[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Nov 30 03:34:01 UTC 2021
The branch, master has been updated
via 38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
via 9bd26804852 heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
via ee4aa21c487 selftest: Properly check extra PAC buffers with Heimdal
via 1f4f3018c50 heimdal:kdc: Always generate a PAC for S4U2Self
via 192d6edfe91 tests/krb5: Add a test for S4U2Self with no authorization data required
via 4b60e951649 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
via 90025b6a4d2 kdc: Don't include extra PAC buffers in service tickets
via e61983c7f2c Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
via 73a48063469 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
via 690a00a40c0 kdc: Always add the PAC if the header TGT is from an RODC
via b6a25f5f016 kdc: Match Windows error code for mismatching sname
via bac5f750594 tests/krb5: Add test for S4U2Self with wrong sname
via d5d22bf84a7 kdc: Adjust SID mismatch error code to match Windows
via f7a2fef8f49 heimdal:kdc: Adjust no-PAC error code to match Windows
via 9cfb88ba048 s4:torture: Fix typo
via 11fb9476ad3 heimdal:kdc: Fix error message for user-to-user
via 749349efab9 tests/krb5: Add comments for tests that fail against Windows
via ca80c47406e tests/krb5: Add tests for validation with requester SID PAC buffer
via ebc9137cee9 tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
via ec823c2a83c tests/krb5: Add TGS-REQ tests with FAST
via 778029c1dc4 tests/krb5: Add tests for TGS requests with a non-TGT
via 7574ba9f580 tests/krb5: Add tests for invalid TGTs
via 28d501875a9 tests/krb5: Remove unnecessary expect_pac arguments
via d95705172bc tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
via e930274aa43 tests/krb5: Split out methods to create renewable or invalid tickets
via a560c2e9ad8 tests/krb5: Allow PasswordKey_create() to use s2kparams
via 167bd207048 tests/krb5: Run test_rpc against member server
via f0b222e3ecf tests/krb5: Deduplicate AS-REQ tests
via 57b1b76154d tests/krb5: Remove unused variable
via ad4d6fb01fd selftest: Check received LDB error code when STRICT_CHECKING=0
from cbf312f02bc s3:winbind: Fix possible NULL pointer dereference
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 38c5bad4a853b19fe9a51fb059e150b153c4632a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:41:54 2021 +1300
kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184
commit 9bd26804852d957f81cb311e5142f9190f9afa65
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 19:38:35 2021 +1300
heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
when generating a service ticket for S4U2Self, we want to avoid adding
the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ee4aa21c487fa80082a548b2e4f115a791e30340
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 09:29:42 2021 +1300
selftest: Properly check extra PAC buffers with Heimdal
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 17:30:50 2021 +1300
heimdal:kdc: Always generate a PAC for S4U2Self
If we decided not to put a PAC into the ticket, mspac would be NULL
here, and the resulting ticket would not contain a PAC. This could
happen if there was a request to omit the PAC or the service did not
require authorization data. Ensure that we always generate a PAC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 192d6edfe912105ec344dc554f872a24c03540a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 12:46:40 2021 +1300
tests/krb5: Add a test for S4U2Self with no authorization data required
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4b60e9516497c2e7f1545fe50887d0336b9893f2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 10:53:49 2021 +1300
kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
presented with an RODC-issued TGT. By removing this PAC buffer from
RODC-issued tickets, we ensure that an RODC-issued ticket will still
result in a PAC if it is first renewed or validated by the main DC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:42:22 2021 +1300
kdc: Don't include extra PAC buffers in service tickets
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e61983c7f2c4daade83b237efb990d0c0645b3a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 13:24:57 2021 +1300
Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.
We should not be generating these additional PAC buffers for service
tickets, only for TGTs.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 73a48063469205099f02efdf3b8f0f1040dc7a3d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 10:32:44 2021 +1300
tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 20:15:41 2021 +1300
kdc: Always add the PAC if the header TGT is from an RODC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b6a25f5f016aef39c3b1d7be8b3ecfe021c03c83
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 23 20:00:07 2021 +1300
kdc: Match Windows error code for mismatching sname
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit bac5f75059450898937be891e863826e1350b62c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 25 10:05:17 2021 +1300
tests/krb5: Add test for S4U2Self with wrong sname
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d5d22bf84a71492342287e54b555c9f024e7e71c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:41:45 2021 +1300
kdc: Adjust SID mismatch error code to match Windows
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 20:41:34 2021 +1300
heimdal:kdc: Adjust no-PAC error code to match Windows
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9cfb88ba04818b5e9cec3c96422e8e4a3080d490
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 18 16:22:34 2021 +1300
s4:torture: Fix typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 11fb9476ad3c09415d12b3cdf7934c293cbefcb2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 18 13:14:51 2021 +1300
heimdal:kdc: Fix error message for user-to-user
We were checking the wrong variable to see whether a PAC was found or not.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 749349efab9b401d33a4fc286473a924364a41c9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 15:32:32 2021 +1300
tests/krb5: Add comments for tests that fail against Windows
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ca80c47406e0f2b6fac2c55229306e21ccef9745
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 13:10:52 2021 +1300
tests/krb5: Add tests for validation with requester SID PAC buffer
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:37:08 2021 +1300
tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ec823c2a83c639f1d7c422153a53d366750e5f2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:09:18 2021 +1300
tests/krb5: Add TGS-REQ tests with FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:10:45 2021 +1300
tests/krb5: Add tests for TGS requests with a non-TGT
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7574ba9f580fca552b80532a49d00e657fbdf4fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Nov 30 09:26:40 2021 +1300
tests/krb5: Add tests for invalid TGTs
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 28d501875a98fa2817262eb8ec68bf91528428c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 12:04:36 2021 +1300
tests/krb5: Remove unnecessary expect_pac arguments
The value of expect_pac is not considered if we are expecting an error.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d95705172bcf6fe24817800a4c0009e9cc8be595
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:52:31 2021 +1300
tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e930274aa43810d6485c3c8a7c82958ecb409630
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:40:35 2021 +1300
tests/krb5: Split out methods to create renewable or invalid tickets
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a560c2e9ad8abb824d1805c86c656943745f81eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:37:35 2021 +1300
tests/krb5: Allow PasswordKey_create() to use s2kparams
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 16:02:00 2021 +1300
tests/krb5: Run test_rpc against member server
We were instead always running against the DC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:34:11 2021 +1300
tests/krb5: Deduplicate AS-REQ tests
salt_tests was running the tests defined in the base class as well as
its own tests.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:53:18 2021 +1300
tests/krb5: Remove unused variable
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ad4d6fb01fd8083e68f07c427af8932574810cdc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 24 11:30:38 2021 +1300
selftest: Check received LDB error code when STRICT_CHECKING=0
We were instead only checking the expected error.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/krb5/alias_tests.py | 7 +-
python/samba/tests/krb5/as_req_tests.py | 163 ++---
python/samba/tests/krb5/kdc_tgs_tests.py | 739 +++++++++++++++++----
.../krb5/ms_kile_client_principal_lookup_tests.py | 39 +-
python/samba/tests/krb5/raw_testcase.py | 50 +-
python/samba/tests/krb5/rfc4120_constants.py | 1 +
python/samba/tests/krb5/s4u_tests.py | 123 +++-
python/samba/tests/krb5/salt_tests.py | 4 +-
python/samba/tests/krb5/test_rpc.py | 17 +-
selftest/knownfail_heimdal_kdc | 17 +-
selftest/knownfail_mit_kdc | 41 +-
source4/dsdb/tests/python/priv_attrs.py | 2 +-
source4/heimdal/kdc/kerberos5.c | 2 +-
source4/heimdal/kdc/krb5tgs.c | 18 +-
source4/heimdal/kdc/windc.c | 5 +-
source4/heimdal/kdc/windc_plugin.h | 2 +
source4/kdc/db-glue.c | 2 +-
source4/kdc/pac-glue.c | 6 +-
source4/kdc/wdc-samba4.c | 48 +-
source4/selftest/tests.py | 58 +-
source4/torture/krb5/kdc-canon-heimdal.c | 2 +-
source4/torture/rpc/remote_pac.c | 24 +-
22 files changed, 986 insertions(+), 384 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/alias_tests.py b/python/samba/tests/krb5/alias_tests.py
index 60213845a44..1f63775c189 100755
--- a/python/samba/tests/krb5/alias_tests.py
+++ b/python/samba/tests/krb5/alias_tests.py
@@ -28,7 +28,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5,
- KDC_ERR_CLIENT_NAME_MISMATCH,
+ KDC_ERR_TGT_REVOKED,
NT_PRINCIPAL,
)
@@ -168,7 +168,7 @@ class AliasTests(KDCBaseTest):
ctype=None)
return [padata], req_body
- expected_error_mode = KDC_ERR_CLIENT_NAME_MISMATCH
+ expected_error_mode = KDC_ERR_TGT_REVOKED
# Make a request using S4U2Self. The request should fail.
kdc_exchange_dict = self.tgs_exchange_dict(
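Review bot: the comment `# Make a request using S4U2Self. The request should fail.` directly above this exchange no longer says why the failure is now `KDC_ERR_TGT_REVOKED` instead of `KDC_ERR_CLIENT_NAME_MISMATCH`; since the switch follows the series' commits "kdc: Adjust SID mismatch error code to match Windows" and "kdc: Match Windows error code for mismatching sname", a one-line note such as `# Windows reports KDC_ERR_TGT_REVOKED for a SID/name mismatch` would keep the expectation explicable when this test next fails.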
@@ -184,7 +184,8 @@ class AliasTests(KDCBaseTest):
tgt=tgt,
authenticator_subkey=authenticator_subkey,
kdc_options='0',
- expect_pac=True)
+ expect_pac=True,
+ expect_edata=False)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=None,
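Review bot: `expect_pac=True` next to the new `expect_edata=False` is dead for this exchange, because the request is expected to fail and, per the commit "tests/krb5: Remove unnecessary expect_pac arguments" in this same series ("The value of expect_pac is not considered if we are expecting an error"), the argument is ignored on the error path; drop it here as the kdc_tgs_tests hunks in this changeset do for the same pattern.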
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 08081928363..315720f85d6 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -38,87 +38,8 @@ from samba.tests.krb5.rfc4120_constants import (
global_asn1_print = False
global_hexdump = False
- at DynamicTestCase
-class AsReqKerberosTests(KDCBaseTest):
-
- @classmethod
- def setUpDynamicTestCases(cls):
- for (name, idx) in cls.etype_test_permutation_name_idx():
- for pac in [None, True, False]:
- tname = "%s_pac_%s" % (name, pac)
- targs = (idx, pac)
- cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
-
- def setUp(self):
- super(AsReqKerberosTests, self).setUp()
- self.do_asn1_print = global_asn1_print
- self.do_hexdump = global_hexdump
-
- def _test_as_req_nopreauth(self,
- initial_etypes,
- pac=None,
- initial_kdc_options=None):
- client_creds = self.get_client_creds()
- client_account = client_creds.get_username()
- client_as_etypes = self.get_default_enctypes()
- krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
- krbtgt_account = krbtgt_creds.get_username()
- realm = krbtgt_creds.get_realm()
-
- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
- names=[client_account])
- sname = self.PrincipalName_create(name_type=NT_SRV_INST,
- names=[krbtgt_account, realm])
-
- expected_crealm = realm
- expected_cname = cname
- expected_srealm = realm
- expected_sname = sname
- expected_salt = client_creds.get_salt()
-
- if any(etype in client_as_etypes and etype in initial_etypes
- for etype in (kcrypto.Enctype.AES256,
- kcrypto.Enctype.AES128,
- kcrypto.Enctype.RC4)):
- expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
- else:
- expected_error_mode = KDC_ERR_ETYPE_NOSUPP
-
- kdc_exchange_dict = self.as_exchange_dict(
- expected_crealm=expected_crealm,
- expected_cname=expected_cname,
- expected_srealm=expected_srealm,
- expected_sname=expected_sname,
- generate_padata_fn=None,
- check_error_fn=self.generic_check_kdc_error,
- check_rep_fn=None,
- expected_error_mode=expected_error_mode,
- client_as_etypes=client_as_etypes,
- expected_salt=expected_salt,
- kdc_options=str(initial_kdc_options),
- pac_request=pac)
-
- self._generic_kdc_exchange(kdc_exchange_dict,
- cname=cname,
- realm=realm,
- sname=sname,
- etypes=initial_etypes)
-
- def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
- name, etypes = self.etype_test_permutation_by_idx(etype_idx)
- self._test_as_req_nopreauth(
- pac=pac,
- initial_etypes=etypes,
- initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
-
- def test_as_req_enc_timestamp(self):
- client_creds = self.get_client_creds()
- self._run_as_req_enc_timestamp(client_creds)
-
- def test_as_req_enc_timestamp_mac(self):
- client_creds = self.get_mach_creds()
- self._run_as_req_enc_timestamp(client_creds)
+class AsReqBaseTest(KDCBaseTest):
def _run_as_req_enc_timestamp(self, client_creds):
client_account = client_creds.get_username()
client_as_etypes = self.get_default_enctypes()
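Review bot: the new `AsReqBaseTest` class at the bottom of the hunk carries no docstring stating that it holds only shared helpers (`_run_as_req_enc_timestamp`) and deliberately no `test_*` methods; since the commit message says `salt_tests` was picking up the base class's tests, a docstring along the lines of `"""Helper base class; concrete tests live in subclasses so they are not inherited."""` records that constraint for the next subclass author. Separately, the removed decorator reads ` at DynamicTestCase` only because the list archive rewrites `@` as ` at `; in the repository it is `@DynamicTestCase`, and it is moved, not dropped.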
@@ -207,6 +128,88 @@ class AsReqKerberosTests(KDCBaseTest):
return etype_info2
+ at DynamicTestCase
+class AsReqKerberosTests(AsReqBaseTest):
+
+ @classmethod
+ def setUpDynamicTestCases(cls):
+ for (name, idx) in cls.etype_test_permutation_name_idx():
+ for pac in [None, True, False]:
+ tname = "%s_pac_%s" % (name, pac)
+ targs = (idx, pac)
+ cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs)
+
+ def setUp(self):
+ super(AsReqKerberosTests, self).setUp()
+ self.do_asn1_print = global_asn1_print
+ self.do_hexdump = global_hexdump
+
+ def _test_as_req_nopreauth(self,
+ initial_etypes,
+ pac=None,
+ initial_kdc_options=None):
+ client_creds = self.get_client_creds()
+ client_account = client_creds.get_username()
+ client_as_etypes = self.get_default_enctypes()
+ krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
+ krbtgt_account = krbtgt_creds.get_username()
+ realm = krbtgt_creds.get_realm()
+
+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=[client_account])
+ sname = self.PrincipalName_create(name_type=NT_SRV_INST,
+ names=[krbtgt_account, realm])
+
+ expected_crealm = realm
+ expected_cname = cname
+ expected_srealm = realm
+ expected_sname = sname
+ expected_salt = client_creds.get_salt()
+
+ if any(etype in client_as_etypes and etype in initial_etypes
+ for etype in (kcrypto.Enctype.AES256,
+ kcrypto.Enctype.AES128,
+ kcrypto.Enctype.RC4)):
+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
+ else:
+ expected_error_mode = KDC_ERR_ETYPE_NOSUPP
+
+ kdc_exchange_dict = self.as_exchange_dict(
+ expected_crealm=expected_crealm,
+ expected_cname=expected_cname,
+ expected_srealm=expected_srealm,
+ expected_sname=expected_sname,
+ generate_padata_fn=None,
+ check_error_fn=self.generic_check_kdc_error,
+ check_rep_fn=None,
+ expected_error_mode=expected_error_mode,
+ client_as_etypes=client_as_etypes,
+ expected_salt=expected_salt,
+ kdc_options=str(initial_kdc_options),
+ pac_request=pac)
+
+ self._generic_kdc_exchange(kdc_exchange_dict,
+ cname=cname,
+ realm=realm,
+ sname=sname,
+ etypes=initial_etypes)
+
+ def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
+ name, etypes = self.etype_test_permutation_by_idx(etype_idx)
+ self._test_as_req_nopreauth(
+ pac=pac,
+ initial_etypes=etypes,
+ initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
+
+ def test_as_req_enc_timestamp(self):
+ client_creds = self.get_client_creds()
+ self._run_as_req_enc_timestamp(client_creds)
+
+ def test_as_req_enc_timestamp_mac(self):
+ client_creds = self.get_mach_creds()
+ self._run_as_req_enc_timestamp(client_creds)
+
+
if __name__ == "__main__":
global_asn1_print = False
global_hexdump = False
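Review bot: in `_test_as_req_no_preauth_with_args`, `name` from `self.etype_test_permutation_by_idx(etype_idx)` is unpacked but never used (the readable name is already consumed by `setUpDynamicTestCases` when generating the test method), so `_, etypes = ...` would make that explicit. The rest of the re-added class is a verbatim copy of the block removed in the previous hunk, so the move itself is behaviour-neutral apart from the new base class.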
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index abac5a47a56..2923d53772a 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -23,7 +23,7 @@ import os
import ldb
-from samba import dsdb, ntstatus
+from samba import dsdb
from samba.dcerpc import krb5pac, security
@@ -32,20 +32,21 @@ os.environ["PYTHONUNBUFFERED"] = "1"
import samba.tests.krb5.kcrypto as kcrypto
from samba.tests.krb5.kdc_base_test import KDCBaseTest
+from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5,
KRB_ERROR,
KRB_TGS_REP,
KDC_ERR_BADMATCH,
- KDC_ERR_BADOPTION,
- KDC_ERR_CLIENT_NAME_MISMATCH,
KDC_ERR_GENERIC,
KDC_ERR_MODIFIED,
+ KDC_ERR_NOT_US,
KDC_ERR_POLICY,
KDC_ERR_C_PRINCIPAL_UNKNOWN,
KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_TGT_REVOKED,
+ KRB_ERR_TKT_NYV,
KDC_ERR_WRONG_REALM,
NT_PRINCIPAL,
NT_SRV_INST,
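Review bot: `KRB_ERR_TKT_NYV` is a new import and the diffstat lists `rfc4120_constants.py | 1 +`, so the constant is introduced in this same series; check that the commit adding it is ordered before the test commits that use it, otherwise bisecting through the series fails with an ImportError at module load. The new `Krb5EncryptionKey` import from `raw_testcase` cannot be seen used in the hunks shown, since the changeset is truncated at 500 lines.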
@@ -262,7 +263,7 @@ class KdcTgsTests(KDCBaseTest):
authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
if expect_error:
- expected_error_mode = KDC_ERR_BADOPTION
+ expected_error_mode = KDC_ERR_TGT_REVOKED
check_error_fn = self.generic_check_kdc_error
check_rep_fn = None
else:
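Review bot: the expected error in the `if expect_error:` branch changes from `KDC_ERR_BADOPTION` to `KDC_ERR_TGT_REVOKED` without a comment on which KDC behaviour it encodes; the commit "tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2" is the rationale, so a short comment naming that setting would save the next reader a trip through git log.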
@@ -288,7 +289,8 @@ class KdcTgsTests(KDCBaseTest):
authenticator_subkey=authenticator_subkey,
kdc_options=kdc_options,
pac_request=pac_request,
- expect_pac=expect_pac)
+ expect_pac=expect_pac,
+ expect_edata=False)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=cname,
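Review bot: `expect_edata=False` is added unconditionally to the exchange dict, so it also applies on the success path where `check_error_fn` is None and no KRB-ERROR is examined; if it only matters when an error is expected, computing it in the `if expect_error:` branch above (or documenting that it is ignored otherwise) makes the intent clearer.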
@@ -413,7 +415,7 @@ class KdcTgsTests(KDCBaseTest):
self.assertIsNone(pac)
self._make_tgs_request(client_creds, service_creds, tgt,
- expect_pac=False, expect_error=True)
+ expect_error=True)
def test_remove_pac_client_no_auth_data_required(self):
client_creds = self.get_cached_creds(
@@ -428,7 +430,7 @@ class KdcTgsTests(KDCBaseTest):
self.assertIsNone(pac)
self._make_tgs_request(client_creds, service_creds, tgt,
- expect_pac=False, expect_error=True)
+ expect_error=True)
def test_remove_pac(self):
client_creds = self.get_client_creds()
@@ -441,7 +443,7 @@ class KdcTgsTests(KDCBaseTest):
self.assertIsNone(pac)
self._make_tgs_request(client_creds, service_creds, tgt,
- expect_pac=False, expect_error=True)
+ expect_error=True)
def test_upn_dns_info_ex_user(self):
client_creds = self.get_client_creds()
@@ -495,12 +497,18 @@ class KdcTgsTests(KDCBaseTest):
def test_renew_req(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, renewable=True)
- self._renew_tgt(tgt, expected_error=0)
+ self._renew_tgt(tgt, expected_error=0,
+ expect_pac_attrs=True,
+ expect_pac_attrs_pac_request=True,
+ expect_requester_sid=True)
def test_validate_req(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, invalid=True)
- self._validate_tgt(tgt, expected_error=0)
+ self._validate_tgt(tgt, expected_error=0,
+ expect_pac_attrs=True,
+ expect_pac_attrs_pac_request=True,
+ expect_requester_sid=True)
def test_s4u2self_req(self):
creds = self._get_creds()
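Review bot: `test_renew_req` and `test_validate_req` now assert `expect_pac_attrs`, `expect_pac_attrs_pac_request` and `expect_requester_sid`, but nothing records why these buffers are expected here and not in the service-ticket tests; a comment that renewal and validation of a TGT yield a TGT, which per "kdc: Don't include extra PAC buffers in service tickets" and "kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs" must carry PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID, would do. The three keyword arguments are identical in both tests and will recur in every TGT-producing test, so consider defaulting them in `_renew_tgt`/`_validate_tgt`.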
@@ -512,12 +520,37 @@ class KdcTgsTests(KDCBaseTest):
tgt = self._get_tgt(creds)
self._user2user(tgt, creds, expected_error=0)
+ def test_fast_req(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds)
+ self._fast(tgt, creds, expected_error=0)
+
+ def test_tgs_req_invalid(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, invalid=True)
+ self._run_tgs(tgt, expected_error=KRB_ERR_TKT_NYV)
+
+ def test_s4u2self_req_invalid(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, invalid=True)
+ self._s4u2self(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
+
+ def test_user2user_req_invalid(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, invalid=True)
+ self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
+
+ def test_fast_req_invalid(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, invalid=True)
+ self._fast(tgt, creds, expected_error=KRB_ERR_TKT_NYV,
+ expected_sname=self.get_krbtgt_sname())
+
def test_tgs_req_no_requester_sid(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_requester_sid=True)
- self._run_tgs(tgt, expected_error=0, expect_pac=True,
- expect_requester_sid=False) # Note: not expected
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_req_no_pac_attrs(self):
creds = self._get_creds()
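Review bot: in `test_tgs_req_no_requester_sid`, the old `# Note: not expected` marker beside `expect_requester_sid=False` documented a known divergence from Windows; replacing it with `expected_error=KDC_ERR_TGT_REVOKED` matches the first commit in the series ("kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs"), so the knownfail files the diffstat touches (`selftest/knownfail_heimdal_kdc`, `selftest/knownfail_mit_kdc`) should be checked to confirm the entry for this test was removed rather than re-pointed. Separately, `test_fast_req_invalid` passes `expected_sname=self.get_krbtgt_sname()` while the three sibling `_invalid` tests do not; a comment on why the FAST error reply is checked against the krbtgt name would help.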
@@ -531,11 +564,7 @@ class KdcTgsTests(KDCBaseTest):
revealed_to_rodc=True)
tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True)
- samdb = self.get_samdb()
- sid = self.get_objectSid(samdb, creds.get_dn())
-
- self._run_tgs(tgt, expected_error=0, expect_pac=True,
- expect_requester_sid=True, expected_sid=sid)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_req_from_rodc_no_pac_attrs(self):
creds = self._get_creds(replication_allowed=True,
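Review bot: with the `samdb`/`get_objectSid` lookup removed, the RODC variant `_get_tgt(creds, from_rodc=True, remove_requester_sid=True)` now expects the same `KDC_ERR_TGT_REVOKED` as the DC-issued case in the previous hunk; that parity is the point, but nothing here says so, and the series also contains "kdc: Always add the PAC if the header TGT is from an RODC", which a reader could take to mean RODC-issued TGTs are handled more leniently. One sentence noting that the requester SID requirement applies regardless of issuer would prevent that misreading.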
@@ -548,101 +577,119 @@ class KdcTgsTests(KDCBaseTest):
def test_tgs_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, renewable=True, remove_pac=True)
- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, invalid=True, remove_pac=True)
- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True)
self._s4u2self(tgt, creds,
- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION),
- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER,
- expect_edata=True)
+ expected_error=KDC_ERR_TGT_REVOKED,
+ expect_edata=False)
def test_user2user_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
+
+ def test_fast_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, remove_pac=True)
+ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
+ expected_sname=self.get_krbtgt_sname())
# Test making a request with authdata and without a PAC.
def test_tgs_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, renewable=True, remove_pac=True,
allow_empty_authdata=True)
- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, invalid=True, remove_pac=True,
allow_empty_authdata=True)
- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
self._s4u2self(tgt, creds,
- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION),
- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER,
- expect_edata=True)
+ expected_error=KDC_ERR_TGT_REVOKED,
+ expect_edata=False)
def test_user2user_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
+
+ def test_fast_authdata_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
+ self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
+ expected_sname=self.get_krbtgt_sname())
# Test changing the SID in the PAC to that of another account.
def test_tgs_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid)
- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid)
- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid)
self._s4u2self(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
def test_user2user_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid)
self._user2user(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
+
+ def test_fast_sid_mismatch_existing(self):
+ creds = self._get_creds()
+ existing_rid = self._get_existing_rid()
+ tgt = self._get_tgt(creds, new_rid=existing_rid)
+ self._fast(tgt, creds,
+ expected_error=KDC_ERR_TGT_REVOKED,
+ expected_sname=self.get_krbtgt_sname())
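Review bot: every new `test_fast_*` method repeats `expected_sname=self.get_krbtgt_sname()` on top of `expected_error`; if the error reply in the FAST case always carries the krbtgt sname, default that inside `_fast` rather than in each caller. The `test_s4u2self_no_pac` and `test_s4u2self_authdata_no_pac` changes (dropping `expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER` and flipping `expect_edata` to False) are what allow the `ntstatus` import removal in this file's first hunk, so the two are consistent. The changeset is truncated at 500 lines, so `_fast` itself and the KDC-side changes under `source4/kdc` and `source4/heimdal/kdc` are not reviewable from this message.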
--
Samba Shared Repository