.c
index e528eb093a0..77b077f7ef9 100644
--- a/lib/util/data_blob.c
+++ b/lib/util/data_blob.c
@@ -245,3 +245,24 @@ _PUBLIC_ bool data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
return true;
}
+/**
+ pad the length of a data blob to a multiple of
+ 'pad'. 'pad' must be a power of two.
+**/
+_PUBLIC_ bool data_blob_pad(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
+ size_t pad)
+{
+ size_t old_len = blob->length;
+ size_t new_len = (old_len + pad - 1) & ~(pad - 1);
+
+ if (new_len < old_len) {
+ return false;
+ }
+
+ if (!data_blob_realloc(mem_ctx, blob, new_len)) {
+ return false;
+ }
+
+ memset(blob->data + old_len, 0, new_len - old_len);
+ return true;
+}
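Review bot: the doc comment requires 'pad' to be a power of two, but data_blob_pad() never checks it, so a caller passing pad=0 or a non-power-of-two such as 12 gets a silently wrong length (with pad=0 the mask `~(pad - 1)` becomes 0). Add an explicit guard before the rounding, e.g. `if (pad == 0 || (pad & (pad - 1)) != 0) { return false; }`. The `new_len < old_len` test does catch the wrap-around of `old_len + pad - 1`, and zero-filling the new tail is right so the padding bytes are deterministic rather than whatever the reallocation left there.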
diff --git a/lib/util/data_blob.h b/lib/util/data_blob.h
index 799e9531cbd..7a0dc3b0014 100644
--- a/lib/util/data_blob.h
+++ b/lib/util/data_blob.h
@@ -126,6 +126,13 @@ _PUBLIC_ bool data_blob_realloc(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, size_t len
_PUBLIC_ bool data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
const void *p, size_t length);
+/**
+ pad the length of a data blob to a multiple of
+ 'pad'. 'pad' must be a power of two.
+**/
+_PUBLIC_ bool data_blob_pad(TALLOC_CTX *mem_ctx, DATA_BLOB *blob,
+ size_t pad);
+
extern const DATA_BLOB data_blob_null;
#endif /* _SAMBA_DATABLOB_H_ */
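Review bot: the header comment should state the contract callers depend on, not just the precondition: that the function returns false when the padded length would overflow or the reallocation fails, and that the bytes between the old and new length are zero-filled. Callers choosing 8 for PAC buffer alignment need that guarantee spelled out here rather than having to read data_blob.c.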
diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index ed2dc565b6d..65e9e3788d5 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -132,13 +132,14 @@ class SimpleKerberosTests(KDCBaseTest):
tgt = self.get_tgt(user_creds)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, key)
+ self.verify_ticket(tgt, key, service_ticket=False)
# Get a service ticket from the DC.
service_ticket = self.get_service_ticket(tgt, target_creds)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=True)
def test_mit_ticket_signature(self):
# Ensure that a DC does not issue tickets signed with its krbtgt key.
@@ -152,13 +153,14 @@ class SimpleKerberosTests(KDCBaseTest):
tgt = self.get_tgt(user_creds)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, key)
+ self.verify_ticket(tgt, key, service_ticket=False)
# Get a service ticket from the DC.
service_ticket = self.get_service_ticket(tgt, target_creds)
# Ensure the PAC does not contain the expected checksums.
- self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
+ self.verify_ticket(service_ticket, key, service_ticket=True,
+ expect_ticket_checksum=False)
def as_pre_auth_req(self, creds, etypes):
user = creds.get_username()
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index 54b74c067e8..6a6fdfa786e 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -95,6 +95,23 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_simple_as_req_self(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': False,
+ 'as_req_self': True
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': False,
+ 'gen_padata_fn': self.generate_enc_timestamp_padata,
+ 'as_req_self': True
+ }
+ ], client_account=self.AccountType.COMPUTER)
+
def test_simple_tgs(self):
self._run_test_sequence([
{
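Review bot: test_simple_as_req_self only runs with client_account=self.AccountType.COMPUTER, and nothing in the test says why a computer account is needed for an AS-REQ to self. Add a short comment (or a USER variant) so a reader knows whether the user-account case is intentionally excluded or simply not yet covered.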
@@ -479,6 +496,27 @@ class FAST_Tests(KDCBaseTest):
}
])
+ def test_fast_encrypted_challenge_as_req_self(self):
+ self._run_test_sequence([
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED,
+ 'use_fast': True,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'as_req_self': True
+ },
+ {
+ 'rep_type': KRB_AS_REP,
+ 'expected_error_mode': 0,
+ 'use_fast': True,
+ 'gen_padata_fn': self.generate_enc_challenge_padata,
+ 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
+ 'gen_armor_tgt_fn': self.get_mach_tgt,
+ 'as_req_self': True
+ }
+ ], client_account=self.AccountType.COMPUTER)
+
def test_fast_encrypted_challenge_wrong_key(self):
self._run_test_sequence([
{
@@ -1256,14 +1294,15 @@ class FAST_Tests(KDCBaseTest):
return fast_padata
- def _run_test_sequence(self, test_sequence):
+ def _run_test_sequence(self, test_sequence,
+ client_account=KDCBaseTest.AccountType.USER):
if self.strict_checking:
self.check_kdc_fast_support()
kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,'
'canonicalize'))
- client_creds = self.get_client_creds()
+ client_creds = self.get_cached_creds(account_type=client_account)
target_creds = self.get_service_creds()
krbtgt_creds = self.get_krbtgt_creds()
@@ -1289,6 +1328,10 @@ class FAST_Tests(KDCBaseTest):
target_creds)
target_etypes = target_creds.tgs_supported_enctypes
+ client_decryption_key = self.TicketDecryptionKey_from_creds(
+ client_creds)
+ client_etypes = client_creds.tgs_supported_enctypes
+
fast_cookie = None
preauth_etype_info2 = None
@@ -1350,10 +1393,16 @@ class FAST_Tests(KDCBaseTest):
cname = client_cname if rep_type == KRB_AS_REP else None
crealm = client_realm
+ as_req_self = kdc_dict.pop('as_req_self', False)
+ if as_req_self:
+ self.assertEqual(KRB_AS_REP, rep_type)
+
if 'sname' in kdc_dict:
sname = kdc_dict.pop('sname')
else:
- if rep_type == KRB_AS_REP:
+ if as_req_self:
+ sname = client_cname
+ elif rep_type == KRB_AS_REP:
sname = krbtgt_sname
else: # KRB_TGS_REP
sname = target_sname
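Review bot: when 'as_req_self' is set together with an explicit 'sname' in kdc_dict, the explicit sname wins here while the later AS-REP branch still selects client_etypes and client_decryption_key, so the reply would be verified against the client key for a ticket issued to a different sname. Either assert `'sname' not in kdc_dict` next to the `self.assertEqual(KRB_AS_REP, rep_type)` check, or document that as_req_self and sname are mutually exclusive.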
@@ -1493,16 +1542,23 @@ class FAST_Tests(KDCBaseTest):
strict_edata_checking = kdc_dict.pop('strict_edata_checking', True)
if rep_type == KRB_AS_REP:
+ if as_req_self:
+ expected_supported_etypes = client_etypes
+ decryption_key = client_decryption_key
+ else:
+ expected_supported_etypes = krbtgt_etypes
+ decryption_key = krbtgt_decryption_key
+
kdc_exchange_dict = self.as_exchange_dict(
expected_crealm=expected_crealm,
expected_cname=expected_cname,
expected_anon=expected_anon,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
- expected_supported_etypes=krbtgt_etypes,
+ expected_supported_etypes=expected_supported_etypes,
expected_flags=expected_flags,
unexpected_flags=unexpected_flags,
- ticket_decryption_key=krbtgt_decryption_key,
+ ticket_decryption_key=decryption_key,
generate_fast_fn=generate_fast_fn,
generate_fast_armor_fn=generate_fast_armor_fn,
generate_fast_padata_fn=generate_fast_padata_fn,
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index aada0457461..d6cbaac60e0 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1397,7 +1397,7 @@ class KDCBaseTest(RawKerberosTest):
krbtgt_creds = self.get_krbtgt_creds()
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
self.verify_ticket(service_ticket_creds, krbtgt_key,
- expect_pac=expect_pac,
+ service_ticket=True, expect_pac=expect_pac,
expect_ticket_checksum=self.tkt_sig_support)
self.tkt_cache[cache_key] = service_ticket_creds
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 740dd43f34d..b418a087df8 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -345,9 +345,10 @@ class KdcTgsTests(KDCBaseTest):
self.assertIsNone(pac)
def test_request_enterprise_canon(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
- opts={'upn': 'tgs_enterprise0'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
@@ -376,9 +377,10 @@ class KdcTgsTests(KDCBaseTest):
kdc_options=kdc_options)
def test_request_enterprise_canon_case(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
- opts={'upn': 'tgs_enterprise1'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
@@ -407,9 +409,10 @@ class KdcTgsTests(KDCBaseTest):
kdc_options=kdc_options)
def test_request_enterprise_canon_mac(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
- opts={'upn': 'tgs_enterprise2'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
@@ -438,9 +441,10 @@ class KdcTgsTests(KDCBaseTest):
kdc_options=kdc_options)
def test_request_enterprise_canon_case_mac(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
- opts={'upn': 'tgs_enterprise3'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
@@ -469,9 +473,10 @@ class KdcTgsTests(KDCBaseTest):
kdc_options=kdc_options)
def test_request_enterprise_no_canon(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
- opts={'upn': 'tgs_enterprise4'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
@@ -494,9 +499,10 @@ class KdcTgsTests(KDCBaseTest):
kdc_options=kdc_options)
def test_request_enterprise_no_canon_case(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
- opts={'upn': 'tgs_enterprise5'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
@@ -519,9 +525,10 @@ class KdcTgsTests(KDCBaseTest):
kdc_options=kdc_options)
def test_request_enterprise_no_canon_mac(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
- opts={'upn': 'tgs_enterprise6'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
@@ -544,9 +551,10 @@ class KdcTgsTests(KDCBaseTest):
kdc_options=kdc_options)
def test_request_enterprise_no_canon_case_mac(self):
+ upn = self.get_new_username()
client_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
- opts={'upn': 'tgs_enterprise7'})
+ opts={'upn': upn})
service_creds = self.get_service_creds()
user_name = client_creds.get_username()
diff --git a/python/samba/tests/krb5/pac_align_tests.py b/python/samba/tests/krb5/pac_align_tests.py
new file mode 100755
index 00000000000..ff8b608dde1
--- /dev/null
+++ b/python/samba/tests/krb5/pac_align_tests.py
@@ -0,0 +1,93 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+from samba.dcerpc import krb5pac
+from samba.ndr import ndr_unpack
+from samba.tests import DynamicTestCase
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
+global_asn1_print = False
+global_hexdump = False
+
+
+ at DynamicTestCase
+class PacAlignTests(KDCBaseTest):
+
+ base_name = 'krbpac'
+
+ @classmethod
+ def setUpDynamicTestCases(cls):
+ for length in range(len(cls.base_name), 21):
+ cls.generate_dynamic_test('test_pac_align',
+ f'{length}_chars',
+ length)
+
+ def setUp(self):
+ super().setUp()
+ self.do_asn1_print = global_asn1_print
+ self.do_hexdump = global_hexdump
+
+ def _test_pac_align_with_args(self, length):
+ samdb = self.get_samdb()
+
+ account_name = self.base_name + 'a' * (length - len(self.base_name))
+ creds, _ = self.create_account(samdb, account_name)
+
+ tgt = self.get_tgt(creds, expect_pac=True)
+
+ pac_data = self.get_ticket_pac(tgt)
+ self.assertIsNotNone(pac_data)
+
+ self.assertEqual(0, len(pac_data) & 7)
+
+ pac = ndr_unpack(krb5pac.PAC_DATA_RAW, pac_data)
+ for pac_buffer in pac.buffers:
+ buffer_type = pac_buffer.type
+ buffer_size = pac_buffer.ndr_size
+
+ with self.subTest(buffer_type=buffer_type):
+ if buffer_type == krb5pac.PAC_TYPE_LOGON_NAME:
+ self.assertEqual(length * 2 + 10, buffer_size)
+ elif buffer_type == krb5pac.PAC_TYPE_REQUESTER_SID:
+ self.assertEqual(28, buffer_size)
+ elif buffer_type in {krb5pac.PAC_TYPE_SRV_CHECKSUM,
+ krb5pac.PAC_TYPE_KDC_CHECKSUM,
+ krb5pac.PAC_TYPE_TICKET_CHECKSUM}:
+ self.assertEqual(0, buffer_size & 3,
+ f'buffer type was: {buffer_type}, '
+ f'buffer size was: {buffer_size}')
+ else:
+ self.assertEqual(0, buffer_size & 7,
+ f'buffer type was: {buffer_type}, '
+ f'buffer size was: {buffer_size}')
+
+ rounded_len = (buffer_size + 7) & ~7
+ self.assertEqual(rounded_len, len(pac_buffer.info.remaining))
+
+
+if __name__ == '__main__':
+ global_asn1_print = False
+ global_hexdump = False
+ import unittest
+ unittest.main()
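Review bot: the licence header credits Stefan Metzmacher 2020 although the file is new in this series and authored in December 2021; update the copyright line rather than carrying over boilerplate. Smaller points: `global_asn1_print` and `global_hexdump` are reassigned to the same value under `__main__`, and the 4-byte alignment accepted for the three checksum buffers versus 8 bytes for every other buffer type deserves a one-line comment explaining the asymmetry. Note for readers of this archive copy: the decorator line appears as ` at DynamicTestCase` only because the list software rewrote the `@`, as it did in the e-mail addresses above.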
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index cc004f04842..d11f628d7b6 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -2609,7 +2609,11 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertIsNotNone(ticket_decryption_key)
if ticket_decryption_key is not None:
- self.verify_ticket(ticket_creds, krbtgt_keys, expect_pac=expect_pac,
+ service_ticket = (not self.is_tgs(expected_sname)
+ and rep_msg_type == KRB_TGS_REP)
+ self.verify_ticket(ticket_creds, krbtgt_keys,
+ service_ticket=service_ticket,
+ expect_pac=expect_pac,
expect_ticket_checksum=expect_ticket_checksum
or self.tkt_sig_support)
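Review bot: the new `service_ticket` expression duplicates the condition used a few hunks later for `expected_types` (`not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP`); compute it once before both uses so the two cannot drift apart the next time the definition of a service ticket changes.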
@@ -2646,7 +2650,7 @@ class RawKerberosTest(TestCaseInTempDir):
expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
- if not self.is_tgs(expected_sname):
+ if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP:
expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO,
@@ -2655,7 +2659,7 @@ class RawKerberosTest(TestCaseInTempDir):
if not self.tkt_sig_support:
require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
- expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP
+ expect_extra_pac_buffers = self.is_tgs(expected_sname)
expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs']
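Review bot: `expect_extra_pac_buffers = self.is_tgs(expected_sname)` changes behaviour in two directions, not only for the new AS-REQ-to-self case: a TGS-REP whose sname is the krbtgt (which the old `rep_msg_type == KRB_AS_REP` test excluded) is now expected to carry the extra buffers, and an AS-REP to a non-krbtgt sname no longer is. The commit message only mentions the ticket checksum, so please confirm both are intended and add a comment saying so.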
@@ -3271,11 +3275,9 @@ class RawKerberosTest(TestCaseInTempDir):
ticket_blob)
self.assertEqual(expected_checksum, checksum)
- def verify_ticket(self, ticket, krbtgt_keys, expect_pac=True,
+ def verify_ticket(self, ticket, krbtgt_keys, service_ticket,
+ expect_pac=True,
expect_ticket_checksum=True):
- # Check if the ticket is a TGT.
- is_tgt = self.is_tgt(ticket)
-
# Decrypt the ticket.
key = ticket.decryption_key
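Review bot: `service_ticket` is added as a required positional parameter between `krbtgt_keys` and `expect_pac`, so any caller that still passes `expect_pac` positionally will silently bind that value to `service_ticket` instead of failing. Make the new parameter keyword-only (`def verify_ticket(self, ticket, krbtgt_keys, *, service_ticket, expect_pac=True, expect_ticket_checksum=True)`); every updated caller in this changeset already passes it by keyword, and a caller missed beyond the 500-line truncation would then raise a TypeError rather than produce a wrong verdict.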
@@ -3374,7 +3376,7 @@ class RawKerberosTest(TestCaseInTempDir):
kdc_ctype,
kdc_checksum)
- if is_tgt:
+ if not service_ticket:
self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums)
else:
ticket_checksum, ticket_ctype = checksums.get(
diff --git a/python/samba/tests/krb5/rodc_tests.py b/python/samba/tests/krb5/rodc_tests.py
index 0e252d90262..83ee35d650a 100755
--- a/python/samba/tests/krb5/rodc_tests.py
+++ b/python/samba/tests/krb5/rodc_tests.py
@@ -58,14 +58,14 @@ class RodcKerberosTests(KDCBaseTest):
tgt = self.get_tgt(user_creds, to_rodc=True)
# Ensure the PAC contains the expected checksums.
- self.verify_ticket(tgt, rodc_key)
+ self.verify_ticket(tgt, rodc_key, service_ticket=False)
# Get a service ticket from the RODC.
service_ticket = self.get_service_ticket(tgt, target_creds,
to_rodc=True)
# Ensure the PAC contains the expected checksums.
--
Samba Shared Repository