[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Thu Jul 1 18:38:01 UTC 2021


The branch, master has been updated
       via  b3ee034b4d4 s4:kdc: prefer newer enctypes for preauth responses
       via  bf71fa038e9 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
       via  ab221c1b3e2 tests/krb5: Use admin creds for SamDB rather than user creds
       via  fc857ea60e2 tests/krb5/as_canonicalization_tests.py: Refactor account creation
       via  3e621dcb696 tests/krb5: Deduplicate 'host' attribute initialisation
       via  381223117e0 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
       via  d4c38678e0c tests/krb5/as_req_tests.py: Check the client kvno
       via  d5e350a4a49 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
       via  0fd71ed3c37 tests/krb5/as_req_tests.py: Automatically obtain credentials
       via  fd45bea7a88 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
       via  ec5c2b040b6 tests/krb5/raw_testcase.py: Simplify conditionals
       via  e1601f2b56f tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
       via  22a90aea82b tests/krb5/raw_testcase.py: Cache obtained credentials
       via  6a77c2b9331 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
       via  948bbc9cecb tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
       via  1f2ddd3c97e tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
       via  7d4a0ed21be tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
       via  210e544016a tests/krb5/kdc_base_test.py: Create loadparm only when needed
       via  364f1ce8d82 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
       via  4f5566be483 tests/krb5/kdc_base_test.py: Create database connection only when needed
       via  5afae39da0a tests/krb5/raw_testcase.py: Add get_admin_creds()
       via  5412bffb9b4 tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
       via  d91665d3313 selftest: run new as_req_tests against fl2008r2dc and fl2003dc
       via  01d86954d21 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
       via  6e2f2adc8e8 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
       via  69ce2a6408f tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
       via  e3905035847 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
       via  ee2ac2b8cca tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
       via  b03fcfeb6c0 tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
       via  3abb3b41368 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
       via  34e079ce9a2 tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
       via  61e1b179812 tests/krb5/raw_testcase.py: add assertElement*()
       via  dff611976d6 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
       via  c3222870b92 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
       via  d4492a8aaaf tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
       via  fef08add9ec Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
       via  1f413b2b297 auth/credentials: allow credentials.Credentials to act as base class
      from  0e3ddc27ed6 vfs_default: use fsp_get_io_fd() for copy_file_range()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b3ee034b4d457607ef25a5b01da64e1eaf5906dd
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Apr 10 23:10:28 2020 +0200

    s4:kdc: prefer newer enctypes for preauth responses
    
    This matches Windows KDCs, which was demonstrated by the
    krb5.as_req_tests tests.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Thu Jul  1 18:37:14 UTC 2021 on sn-devel-184

commit bf71fa038e9b97f770e06e88226e885d67342d47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jun 21 14:14:48 2021 +1200

    s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
    
    This enables us to more easily switch to a different algorithm to find
    the strongest key in _kdc_find_etype().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ab221c1b3e24696aa0eed6aa970f310447657069
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 12:52:11 2021 +1200

    tests/krb5: Use admin creds for SamDB rather than user creds
    
    This makes the purpose of each set of credentials more consistent, and
    makes some tests more convenient to run standalone as they no longer
    require user credentials.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fc857ea60e2a66d20d4174cb121e0a6949f8a0c1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:49:05 2021 +1200

    tests/krb5/as_canonicalization_tests.py: Refactor account creation
    
    Making this test a subclass of KDCBaseTest allows us to make use of its
    methods for obtaining credentials and creating accounts, which helps to
    eliminate some duplicated code.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3e621dcb6966f75034bb948a2705358d43454202
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:01:50 2021 +1200

    tests/krb5: Deduplicate 'host' attribute initialisation
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 381223117e0bae4c348d538bffaa8227b18ef3d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:25:34 2021 +1200

    tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
    
    This is clearer than using the constant zero, which could be mistaken
    for a valid kvno value.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d4c38678e0cc782965edfe40a0423fafb7d5a5ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:24:22 2021 +1200

    tests/krb5/as_req_tests.py: Check the client kvno
    
    Ensure we have the correct kvno for the client, rather than an 'unknown'
    value.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d5e350a4a490fecf570f1c248c9dde1466796166
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
    
    Example commands:
    
    Windows 2012R2:
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py
    
    Windows 2008R2:
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
    
    Samba:
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0fd71ed3c37c8cf326f9f676b7fddda3d2d24072
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 14:51:22 2021 +1200

    tests/krb5/as_req_tests.py: Automatically obtain credentials
    
    The credentials for the client and krbtgt accounts are now fetched
    automatically rather than using environment variables, and the client
    account is now automatically created.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fd45bea7a88837cbe4f99adf3a6b3f69ce32f34c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 16:07:16 2021 +1200

    tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
    
    Now if the client credentials are not supplied in the environment, we
    can fall back to creating a new user account. Similarly, if the krbtgt
    credentials are not supplied, we can fetch the credentials of the
    existing krbtgt account.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ec5c2b040b63d06a17bcd7bd133c2d68d07df587
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:55:17 2021 +1200

    tests/krb5/raw_testcase.py: Simplify conditionals
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit e1601f2b56f09a944c5cfb119502fdcf49a03c99
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 17:12:39 2021 +1200

    tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
    
    This allows us to use other methods of obtaining credentials if getting
    them from the environment fails.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 22a90aea82ba6ef86bde835f2369daa6e23ed2fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 17:10:44 2021 +1200

    tests/krb5/raw_testcase.py: Cache obtained credentials
    
    If credentials are used more than once, we can now use the credentials
    that we already obtained and so avoid fetching them again.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 6a77c2b93315503008627ce786388f281bd6bb87
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 16:55:02 2021 +1200

    tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
    
    This allows us to require encryption keys in the case that a password
    would not be required, such as for the krbtgt account.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 948bbc9cecbfc1b33a338891d26a4a706864b9c6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:59:11 2021 +1200

    tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
    
    This allows it to be used elsewhere in the tests.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1f2ddd3c97e3ff243c8bd0c17299f27b761f5e7f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:15:10 2021 +1200

    tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
    
    This requires admin credentials, and removes the need to pass these keys
    as environment variables.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 7d4a0ed21be49d13c2b815582f2d04f0c058bf3a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:12:38 2021 +1200

    tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
    
    This is done based on the domain functional level, which corresponds to
    the logic Samba uses to decide whether or not to generate a
    Primary:Kerberos-Newer-Keys element for the supplementalCredentials
    attribute.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
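
Added example (not Samba's KDC or test-suite code) illustrating two of the commits in this push together: the test helpers deriving the expected enctypes from the domain functional level (7d4a0ed21be) and the KDC preferring newer enctypes in its preauth response (b3ee034b4d4). The msDS-SupportedEncryptionTypes bit values (RC4=4, AES128=8, AES256=16, hence CLIENT_AS_SUPPORTED_ENCTYPES=28 and =4 in the commands quoted in the commit messages) and the Kerberos etype numbers are the standard ones. The 2008 functional-level threshold for AES keys and the AES256 > AES128 > RC4 preference order are assumptions made here, and prefer_newer=False models a hypothetical KDC that follows the client's order, not Samba's previous behaviour.

```python
# Example code written for this page; not Samba's KDC or test-suite code.

# Kerberos encryption type numbers (RFC 3962 for AES, RFC 4757 for RC4).
AES256_CTS_HMAC_SHA1_96 = 18
AES128_CTS_HMAC_SHA1_96 = 17
ARCFOUR_HMAC_MD5 = 23

# Bits of msDS-SupportedEncryptionTypes; CLIENT_AS_SUPPORTED_ENCTYPES=28 in
# the commands above is AES256|AES128|RC4, and =4 is RC4 only.
SUPPORTED_RC4 = 0x04
SUPPORTED_AES128 = 0x08
SUPPORTED_AES256 = 0x10

# Domain functional levels, numbered as samba.dsdb.DS_DOMAIN_FUNCTION_*.
DS_DOMAIN_FUNCTION_2000 = 0
DS_DOMAIN_FUNCTION_2003 = 2
DS_DOMAIN_FUNCTION_2008 = 3

# Bit -> etype, newest first; dict insertion order is relied on below.
_BIT_TO_ETYPE = {
    SUPPORTED_AES256: AES256_CTS_HMAC_SHA1_96,
    SUPPORTED_AES128: AES128_CTS_HMAC_SHA1_96,
    SUPPORTED_RC4: ARCFOUR_HMAC_MD5,
}

# Assumed reading of "prefer newer enctypes": newest first.
KDC_PREFERENCE = (AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                  ARCFOUR_HMAC_MD5)


def supported_enctypes_for_level(functional_level):
    """Enctype bitmask an account's stored keys support at this level.

    Assumption: the Primary:Kerberos-Newer-Keys (AES) package is only
    generated at functional level 2008 and above; below that the account
    has only its RC4 (NT hash) key.
    """
    if functional_level >= DS_DOMAIN_FUNCTION_2008:
        return SUPPORTED_AES256 | SUPPORTED_AES128 | SUPPORTED_RC4
    return SUPPORTED_RC4


def etypes_from_bitmask(bitmask):
    """Expand a supported-enctypes bitmask into etype numbers, newest first."""
    return [etype for bit, etype in _BIT_TO_ETYPE.items() if bitmask & bit]


def choose_preauth_etype(client_etypes, server_bitmask, prefer_newer=True):
    """Etype the KDC puts in ETYPE-INFO2 of its KDC_ERR_PREAUTH_REQUIRED.

    client_etypes:  etype list from the AS-REQ body, in the client's order.
    server_bitmask: keys the KDC actually holds for the client principal.
    prefer_newer=True  -> the KDC's own order wins (behaviour in the commit).
    prefer_newer=False -> hypothetical KDC that honours the client's order.
    Returns None when there is no common etype (KDC_ERR_ETYPE_NOSUPP).
    """
    server_etypes = set(etypes_from_bitmask(server_bitmask))
    if prefer_newer:
        candidates = [e for e in KDC_PREFERENCE
                      if e in server_etypes and e in client_etypes]
    else:
        candidates = [e for e in client_etypes if e in server_etypes]
    return candidates[0] if candidates else None
```

The case worth looking at is a client that lists RC4 first against an account that has AES keys: honouring the client's order would advertise an RC4 ETYPE-INFO2 (and so get an RC4-encrypted PA-ENC-TIMESTAMP back), whereas preferring the newer type picks AES256 although RC4 was also offered. At functional level 2003 there is no AES key to prefer, so RC4 is the only possible answer either way.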

commit 210e544016a3a4de1cdb76ce28a2148811ff07eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:40:41 2021 +1200

    tests/krb5/kdc_base_test.py: Create loadparm only when needed
    
    Now the .conf file is only loaded on its first use, which means that
    SMB_CONF_PATH need not be defined for tests that don't make use of it.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 364f1ce8d8221cb8926635fc864db782cee61cf9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:31:26 2021 +1200

    tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
    
    Credentials for tests are now obtained using the get_user_creds()
    method.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 4f5566be4839838e0e3e501a030bcf6e85ff5159
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:04:00 2021 +1200

    tests/krb5/kdc_base_test.py: Create database connection only when needed
    
    Now the database connection is only created on its first use, which
    means database credentials are no longer required for tests that don't
    make use of it.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5afae39da0ab408bb36dde3a7801634bd9cc24f6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:14:33 2021 +1200

    tests/krb5/raw_testcase.py: Add get_admin_creds()
    
    This method allows obtaining credentials that can be used for
    administrative tasks such as creating accounts.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 5412bffb9b4fc13023e650bbc9436a79b60b6fa2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:38:28 2021 +1200

    tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
    
    This allows accounts created for permutation tests to be reused, rather
    than having to be recreated for every test.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit d91665d33130aed11fa82d8d2796ab1627e04dc4
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    selftest: run new as_req_tests against fl2008r2dc and fl2003dc
    
    There are a lot of things we should improve in our KDC
    in order to work like a Windows KDC.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
    
    Example commands:
    
    Windows 2012R2:
    SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    
    Windows 2008R2:
    SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    
    Samba 4.14:
    SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6e2f2adc8e825634780077e24a9e437bdc68155a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
    
    This will allow us to write tests which all cross-check almost
    every aspect of the KDC response (including encrypted parts).
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 69ce2a6408f78d41eb865b89726021ad7643b065
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 16 17:13:35 2020 +0200

    tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
    
    This will allow building test_as_req_enc_timestamp()
    
    It also introduces ways to specify keys in hex-formatted environment
    variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
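
Added example (not Samba's raw_testcase.py) showing how three of the environment-variable conventions described in this push fit together: keys supplied as ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX (69ce2a6408f), a kvno that is either an explicit number or an explicit 'unspecified' sentinel rather than 0 (381223117e0), and allow_missing_keys so that an account that comes without a password, like krbtgt, must come with keys (6a77c2b9331). The key lengths (32 bytes for AES256, 16 for AES128 and RC4) are standard; the function and parameter names, the TestCredentials class and default_username are this example's own. SAMPLE_ENV is copied from the Windows 2008R2 command in commit d5e350a4a49.

```python
# Example code written for this page; not Samba's raw_testcase.py.
import os

AES256_CTS_HMAC_SHA1_96 = 18
AES128_CTS_HMAC_SHA1_96 = 17
ARCFOUR_HMAC_MD5 = 23

# ${PREFIX}_<suffix> -> (etype, raw key length in bytes).
_KEY_VARS = {
    "AES256_KEY_HEX": (AES256_CTS_HMAC_SHA1_96, 32),
    "AES128_KEY_HEX": (AES128_CTS_HMAC_SHA1_96, 16),
    "RC4_KEY_HEX": (ARCFOUR_HMAC_MD5, 16),
}

# A distinct sentinel, not 0: kvno 0 could be mistaken for a real version.
KVNO_UNSPECIFIED = object()

# Constructed from the Windows 2008R2 command in commit d5e350a4a49 above.
SAMPLE_ENV = {
    "CLIENT_USERNAME": "cifsmount",
    "CLIENT_PASSWORD": "A1b2C3d4-08",
    "CLIENT_KVNO": "17",
    "KRBTGT_KVNO": "2",
    "KRBTGT_AES256_KEY_HEX":
        "550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be",
    "KRBTGT_RC4_KEY_HEX": "dbc0d1feaaca3d5abc6794857b7f6fe0",
}


class TestCredentials:
    """What a test needs for one principal: a password and/or raw keys."""

    def __init__(self, username, password=None, kvno=KVNO_UNSPECIFIED):
        self.username = username
        self.password = password
        self.kvno = kvno
        self.keys = {}          # etype -> key bytes

    def set_key(self, etype, key):
        self.keys[etype] = key

    def get_key(self, etype):
        return self.keys[etype]


def credentials_from_env(prefix, env=None, default_username=None,
                         allow_missing_password=False,
                         allow_missing_keys=True):
    """Build TestCredentials from ${PREFIX}_* variables.

    For a user account a password is required and keys are optional (they
    can be derived from the password).  For krbtgt there is no password to
    give, so the caller passes allow_missing_password=True and
    allow_missing_keys=False to insist on at least one *_KEY_HEX.
    """
    env = os.environ if env is None else env

    username = env.get(prefix + "_USERNAME", default_username)
    if username is None:
        raise KeyError(prefix + "_USERNAME")

    password = env.get(prefix + "_PASSWORD")
    if password is None and not allow_missing_password:
        raise KeyError(prefix + "_PASSWORD")

    kvno_str = env.get(prefix + "_KVNO")
    kvno = KVNO_UNSPECIFIED if kvno_str is None else int(kvno_str)
    creds = TestCredentials(username, password, kvno)

    for suffix, (etype, length) in _KEY_VARS.items():
        hexkey = env.get(prefix + "_" + suffix)
        if hexkey is None:
            continue
        key = bytes.fromhex(hexkey)      # rejects non-hex input
        if len(key) != length:
            raise ValueError("%s_%s: expected %d bytes, got %d"
                             % (prefix, suffix, length, len(key)))
        creds.set_key(etype, key)

    if not creds.keys and not allow_missing_keys:
        raise ValueError("%s: keys required but no *_KEY_HEX variable set"
                         % prefix)
    return creds
```

Checking the key length against the etype at load time catches a truncated or mistyped hex string before it turns into a confusing decryption failure deep inside a test, and the sentinel means a test that asserts on the kvno cannot silently pass because both sides happened to be 0.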

commit e3905035847a5268c1a65366830cc739280ae437
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 20 20:02:52 2020 +0200

    tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
    
    It's often useful to run tests over a lot of input parameter
    permutations.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 16 10:43:54 2020 +0200

    tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
    
    This allows building the pre-authentication data that encodes
    the request for the KDC to include (or, more likely, not to include)
    the KRB5 PAC in the resulting ticket.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
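
Added example (not Samba's KERB_PA_PAC_REQUEST_create(), which goes through the generated pyasn1 module) that builds and parses the same structure by hand so it runs without pyasn1: KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }, carried in an RFC 4120 PA-DATA with padata-type 128 ([MS-KILE] 2.2.3). The DER helper and function names are this example's own.

```python
# Example code written for this page; not Samba's KERB_PA_PAC_REQUEST_create().
# Hand-rolled DER so it runs without pyasn1.

PA_PAC_REQUEST = 128  # padata-type for KERB-PA-PAC-REQUEST ([MS-KILE] 2.2.3)


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    return bytes([tag]) + _der_len(len(content)) + content


def _der_integer(value):
    """Minimal two's-complement INTEGER; 128 needs a leading 0x00 byte."""
    length = 1
    while not -(1 << (8 * length - 1)) <= value < (1 << (8 * length - 1)):
        length += 1
    return _tlv(0x02, value.to_bytes(length, "big", signed=True))


def kerb_pa_pac_request(include_pac):
    """KERB-PA-PAC-REQUEST ::= SEQUENCE { include-pac [0] BOOLEAN }"""
    boolean = _tlv(0x01, b"\xff" if include_pac else b"\x00")
    return _tlv(0x30, _tlv(0xA0, boolean))


def pa_data(padata_type, padata_value):
    """PA-DATA ::= SEQUENCE { padata-type [1] Int32, padata-value [2] OCTET STRING }"""
    return _tlv(0x30,
                _tlv(0xA1, _der_integer(padata_type)) +
                _tlv(0xA2, _tlv(0x04, padata_value)))


def pa_pac_request_padata(include_pac):
    """The PA-DATA element to put in the AS-REQ padata list."""
    return pa_data(PA_PAC_REQUEST, kerb_pa_pac_request(include_pac))


def _read_tlv(buf, pos=0):
    """Return (tag, content, position after the element)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_pa_pac_request(padata):
    """(padata_type, include_pac) from an encoded PA-DATA; include_pac is
    None for other padata types.  Raises ValueError on malformed input."""
    tag, seq, end = _read_tlv(padata)
    if tag != 0x30 or end != len(padata):
        raise ValueError("PA-DATA is not a single SEQUENCE")
    tag, t_content, pos = _read_tlv(seq)
    if tag != 0xA1:
        raise ValueError("expected [1] padata-type")
    itag, ival, _ = _read_tlv(t_content)
    if itag != 0x02:
        raise ValueError("padata-type is not an INTEGER")
    padata_type = int.from_bytes(ival, "big", signed=True)
    tag, v_content, pos = _read_tlv(seq, pos)
    if tag != 0xA2:
        raise ValueError("expected [2] padata-value")
    otag, octets, _ = _read_tlv(v_content)
    if otag != 0x04:
        raise ValueError("padata-value is not an OCTET STRING")
    if padata_type != PA_PAC_REQUEST:
        return padata_type, None
    stag, inner, _ = _read_tlv(octets)
    ctag, boolean, _ = _read_tlv(inner)
    btag, bval, _ = _read_tlv(boolean)
    if (stag, ctag, btag) != (0x30, 0xA0, 0x01) or bval not in (b"\x00", b"\xff"):
        raise ValueError("malformed KERB-PA-PAC-REQUEST")
    return padata_type, bval == b"\xff"
```

The detail that trips up hand-written encoders is the padata-type: 128 has its top bit set, so as a DER INTEGER it is 02 02 00 80, not 02 01 80 (which would decode as -128). The decoder is strict about that and about the BOOLEAN content octet, which is what a test that wants to cross-check a captured AS-REQ byte for byte needs.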

commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 14:45:01 2020 +0200

    tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
    
    This allows us to reuse body in future and calculate checksums on it.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3abb3b41368666535a216a98c3e7d15a5d498f7e
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 17:57:37 2020 +0200

    tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
    
    By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
    we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 34e079ce9a232a765fb3a2b25441434df35df54c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 17:50:00 2020 +0200

    tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
    
    By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
    we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 61e1b179812e48797146584998afc5bd0168beae
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 13:49:52 2020 +0200

    tests/krb5/raw_testcase.py: add assertElement*()
    
    These helper functions make writing subsequent Kerberos tests
    clearer.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dff611976d6a067614e37add99edae214815a68b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 22:28:32 2020 +0200

    tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
    
    We should write tests as strict as possible in order to let them run
    against Windows servers.
    
    But at the same time we want to allow tests to be useful for Samba
    too...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c3222870b92db7f867557c2896b7bf39915d469a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 10:55:28 2020 +0200

    tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
    
    These helpful functions allow us to build the various credentials
    that we will use in validating the KDC responses in this test.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 11:10:11 2020 +0200

    tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
    
    Update and re-generate the ASN.1 to allow an improved testsuite.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit fef08add9ec324fb0c3902e96c2a91c07646d499
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 16:50:55 2020 +0200

    Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
    
    This is a clearer name for the script
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1f413b2b2977687884781ca2399dadf6611ab461
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 21:04:44 2020 +0200

    auth/credentials: allow credentials.Credentials to act as base class
    
    In tests it's useful to add more details.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/pycredentials.c                   |    2 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |  136 +--
 python/samba/tests/krb5/as_req_tests.py            |  207 ++++
 python/samba/tests/krb5/kdc_base_test.py           |  329 +++++-
 python/samba/tests/krb5/kdc_tgs_tests.py           |   17 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |   88 +-
 .../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}   |    0
 python/samba/tests/krb5/raw_testcase.py            | 1181 ++++++++++++++++++--
 python/samba/tests/krb5/rfc4120.asn1               |   70 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   11 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |  134 ++-
 python/samba/tests/krb5/simple_tests.py            |    6 +-
 python/samba/tests/krb5/test_ccache.py             |   19 +-
 python/samba/tests/krb5/test_ldap.py               |   14 +-
 python/samba/tests/krb5/test_rpc.py                |    8 +-
 python/samba/tests/krb5/test_smb.py                |   14 +-
 python/samba/tests/usage.py                        |    1 +
 selftest/knownfail                                 |    6 +-
 selftest/knownfail_mit_kdc                         |  358 +++++-
 selftest/target/Samba4.pm                          |    2 +-
 source4/kdc/kdc-heimdal.c                          |    2 +-
 source4/selftest/tests.py                          |   49 +-
 source4/torture/krb5/kdc-heimdal.c                 |  104 +-
 23 files changed, 2414 insertions(+), 344 deletions(-)
 create mode 100755 python/samba/tests/krb5/as_req_tests.py
 rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)


Changeset truncated at 500 lines:

diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 798cdb41a00..08b78e9dfce 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -1437,7 +1437,7 @@ static struct PyModuleDef moduledef = {
 PyTypeObject PyCredentials = {
 	.tp_name = "credentials.Credentials",
 	.tp_new = py_creds_new,
-	.tp_flags = Py_TPFLAGS_DEFAULT,
+	.tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
 	.tp_methods = py_creds_methods,
 };
 
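Review bot: with Py_TPFLAGS_BASETYPE now set on the `.tp_flags` line, py_creds_new must allocate through the `type` argument it is handed rather than through &PyCredentials, otherwise an instance of a Python subclass comes back as a plain credentials.Credentials and loses the subclass's attributes and methods; py_creds_new is outside this hunk, so please confirm it already does (for example via pytalloc_steal(type, ...)). A one-line comment next to the flag saying that subclassing is intended would also help, since the commit message only mentions the test use case.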
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index 43f532dc483..abb3f96a1e6 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -25,20 +25,11 @@ import pyasn1
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
-import samba
-from samba.auth import system_session
-from samba.credentials import (
-    Credentials,
-    DONT_USE_KERBEROS)
+from samba.credentials import DONT_USE_KERBEROS
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
-from samba.dsdb import (
-    UF_WORKSTATION_TRUST_ACCOUNT,
-    UF_PASSWD_NOTREQD,
-    UF_NORMAL_ACCOUNT)
-from samba.samdb import SamDB
-from samba.tests import delete_force, DynamicTestCase
+from samba.tests import DynamicTestCase
 from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
     AES128_CTS_HMAC_SHA1_96,
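Review bot: the hunk drops the SamDB, Credentials, system_session and UF_* imports but keeps `from samba.dcerpc.misc import SEC_CHAN_WKSTA` and `from samba.credentials import DONT_USE_KERBEROS`; if account creation has moved entirely into KDCBaseTest.create_account(), check whether these two names are still referenced anywhere in this file and drop them too if not, so the import block matches the refactor (a pyflakes run over the file would settle it).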
@@ -96,12 +87,12 @@ class TestData:
         else:
             client_name_type = NT_PRINCIPAL
 
-        self.cname = RawKerberosTest.PrincipalName_create(
+        self.cname = KDCBaseTest.PrincipalName_create(
             name_type=client_name_type, names=[self.user_name])
         if TestOptions.AsReqSelf.is_set(options):
             self.sname = self.cname
         else:
-            self.sname = RawKerberosTest.PrincipalName_create(
+            self.sname = KDCBaseTest.PrincipalName_create(
                 name_type=NT_SRV_INST, names=["krbtgt", self.realm])
         self.canonicalize = TestOptions.Canonicalize.is_set(options)
 
@@ -141,7 +132,7 @@ USER_NAME = "tstkrb5cnnusr"
 
 
 @DynamicTestCase
-class KerberosASCanonicalizationTests(RawKerberosTest):
+class KerberosASCanonicalizationTests(KDCBaseTest):
 
     @classmethod
     def setUpDynamicTestCases(cls):
@@ -170,114 +161,37 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
                 name = build_test_name(ct, x)
                 cls.generate_dynamic_test("test", name, x, ct)
 
-    @classmethod
-    def setUpClass(cls):
-        cls.lp = cls.get_loadparm(cls)
-        cls.username = os.environ["USERNAME"]
-        cls.password = os.environ["PASSWORD"]
-        cls.host = os.environ["SERVER"]
-
-        c = Credentials()
-        c.set_username(cls.username)
-        c.set_password(cls.password)
-        try:
-            realm = os.environ["REALM"]
-            c.set_realm(realm)
-        except KeyError:
-            pass
-        try:
-            domain = os.environ["DOMAIN"]
-            c.set_domain(domain)
-        except KeyError:
-            pass
+    def user_account_creds(self):
+        if self.user_creds is None:
+            samdb = self.get_samdb()
+            self.user_creds, _ = self.create_account(samdb, USER_NAME)
 
-        c.guess()
+        return self.user_creds
 
-        cls.credentials = c
+    def machine_account_creds(self):
+        if self.machine_creds is None:
+            samdb = self.get_samdb()
+            self.machine_creds, _ = self.create_account(samdb,
+                                                        MACHINE_NAME,
+                                                        machine_account=True)
+            self.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
+            self.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
 
-        cls.session = system_session()
-        cls.ldb = SamDB(url="ldap://%s" % cls.host,
-                        session_info=cls.session,
-                        credentials=cls.credentials,
-                        lp=cls.lp)
-        cls.create_machine_account()
-        cls.create_user_account()
-
-    @classmethod
-    def tearDownClass(cls):
-        super(KerberosASCanonicalizationTests, cls).tearDownClass()
-        delete_force(cls.ldb, cls.machine_dn)
-        delete_force(cls.ldb, cls.user_dn)
+        return self.machine_creds
 
     def setUp(self):
-        super(KerberosASCanonicalizationTests, self).setUp()
+        super().setUp()
         self.do_asn1_print = global_asn1_print
         self.do_hexdump = global_hexdump
 
-    #
-    # Create a test user account
-    @classmethod
-    def create_user_account(cls):
-        cls.user_pass = samba.generate_random_password(32, 32)
-        cls.user_name = USER_NAME
-        cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn())
-
-        # remove the account if it exists, this will happen if a previous test
-        # run failed
-        delete_force(cls.ldb, cls.user_dn)
-
-        utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le')
-        cls.ldb.add({
-            "dn": cls.user_dn,
-            "objectclass": "user",
-            "sAMAccountName": "%s" % cls.user_name,
-            "userAccountControl": str(UF_NORMAL_ACCOUNT),
-            "unicodePwd": utf16pw})
-
-        cls.user_creds = Credentials()
-        cls.user_creds.guess(cls.lp)
-        cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper())
-        cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper())
-        cls.user_creds.set_password(cls.user_pass)
-        cls.user_creds.set_username(cls.user_name)
-        cls.user_creds.set_workstation(cls.machine_name)
-
-    #
-    # Create the machine account
-    @classmethod
-    def create_machine_account(cls):
-        cls.machine_pass = samba.generate_random_password(32, 32)
-        cls.machine_name = MACHINE_NAME
-        cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn())
-
-        # remove the account if it exists, this will happen if a previous test
-        # run failed
-        delete_force(cls.ldb, cls.machine_dn)
-
-        utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le')
-        cls.ldb.add({
-            "dn": cls.machine_dn,
-            "objectclass": "computer",
-            "sAMAccountName": "%s$" % cls.machine_name,
-            "userAccountControl":
-                str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
-            "unicodePwd": utf16pw})
-
-        cls.machine_creds = Credentials()
-        cls.machine_creds.guess(cls.lp)
-        cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper())
-        cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper())
-        cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
-        cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
-        cls.machine_creds.set_password(cls.machine_pass)
-        cls.machine_creds.set_username(cls.machine_name + "$")
-        cls.machine_creds.set_workstation(cls.machine_name)
+        self.user_creds = None
+        self.machine_creds = None
 
     def _test_with_args(self, x, ct):
         if ct == CredentialsType.User:
-            creds = self.user_creds
+            creds = self.user_account_creds()
         elif ct == CredentialsType.Machine:
-            creds = self.machine_creds
+            creds = self.machine_account_creds()
         else:
             raise Exception("Unexpected credential type")
         data = TestData(x, creds)
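Review bot: The credential cache is reset per test instance (`self.user_creds = None` / `self.machine_creds = None` in `setUp()`), so with the dynamically generated permutation tests `create_account()` is called for every single test method, which is the opposite of what the base class's `tearDownClass()` comment later in this changeset says ("accounts need only be created once for permutation tests"). Consider caching at class level (`cls.user_creds`, set lazily in `user_account_creds()`) so the accounts are created once per class and cleaned up once. Also note that the removed `create_user_account()` called `set_workstation(cls.machine_name)` on the user creds, while the new `user_account_creds()` does not; if `create_account()` in the base class does not set it, that is a behaviour change for the user-credential permutations.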
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
new file mode 100755
index 00000000000..10e7b603609
--- /dev/null
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -0,0 +1,207 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+from samba.tests import DynamicTestCase
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+from samba.tests.krb5.rfc4120_constants import (
+    KDC_ERR_PREAUTH_REQUIRED,
+    KU_PA_ENC_TIMESTAMP,
+    NT_PRINCIPAL,
+    NT_SRV_INST,
+    PADATA_ENC_TIMESTAMP
+)
+
+global_asn1_print = False
+global_hexdump = False
+
+ at DynamicTestCase
+class AsReqKerberosTests(KDCBaseTest):
+
+    @classmethod
+    def setUpDynamicTestCases(cls):
+        for (name, idx) in cls.etype_test_permutation_name_idx():
+            for pac in [None, True, False]:
+                tname = "%s_pac_%s" % (name, pac)
+                targs = (idx, pac)
+                cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
+        return
+
+    def setUp(self):
+        super(AsReqKerberosTests, self).setUp()
+        self.do_asn1_print = global_asn1_print
+        self.do_hexdump = global_hexdump
+
+    def _test_as_req_nopreauth(self,
+                               initial_etypes,
+                               initial_padata=None,
+                               initial_kdc_options=None):
+        client_creds = self.get_client_creds()
+        client_account = client_creds.get_username()
+        client_as_etypes = client_creds.get_as_krb5_etypes()
+        krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
+        krbtgt_account = krbtgt_creds.get_username()
+        realm = krbtgt_creds.get_realm()
+
+        cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+                                          names=[client_account])
+        sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+                                          names=[krbtgt_account, realm])
+
+        expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
+        expected_crealm = realm
+        expected_cname = cname
+        expected_srealm = realm
+        expected_sname = sname
+        expected_salt = client_creds.get_forced_salt()
+
+        def _generate_padata_copy(_kdc_exchange_dict,
+                                  _callback_dict,
+                                  req_body):
+            return initial_padata, req_body
+
+        kdc_exchange_dict = self.as_exchange_dict(
+                         expected_crealm=expected_crealm,
+                         expected_cname=expected_cname,
+                         expected_srealm=expected_srealm,
+                         expected_sname=expected_sname,
+                         generate_padata_fn=_generate_padata_copy,
+                         check_error_fn=self.generic_check_as_error,
+                         check_rep_fn=self.generic_check_kdc_rep,
+                         expected_error_mode=expected_error_mode,
+                         client_as_etypes=client_as_etypes,
+                         expected_salt=expected_salt)
+
+        rep = self._generic_kdc_exchange(kdc_exchange_dict,
+                                         kdc_options=str(initial_kdc_options),
+                                         cname=cname,
+                                         realm=realm,
+                                         sname=sname,
+                                         etypes=initial_etypes)
+
+        return kdc_exchange_dict['preauth_etype_info2']
+
+    def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
+        name, etypes = self.etype_test_permutation_by_idx(etype_idx)
+        if pac is None:
+            padata = None
+        else:
+            pa_pac = self.KERB_PA_PAC_REQUEST_create(pac)
+            padata = [pa_pac]
+        return self._test_as_req_nopreauth(
+                     initial_padata=padata,
+                     initial_etypes=etypes,
+                     initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
+
+    def test_as_req_enc_timestamp(self):
+        client_creds = self.get_client_creds()
+        client_account = client_creds.get_username()
+        client_as_etypes = client_creds.get_as_krb5_etypes()
+        client_kvno = client_creds.get_kvno()
+        krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
+        krbtgt_account = krbtgt_creds.get_username()
+        realm = krbtgt_creds.get_realm()
+
+        cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+                                          names=[client_account])
+        sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+                                          names=[krbtgt_account, realm])
+
+        expected_crealm = realm
+        expected_cname = cname
+        expected_srealm = realm
+        expected_sname = sname
+        expected_salt = client_creds.get_forced_salt()
+
+        till = self.get_KerberosTime(offset=36000)
+
+        pa_pac = self.KERB_PA_PAC_REQUEST_create(True)
+        initial_padata = [pa_pac]
+        initial_etypes = client_as_etypes
+        initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
+        initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
+
+        etype_info2 = self._test_as_exchange(cname,
+                                             realm,
+                                             sname,
+                                             till,
+                                             client_as_etypes,
+                                             initial_error_mode,
+                                             expected_crealm,
+                                             expected_cname,
+                                             expected_srealm,
+                                             expected_sname,
+                                             expected_salt,
+                                             initial_etypes,
+                                             initial_padata,
+                                             initial_kdc_options)
+        self.assertIsNotNone(etype_info2)
+
+        preauth_key = self.PasswordKey_from_etype_info2(client_creds,
+                                                        etype_info2[0],
+                                                        kvno=client_kvno)
+
+        (patime, pausec) = self.get_KerberosTimeWithUsec()
+        pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec)
+        pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC())
+
+        enc_pa_ts_usage = KU_PA_ENC_TIMESTAMP
+        pa_ts = self.EncryptedData_create(preauth_key, enc_pa_ts_usage, pa_ts)
+        pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData())
+
+        pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
+
+        preauth_padata = [pa_ts, pa_pac]
+        preauth_etypes = client_as_etypes
+        preauth_kdc_options = krb5_asn1.KDCOptions('forwardable')
+        preauth_error_mode = 0 # AS-REP
+
+        krbtgt_decryption_key = (
+            self.TicketDecryptionKey_from_creds(krbtgt_creds))
+
+        as_rep = self._test_as_exchange(cname,
+                                        realm,
+                                        sname,
+                                        till,
+                                        client_as_etypes,
+                                        preauth_error_mode,
+                                        expected_crealm,
+                                        expected_cname,
+                                        expected_srealm,
+                                        expected_sname,
+                                        expected_salt,
+                                        preauth_etypes,
+                                        preauth_padata,
+                                        preauth_kdc_options,
+                                        preauth_key=preauth_key,
+                                        ticket_decryption_key=krbtgt_decryption_key)
+        self.assertIsNotNone(as_rep)
+        return
+
+if __name__ == "__main__":
+    global_asn1_print = True
+    global_hexdump = True
+    import unittest
+    unittest.main()
+
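Review bot: In `_test_as_req_nopreauth()` the `kdc_options=str(initial_kdc_options)` call turns the `None` default into the string `"None"`; either drop the default or only stringify when a value was passed. In the same method the result of `_generic_kdc_exchange()` is assigned to `rep` and never used, so either assert on it or drop the assignment. Minor style points: `setUp()` here uses `super(AsReqKerberosTests, self).setUp()` whereas the canonicalization tests in this same changeset moved to `super().setUp()`; the bare `return` at the end of `setUpDynamicTestCases()` and `test_as_req_enc_timestamp()` is redundant; and `preauth_error_mode = 0 # AS-REP` wants two spaces before the inline comment per PEP 8.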
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index e345f739e1c..0f5238a3de9 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -20,6 +20,8 @@ import sys
 import os
 from datetime import datetime, timezone
 import tempfile
+import binascii
+import struct
 
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
@@ -29,13 +31,21 @@ from ldb import SCOPE_BASE
 from samba import generate_random_password
 from samba.auth import system_session
 from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS
-from samba.dcerpc import krb5pac, krb5ccache
-from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT
+from samba.dcerpc import drsblobs, drsuapi, misc, krb5pac, krb5ccache, security
+from samba.drs_utils import drsuapi_connect
+from samba.dsdb import (
+    DS_DOMAIN_FUNCTION_2000,
+    DS_DOMAIN_FUNCTION_2008,
+    UF_WORKSTATION_TRUST_ACCOUNT,
+    UF_NORMAL_ACCOUNT
+)
 from samba.ndr import ndr_pack, ndr_unpack
+from samba import net
 from samba.samdb import SamDB
 
 from samba.tests import delete_force
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+import samba.tests.krb5.kcrypto as kcrypto
+from samba.tests.krb5.raw_testcase import KerberosCredentials, RawKerberosTest
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
     AD_IF_RELEVANT,
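Review bot: The hunk keeps `from ldb import SCOPE_BASE`, `system_session` and `Credentials` in the import list, but the next hunk removes the only visible uses of all three (the `Credentials()` construction, `system_session()` and the `SCOPE_BASE` RootDSE search in `setUpClass()`). If the lazy `get_samdb()` and related helpers in the truncated part of the file do not use them, please drop the imports. `SamDB` and `generate_random_password` presumably survive in those helpers, but that is not visible here either.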
@@ -66,60 +76,88 @@ class KDCBaseTest(RawKerberosTest):
 
     @classmethod
     def setUpClass(cls):
-        cls.lp = cls.get_loadparm(cls)
-        cls.username = os.environ["USERNAME"]
-        cls.password = os.environ["PASSWORD"]
-        cls.host = os.environ["SERVER"]
-
-        c = Credentials()
-        c.set_username(cls.username)
-        c.set_password(cls.password)
-        try:
-            realm = os.environ["REALM"]
-            c.set_realm(realm)
-        except KeyError:
-            pass
-        try:
-            domain = os.environ["DOMAIN"]
-            c.set_domain(domain)
-        except KeyError:
-            pass
+        super().setUpClass()
+        cls._lp = None
 
-        c.guess()
+        cls._ldb = None
 
-        cls.credentials = c
+        cls._functional_level = None
 
-        cls.session = system_session()
-        cls.ldb = SamDB(url="ldap://%s" % cls.host,
-                        session_info=cls.session,
-                        credentials=cls.credentials,
-                        lp=cls.lp)
-        # fetch the dnsHostName from the RootDse
-        res = cls.ldb.search(
-            base="", expression="", scope=SCOPE_BASE, attrs=["dnsHostName"])
-        cls.dns_host_name = str(res[0]['dnsHostName'])
+        # A set containing DNs of accounts created as part of testing.
+        cls.accounts = set()
+
+    @classmethod
+    def tearDownClass(cls):
+        # Clean up any accounts created by create_account. This is
+        # done in tearDownClass() rather than tearDown(), so that
+        # accounts need only be created once for permutation tests.
+        if cls._ldb is not None:
+            for dn in cls.accounts:
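Review bot: `setUpClass()` removes the `cls.dns_host_name` lookup from the RootDSE without a visible replacement; since the changeset is truncated at 500 lines, please double-check that every remaining user of `dns_host_name` in this file and in subclasses now obtains it lazily (for instance via a `get_dns_host_name()` helper alongside `get_samdb()`). Style: the three `cls._lp = None` / `cls._ldb = None` / `cls._functional_level = None` assignments are separated by stray blank lines left over from the deleted block and should be collapsed into one group. The `tearDownClass()` loop is cut off by the truncation, so the cleanup (and whether it still chains to `super().tearDownClass()`) cannot be reviewed from this mail.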


-- 
Samba Shared Repository
