[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Thu Oct 14 19:52:01 UTC 2021


The branch, master has been updated
       via  1d3e118f6f2 s3: smbspool. Remove last use of 'extern char **environ;'.
       via  f6adfefbbb4 krb5: Fix PAC signature leak affecting KDC
       via  02fa69c6c73 s4:kdc: Check ticket signature
       via  3bdce12789a heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
       via  28a5a586c8e s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
       via  91e684f5dcb kdc: correctly generate PAC TGS signature
       via  75d1a7cd14b kdc: use ticket client name when signing PAC
       via  db30b71f798 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
       via  d6a472e9535 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
       via  2773379603a krb5: rework PAC validation loop
       via  2d09de5c41e krb5: allow NULL parameter to krb5_pac_free()
       via  d7b03394a90 kdc: sign ticket using Windows PAC
       via  ccabc7f16cc kdc: remove KRB5SignedPath, to be replaced with PAC
       via  d5002c34ce1 s4/torture: Expect ticket checksum PAC buffer
       via  c14c61748b5 s4:kdc: Fix debugging messages
       via  7149eeaceb4 s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
       via  3dede18c5a1 tests/krb5: Fix duplicate account creation
       via  3948701f1d0 tests/krb5: Allow bypassing cache when creating accounts
       via  1a08399cd81 tests/krb5: Don't include empty AD-IF-RELEVANT
       via  56ccdba54e0 tests/krb5: Add constrained delegation tests
       via  d86eee2fd0f tests/krb5: Verify tickets obtained with get_service_ticket()
       via  bf632217229 tests/krb5: Require ticket checksums if decryption key is available
       via  ae2c57fb033 tests/krb5: Add TKT_SIG_SUPPORT environment variable
       via  40e5db4aabc selftest/dbcheck: Fix up RODC one-way links
       via  ebe72978680 tests/krb5: Fix sha1 checksum type
       via  5233f002000 tests/krb5: Provide clearer assertion messages for test failures
       via  dfd613661ee tests/krb5: Disable debugging output for tests
       via  cf3ca6ac456 tests/krb5: Simplify padata checking
       via  e7c39cc44f2 tests/krb5: Check logon name in PAC
       via  bd22dcd9cc4 tests/krb5: Check padata types when STRICT_CHECKING=0
       via  238f52bad81 tests/krb5: Add environment variable to specify KDC FAST support
       via  72265227e9c tests/krb5: Fix padata checking at functional level 2003
       via  ee2b7e2c77f tests/krb5: Clarify checksum type assertion message
       via  687c8f94c68 tests/krb5: Use correct principal name type
       via  ec4b264bdf9 tests/krb5: Add compatibility tests for ticket checksums
       via  ef24fe982d7 tests/krb5: Add parameter to enforce presence of ticket checksums
       via  248249dc0ac tests/krb5: Supply supported account enctypes in tgs_req()
       via  34020766bb7 tests/krb5: Allow specifying options and expected flags when obtaining a ticket
       via  bb58b4b58c6 tests/krb5: Save account SPN
       via  0e232fa1c9e tests/krb5: Check constrained delegation PAC buffer
       via  aa2e583fdea tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
       via  8e1efd8bd3b heimdal:kdc: Only check for default salt for des-cbc-crc enctype
       via  7cfc225b549 tests/krb5: Add expect_claims parameter to kdc_exchange_dict
       via  ab92dc16d20 tests/krb5: Fix checking for presence of error data
       via  7fba83c6c63 tests/krb5: Remove unneeded parameters from ticket cache key
       via  788b3a29eea tests/krb5: Fix assertElementFlags()
       via  8f6d369d709 tests/krb5: Make expected_sname checking more explicit
       via  012b6fcd197 tests/krb5: Fix status code checking
       via  a4bc712ee02 tests/krb5: Fix handling authdata with missing PAC
       via  dcf45a151a1 tests/krb5: Allow excluding the PAC server checksum
       via  a927cecafdd tests/krb5: Fix checksum generation and verification
       via  ae09219c3a1 tests/krb5: Fix method for creating invalid length zeroed checksum
       via  9d142dc3a45 tests/krb5: Introduce helper method for creating invalid length checksums
       via  cda50b5c505 tests/krb5: Add assertion to make failures clearer
       via  bba8cb8dce1 tests/krb5: Allow created accounts to use resource-based constrained delegation
       via  31817c383c2 tests/krb5: Rename allowed_to_delegate_to parameter for clarity
       via  1fd00135fa4 tests/krb5: Fix PA-PAC-OPTIONS checking
       via  6f1282e8d34 tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
       via  ce433ff868d tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
       via  8e4b2159083 tests/krb5: Remove unused parameter
       via  d501ddca3b7 tests/krb5: Rename method parameter
      from  a9a3555b430 debug: Optimise construction of msg_no_nl

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 1d3e118f6f2274a67cdb8141dc8dade0c571c8f5
Author: Jeremy Allison <jra at samba.org>
Date:   Wed Oct 13 09:46:07 2021 -0700

    s3: smbspool. Remove last use of 'extern char **environ;'.
    
    This should come from lib/replace/replace.h to cope with
    system (MacOSX etc.) differences.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14862
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Thu Oct 14 19:51:59 UTC 2021 on sn-devel-184

commit f6adfefbbb41b9100736134d0f975f1ec0c33c42
Author: Nicolas Williams <nico at twosigma.com>
Date:   Sun Oct 10 21:55:59 2021 -0500

    krb5: Fix PAC signature leak affecting KDC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Cherry-picked from Heimdal commit
     54581d2d52443a9a07ed5980df331f660b397dcf]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 02fa69c6c73c01d82807be4370e838f3e7c66f35
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 16:08:39 2021 +1300

    s4:kdc: Check ticket signature
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3bdce12789af1e7a7aba56691f184625a432410d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:43:41 2021 +1300

    heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
    
    This lets us call it from Samba.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Aug 11 13:27:11 2021 +1200

    s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a
Author: Luke Howard <lukeh at padl.com>
Date:   Thu Sep 23 17:51:51 2021 +1000

    kdc: correctly generate PAC TGS signature
    
    When generating an AS-REQ, the TGS signature was incorrectly generated using
    the server key, which would fail to validate if the server was not also the
    TGS. Fix this.
    
    Patch from Isaac Boukris <iboukris at gmail.com>.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Backported from Heimdal commit
     e7863e2af922809dad25a2e948e98c408944d551
     - Samba's Heimdal version does not have the generate_pac() helper
     function.
     - Samba's Heimdal version does not use the 'r' context variable.
    ]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 75d1a7cd14b134506061ed64ddb9b99856231d2c
Author: Luke Howard <lukeh at padl.com>
Date:   Thu Sep 23 14:39:35 2021 +1000

    kdc: use ticket client name when signing PAC
    
    The principal in the PAC_LOGON_NAME buffer is expected to match the client name
    in the ticket. Previously we were setting this to the canonical client name,
    which would have broken PAC validation if the client did not request name
    canonicalization.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Backported from Heimdal commit
     3b0856cab2b25624deb1f6e0e67637ba96a647ac
     - Renamed variable to avoid shadowing existing variable
    ]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit db30b71f79864a20b38a1f812a5df833f3a92de8
Author: Luke Howard <lukeh at padl.com>
Date:   Sun Jan 6 17:54:58 2019 +1100

    kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Backported from Heimdal commit
     f1dd2b818aa0866960945edea02a6bc782ed697c
     - Removed change to _kdc_find_etype() use_strongest_session_key
     parameter since Samba's Heimdal version uses different logic
    ]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d6a472e953545ec3858ca969c1a4191e4f27ba63
Author: Luke Howard <lukeh at padl.com>
Date:   Fri Sep 17 13:57:57 2021 +1000

    krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
    
    Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
    the checksum is absent or unkeyed.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Cherry-picked from Heimdal commit
    c4b99b48c4b18f30d504b427bc1961d7a71f631e]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2773379603a5a625c5d1c6e62f29c442942ff570
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sun Sep 19 15:16:58 2021 +0300

    krb5: rework PAC validation loop
    
    Avoid allocating the PAC on error.
    
    Closes: #836
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Cherry-picked from Heimdal commit
    6df8be5091363a1c9a9165465ab8292f817bec81]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Sun Sep 19 15:04:14 2021 +0300

    krb5: allow NULL parameter to krb5_pac_free()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Cherry-picked from Heimdal commit
    b295167208a96e68515902138f6ce93972892ec5]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d7b03394a9012960d71489e775d40d10fd6f5232
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Fri Aug 13 12:44:37 2021 +0300

    kdc: sign ticket using Windows PAC
    
    Split Windows PAC signing and verification logic, as the signing has to be when
    the ticket is ready.
    
    Create sign and verify the PAC KDC signature if the plugin did not, allowing
    for S4U2Proxy to work, instead of KRB5SignedPath.
    
    Use the header key to verify PAC server signature, as the same key used to
    encrypt/decrypt the ticket should be used for PAC server signature, like U2U
    tickets are signed with the tgt session-key and not with the longterm key,
    and so krbtgt should be no different and the header key should be used.
    
    Lookup the delegated client in DB instead of passing the delegator DB entry.
    
    Add PAC ticket-signatures and related functions.
    
    Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
    against new KDC will not work if the evidence ticket was acquired from
    an old KDC, and vice versa.
    
    Closes: #767
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Backported from Heimdal commit
     2ffaba9401d19c718764d4bd24180960290238e9
     - Removed tests
     - Adapted to Samba's version of Heimdal
     - Addressed build failures with -O3
     - Added knownfails
    ]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ccabc7f16cca5b0dcb46233e934e708167f1071b
Author: Isaac Boukris <iboukris at gmail.com>
Date:   Mon Dec 28 22:07:10 2020 +0200

    kdc: remove KRB5SignedPath, to be replaced with PAC
    
    KRB5SignedPath was a Heimdal-specific authorization data element used to
    protect the authenticity of evidence tickets when used in constrained
    delegation (without a Windows PAC).
    
    Remove this, to be replaced with the Windows PAC which itself now supports
    signing the entire ticket in the TGS key.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    [jsutton at samba.org Backported from Heimdal commit
     bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
     - Removed tests
     - Removed auditing hook (only present in Heimdal master)
     - Added knownfails
    ]
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:42:29 2021 +1300

    s4/torture: Expect ticket checksum PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit c14c61748b5a2d2a4f4de00615c476fcf381309e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 6 16:40:21 2021 +1300

    s4:kdc: Fix debugging messages
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7149eeaceb426470b1b8181749d2d081c2fb83a4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 16:06:58 2021 +1300

    s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3dede18c5a1801023a60cc55b99022b033428350
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:40:39 2021 +1300

    tests/krb5: Fix duplicate account creation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 3948701f1d0f3ccd06f6dad56ca72833d66b1d84
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:41:35 2021 +1300

    tests/krb5: Allow bypassing cache when creating accounts
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1a08399cd8169a525cc9e7aed99da84ef20e5b9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 12:07:40 2021 +1300

    tests/krb5: Don't include empty AD-IF-RELEVANT
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 56ccdba54e0c7cf3409d8430ea1012e5d3d9b092
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 30 15:03:04 2021 +1300

    tests/krb5: Add constrained delegation tests
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d86eee2fd0fb72e52d878ceba0c476ca58abe6cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 6 16:35:47 2021 +1300

    tests/krb5: Verify tickets obtained with get_service_ticket()
    
    We only require the ticket checksum with Heimdal, because MIT currently
    doesn't add it.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bf63221722903665e7b20991021fb5cdf4e4327e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 5 15:39:11 2021 +1300

    tests/krb5: Require ticket checksums if decryption key is available
    
    We perform this check conditionally, because MIT doesn't currently add
    ticket checksums.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ae2c57fb0332f94ac44d0886c5edbed707ef52fe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 14 16:58:15 2021 +1300

    tests/krb5: Add TKT_SIG_SUPPORT environment variable
    
    This lets us indicate that service tickets should be issued with ticket
    checksums in the PAC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 40e5db4aabcd32834ee524857b77d36921f6bdfe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Oct 13 12:26:22 2021 +1300

    selftest/dbcheck: Fix up RODC one-way links
    
    Test accounts were replicated to the RODC and then deleted, causing
    state links to remain in the database.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ebe729786806c69e95b26ffc410e887e203accb8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 5 16:32:01 2021 +1300

    tests/krb5: Fix sha1 checksum type
    
    Previously, sha1 signatures were being designated as rsa-md5-des3
    signatures.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 5233f002000f196875af488b4f4d1df26fca90de
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 5 19:47:22 2021 +1300

    tests/krb5: Provide clearer assertion messages for test failures
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dfd613661eec4b81e162f2d86a8fa9266c2fdc03
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 11:48:41 2021 +1300

    tests/krb5: Disable debugging output for tests
    
    This reduces the time spent running the tests in a testenv.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cf3ca6ac4567d7c7954ea4ecc8cc9dd5effcc094
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 11 14:49:34 2021 +1300

    tests/krb5: Simplify padata checking
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit e7c39cc44f2e16aecb01c0afc195911a474ef0b9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 11 14:48:03 2021 +1300

    tests/krb5: Check logon name in PAC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bd22dcd9cc4dfda827f892224eb2da4a16564176
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 11 14:45:45 2021 +1300

    tests/krb5: Check padata types when STRICT_CHECKING=0
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 238f52bad811688624e9fd4b1595266e2149094a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Oct 12 11:34:59 2021 +1300

    tests/krb5: Add environment variable to specify KDC FAST support
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 72265227e9c2037b63cdfb01a456a86ac8932f59
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 11 16:15:43 2021 +1300

    tests/krb5: Fix padata checking at functional level 2003
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ee2b7e2c77f021984ec583fa0c4c756979197b0f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 11 14:39:26 2021 +1300

    tests/krb5: Clarify checksum type assertion message
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 687c8f94c68af9f1e44771dfd7219eeb41382bba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Oct 11 14:37:03 2021 +1300

    tests/krb5: Use correct principal name type
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ec4b264bdf9ab64a728212580b344fbf35c3c673
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Oct 14 16:43:05 2021 +1300

    tests/krb5: Add compatibility tests for ticket checksums
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ef24fe982d750a42be81808379b0254d8488c559
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 30 16:53:35 2021 +1300

    tests/krb5: Add parameter to enforce presence of ticket checksums
    
    This allows existing tests to pass before this functionality is
    implemented.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 248249dc0acac89d1495c3572cbd2cbe8bdca362
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 16:52:01 2021 +1300

    tests/krb5: Supply supported account enctypes in tgs_req()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 34020766bb7094d1ab5d4fc4c0ee89ccb81f39f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 16:48:50 2021 +1300

    tests/krb5: Allow specifying options and expected flags when obtaining a ticket
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bb58b4b58c66a6ada79e886dd0c44401e1c5878c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 16:41:23 2021 +1300

    tests/krb5: Save account SPN
    
    This is useful for testing delegation.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 0e232fa1c9e5760ae6b9a99b5e7aa5513b84aa8b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 16:26:54 2021 +1300

    tests/krb5: Check constrained delegation PAC buffer
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit aa2e583fdea4fd93e4e71c54630e32a1035d1e2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 16:15:26 2021 +1300

    tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8e1efd8bd3bf698dc0b6ed2081919f49b1412b53
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Oct 8 15:53:47 2021 +1300

    heimdal:kdc: Only check for default salt for des-cbc-crc enctype
    
    Previously, this algorithm was preferring RC4 over AES for machine
    accounts in the preauth case. This is because AES keys for machine
    accounts in Active Directory use a non-default salt, while RC4 keys do
    not use a salt. To avoid this behaviour, only prefer keys with default
    salt for the des-cbc-crc enctype.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14864
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

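The enctype-selection behaviour described in commit 8e1efd8bd3b above, as an added illustration that is not Samba's or Heimdal's code: a toy model of the preauth key lookup, run against a constructed machine account (AES keys with the non-default Active Directory salt, RC4 key with no salt) and a constructed user account, before and after restricting the default-salt preference to des-cbc-crc. Enctype numbers are the IANA values; the salt strings, account names and the `find_etype` helper are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Kerberos encryption type numbers (RFC 3961 / RFC 3962 / RFC 4757).
ETYPE_DES_CBC_CRC = 1
ETYPE_AES128_CTS_HMAC_SHA1_96 = 17
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
ETYPE_ARCFOUR_HMAC_MD5 = 23


@dataclass
class Key:
    etype: int
    salt: Optional[str]  # None: the enctype does not use a salt (RC4)


def default_salt(realm: str, principal: str) -> str:
    """Default Kerberos salt: realm followed by the principal components."""
    return realm + principal.replace("/", "")


def is_default_salt(key: Key, realm: str, principal: str) -> bool:
    # A saltless key (RC4) has nothing to compare, so it counts as "default",
    # which is exactly why RC4 won over AES for machine accounts.
    return key.salt is None or key.salt == default_salt(realm, principal)


def find_etype(keys: List[Key], client_etypes: List[int], realm: str,
               principal: str, preauth: bool, fixed: bool) -> Optional[Key]:
    """Walk the client's etypes in its preference order and return the first
    usable key. Modelled behaviour: before the fix, preauth skipped every key
    whose salt was not the default; after the fix (fixed=True) that rule only
    applies to des-cbc-crc, so AES keys with AD's machine-account salt win."""
    for etype in client_etypes:
        for key in keys:
            if key.etype != etype:
                continue
            if preauth and not is_default_salt(key, realm, principal):
                if not fixed or etype == ETYPE_DES_CBC_CRC:
                    continue
            return key
    return None


REALM = "EXAMPLE.COM"
# Client preference order: AES256, AES128, then RC4 (constructed).
CLIENT_ETYPES = [ETYPE_AES256_CTS_HMAC_SHA1_96,
                 ETYPE_AES128_CTS_HMAC_SHA1_96,
                 ETYPE_ARCFOUR_HMAC_MD5]

# Constructed machine account WS1$: AD derives its AES keys from the salt
# REALM + "host" + lowercase hostname + "." + lowercase DNS domain, which is
# not the default salt REALM + "WS1$"; the RC4 key has no salt at all.
MACHINE_PRINCIPAL = "WS1$"
MACHINE_KEYS = [
    Key(ETYPE_AES256_CTS_HMAC_SHA1_96, "EXAMPLE.COMhostws1.example.com"),
    Key(ETYPE_AES128_CTS_HMAC_SHA1_96, "EXAMPLE.COMhostws1.example.com"),
    Key(ETYPE_ARCFOUR_HMAC_MD5, None),
]

# Constructed user account whose AES keys use the default salt.
USER_PRINCIPAL = "alice"
USER_KEYS = [
    Key(ETYPE_AES256_CTS_HMAC_SHA1_96, default_salt(REALM, USER_PRINCIPAL)),
    Key(ETYPE_ARCFOUR_HMAC_MD5, None),
]


def selected_etype(keys: List[Key], principal: str, fixed: bool) -> int:
    key = find_etype(keys, CLIENT_ETYPES, REALM, principal,
                     preauth=True, fixed=fixed)
    return key.etype if key is not None else -1


if __name__ == "__main__":
    for fixed in (False, True):
        print("fixed" if fixed else "before fix",
              "machine ->", selected_etype(MACHINE_KEYS, MACHINE_PRINCIPAL, fixed),
              "user ->", selected_etype(USER_KEYS, USER_PRINCIPAL, fixed))
```
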
commit 7cfc225b549108739bd86e222f2f35eb96af4ea3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 16:10:07 2021 +1300

    tests/krb5: Add expect_claims parameter to kdc_exchange_dict
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ab92dc16d20b0996b8c46714652c15019c795095
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 15:48:58 2021 +1300

    tests/krb5: Fix checking for presence of error data
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7fba83c6c6309a525742c38e904d3e473db99ef1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 14:02:37 2021 +1300

    tests/krb5: Remove unneeded parameters from ticket cache key
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 788b3a29eea62f9f38ca8865c7cb7860bdc94bec
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 13:03:49 2021 +1300

    tests/krb5: Fix assertElementFlags()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8f6d369d709614e2f5c0684882c62f0476bcafa2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 13:01:30 2021 +1300

    tests/krb5: Make expected_sname checking more explicit
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 012b6fcd1976c6570e9b92c133d8c21e543e5a4f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 12:16:58 2021 +1300

    tests/krb5: Fix status code checking
    
    The type used to encode the status code is actually KERB-ERROR-DATA,
    rather than PA-DATA.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a4bc712ee02f32c2d04dfc2d99d58931344e5ceb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 12:06:03 2021 +1300

    tests/krb5: Fix handling authdata with missing PAC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit dcf45a151a198f7165cd332a26db78a5d8e8f8c5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 12:03:33 2021 +1300

    tests/krb5: Allow excluding the PAC server checksum
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit a927cecafdd5ad6dc5189fa98cb42684c9c3b033
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:59:42 2021 +1300

    tests/krb5: Fix checksum generation and verification
    
    The KDC and server checksums may be generated using the same key, but
    only the KDC checksum should have an RODCIdentifier. To fix this,
    instead of overriding the existing methods, add additional ones for
    RODC-specific signatures, so that both types of signatures can be
    generated or verified.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ae09219c3a1c6d47817f51baf3784e8986c7478d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:56:21 2021 +1300

    tests/krb5: Fix method for creating invalid length zeroed checksum
    
    Previously the base class method was being used.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 9d142dc3a452b0f06efc66f422402ee6e553ee7c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:54:49 2021 +1300

    tests/krb5: Introduce helper method for creating invalid length checksums
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit cda50b5c505072989abf84c209e16ff4efe2e628
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:52:17 2021 +1300

    tests/krb5: Add assertion to make failures clearer
    
    These failures may occur if tests are not run against an RODC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit bba8cb8dce19e47a7b813efd9a7527e38856435e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:50:36 2021 +1300

    tests/krb5: Allow created accounts to use resource-based constrained delegation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 31817c383c2014224b1397fde610624663313246
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:47:39 2021 +1300

    tests/krb5: Rename allowed_to_delegate_to parameter for clarity
    
    This helps to distinguish resource-based and non-resource-based
    constrained delegation.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1fd00135fa4dff4331d86b228ccc01f834476997
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 30 10:54:33 2021 +1300

    tests/krb5: Fix PA-PAC-OPTIONS checking
    
    Make the check work correctly if bits other than the claims bit are
    specified.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 6f1282e8d34073d8499ce919908b39645b017cb8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 30 10:51:01 2021 +1300

    tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
    
    These padata were not being sent if other FAST padata was not specified.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit ce433ff868d3cdf8e8a6e4995d89d6e036335fb6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:23:17 2021 +1300

    tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 8e4b21590836dab02c1864f6ac12b3879c4bd69c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:16:51 2021 +1300

    tests/krb5: Remove unused parameter
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit d501ddca3b7b9c39c0b3eccf19176e3122cf5b9d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 29 11:16:24 2021 +1300

    tests/krb5: Rename method parameter
    
    For class methods, the name given to the first parameter is generally 'cls'
    rather than 'self'.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/krb5pac.idl                             |   3 +
 .../samba/tests/krb5/as_canonicalization_tests.py  |   4 +-
 python/samba/tests/krb5/as_req_tests.py            |   4 +-
 python/samba/tests/krb5/compatability_tests.py     |  48 +-
 python/samba/tests/krb5/fast_tests.py              |  89 +-
 python/samba/tests/krb5/kcrypto.py                 |   2 +-
 python/samba/tests/krb5/kdc_base_test.py           | 111 ++-
 python/samba/tests/krb5/kdc_tests.py               |   4 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |   7 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  13 +-
 python/samba/tests/krb5/raw_testcase.py            | 603 +++++++------
 python/samba/tests/krb5/rfc4120_constants.py       |  11 +
 python/samba/tests/krb5/rodc_tests.py              |  73 ++
 python/samba/tests/krb5/s4u_tests.py               | 962 ++++++++++++++++++++-
 python/samba/tests/krb5/simple_tests.py            |   4 +-
 python/samba/tests/krb5/test_ccache.py             |   4 +-
 python/samba/tests/krb5/test_ldap.py               |   4 +-
 python/samba/tests/krb5/test_rpc.py                |   4 +-
 python/samba/tests/krb5/test_smb.py                |   4 +-
 python/samba/tests/krb5/xrealm_tests.py            |   4 +-
 python/samba/tests/usage.py                        |   1 +
 selftest/knownfail_heimdal_kdc                     |  23 +-
 selftest/knownfail_mit_kdc                         |  50 ++
 source3/client/smbspool_krb5_wrapper.c             |   5 +-
 source4/heimdal/kdc/kerberos5.c                    | 150 ++--
 source4/heimdal/kdc/krb5tgs.c                      | 650 ++++----------
 source4/heimdal/kdc/windc.c                        |  15 +-
 source4/heimdal/kdc/windc_plugin.h                 |   5 +-
 source4/heimdal/lib/asn1/krb5.asn1                 |  21 -
 source4/heimdal/lib/krb5/authdata.c                | 124 +++
 source4/heimdal/lib/krb5/pac.c                     | 484 +++++++++--
 source4/heimdal/lib/krb5/version-script.map        |   5 +
 source4/heimdal_build/wscript_build                |   2 +-
 source4/kdc/mit_samba.c                            |   7 +-
 source4/kdc/pac-glue.c                             |   5 +-
 source4/kdc/pac-glue.h                             |   3 +-
 source4/kdc/wdc-samba4.c                           | 320 +++++--
 source4/selftest/tests.py                          |  70 +-
 source4/torture/rpc/remote_pac.c                   |  14 +-
 testprogs/blackbox/dbcheck.sh                      |   2 +-
 40 files changed, 2780 insertions(+), 1134 deletions(-)
 create mode 100755 python/samba/tests/krb5/rodc_tests.py
 create mode 100644 source4/heimdal/lib/krb5/authdata.c


Changeset truncated at 500 lines:

diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 3239d7656b6..515150ab9cd 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -113,6 +113,9 @@ interface krb5pac
 		PAC_TYPE_LOGON_NAME = 10,
 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
 		PAC_TYPE_UPN_DNS_INFO = 12,
+		PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+		PAC_TYPE_DEVICE_INFO = 14,
+		PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
 		PAC_TYPE_TICKET_CHECKSUM = 16
 	} PAC_TYPE;
 
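Review bot: the three new PAC_TYPE constants (13, 14, 15) are added without any comment giving the source of the numbering; they fill the gap between PAC_TYPE_UPN_DNS_INFO and PAC_TYPE_TICKET_CHECKSUM with the [MS-PAC] section 2.4 ulType values for client claims, device info and device claims, so a one-line reference next to the entries would make that traceable. Since this hunk adds only the enum values and no corresponding buffer definitions, also confirm that the PAC buffer union handles these types through its existing default arm rather than failing to unmarshal a PAC that carries them.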
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index 29d8cf418f5..9538d0ae3cf 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -427,8 +427,8 @@ class KerberosASCanonicalizationTests(KDCBaseTest):
 
 
 if __name__ == "__main__":
-    global_asn1_print = True
-    global_hexdump = True
+    global_asn1_print = False
+    global_hexdump = False
     import unittest
 
     unittest.main()
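Review bot: flipping global_asn1_print and global_hexdump to False here is repeated verbatim in as_req_tests.py and compatability_tests.py further down in this same patch; rather than editing the `if __name__ == "__main__":` block of every test module, consider having the shared base class read these debug defaults from one place (for example an environment variable) so verbose ASN.1 and hexdump output can be turned on for a single run without touching the files.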
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 8d9b90fee69..7d7baaebf24 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -198,8 +198,8 @@ class AsReqKerberosTests(KDCBaseTest):
         self.assertIsNotNone(as_rep)
 
 if __name__ == "__main__":
-    global_asn1_print = True
-    global_hexdump = True
+    global_asn1_print = False
+    global_hexdump = False
     import unittest
     unittest.main()
 
diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py
index cd67549212a..ed2dc565b6d 100755
--- a/python/samba/tests/krb5/compatability_tests.py
+++ b/python/samba/tests/krb5/compatability_tests.py
@@ -23,7 +23,7 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
     AES128_CTS_HMAC_SHA1_96,
@@ -50,7 +50,7 @@ MIT_ENC_AS_REP_PART_TYPE_TAG = 0x7A
 ENC_PA_REP_FLAG = 0x00010000
 
 
-class SimpleKerberosTests(RawKerberosTest):
+class SimpleKerberosTests(KDCBaseTest):
 
     def setUp(self):
         super(SimpleKerberosTests, self).setUp()
@@ -120,6 +120,46 @@ class SimpleKerberosTests(RawKerberosTest):
             self.fail(
                 "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption")
 
+    def test_heimdal_ticket_signature(self):
+        # Ensure that a DC correctly issues tickets signed with its krbtgt key.
+        user_creds = self.get_client_creds()
+        target_creds = self.get_service_creds()
+
+        krbtgt_creds = self.get_krbtgt_creds()
+        key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+        # Get a TGT from the DC.
+        tgt = self.get_tgt(user_creds)
+
+        # Ensure the PAC contains the expected checksums.
+        self.verify_ticket(tgt, key)
+
+        # Get a service ticket from the DC.
+        service_ticket = self.get_service_ticket(tgt, target_creds)
+
+        # Ensure the PAC contains the expected checksums.
+        self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
+
+    def test_mit_ticket_signature(self):
+        # Ensure that a DC does not issue tickets signed with its krbtgt key.
+        user_creds = self.get_client_creds()
+        target_creds = self.get_service_creds()
+
+        krbtgt_creds = self.get_krbtgt_creds()
+        key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+        # Get a TGT from the DC.
+        tgt = self.get_tgt(user_creds)
+
+        # Ensure the PAC contains the expected checksums.
+        self.verify_ticket(tgt, key)
+
+        # Get a service ticket from the DC.
+        service_ticket = self.get_service_ticket(tgt, target_creds)
+
+        # Ensure the PAC does not contain the expected checksums.
+        self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
+
     def as_pre_auth_req(self, creds, etypes):
         user = creds.get_username()
         realm = creds.get_realm()
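Review bot: test_heimdal_ticket_signature and test_mit_ticket_signature are identical apart from the final `expect_ticket_checksum=` argument, and they encode opposite expectations for the same exchange, so exactly one of them must fail on any given KDC and the outcome depends on the knownfail lists that this patch also touches. A single test that chooses the expected value from the KDC under test, or skips the inapplicable variant, would be clearer than relying on knownfail. The comment in the MIT variant is also misleading: "Ensure the PAC does not contain the expected checksums" reads as if the test wants missing signatures in general, whereas only the ticket checksum buffer is absent; reword it to "Ensure the PAC does not contain a ticket checksum", and likewise "does not issue tickets signed with its krbtgt key" should say that the service ticket carries no ticket signature, since the TGT is still verified with the krbtgt key two lines earlier.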
@@ -221,7 +261,7 @@ class SimpleKerberosTests(RawKerberosTest):
 
 
 if __name__ == "__main__":
-    global_asn1_print = True
-    global_hexdump = True
+    global_asn1_print = False
+    global_hexdump = False
     import unittest
     unittest.main()
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index 5f396542d18..66cbf23978a 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -43,6 +43,7 @@ from samba.tests.krb5.rfc4120_constants import (
     KRB_AS_REP,
     KRB_TGS_REP,
     NT_PRINCIPAL,
+    NT_SRV_HST,
     NT_SRV_INST,
     PADATA_FX_COOKIE,
     PADATA_FX_FAST,
@@ -99,11 +100,7 @@ class FAST_Tests(KDCBaseTest):
         ])
 
     def test_simple_no_sname(self):
-        krbtgt_creds = self.get_krbtgt_creds()
-        krbtgt_username = krbtgt_creds.get_username()
-        krbtgt_realm = krbtgt_creds.get_realm()
-        expected_sname = self.PrincipalName_create(
-            name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+        expected_sname = self.get_krbtgt_sname()
 
         self._run_test_sequence([
             {
@@ -111,16 +108,13 @@ class FAST_Tests(KDCBaseTest):
                 'expected_error_mode': (KDC_ERR_GENERIC, KDC_ERR_S_PRINCIPAL_UNKNOWN),
                 'use_fast': False,
                 'sname': None,
-                'expected_sname': expected_sname
+                'expected_sname': expected_sname,
+                'expect_edata': False
             }
         ])
 
     def test_simple_tgs_no_sname(self):
-        krbtgt_creds = self.get_krbtgt_creds()
-        krbtgt_username = krbtgt_creds.get_username()
-        krbtgt_realm = krbtgt_creds.get_realm()
-        expected_sname = self.PrincipalName_create(
-            name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+        expected_sname = self.get_krbtgt_sname()
 
         self._run_test_sequence([
             {
@@ -129,16 +123,13 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': False,
                 'gen_tgt_fn': self.get_user_tgt,
                 'sname': None,
-                'expected_sname': expected_sname
+                'expected_sname': expected_sname,
+                'expect_edata': False
             }
         ])
 
     def test_fast_no_sname(self):
-        krbtgt_creds = self.get_krbtgt_creds()
-        krbtgt_username = krbtgt_creds.get_username()
-        krbtgt_realm = krbtgt_creds.get_realm()
-        expected_sname = self.PrincipalName_create(
-            name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+        expected_sname = self.get_krbtgt_sname()
 
         self._run_test_sequence([
             {
@@ -153,11 +144,7 @@ class FAST_Tests(KDCBaseTest):
         ])
 
     def test_fast_tgs_no_sname(self):
-        krbtgt_creds = self.get_krbtgt_creds()
-        krbtgt_username = krbtgt_creds.get_username()
-        krbtgt_realm = krbtgt_creds.get_realm()
-        expected_sname = self.PrincipalName_create(
-            name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
+        expected_sname = self.get_krbtgt_sname()
 
         self._run_test_sequence([
             {
@@ -172,6 +159,8 @@ class FAST_Tests(KDCBaseTest):
         ])
 
     def test_fast_inner_no_sname(self):
+        expected_sname = self.get_krbtgt_sname()
+
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
@@ -181,11 +170,14 @@ class FAST_Tests(KDCBaseTest):
                 'gen_armor_tgt_fn': self.get_mach_tgt,
                 'inner_req': {
                     'sname': None  # should be ignored
-                }
+                },
+                'expected_sname': expected_sname
             }
         ])
 
     def test_fast_tgs_inner_no_sname(self):
+        expected_sname = self.get_krbtgt_sname()
+
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
@@ -195,7 +187,8 @@ class FAST_Tests(KDCBaseTest):
                 'fast_armor': None,
                 'inner_req': {
                     'sname': None  # should be ignored
-                }
+                },
+                'expected_sname': expected_sname
             }
         ])
 
@@ -216,6 +209,7 @@ class FAST_Tests(KDCBaseTest):
                 'expected_error_mode': KDC_ERR_NOT_US,
                 'use_fast': False,
                 'gen_tgt_fn': self.get_user_service_ticket,
+                'expect_edata': False
             }
         ])
 
@@ -226,6 +220,7 @@ class FAST_Tests(KDCBaseTest):
                 'expected_error_mode': KDC_ERR_NOT_US,
                 'use_fast': False,
                 'gen_tgt_fn': self.get_mach_service_ticket,
+                'expect_edata': False
             }
         ])
 
@@ -338,7 +333,8 @@ class FAST_Tests(KDCBaseTest):
                 'expected_error_mode': KDC_ERR_ETYPE_NOSUPP,
                 'use_fast': False,
                 'gen_tgt_fn': self.get_mach_tgt,
-                'etypes': ()
+                'etypes': (),
+                'expect_edata': False
             }
         ])
 
@@ -386,7 +382,8 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': True,
                 'gen_fast_fn': self.generate_empty_fast,
                 'fast_armor': None,
-                'gen_armor_tgt_fn': self.get_mach_tgt
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'expect_edata': False
             }
         ])
 
@@ -409,7 +406,8 @@ class FAST_Tests(KDCBaseTest):
                 'expected_error_mode': KDC_ERR_GENERIC,
                 'use_fast': True,
                 'fast_armor': None,  # no armor,
-                'gen_armor_tgt_fn': self.get_mach_tgt
+                'gen_armor_tgt_fn': self.get_mach_tgt,
+                'expect_edata': False
             }
         ])
 
@@ -868,11 +866,14 @@ class FAST_Tests(KDCBaseTest):
                 # should be KRB_APP_ERR_MODIFIED
                 'use_fast': False,
                 'gen_authdata_fn': self.generate_fast_used_auth_data,
-                'gen_tgt_fn': self.get_user_tgt
+                'gen_tgt_fn': self.get_user_tgt,
+                'expect_edata': False
             }
         ])
 
     def test_fast_ad_fx_fast_armor(self):
+        expected_sname = self.get_krbtgt_sname()
+
         # If the authenticator or TGT authentication data contains the
         # AD-fx-fast-armor authdata type, the KDC must reject the request
         # (RFC6113 5.4.1.1).
@@ -892,7 +893,9 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': True,
                 'gen_authdata_fn': self.generate_fast_armor_auth_data,
                 'gen_tgt_fn': self.get_user_tgt,
-                'fast_armor': None
+                'fast_armor': None,
+                'expected_sname': expected_sname,
+                'expect_edata': False
             }
         ])
 
@@ -920,6 +923,8 @@ class FAST_Tests(KDCBaseTest):
         ])
 
     def test_fast_ad_fx_fast_armor_ticket(self):
+        expected_sname = self.get_krbtgt_sname()
+
         # If the authenticator or TGT authentication data contains the
         # AD-fx-fast-armor authdata type, the KDC must reject the request
         # (RFC6113 5.4.2).
@@ -939,7 +944,9 @@ class FAST_Tests(KDCBaseTest):
                 'expected_error_mode': KDC_ERR_GENERIC,
                 'use_fast': True,
                 'gen_tgt_fn': self.gen_tgt_fast_armor_auth_data,
-                'fast_armor': None
+                'fast_armor': None,
+                'expected_sname': expected_sname,
+                'expect_edata': False
             }
         ])
 
@@ -999,6 +1006,8 @@ class FAST_Tests(KDCBaseTest):
         ])
 
     def test_fast_tgs_no_subkey(self):
+        expected_sname = self.get_krbtgt_sname()
+
         # Show that omitting the subkey in the TGS-REQ authenticator fails
         # (RFC6113 5.4.2).
         self._run_test_sequence([
@@ -1008,7 +1017,9 @@ class FAST_Tests(KDCBaseTest):
                 'use_fast': True,
                 'gen_tgt_fn': self.get_user_tgt,
                 'fast_armor': None,
-                'include_subkey': False
+                'include_subkey': False,
+                'expected_sname': expected_sname,
+                'expect_edata': False
             }
         ])
 
@@ -1175,7 +1186,7 @@ class FAST_Tests(KDCBaseTest):
         target_realm = target_creds.get_realm()
         target_service = 'host'
         target_sname = self.PrincipalName_create(
-            name_type=NT_SRV_INST, names=[target_service, target_username])
+            name_type=NT_SRV_HST, names=[target_service, target_username])
         target_decryption_key = self.TicketDecryptionKey_from_creds(
             target_creds)
         target_etypes = target_creds.tgs_supported_enctypes
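Review bot: the change of the `host/<name>` sname from NT_SRV_INST to NT_SRV_HST is a correctness fix (RFC 4120 uses NT-SRV-HST for host-based service principals) that is easy to miss among the expected_sname and expect_edata changes in this file; it deserves a sentence in the commit message, and the krbtgt snames elsewhere in the file correctly keep NT_SRV_INST, so a short comment at this line saying why this one differs would prevent a later "cleanup" from reverting it.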
@@ -1259,6 +1270,10 @@ class FAST_Tests(KDCBaseTest):
             else:
                 tgt_cname = client_cname
 
+            expect_edata = kdc_dict.pop('expect_edata', None)
+            if expect_edata is not None:
+                self.assertTrue(expected_error_mode)
+
             expected_cname = kdc_dict.pop('expected_cname', tgt_cname)
             expected_anon = kdc_dict.pop('expected_anon',
                                          False)
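Review bot: `self.assertTrue(expected_error_mode)` guards that expect_edata is only used on an error path, but a bare assertTrue gives no explanation when it trips; pass a `msg=` such as "expect_edata requires expected_error_mode" so a misconfigured test dict is diagnosed immediately. Every dict in this patch sets `'expect_edata': False`, and nothing in the file says why the KDC is expected to omit e-data for those particular errors, so a comment at the pop() documenting which error responses carry no e-data (and therefore why the default stays None) would help the next person adding a test.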
@@ -1355,10 +1370,10 @@ class FAST_Tests(KDCBaseTest):
 
             expected_flags = kdc_dict.pop('expected_flags', None)
             if expected_flags is not None:
-                expected_flags = krb5_asn1.KDCOptions(expected_flags)
+                expected_flags = krb5_asn1.TicketFlags(expected_flags)
             unexpected_flags = kdc_dict.pop('unexpected_flags', None)
             if unexpected_flags is not None:
-                unexpected_flags = krb5_asn1.KDCOptions(unexpected_flags)
+                unexpected_flags = krb5_asn1.TicketFlags(unexpected_flags)
 
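Review bot: replacing krb5_asn1.KDCOptions with krb5_asn1.TicketFlags for expected_flags and unexpected_flags is a behaviour change, not a refactor: the two BIT STRING types have different named bits, so the expected-flag strings are now resolved against the ticket flag names they are actually compared with. Nothing in this file, and no commit message visible in this changeset, explains it; it should be called out explicitly (ideally as its own commit) so that the fix is not lost in the expect_edata plumbing around it.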
             if rep_type == KRB_AS_REP:
                 kdc_exchange_dict = self.as_exchange_dict(
@@ -1393,7 +1408,8 @@ class FAST_Tests(KDCBaseTest):
                     inner_req=inner_req,
                     outer_req=outer_req,
                     pac_request=True,
-                    pac_options=pac_options)
+                    pac_options=pac_options,
+                    expect_edata=expect_edata)
             else:  # KRB_TGS_REP
                 kdc_exchange_dict = self.tgs_exchange_dict(
                     expected_crealm=expected_crealm,
@@ -1426,7 +1442,8 @@ class FAST_Tests(KDCBaseTest):
                     inner_req=inner_req,
                     outer_req=outer_req,
                     pac_request=None,
-                    pac_options=pac_options)
+                    pac_options=pac_options,
+                    expect_edata=expect_edata)
 
             repeat = kdc_dict.pop('repeat', 1)
             for _ in range(repeat):
diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py
index 4a4a12a66d4..4bf38d3c36b 100755
--- a/python/samba/tests/krb5/kcrypto.py
+++ b/python/samba/tests/krb5/kcrypto.py
@@ -81,8 +81,8 @@ class Cksumtype(object):
     MD4_DES = 3
     MD5 = 7
     MD5_DES = 8
-    SHA1 = 9
     SHA1_DES3 = 12
+    SHA1 = 14
     SHA1_AES128 = 15
     SHA1_AES256 = 16
     HMAC_MD5 = -138
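Review bot: changing SHA1 from 9 to 14 is correct per the RFC 3961 checksum type table (14 is "sha1 (unkeyed)"; 9 is rsa-md5-des3), and moving the line below SHA1_DES3 keeps the list in numeric order, but the table carries no references at all; a comment citing RFC 3961 section 8 next to this entry would stop someone from "fixing" it back to 9, and it is worth noting in the same comment that RFC 3961 also registers 10 as an unkeyed sha1 type.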
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index b71ae66bf54..87160f675ae 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -285,6 +285,7 @@ class KDCBaseTest(RawKerberosTest):
         else:
             creds.set_workstation('')
         creds.set_dn(ldb.Dn(samdb, dn))
+        creds.set_spn(spn)
         #
         # Save the account name so it can be deleted in tearDownClass
         self.accounts.add(dn)
@@ -294,11 +295,37 @@ class KDCBaseTest(RawKerberosTest):
         res = samdb.search(base=dn,
                            scope=ldb.SCOPE_BASE,
                            attrs=['msDS-KeyVersionNumber'])
-        kvno = int(res[0]['msDS-KeyVersionNumber'][0])
-        creds.set_kvno(kvno)
+        kvno = res[0].get('msDS-KeyVersionNumber', idx=0)
+        if kvno is not None:
+            self.assertEqual(int(kvno), 1)
+        creds.set_kvno(1)
 
         return (creds, dn)
 
+    def get_security_descriptor(self, dn):
+        samdb = self.get_samdb()
+
+        sid = self.get_objectSid(samdb, dn)
+
+        owner_sid = security.dom_sid(security.SID_BUILTIN_ADMINISTRATORS)
+
+        ace = security.ace()
+        ace.access_mask = security.SEC_ADS_GENERIC_ALL
+
+        ace.trustee = security.dom_sid(sid)
+
+        dacl = security.acl()
+        dacl.revision = security.SECURITY_ACL_REVISION_ADS
+        dacl.aces = [ace]
+        dacl.num_aces = 1
+
+        security_desc = security.descriptor()
+        security_desc.type |= security.SEC_DESC_DACL_PRESENT
+        security_desc.owner_sid = owner_sid
+        security_desc.dacl = dacl
+
+        return ndr_pack(security_desc)
+
     def create_rodc(self, ctx):
         ctx.nc_list = [ctx.base_dn, ctx.config_dn, ctx.schema_dn]
         ctx.full_nc_list = [ctx.base_dn, ctx.config_dn, ctx.schema_dn]
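Review bot: `creds.set_kvno(1)` now hard-codes the key version regardless of what the directory says, with the search result only used to assert that msDS-KeyVersionNumber is 1 when present; a comment should state why the attribute can be absent for a freshly created account and why 1 is the right value in that case, since a silent assumption here will turn into confusing KDC_ERR failures if account creation ever bumps the kvno. For get_security_descriptor, the method has no docstring and its purpose (a descriptor granting GENERIC_ALL to the object's own SID, owned by BUILTIN\Administrators) is only inferable from the body; add a docstring naming what it is built for, and set `ace.type` and `ace.flags` explicitly rather than relying on the default-initialised values, so the access-allowed semantics are visible at the call site.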
@@ -564,6 +591,7 @@ class KDCBaseTest(RawKerberosTest):
                            scope=ldb.SCOPE_BASE,
                            attrs=[group_attr])
         orig_msg = res[0]
+        self.assertIn(group_attr, orig_msg)
 
         members = list(orig_msg[group_attr])
         members.append(account_dn)
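Review bot: `self.assertIn(group_attr, orig_msg)` gives a clearer failure than the KeyError that `orig_msg[group_attr]` would raise, but it also means that adding the first member to a group whose member attribute is currently absent fails; if that case is meant to be supported, use `orig_msg.get(group_attr, [])` for `members` instead of asserting, and if it is not, give the assertion a `msg=` explaining that the helper only appends to a non-empty group.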
@@ -582,7 +610,8 @@ class KDCBaseTest(RawKerberosTest):
 
     def get_cached_creds(self, *,
                          machine_account,
-                         opts=None):
+                         opts=None,
+                         use_cache=True):
         if opts is None:
             opts = {}
 
@@ -596,7 +625,8 @@ class KDCBaseTest(RawKerberosTest):
             'no_auth_data_required': False,
             'supported_enctypes': None,
             'not_delegated': False,
-            'allowed_to_delegate_to': None,
+            'delegation_to_spn': None,
+            'delegation_from_dn': None,
             'trusted_to_auth_for_delegation': False,
             'fast_support': False
         }
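Review bot: renaming the opts key from 'allowed_to_delegate_to' to 'delegation_to_spn' (and adding 'delegation_from_dn') is a silent API change for an options dict: unless unknown keys are rejected further down, a caller still passing the old name gets an account with no delegation configured and a test that passes for the wrong reason. Add an assertion that the supplied opts keys are a subset of the defaults dict so stale callers fail loudly.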
@@ -609,9 +639,13 @@ class KDCBaseTest(RawKerberosTest):
 
         cache_key = tuple(sorted(account_opts.items()))
 


-- 
Samba Shared Repository