[SCM] Samba Shared Repository - branch master updated
Stefan Metzmacher
metze at samba.org
Thu Jul 1 18:38:01 UTC 2021
The branch, master has been updated
via b3ee034b4d4 s4:kdc: prefer newer enctypes for preauth responses
via bf71fa038e9 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
via ab221c1b3e2 tests/krb5: Use admin creds for SamDB rather than user creds
via fc857ea60e2 tests/krb5/as_canonicalization_tests.py: Refactor account creation
via 3e621dcb696 tests/krb5: Deduplicate 'host' attribute initialisation
via 381223117e0 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
via d4c38678e0c tests/krb5/as_req_tests.py: Check the client kvno
via d5e350a4a49 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
via 0fd71ed3c37 tests/krb5/as_req_tests.py: Automatically obtain credentials
via fd45bea7a88 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
via ec5c2b040b6 tests/krb5/raw_testcase.py: Simplify conditionals
via e1601f2b56f tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
via 22a90aea82b tests/krb5/raw_testcase.py: Cache obtained credentials
via 6a77c2b9331 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
via 948bbc9cecb tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
via 1f2ddd3c97e tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
via 7d4a0ed21be tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
via 210e544016a tests/krb5/kdc_base_test.py: Create loadparm only when needed
via 364f1ce8d82 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
via 4f5566be483 tests/krb5/kdc_base_test.py: Create database connection only when needed
via 5afae39da0a tests/krb5/raw_testcase.py: Add get_admin_creds()
via 5412bffb9b4 tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
via d91665d3313 selftest: run new as_req_tests against fl2008r2dc and fl2003dc
via 01d86954d21 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
via 6e2f2adc8e8 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
via 69ce2a6408f tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
via e3905035847 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
via ee2ac2b8cca tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
via b03fcfeb6c0 tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
via 3abb3b41368 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
via 34e079ce9a2 tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
via 61e1b179812 tests/krb5/raw_testcase.py: add assertElement*()
via dff611976d6 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
via c3222870b92 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
via d4492a8aaaf tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
via fef08add9ec Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
via 1f413b2b297 auth/credentials: allow credentials.Credentials to act as base class
from 0e3ddc27ed6 vfs_default: use fsp_get_io_fd() for copy_file_range()
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit b3ee034b4d457607ef25a5b01da64e1eaf5906dd
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Apr 10 23:10:28 2020 +0200
s4:kdc: prefer newer enctypes for preauth responses
This matches Windows KDCs, which was demonstrated by the
krb5.as_req_tests tests.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Jul 1 18:37:14 UTC 2021 on sn-devel-184
commit bf71fa038e9b97f770e06e88226e885d67342d47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jun 21 14:14:48 2021 +1200
s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
This enables us to more easily switch to a different algorithm to find
the strongest key in _kdc_find_etype().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit ab221c1b3e24696aa0eed6aa970f310447657069
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 12:52:11 2021 +1200
tests/krb5: Use admin creds for SamDB rather than user creds
This makes the purpose of each set of credentials more consistent, and
makes some tests more convenient to run standalone as they no longer
require user credentials.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fc857ea60e2a66d20d4174cb121e0a6949f8a0c1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:49:05 2021 +1200
tests/krb5/as_canonicalization_tests.py: Refactor account creation
Making this test a subclass of KDCBaseTest allows us to make use of its
methods for obtaining credentials and creating accounts, which helps to
eliminate some duplicated code.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 3e621dcb6966f75034bb948a2705358d43454202
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:01:50 2021 +1200
tests/krb5: Deduplicate 'host' attribute initialisation
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 381223117e0bae4c348d538bffaa8227b18ef3d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:25:34 2021 +1200
tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
This is clearer than using the constant zero, which could be mistaken
for a valid kvno value.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d4c38678e0cc782965edfe40a0423fafb7d5a5ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:24:22 2021 +1200
tests/krb5/as_req_tests.py: Check the client kvno
Ensure we have the correct kvno for the client, rather than an 'unknown'
value.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d5e350a4a490fecf570f1c248c9dde1466796166
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
Example commands:
Windows 2012R2:
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py
Windows 2008R2:
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
Samba:
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0fd71ed3c37c8cf326f9f676b7fddda3d2d24072
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 14:51:22 2021 +1200
tests/krb5/as_req_tests.py: Automatically obtain credentials
The credentials for the client and krbtgt accounts are now fetched
automatically rather than using environment variables, and the client
account is now automatically created.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit fd45bea7a88837cbe4f99adf3a6b3f69ce32f34c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 16:07:16 2021 +1200
tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
Now if the client credentials are not supplied in the environment, we
can fall back to creating a new user account. Similarly, if the krbtgt
credentials are not supplied, we can fetch the credentials of the
existing krbtgt account.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ec5c2b040b63d06a17bcd7bd133c2d68d07df587
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:55:17 2021 +1200
tests/krb5/raw_testcase.py: Simplify conditionals
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit e1601f2b56f09a944c5cfb119502fdcf49a03c99
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 17:12:39 2021 +1200
tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
This allows us to use other methods of obtaining credentials if getting
them from the environment fails.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 22a90aea82ba6ef86bde835f2369daa6e23ed2fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 17:10:44 2021 +1200
tests/krb5/raw_testcase.py: Cache obtained credentials
If credentials are used more than once, we can now use the credentials
that we already obtained and so avoid fetching them again.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 6a77c2b93315503008627ce786388f281bd6bb87
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 16:55:02 2021 +1200
tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
This allows us to require encryption keys in the case that a password
would not be required, such as for the krbtgt account.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 948bbc9cecbfc1b33a338891d26a4a706864b9c6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:59:11 2021 +1200
tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
This allows it to be used elsewhere in the tests.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 1f2ddd3c97e3ff243c8bd0c17299f27b761f5e7f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:15:10 2021 +1200
tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
This requires admin credentials, and removes the need to pass these keys
as environment variables.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 7d4a0ed21be49d13c2b815582f2d04f0c058bf3a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:12:38 2021 +1200
tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
This is done based on the domain functional level, which corresponds to
the logic Samba uses to decide whether or not to generate a
Primary:Kerberos-Newer-Keys element for the supplementalCredentials
attribute.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 210e544016a3a4de1cdb76ce28a2148811ff07eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:40:41 2021 +1200
tests/krb5/kdc_base_test.py: Create loadparm only when needed
Now the .conf file is only loaded on its first use, which means that
SMB_CONF_PATH need not be defined for tests that don't make use of it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 364f1ce8d8221cb8926635fc864db782cee61cf9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:31:26 2021 +1200
tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
Credentials for tests are now obtained using the get_user_creds()
method.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 4f5566be4839838e0e3e501a030bcf6e85ff5159
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:04:00 2021 +1200
tests/krb5/kdc_base_test.py: Create database connection only when needed
Now the database connection is only created on its first use, which
means database credentials are no longer required for tests that don't
make use of it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5afae39da0ab408bb36dde3a7801634bd9cc24f6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:14:33 2021 +1200
tests/krb5/raw_testcase.py: Add get_admin_creds()
This method allows obtaining credentials that can be used for
administrative tasks such as creating accounts.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit 5412bffb9b4fc13023e650bbc9436a79b60b6fa2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:38:28 2021 +1200
tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
This allows accounts created for permutation tests to be reused, rather
than having to be recreated for every test.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
commit d91665d33130aed11fa82d8d2796ab1627e04dc4
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
selftest: run new as_req_tests against fl2008r2dc and fl2003dc
There are a lot of things we should improve in our KDC
in order to work like a Windows KDC.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
Example commands:
Windows 2012R2:
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
Windows 2008R2:
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
Samba 4.14:
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6e2f2adc8e825634780077e24a9e437bdc68155a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
This will allow us to write tests, which will all cross check almost
every aspect of the KDC response (including encrypted parts).
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 69ce2a6408f78d41eb865b89726021ad7643b065
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 16 17:13:35 2020 +0200
tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
This will allow building test_as_req_enc_timestamp()
It also introduces ways to specify keys in hex formatted environment
variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e3905035847a5268c1a65366830cc739280ae437
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 20 20:02:52 2020 +0200
tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
It's often useful to run tests over a lot of input parameter
permutations.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 16 10:43:54 2020 +0200
tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
This allows building the pre-authentication data that encodes
the request for the KDC (or more likely a request not to include)
the KRB5 PAC in the resulting ticket.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 14:45:01 2020 +0200
tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
This allows us to reuse body in future and calculate checksums on it.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3abb3b41368666535a216a98c3e7d15a5d498f7e
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 17:57:37 2020 +0200
tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 34e079ce9a232a765fb3a2b25441434df35df54c
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 17:50:00 2020 +0200
tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 61e1b179812e48797146584998afc5bd0168beae
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 13:49:52 2020 +0200
tests/krb5/raw_testcase.py: add assertElement*()
These helper functions make writing subsequent Kerberos tests
clearer.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit dff611976d6a067614e37add99edae214815a68b
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 22:28:32 2020 +0200
tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
We should write tests as strict as possible in order to let them run
against Windows servers.
But at the same time we want to allow tests to be useful for Samba
too...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c3222870b92db7f867557c2896b7bf39915d469a
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 10:55:28 2020 +0200
tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
These helpful functions allow us to build the various credentials
that we will use in validating the KDC responses in this test.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 11:10:11 2020 +0200
tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
Update and re-generate the ASN.1 to allow an improved testsuite.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fef08add9ec324fb0c3902e96c2a91c07646d499
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 16:50:55 2020 +0200
Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
This is a clearer name for the script
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f413b2b2977687884781ca2399dadf6611ab461
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 21:04:44 2020 +0200
auth/credentials: allow credentials.Credentials to act as base class
In tests it's useful to add more details.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
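The log above runs the AS-REQ tests with CLIENT_AS_SUPPORTED_ENCTYPES=28 and =4, iterates over etype permutations, and changes the KDC to prefer newer enctypes. The following added example (not code from Samba, Heimdal or this changeset) decodes that bitmask and shows for which client etype orderings a newest-first policy picks a different enctype than a client-order policy. The function names and the client-order policy are assumptions used only for contrast, not a description of Samba's earlier behaviour.

```python
# Added illustration: a constructed model, not Samba or Heimdal code.
from itertools import permutations

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
ARCFOUR_HMAC_MD5 = 23

# msDS-SupportedEncryptionTypes bits (MS-KILE) mapped to etype numbers.
SUPPORTED_ENCTYPE_BITS = {
    0x01: DES_CBC_CRC,
    0x02: DES_CBC_MD5,
    0x04: ARCFOUR_HMAC_MD5,
    0x08: AES128_CTS_HMAC_SHA1_96,
    0x10: AES256_CTS_HMAC_SHA1_96,
}

# Newest/strongest first; used by the newest-first policy below.
PREFERENCE = (
    AES256_CTS_HMAC_SHA1_96,
    AES128_CTS_HMAC_SHA1_96,
    ARCFOUR_HMAC_MD5,
    DES_CBC_MD5,
    DES_CBC_CRC,
)


def decode_supported_enctypes(mask):
    """Return the set of etype numbers enabled in a supported-enctypes mask."""
    return {etype for bit, etype in SUPPORTED_ENCTYPE_BITS.items() if mask & bit}


def select_newest_first(client_etypes, account_mask):
    """Pick the strongest etype that both the client and the account support."""
    usable = decode_supported_enctypes(account_mask) & set(client_etypes)
    for etype in PREFERENCE:
        if etype in usable:
            return etype
    return None  # no common enctype


def select_client_order(client_etypes, account_mask):
    """Contrast policy (assumption): first client-listed etype the account has."""
    usable = decode_supported_enctypes(account_mask)
    for etype in client_etypes:
        if etype in usable:
            return etype
    return None


def differing_orderings(account_mask, offered):
    """List (ordering, client_order_choice, newest_first_choice) where they differ."""
    result = []
    for order in permutations(offered):
        by_client = select_client_order(order, account_mask)
        by_newest = select_newest_first(order, account_mask)
        if by_client != by_newest:
            result.append((order, by_client, by_newest))
    return result


if __name__ == "__main__":
    offered = (AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
    for mask in (28, 4):  # the two values used in the example commands
        print(mask, sorted(decode_supported_enctypes(mask)))
        for order, by_client, by_newest in differing_orderings(mask, offered):
            print("  order", order, "client-order ->", by_client,
                  "newest-first ->", by_newest)
```

For an account with mask 4 the two policies always agree, because RC4 is the only usable key whatever the client lists first.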
Summary of changes:
auth/credentials/pycredentials.c | 2 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 136 +--
python/samba/tests/krb5/as_req_tests.py | 207 ++++
python/samba/tests/krb5/kdc_base_test.py | 329 +++++-
python/samba/tests/krb5/kdc_tgs_tests.py | 17 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 88 +-
.../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0
python/samba/tests/krb5/raw_testcase.py | 1181 ++++++++++++++++++--
python/samba/tests/krb5/rfc4120.asn1 | 70 +-
python/samba/tests/krb5/rfc4120_constants.py | 11 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 134 ++-
python/samba/tests/krb5/simple_tests.py | 6 +-
python/samba/tests/krb5/test_ccache.py | 19 +-
python/samba/tests/krb5/test_ldap.py | 14 +-
python/samba/tests/krb5/test_rpc.py | 8 +-
python/samba/tests/krb5/test_smb.py | 14 +-
python/samba/tests/usage.py | 1 +
selftest/knownfail | 6 +-
selftest/knownfail_mit_kdc | 358 +++++-
selftest/target/Samba4.pm | 2 +-
source4/kdc/kdc-heimdal.c | 2 +-
source4/selftest/tests.py | 49 +-
source4/torture/krb5/kdc-heimdal.c | 104 +-
23 files changed, 2414 insertions(+), 344 deletions(-)
create mode 100755 python/samba/tests/krb5/as_req_tests.py
rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
Changeset truncated at 500 lines:
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 798cdb41a00..08b78e9dfce 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1437,7 +1437,7 @@ static struct PyModuleDef moduledef = {
PyTypeObject PyCredentials = {
.tp_name = "credentials.Credentials",
.tp_new = py_creds_new,
- .tp_flags = Py_TPFLAGS_DEFAULT,
+ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
.tp_methods = py_creds_methods,
};
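Review bot: With `Py_TPFLAGS_BASETYPE` added to `.tp_flags`, `.tp_new = py_creds_new` will now be invoked with subclass types, so `py_creds_new` has to allocate through the `type` argument it receives rather than assuming `PyCredentials`. That function is outside this hunk, so please confirm it, and consider naming in the commit message the test subclass that needs this, since "add more details" does not say what the subclass carries.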
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index 43f532dc483..abb3f96a1e6 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -25,20 +25,11 @@ import pyasn1
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
-import samba
-from samba.auth import system_session
-from samba.credentials import (
- Credentials,
- DONT_USE_KERBEROS)
+from samba.credentials import DONT_USE_KERBEROS
from samba.dcerpc.misc import SEC_CHAN_WKSTA
-from samba.dsdb import (
- UF_WORKSTATION_TRUST_ACCOUNT,
- UF_PASSWD_NOTREQD,
- UF_NORMAL_ACCOUNT)
-from samba.samdb import SamDB
-from samba.tests import delete_force, DynamicTestCase
+from samba.tests import DynamicTestCase
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
AES128_CTS_HMAC_SHA1_96,
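Review bot: The import block drops `samba`, `system_session`, `Credentials`, `SamDB`, `delete_force` and the `UF_*` flags in one step, which is only safe if nothing left in the file still references `samba.generate_random_password()`, `delete_force()` or `Credentials()`. The later hunk removes the visible users, but the changeset is truncated, so a quick flake8 or pyflakes run on the final file would confirm there are no dangling names.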
@@ -96,12 +87,12 @@ class TestData:
else:
client_name_type = NT_PRINCIPAL
- self.cname = RawKerberosTest.PrincipalName_create(
+ self.cname = KDCBaseTest.PrincipalName_create(
name_type=client_name_type, names=[self.user_name])
if TestOptions.AsReqSelf.is_set(options):
self.sname = self.cname
else:
- self.sname = RawKerberosTest.PrincipalName_create(
+ self.sname = KDCBaseTest.PrincipalName_create(
name_type=NT_SRV_INST, names=["krbtgt", self.realm])
self.canonicalize = TestOptions.Canonicalize.is_set(options)
@@ -141,7 +132,7 @@ USER_NAME = "tstkrb5cnnusr"
@DynamicTestCase
-class KerberosASCanonicalizationTests(RawKerberosTest):
+class KerberosASCanonicalizationTests(KDCBaseTest):
@classmethod
def setUpDynamicTestCases(cls):
@@ -170,114 +161,37 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
name = build_test_name(ct, x)
cls.generate_dynamic_test("test", name, x, ct)
- @classmethod
- def setUpClass(cls):
- cls.lp = cls.get_loadparm(cls)
- cls.username = os.environ["USERNAME"]
- cls.password = os.environ["PASSWORD"]
- cls.host = os.environ["SERVER"]
-
- c = Credentials()
- c.set_username(cls.username)
- c.set_password(cls.password)
- try:
- realm = os.environ["REALM"]
- c.set_realm(realm)
- except KeyError:
- pass
- try:
- domain = os.environ["DOMAIN"]
- c.set_domain(domain)
- except KeyError:
- pass
+ def user_account_creds(self):
+ if self.user_creds is None:
+ samdb = self.get_samdb()
+ self.user_creds, _ = self.create_account(samdb, USER_NAME)
- c.guess()
+ return self.user_creds
- cls.credentials = c
+ def machine_account_creds(self):
+ if self.machine_creds is None:
+ samdb = self.get_samdb()
+ self.machine_creds, _ = self.create_account(samdb,
+ MACHINE_NAME,
+ machine_account=True)
+ self.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
+ self.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
- cls.session = system_session()
- cls.ldb = SamDB(url="ldap://%s" % cls.host,
- session_info=cls.session,
- credentials=cls.credentials,
- lp=cls.lp)
- cls.create_machine_account()
- cls.create_user_account()
-
- @classmethod
- def tearDownClass(cls):
- super(KerberosASCanonicalizationTests, cls).tearDownClass()
- delete_force(cls.ldb, cls.machine_dn)
- delete_force(cls.ldb, cls.user_dn)
+ return self.machine_creds
def setUp(self):
- super(KerberosASCanonicalizationTests, self).setUp()
+ super().setUp()
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
- #
- # Create a test user account
- @classmethod
- def create_user_account(cls):
- cls.user_pass = samba.generate_random_password(32, 32)
- cls.user_name = USER_NAME
- cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn())
-
- # remove the account if it exists, this will happen if a previous test
- # run failed
- delete_force(cls.ldb, cls.user_dn)
-
- utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le')
- cls.ldb.add({
- "dn": cls.user_dn,
- "objectclass": "user",
- "sAMAccountName": "%s" % cls.user_name,
- "userAccountControl": str(UF_NORMAL_ACCOUNT),
- "unicodePwd": utf16pw})
-
- cls.user_creds = Credentials()
- cls.user_creds.guess(cls.lp)
- cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper())
- cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper())
- cls.user_creds.set_password(cls.user_pass)
- cls.user_creds.set_username(cls.user_name)
- cls.user_creds.set_workstation(cls.machine_name)
-
- #
- # Create the machine account
- @classmethod
- def create_machine_account(cls):
- cls.machine_pass = samba.generate_random_password(32, 32)
- cls.machine_name = MACHINE_NAME
- cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn())
-
- # remove the account if it exists, this will happen if a previous test
- # run failed
- delete_force(cls.ldb, cls.machine_dn)
-
- utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le')
- cls.ldb.add({
- "dn": cls.machine_dn,
- "objectclass": "computer",
- "sAMAccountName": "%s$" % cls.machine_name,
- "userAccountControl":
- str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
- "unicodePwd": utf16pw})
-
- cls.machine_creds = Credentials()
- cls.machine_creds.guess(cls.lp)
- cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper())
- cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper())
- cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
- cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
- cls.machine_creds.set_password(cls.machine_pass)
- cls.machine_creds.set_username(cls.machine_name + "$")
- cls.machine_creds.set_workstation(cls.machine_name)
+ self.user_creds = None
+ self.machine_creds = None
def _test_with_args(self, x, ct):
if ct == CredentialsType.User:
- creds = self.user_creds
+ creds = self.user_account_creds()
elif ct == CredentialsType.Machine:
- creds = self.machine_creds
+ creds = self.machine_account_creds()
else:
raise Exception("Unexpected credential type")
data = TestData(x, creds)
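Review bot: user_account_creds() and machine_account_creds() cache their result on the instance, and setUp() resets self.user_creds and self.machine_creds to None, so every generated permutation test calls create_account() again for the same USER_NAME and MACHINE_NAME. The kdc_base_test.py change in this push defers deletion to tearDownClass() "so that accounts need only be created once for permutation tests"; to get that benefit here, keep the cached credentials on the class instead of resetting them per test. Separately, the removed create_user_account() and create_machine_account() called set_workstation(cls.machine_name) on both credential objects, and nothing in the added lines does; please confirm create_account() covers that or that it is no longer needed.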
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
new file mode 100755
index 00000000000..10e7b603609
--- /dev/null
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -0,0 +1,207 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+from samba.tests import DynamicTestCase
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+from samba.tests.krb5.rfc4120_constants import (
+ KDC_ERR_PREAUTH_REQUIRED,
+ KU_PA_ENC_TIMESTAMP,
+ NT_PRINCIPAL,
+ NT_SRV_INST,
+ PADATA_ENC_TIMESTAMP
+)
+
+global_asn1_print = False
+global_hexdump = False
+
+ at DynamicTestCase
+class AsReqKerberosTests(KDCBaseTest):
+
+ @classmethod
+ def setUpDynamicTestCases(cls):
+ for (name, idx) in cls.etype_test_permutation_name_idx():
+ for pac in [None, True, False]:
+ tname = "%s_pac_%s" % (name, pac)
+ targs = (idx, pac)
+ cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
+ return
+
+ def setUp(self):
+ super(AsReqKerberosTests, self).setUp()
+ self.do_asn1_print = global_asn1_print
+ self.do_hexdump = global_hexdump
+
+ def _test_as_req_nopreauth(self,
+ initial_etypes,
+ initial_padata=None,
+ initial_kdc_options=None):
+ client_creds = self.get_client_creds()
+ client_account = client_creds.get_username()
+ client_as_etypes = client_creds.get_as_krb5_etypes()
+ krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
+ krbtgt_account = krbtgt_creds.get_username()
+ realm = krbtgt_creds.get_realm()
+
+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=[client_account])
+ sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+ names=[krbtgt_account, realm])
+
+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
+ expected_crealm = realm
+ expected_cname = cname
+ expected_srealm = realm
+ expected_sname = sname
+ expected_salt = client_creds.get_forced_salt()
+
+ def _generate_padata_copy(_kdc_exchange_dict,
+ _callback_dict,
+ req_body):
+ return initial_padata, req_body
+
+ kdc_exchange_dict = self.as_exchange_dict(
+ expected_crealm=expected_crealm,
+ expected_cname=expected_cname,
+ expected_srealm=expected_srealm,
+ expected_sname=expected_sname,
+ generate_padata_fn=_generate_padata_copy,
+ check_error_fn=self.generic_check_as_error,
+ check_rep_fn=self.generic_check_kdc_rep,
+ expected_error_mode=expected_error_mode,
+ client_as_etypes=client_as_etypes,
+ expected_salt=expected_salt)
+
+ rep = self._generic_kdc_exchange(kdc_exchange_dict,
+ kdc_options=str(initial_kdc_options),
+ cname=cname,
+ realm=realm,
+ sname=sname,
+ etypes=initial_etypes)
+
+ return kdc_exchange_dict['preauth_etype_info2']
+
+ def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
+ name, etypes = self.etype_test_permutation_by_idx(etype_idx)
+ if pac is None:
+ padata = None
+ else:
+ pa_pac = self.KERB_PA_PAC_REQUEST_create(pac)
+ padata = [pa_pac]
+ return self._test_as_req_nopreauth(
+ initial_padata=padata,
+ initial_etypes=etypes,
+ initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
+
+ def test_as_req_enc_timestamp(self):
+ client_creds = self.get_client_creds()
+ client_account = client_creds.get_username()
+ client_as_etypes = client_creds.get_as_krb5_etypes()
+ client_kvno = client_creds.get_kvno()
+ krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
+ krbtgt_account = krbtgt_creds.get_username()
+ realm = krbtgt_creds.get_realm()
+
+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=[client_account])
+ sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+ names=[krbtgt_account, realm])
+
+ expected_crealm = realm
+ expected_cname = cname
+ expected_srealm = realm
+ expected_sname = sname
+ expected_salt = client_creds.get_forced_salt()
+
+ till = self.get_KerberosTime(offset=36000)
+
+ pa_pac = self.KERB_PA_PAC_REQUEST_create(True)
+ initial_padata = [pa_pac]
+ initial_etypes = client_as_etypes
+ initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
+ initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
+
+ etype_info2 = self._test_as_exchange(cname,
+ realm,
+ sname,
+ till,
+ client_as_etypes,
+ initial_error_mode,
+ expected_crealm,
+ expected_cname,
+ expected_srealm,
+ expected_sname,
+ expected_salt,
+ initial_etypes,
+ initial_padata,
+ initial_kdc_options)
+ self.assertIsNotNone(etype_info2)
+
+ preauth_key = self.PasswordKey_from_etype_info2(client_creds,
+ etype_info2[0],
+ kvno=client_kvno)
+
+ (patime, pausec) = self.get_KerberosTimeWithUsec()
+ pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
+
+ enc_pa_ts_usage = KU_PA_ENC_TIMESTAMP
+ pa_ts = self.EncryptedData_create(preauth_key, enc_pa_ts_usage, pa_ts)
+ pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
+
+ pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
+
+ preauth_padata = [pa_ts, pa_pac]
+ preauth_etypes = client_as_etypes
+ preauth_kdc_options = krb5_asn1.KDCOptions('forwardable')
+ preauth_error_mode = 0 # AS-REP
+
+ krbtgt_decryption_key = (
+ self.TicketDecryptionKey_from_creds(krbtgt_creds))
+
+ as_rep = self._test_as_exchange(cname,
+ realm,
+ sname,
+ till,
+ client_as_etypes,
+ preauth_error_mode,
+ expected_crealm,
+ expected_cname,
+ expected_srealm,
+ expected_sname,
+ expected_salt,
+ preauth_etypes,
+ preauth_padata,
+ preauth_kdc_options,
+ preauth_key=preauth_key,
+ ticket_decryption_key=krbtgt_decryption_key)
+ self.assertIsNotNone(as_rep)
+ return
+
+if __name__ == "__main__":
+ global_asn1_print = True
+ global_hexdump = True
+ import unittest
+ unittest.main()
+
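Review bot: in _test_as_req_nopreauth(), initial_kdc_options defaults to None but is forwarded as kdc_options=str(initial_kdc_options), so any caller relying on the default passes the literal string 'None' as the KDC options. The only caller in this file always supplies krb5_asn1.KDCOptions('forwardable'), so either drop the default and make the argument required, or handle None explicitly before the str() call. In the same method, rep is assigned from _generic_kdc_exchange() and never read; assert on it or drop the assignment. Minor style: setUp() uses super(AsReqKerberosTests, self).setUp() while as_canonicalization_tests.py was just changed to the bare super().setUp() form, and the trailing return statements in setUpDynamicTestCases() and test_as_req_enc_timestamp() are redundant.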
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index e345f739e1c..0f5238a3de9 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -20,6 +20,8 @@ import sys
import os
from datetime import datetime, timezone
import tempfile
+import binascii
+import struct
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
@@ -29,13 +31,21 @@ from ldb import SCOPE_BASE
from samba import generate_random_password
from samba.auth import system_session
from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS
-from samba.dcerpc import krb5pac, krb5ccache
-from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT
+from samba.dcerpc import drsblobs, drsuapi, misc, krb5pac, krb5ccache, security
+from samba.drs_utils import drsuapi_connect
+from samba.dsdb import (
+ DS_DOMAIN_FUNCTION_2000,
+ DS_DOMAIN_FUNCTION_2008,
+ UF_WORKSTATION_TRUST_ACCOUNT,
+ UF_NORMAL_ACCOUNT
+)
from samba.ndr import ndr_pack, ndr_unpack
+from samba import net
from samba.samdb import SamDB
from samba.tests import delete_force
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+import samba.tests.krb5.kcrypto as kcrypto
+from samba.tests.krb5.raw_testcase import KerberosCredentials, RawKerberosTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.tests.krb5.rfc4120_constants import (
AD_IF_RELEVANT,
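Review bot: style point on the import block: `from samba import net` is added as its own statement between the samba.ndr and samba.samdb imports, while `from samba import generate_random_password` already sits at the top of the same block. Merging the two into a single `from samba import ...` keeps the package-level names in one place. The system_session import is left untouched here although the following hunk removes the setUpClass() code that called it; if nothing else in the file uses it, it can go in the same commit.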
@@ -66,60 +76,88 @@ class KDCBaseTest(RawKerberosTest):
@classmethod
def setUpClass(cls):
- cls.lp = cls.get_loadparm(cls)
- cls.username = os.environ["USERNAME"]
- cls.password = os.environ["PASSWORD"]
- cls.host = os.environ["SERVER"]
-
- c = Credentials()
- c.set_username(cls.username)
- c.set_password(cls.password)
- try:
- realm = os.environ["REALM"]
- c.set_realm(realm)
- except KeyError:
- pass
- try:
- domain = os.environ["DOMAIN"]
- c.set_domain(domain)
- except KeyError:
- pass
+ super().setUpClass()
+ cls._lp = None
- c.guess()
+ cls._ldb = None
- cls.credentials = c
+ cls._functional_level = None
- cls.session = system_session()
- cls.ldb = SamDB(url="ldap://%s" % cls.host,
- session_info=cls.session,
- credentials=cls.credentials,
- lp=cls.lp)
- # fetch the dnsHostName from the RootDse
- res = cls.ldb.search(
- base="", expression="", scope=SCOPE_BASE, attrs=["dnsHostName"])
- cls.dns_host_name = str(res[0]['dnsHostName'])
+ # A set containing DNs of accounts created as part of testing.
+ cls.accounts = set()
+
+ @classmethod
+ def tearDownClass(cls):
+ # Clean up any accounts created by create_account. This is
+ # done in tearDownClass() rather than tearDown(), so that
+ # accounts need only be created once for permutation tests.
+ if cls._ldb is not None:
+ for dn in cls.accounts:
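Review bot: setUpClass() no longer sets the public class attributes cls.lp, cls.credentials, cls.session, cls.ldb and cls.dns_host_name; the replacements visible here are the private cls._lp, cls._ldb and cls._functional_level. Any test class deriving from KDCBaseTest that still reads the old names will fail with AttributeError at run time, so the change should either name the accessor that replaces each one (get_samdb() is used in as_canonicalization_tests.py, but no replacement for dns_host_name is visible in this hunk) or state that all in-tree users were converted in this series.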
--
Samba Shared Repository