[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Sun Oct 17 23:41:01 UTC 2021
The branch, master has been updated
via 9d3a6919202 tests/krb5: Add tests for requesting a service ticket without a PAC
via 288355896a2 tests/krb5: Add method to get the PAC from a ticket
via 0dc69c1327f tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
via e086c6193f6 tests/krb5: Allow get_tgt() to request including or omitting a PAC
via d23d8e85935 heimdal:kdc: Fix ticket signing without a PAC
from a7ad665e65f selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:29:26 2021 +1300
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
commit 288355896a2b6f460c42559ec46ff980ab57782e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:25 2021 +1300
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0dc69c1327f72384628a869a00482f6528b8671b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:15 2021 +1300
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:26:40 2021 +1300
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 12:12:30 2021 +1300
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/krb5/kdc_base_test.py | 9 +--
python/samba/tests/krb5/kdc_tgs_tests.py | 120 +++++++++++++++++++++++++++++++
python/samba/tests/krb5/raw_testcase.py | 11 +++
selftest/knownfail_heimdal_kdc | 5 ++
selftest/knownfail_mit_kdc | 5 ++
source4/heimdal/kdc/krb5tgs.c | 6 +-
6 files changed, 150 insertions(+), 6 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 87160f675ae..1fc15315b0b 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1306,9 +1306,9 @@ class KDCBaseTest(RawKerberosTest):
def get_tgt(self, creds, to_rodc=False, kdc_options=None,
expected_flags=None, unexpected_flags=None,
- fresh=False):
+ pac_request=True, expect_pac=True, fresh=False):
user_name = creds.get_username()
- cache_key = (user_name, to_rodc, kdc_options)
+ cache_key = (user_name, to_rodc, kdc_options, pac_request)
if not fresh:
tgt = self.tkt_cache.get(cache_key)
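Review bot: The new `pac_request` and `expect_pac` parameters are inserted ahead of `fresh`, so an existing caller that passes `fresh` positionally as the sixth argument would now silently set `pac_request` instead and receive a cached TGT rather than a fresh one. Either append the new parameters after `fresh` or make the tail keyword-only, e.g. `expected_flags=None, unexpected_flags=None, *,` followed by `pac_request=True, expect_pac=True, fresh=False):`. `expect_pac` is presumably left out of `cache_key` because it only governs the checks done on a fresh fetch; that is worth a one-line comment on the `cache_key` line such as `# expect_pac only affects verification of a fresh fetch, so it is not part of the key`. get_tgt continues past the hunk.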
@@ -1363,7 +1363,7 @@ class KDCBaseTest(RawKerberosTest):
kdc_options=kdc_options,
preauth_key=None,
ticket_decryption_key=ticket_decryption_key,
- pac_request=True,
+ pac_request=pac_request,
pac_options=pac_options,
to_rodc=to_rodc)
self.check_pre_authentication(rep)
@@ -1405,8 +1405,9 @@ class KDCBaseTest(RawKerberosTest):
kdc_options=kdc_options,
preauth_key=preauth_key,
ticket_decryption_key=ticket_decryption_key,
- pac_request=True,
+ pac_request=pac_request,
pac_options=pac_options,
+ expect_pac=expect_pac,
to_rodc=to_rodc)
self.check_as_reply(rep)
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 3075cc6b0a9..9d846a2c3ad 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -23,15 +23,18 @@ import os
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
+import samba.tests.krb5.kcrypto as kcrypto
from samba.tests.krb5.kdc_base_test import KDCBaseTest
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5,
KRB_ERROR,
+ KRB_TGS_REP,
KDC_ERR_BADMATCH,
NT_PRINCIPAL,
NT_SRV_INST,
)
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
global_asn1_print = False
global_hexdump = False
@@ -209,6 +212,123 @@ class KdcTgsTests(KDCBaseTest):
pac_data.account_sid,
"rep = {%s},%s" % (rep, pac_data))
+ def _make_tgs_request(self, client_creds, service_creds, tgt,
+ expect_pac=True):
+ client_account = client_creds.get_username()
+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=[client_account])
+
+ service_account = service_creds.get_username()
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=[service_account])
+
+ realm = service_creds.get_realm()
+
+ expected_crealm = realm
+ expected_cname = cname
+ expected_srealm = realm
+ expected_sname = sname
+
+ expected_supported_etypes = service_creds.tgs_supported_enctypes
+
+ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+
+ kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
+
+ target_decryption_key = self.TicketDecryptionKey_from_creds(
+ service_creds)
+
+ authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
+
+ kdc_exchange_dict = self.tgs_exchange_dict(
+ expected_crealm=expected_crealm,
+ expected_cname=expected_cname,
+ expected_srealm=expected_srealm,
+ expected_sname=expected_sname,
+ expected_supported_etypes=expected_supported_etypes,
+ ticket_decryption_key=target_decryption_key,
+ check_rep_fn=self.generic_check_kdc_rep,
+ check_kdc_private_fn=self.generic_check_kdc_private,
+ expected_error_mode=0,
+ tgt=tgt,
+ authenticator_subkey=authenticator_subkey,
+ kdc_options=kdc_options,
+ expect_pac=expect_pac)
+
+ rep = self._generic_kdc_exchange(kdc_exchange_dict,
+ cname=cname,
+ realm=realm,
+ sname=sname,
+ etypes=etypes)
+ self.check_reply(rep, KRB_TGS_REP)
+
+ return kdc_exchange_dict['rep_ticket_creds']
+
+ def test_request_no_pac(self):
+ client_creds = self.get_client_creds()
+ service_creds = self.get_service_creds()
+
+ tgt = self.get_tgt(client_creds, pac_request=False,
+ expect_pac=False)
+
+ pac = self.get_ticket_pac(tgt, expect_pac=False)
+ self.assertIsNone(pac)
+
+ ticket = self._make_tgs_request(client_creds, service_creds, tgt,
+ expect_pac=False)
+
+ pac = self.get_ticket_pac(ticket, expect_pac=False)
+ self.assertIsNone(pac)
+
+ def test_client_no_auth_data_required(self):
+ client_creds = self.get_cached_creds(
+ machine_account=False,
+ opts={'no_auth_data_required': True})
+ service_creds = self.get_service_creds()
+
+ tgt = self.get_tgt(client_creds)
+
+ pac = self.get_ticket_pac(tgt)
+ self.assertIsNotNone(pac)
+
+ ticket = self._make_tgs_request(client_creds, service_creds, tgt)
+
+ pac = self.get_ticket_pac(ticket)
+ self.assertIsNotNone(pac)
+
+ def test_service_no_auth_data_required(self):
+ client_creds = self.get_client_creds()
+ service_creds = self.get_cached_creds(
+ machine_account=True,
+ opts={'no_auth_data_required': True})
+
+ tgt = self.get_tgt(client_creds)
+
+ pac = self.get_ticket_pac(tgt)
+ self.assertIsNotNone(pac)
+
+ ticket = self._make_tgs_request(client_creds, service_creds, tgt,
+ expect_pac=False)
+
+ pac = self.get_ticket_pac(ticket, expect_pac=False)
+ self.assertIsNone(pac)
+
+ def test_remove_pac(self):
+ client_creds = self.get_client_creds()
+ service_creds = self.get_service_creds()
+
+ tgt = self.modified_ticket(self.get_tgt(client_creds),
+ exclude_pac=True)
+
+ pac = self.get_ticket_pac(tgt, expect_pac=False)
+ self.assertIsNone(pac)
+
+ ticket = self._make_tgs_request(client_creds, service_creds, tgt,
+ expect_pac=False)
+
+ pac = self.get_ticket_pac(ticket, expect_pac=False)
+ self.assertIsNone(pac)
+
if __name__ == "__main__":
global_asn1_print = False
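Review bot: test_remove_pac pins a permissive outcome: a TGT whose PAC has been stripped (done here with the krbtgt key via `modified_ticket(..., exclude_pac=True)`) is accepted by the TGS and yields a PAC-less service ticket, and `_make_tgs_request` hard-codes `expected_error_mode=0`, so there is no way to express the opposite expectation without editing the helper. If the KDC is later hardened to reject TGTs without a PAC this test inverts, so make the expected result explicit, e.g. `def _make_tgs_request(self, client_creds, service_creds, tgt, expect_pac=True, expected_error_mode=0):` and pass it through to `tgs_exchange_dict`. `_make_tgs_request` also has no docstring; a one-liner such as `"""Perform a TGS-REQ with the given TGT and return the decrypted ticket creds, asserting a PAC is present iff expect_pac."""` would help, and test_remove_pac should state in a docstring that it records current behaviour (a PAC-less TGT producing a PAC-less service ticket) rather than endorsing it.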
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index e008223eb23..0790ac13f99 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -3447,6 +3447,15 @@ class RawKerberosTest(TestCaseInTempDir):
_, pac = self.replace_pac(auth_data, None, expect_pac)
return pac
+ def get_ticket_pac(self, ticket, expect_pac=True):
+ auth_data = ticket.ticket_private.get('authorization-data')
+ if expect_pac:
+ self.assertIsNotNone(auth_data)
+ elif auth_data is None:
+ return None
+
+ return self.get_pac(auth_data, expect_pac=expect_pac)
+
def get_krbtgt_checksum_key(self):
krbtgt_creds = self.get_krbtgt_creds()
krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
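Review bot: get_ticket_pac has no docstring and its return contract is slightly subtle: with `expect_pac=False` it returns None only when the ticket has no authorization-data at all, while a ticket that has authorization-data without a PAC element is left to `get_pac` to handle. A docstring such as `"""Return the PAC from a decrypted ticket's authorization-data; with expect_pac=False, return None when the ticket carries no authorization-data and otherwise defer to get_pac."""` would make that explicit. The `assertIsNotNone(auth_data)` could also carry a message naming the ticket, e.g. `self.assertIsNotNone(auth_data, 'ticket has no authorization-data but a PAC was expected')`, so a failure is readable.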
@@ -3530,6 +3539,7 @@ class RawKerberosTest(TestCaseInTempDir):
ticket_decryption_key=None,
pac_request=None,
pac_options=None,
+ expect_pac=True,
to_rodc=False):
def _generate_padata_copy(_kdc_exchange_dict,
@@ -3569,6 +3579,7 @@ class RawKerberosTest(TestCaseInTempDir):
kdc_options=str(kdc_options),
pac_request=pac_request,
pac_options=pac_options,
+ expect_pac=expect_pac,
to_rodc=to_rodc)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 05e9a19220f..5008b998b78 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -87,3 +87,8 @@
# KRB5KRB_ERR_RESPONSE_TOO_BIG in this specific case
#
^samba4.krb5.kdc with machine account.as-req-pac-request.fl2000dc:local
+#
+# TGS tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_service_no_auth_data_required
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 5f87ad47ea3..5c04b677e38 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -256,6 +256,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\)
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\)
#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac\(ad_dc\)
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_service_no_auth_data_required\(ad_dc\)
+#
# MIT currently fails the following MS-KILE tests.
#
^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index d0483a3903b..2de3b099199 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -695,10 +695,12 @@ tgs_make_reply(krb5_context context,
}
/* The PAC should be the last change to the ticket. */
- ret = _krb5_kdc_pac_sign_ticket(context, mspac, tgt_name, serverkey,
- krbtgtkey, rodc_id, add_ticket_sig, &et);
+ if (mspac != NULL) {
+ ret = _krb5_kdc_pac_sign_ticket(context, mspac, tgt_name, serverkey,
+ krbtgtkey, rodc_id, add_ticket_sig, &et);
if (ret)
goto out;
+ }
/* It is somewhat unclear where the etype in the following
encryption should come from. What we have is a session
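Review bot: With the new `if (mspac != NULL)` guard the KDC silently issues a service ticket with no PAC whenever the presented TGT carried none (the accompanying test_remove_pac exercises a TGT with its PAC stripped), and nothing at this point records why that is acceptable; where `mspac` is derived is outside the hunk, so the policy may live there. A comment should state the decision, e.g. `/* mspac is NULL when the TGT carried no PAC; issuing an unsigned, PAC-less ticket is accepted here -- the policy belongs to where mspac is derived */`, hedged against the caller. The context lines `if (ret)` and `goto out;` keep their old indentation inside the new block and should be re-indented one level to match `ret = _krb5_kdc_pac_sign_ticket(...)`. tgs_make_reply starts and ends outside the hunk.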
--