[SCM] Samba Shared Repository - branch v4-15-test updated
Stefan Metzmacher
metze at samba.org
Mon Oct 25 13:06:01 UTC 2021
The branch, v4-15-test has been updated
via 753e0dfc6c9 lib/krb5_wrap: Fix missing error check in new salt code
via c72b210cdca dsdb: Allow special chars like "@" in samAccountName when generating the salt
via b1dbaecb2ec tests/krb5: Add tests for account salt calculation
via 798ac7ff1ba tests/krb5: Fix account salt calculation to match Windows
via fcd11a480e7 tests/krb5: Allow specifying the UPN for test accounts
via 8c0296c8956 tests/krb5: Allow creating machine accounts without a trailing dollar
via 4cedeb32538 tests/krb5: Allow specifying prefix or suffix for test account names
via cd1b3cbce50 tests/krb5: Decrease length of test account prefix
via 3affd02a83a selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
via 057e6d872db selftest/Samba3: remove unused close(USERMAP); calls
via f901e3dc08c waf: Allow building with MIT KRB5 >= 1.20
via 28630a31be8 selftest: Improve error handling and perl style when setting up users in Samba4.pm
via cd04ce50ac3 selftest: Remove duplicate setup of $base_dn and $ldbmodify
via 175dde8ab48 pytest: s3_net_join: avoid name clash
via 63e688099b4 selftest: krb5 account creation: clarify account type as an enum
via c4b15874037 pytest: dynamic tests optionally add __doc__
via e17d54554c9 selftest: Increase account lockout windows to make test more realiable
via 140ec12e25e pytest/rodc_rwdc: try to avoid race.
via dc768d84f02 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
via a7dcff14bdd tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
via 54d9b9e0406 tests/krb5: Ensure PAC is not present if expect_pac is false
via 19e770f04ea kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
via 30b2a47af03 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
via ce53ffc660e tests/krb5: Add tests for requesting a service ticket without a PAC
via 3f89f5d3e09 tests/krb5: Add method to get the PAC from a ticket
via 3c2cf8200d2 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
via 34e3b8e09f4 tests/krb5: Allow get_tgt() to request including or omitting a PAC
via bab70b995a1 heimdal:kdc: Fix ticket signing without a PAC
via af42d3fa44c selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
via 9a25efd54aa gitlab-ci: Do not download artifacts of unrelated builds
via 64f81e2e589 gitlab-ci: Do not retry for job_execution_timeout
via 2cf612f8096 krb5: Fix PAC signature leak affecting KDC
via 276820695a9 s4:kdc: Check ticket signature
via 1d764175725 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
via 03ababc0de6 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
via e735b36fcc1 kdc: correctly generate PAC TGS signature
via 329054bc433 kdc: use ticket client name when signing PAC
via 4cdcbc761c3 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
via 7df64eb0189 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
via 764c7d74090 krb5: rework PAC validation loop
via 060abb2f1b4 krb5: allow NULL parameter to krb5_pac_free()
via 4b2890412c9 kdc: sign ticket using Windows PAC
via 79278289cf3 kdc: remove KRB5SignedPath, to be replaced with PAC
via 2e20aefce2c s4/torture: Expect ticket checksum PAC buffer
via 8ba2b8aef8a s4:kdc: Fix debugging messages
via 9edf3d6d810 s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
via d8871802eb2 tests/krb5: Fix duplicate account creation
via 7b8d569aefc tests/krb5: Allow bypassing cache when creating accounts
via f90bc484f49 tests/krb5: Don't include empty AD-IF-RELEVANT
via bc71b3c179d tests/krb5: Add constrained delegation tests
via 571991a319c tests/krb5: Verify tickets obtained with get_service_ticket()
via 6b5a223e42f tests/krb5: Require ticket checksums if decryption key is available
via 904e0855c86 tests/krb5: Add TKT_SIG_SUPPORT environment variable
via f7e487fc4d0 selftest/dbcheck: Fix up RODC one-way links
via 5284920767d tests/krb5: Fix sha1 checksum type
via e7f75340b62 tests/krb5: Provide clearer assertion messages for test failures
via 25895e26fc4 tests/krb5: Disable debugging output for tests
via 41e4c3a8ae1 tests/krb5: Simplify padata checking
via 5f07249a6b8 tests/krb5: Check logon name in PAC
via c2a5111e71f tests/krb5: Check padata types when STRICT_CHECKING=0
via cdef6a8416c tests/krb5: Add environment variable to specify KDC FAST support
via 0f4886d4db2 tests/krb5: Fix padata checking at functional level 2003
via 7b44f8db99d tests/krb5: Clarify checksum type assertion message
via fe35ca21cfc tests/krb5: Use correct principal name type
via 5fca67c7188 tests/krb5: Add compatability tests for ticket checksums
via 53d4a46fcd2 tests/krb5: Add parameter to enforce presence of ticket checksums
via 41cbe50ac93 tests/krb5: Supply supported account enctypes in tgs_req()
via ea64b0fde2f tests/krb5: Allow specifying options and expected flags when obtaining a ticket
via e35ae2d57d8 tests/krb5: Save account SPN
via d4404ecb951 tests/krb5: Check constrained delegation PAC buffer
via 5a43b4ec548 tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
via eea7988e67f tests/krb5: Add expect_claims parameter to kdc_exchange_dict
via 4955aacc2ea tests/krb5: Fix checking for presence of error data
via 768e7ec7734 tests/krb5: Remove unneeded parameters from ticket cache key
via 71b3142aba7 tests/krb5: Fix assertElementFlags()
via c4580eb131b tests/krb5: Make expected_sname checking more explicit
via 97be9339ca2 tests/krb5: Fix status code checking
via e7dbc8e26e6 tests/krb5: Fix handling authdata with missing PAC
via 7cb8c699284 tests/krb5: Allow excluding the PAC server checksum
via ae1bada6c1b tests/krb5: Fix checksum generation and verification
via b09fd767916 tests/krb5: Fix method for creating invalid length zeroed checksum
via fccb0a6ecbc tests/krb5: Introduce helper method for creating invalid length checksums
via db559680c42 tests/krb5: Add assertion to make failures clearer
via bfccdc3827f tests/krb5: Allow created accounts to use resource-based constrained delegation
via e6eca4a04ee tests/krb5: Rename allowed_to_delegate_to parameter for clarity
via 825aef9f8c7 tests/krb5: Fix PA-PAC-OPTIONS checking
via e669b561b8b tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
via 9b781f1ca03 tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
via eaf9f8d9ebe tests/krb5: Remove unused parameter
via a1228650b68 tests/krb5: Rename method parameter
via 1c1c1a04991 .gitlab-ci: Avoid duplicate CI on all merge requests
via 60419689f3e .gitlab-ci.yml: Restore building most of our jobs
via 2c36f7c67ed .gitlab-ci: Increase build timeout
via 44ad4dc8b77 .gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
via aa08c5cfbf7 tests/krb5: Add classes for testing invalid checksums
via 2988bc51788 tests/krb5: Add method to determine if principal is krbtgt
via 5ec45f3068a tests/krb5: Verify checksums of tickets obtained from the KDC
via 6270587045f tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
via 50a5116cff2 tests/krb5: Simplify account creation
via 7dba3ae4b59 tests/krb5: Provide ticket enc-part key to tgs_req()
via 2ef8022937f tests/krb5: Fix checking for presence of authorization data
via 3787c21f2b7 tests/krb5: Add method to get DC credentials
via 8eda339691a tests/krb5: Allow tgs_req() to check the returned ticket enc-part
via 0da5e1029ec tests/krb5: Set key version number for all accounts created with create_account()
via 8ff67351802 tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
via 2bfcb3f6b00 tests/krb5: Get supported enctypes for credentials from database
via 320847972df tests/krb5: Add methods to convert between enctypes and bitfields
via 73f27f9ddb0 tests/krb5: Make get_default_enctypes() return a set of enctype constants
via 8ab6d2f0bdd tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
via 53b793b9e7c tests/krb5: Add method for modifying a ticket and creating PAC checksums
via eed5b13f4af tests/krb5: Add method to verify ticket PAC checksums
via 6fe3f55476b tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
via f817cbc6815 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
via 182bf696e32 tests/krb5: Cache obtained tickets
via 0cad7ba2032 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
via 5125f9c1a1b tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
via 1e44488b58d tests/krb5: Allow get_tgt() to specify expected and unexpected flags
via cfb16b40c74 tests/krb5: Allow get_tgt() to specify different kdc-options
via 3022340bf22 tests/krb5: Allow get_tgt() to get tickets from the RODC
via 8416eb2a884 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
via ca0123d86a4 tests/krb5: Set DN of created accounts to ldb.Dn type
via 56a567be0e4 tests/krb5: Don't manually create PAC request and options in fast_tests
via 278eff6115f tests/krb5: Use PAC buffer type constants from krb5pac.idl
via c8a724118e6 tests/krb5: Allow as_req() to specify different kdc-options
via 3c77ef9dbb5 tests/krb5: Allow tgs_req() to send requests to the RODC
via 063f1cbdbe7 tests/krb5: Allow tgs_req() to specify different kdc-options
via e4b278566af tests/krb5: Allow tgs_req() to send additional padata
via 3e3d205df7c tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
via cba0b1a6c48 tests/krb5: Check correct flags element
via 159d451d817 tests/krb5: Add helper method for modifying PACs
via 77227799d98 python/join: Check for correct msDS-KrbTgtLink attribute
via c8bb7750c86 python: Don't leak file handles
via 7b6a5c97092 tests/krb5: Allow replicating accounts to the created RODC
via f2d6361dc33 tests/krb5: Create RODC account for testing
via b0339d5a1a8 tests/krb5: Allow replicating accounts to the RODC
via d413e7d79a3 tests/krb5: Add get_secrets() method to get the secret attributes of a DN
via 56f49f117bf tests/krb5: Add method to get RODC krbtgt credentials
via f730c68834c tests/krb5: Sign-extend kvno from 32-bit integer
via 2af3293f67d tests/krb5: Generate padata for FAST tests
via 1d2d30748a9 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
via f44a5b984b7 tests/krb5: Get encpart decryption key from kdc_exchange_dict
via 336725dc79f tests/krb5: Get expected cname from TGT for TGS-REQ messages
via bc7bdc5b7e0 tests/krb5: Allow specifying status code to be checked
via 01b16673af8 tests/krb5: Create testing accounts in appropriate containers
via 2bf5265847d tests/krb5: Check for presence of 'key-expiration' element
via 6f04bd793ec tests/krb5: Check 'caddr' element
via 9ff47e13441 tests/krb5: Check for presence of 'renew-till' element
via a1face49c70 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
via 5a546788f45 tests/krb5: Make time assertion less strict
via 22e1b694879 tests/krb5: Allow specifying ticket flags expected to be set or reset
via 53336347494 tests/krb5: Remove magic constants
via 6bf8e3cb537 tests/krb5: Don't create PAC request or options manually in fast_tests
via 2c1a8950b5e tests/krb5: Don't create PAC request manually in as_req_tests
via f6c3497e9f9 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
via 138ac8a3a70 tests/krb5: Move padata generation methods to base class
via ebecaf715d3 tests/krb5: Keep track of account DN in credentials object
via b8485a79791 tests/krb5: Allow specifying additional User Account Control flags for account
via 4f47721d599 tests/krb5: Allow specifying an OU to create accounts in
via dda665b918b tests/krb5: Replace expected_cname_private with expected_anon parameter
via 31e990533c1 tests/krb5: Use more compact dict lookup
via 6df25780147 tests/krb5: Add KDCOptions flag for constrained delegation
via c625e16ffa6 tests/krb5: Use signed integers to represent key version numbers in ASN.1
via 7bb3ac920f9 tests/krb5: Add methods to obtain the length of checksum types
via a08b603d822 tests/krb5: Calculate expected salt if not given explicitly
via 487b57cd34e security.idl: Add well-known SIDs for FAST
via aef886c7787 krb5pac.idl: Add ticket checksum PAC buffer type
from be8fb0218af heimdal:kdc: Only check for default salt for des-cbc-crc enctype
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-15-test
- Log -----------------------------------------------------------------
commit 753e0dfc6c9def1aebacc593fd4130882ce3ff32
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 10:50:36 2021 +1300
lib/krb5_wrap: Fix missing error check in new salt code
CID 1492905: Control flow issues (DEADCODE)
This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
(cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)
Autobuild-User(v4-15-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-15-test): Mon Oct 25 13:05:31 UTC 2021 on sn-devel-184
commit c72b210cdca5bae5377d1069b8e59044f219356c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 19 16:01:36 2021 +1300
dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
(cherry picked from commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed)
commit b1dbaecb2ec14cdacabf6188ff68bad42d3bbffe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:46:36 2021 +1300
tests/krb5: Add tests for account salt calculation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 46039baa81377df10e5b134e4bb064ed246795e4)
commit 798ac7ff1babe6293fb97deeacb2eff0b018fde0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:47 2021 +1300
tests/krb5: Fix account salt calculation to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe)
commit fcd11a480e7402985941de974fb0a3f273748ce0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:08 2021 +1300
tests/krb5: Allow specifying the UPN for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 889476d1754f8ce2a41557ed3bf5242c1293584e)
commit 8c0296c8956d0328ac111deb1b2d932a24ab50fa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:44:19 2021 +1300
tests/krb5: Allow creating machine accounts without a trailing dollar
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f4785ccfefe7c89f84ad847ca3c12f604172b321)
commit 4cedeb3253863467adf7e2638167221cbf930f82
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:41:39 2021 +1300
tests/krb5: Allow specifying prefix or suffix for test account names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5)
commit cd1b3cbce5033664d18dc11db3d96c3cdb356afb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:39:05 2021 +1300
tests/krb5: Decrease length of test account prefix
This allows us more room to test with different account names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a5a6296e57cab2b53617d997c37b4e92d4124cc7)
commit 3affd02a83a1626afa6c7ec56a7e317fb5dc22ae
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 16:42:00 2021 +0200
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
commit 057e6d872db350d5c72b52e7cfc831d10c3e7966
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:04:55 2021 +0200
selftest/Samba3: remove unused close(USERMAP); calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d998f7f8df215866ab32e05be772e24fc0b2131c)
commit f901e3dc08c0311eaf47171570f1ac25bd1dfbbd
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 4 13:02:35 2021 +0200
waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the prototype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5d8e794551b5df835f07e2bd8348fef746144601)
commit 28630a31be8a56a1a94c56cfa3d192387bea01e5
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 11:55:14 2021 +1300
selftest: Improve error handling and perl style when setting up users in Samba4.pm
This catches errors and avoids using global variables (the old
style file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 459200caba04fd83ed650b9cdfe5b158cf9a149f)
commit cd04ce50ac37abae66f582a96949075adc2e2522
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 20:44:54 2021 +1300
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a)
commit 175dde8ab488b3b471c979c896366f4b9ae20bdd
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 20 11:26:02 2021 +1200
pytest: s3_net_join: avoid name clash
The net_join test uses "NetJoinTest" (and doesn't properly clean up),
we must use a unique name for this test in s3_net_join.py.
[abartlet at samba.org The hilarious naming conventions come from a time when samba-tool
was known as "net" in the s4 branch]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit d4a75eead058879b11c8a0901d7277052123d13b)
commit 63e688099b433fe550e0db464f56fedddf9e0aa1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:09 2021 +1300
selftest: krb5 account creation: clarify account type as an enum
This makes the code clearer with a symbolic constant rather
than a True/False boolean.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 49306f74eb29a2192019fab9260f9d242f9d5fd9)
commit c4b158740371ec1fbb87ebfa6439e2ce59c08bbc
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 6 11:08:10 2021 +1200
pytest: dynamic tests optionally add __doc__
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit aacb18f920349e13b562c7c97901a0be7b273137)
commit e17d54554c9d61339f92849885cef56a7e3c2999
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 16:27:40 2021 +1200
selftest: Increase account lockout windows to make test more realiable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 6292f0597f208d7953382341380921cf0fd0a8a8)
commit 140ec12e25edafce962f341c9b57db587eebd99c
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 8 17:01:26 2021 +1200
pytest/rodc_rwdc: try to avoid race.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a169e013e66bab15e594ce49b805edebfcd503cf)
commit dc768d84f0210ab9d7bbdc84dae24d23a31dedfe
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: Wed Aug 10 23:31:14 2016 +0000
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
(cherry picked from commit 7e961f3f7a815960ae25377d5b7515184d439690)
commit a7dcff14bdd971bd4c9e3d178de15a0d505f28d8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:07:11 2021 +1300
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
(cherry picked from commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef)
commit 54d9b9e04062079476555823806373a0c2ad42c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:05:19 2021 +1300
tests/krb5: Ensure PAC is not present if expect_pac is false
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)
commit 19e770f04eafa09fca583130b01e97a331dd387d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 16:00:45 2021 +1300
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped, not to give an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542)
commit 30b2a47af03c19f24deba07472f495e1e9c7aa73
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 15:21:50 2021 +1300
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013)
commit ce53ffc660e83950030c60bc69a5d9eb5988b6b0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:29:26 2021 +1300
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
(cherry picked from commit 9d3a691920205f8a9dc05d0e173e25e6a335f139)
commit 3f89f5d3e09fffaae9b446b184982185a41f4f35
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:25 2021 +1300
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 288355896a2b6f460c42559ec46ff980ab57782e)
commit 3c2cf8200d209ce9c998438a0695af23777fcc0f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:15 2021 +1300
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0dc69c1327f72384628a869a00482f6528b8671b)
commit 34e3b8e09f4b671d540e9a28b2af2de2d2da6fea
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:26:40 2021 +1300
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5)
commit bab70b995a1f7309818fa5487f04770ac8da231c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 12:12:30 2021 +1300
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216)
commit af42d3fa44c5fea9f793f03519d4ca5a186ab48b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 15 13:09:20 2021 +1300
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.
These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
(cherry picked from commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4)
commit 9a25efd54aa779f59f1f0e95d62a2f9b676f9558
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 15 08:22:17 2021 +1300
gitlab-ci: Do not download artifacts of unrelated builds
This needs: is overridden in many cases, but ensures none of the other
main jobs start until this build finishes. However, this also
ensures we do not download artifacts from any build unless we
specifically depend on it, saving bandwidth.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit ce3d33f4c141afdfa3fbe9fe26835dc32ef95fe0)
commit 64f81e2e58911587c2180a53225e5d918d997f49
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 14 20:24:49 2021 +1300
gitlab-ci: Do not retry for job_execution_timeout
If we time out, we should just stop at 2 hours, not waste 6 hours (3 x 2 hours).
This is for when the job runs long for any reason. Currently the
reasons for a timeout are not transient; we need to either change
the timeout or fix the system. Likewise, if the tests get into a loop
or deadlock we want to see that as a failure.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14863
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 1cdf8493b5a43a084b5004e5c2667b9dd9e31d91)
commit 2cf612f80964c804a99313baa39b537e09f4fd6d
Author: Nicolas Williams <nico at twosigma.com>
Date: Sun Oct 10 21:55:59 2021 -0500
krb5: Fix PAC signature leak affecting KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
54581d2d52443a9a07ed5980df331f660b397dcf]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f6adfefbbb41b9100736134d0f975f1ec0c33c42)
commit 276820695a9e5e3c87f16c79e036e44e599d86b3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:08:39 2021 +1300
s4:kdc: Check ticket signature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 02fa69c6c73c01d82807be4370e838f3e7c66f35)
commit 1d764175725ffae8679516a6109c1c09dfbe42c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:43:41 2021 +1300
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3bdce12789af1e7a7aba56691f184625a432410d)
commit 03ababc0de61298407ef79954d75951083cee217
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Aug 11 13:27:11 2021 +1200
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1)
commit e735b36fcc18faf15a00c99bad884cd48d216dc1
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 17:51:51 2021 +1000
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Bourkis <iboukris at gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a)
commit 329054bc43308523659ce539028738f500b305c1
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 14:39:35 2021 +1000
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 75d1a7cd14b134506061ed64ddb9b99856231d2c)
commit 4cdcbc761c31aab9869144860ce13c95eddebe6f
Author: Luke Howard <lukeh at padl.com>
Date: Sun Jan 6 17:54:58 2019 +1100
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit db30b71f79864a20b38a1f812a5df833f3a92de8)
commit 7df64eb0189461c98cf85cc755c2dea3f03840a5
Author: Luke Howard <lukeh at padl.com>
Date: Fri Sep 17 13:57:57 2021 +1000
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d6a472e953545ec3858ca969c1a4191e4f27ba63)
commit 764c7d74090a7879107c6bc4a5c8e6cc6c106e70
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:16:58 2021 +0300
krb5: rework PAC validation loop
Avoid allocating the PAC on error.
Closes: #836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2773379603a5a625c5d1c6e62f29c442942ff570)
commit 060abb2f1b4190399e68c1ae81a8a4838b1417b6
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:04:14 2021 +0300
krb5: allow NULL parameter to krb5_pac_free()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Cherry-picked from Heimdal commit
b295167208a96e68515902138f6ce93972892ec5]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76)
commit 4b2890412c915d90a26a0af5d4d39a1d19d2687d
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Aug 13 12:44:37 2021 +0300
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed with the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vice versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d7b03394a9012960d71489e775d40d10fd6f5232)
commit 79278289cf39764fee860588b059e2dc119eaf57
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Dec 28 22:07:10 2020 +0200
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
[jsutton at samba.org Backported from Heimdal commit
bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
- Removed tests
- Removed auditing hook (only present in Heimdal master)
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ccabc7f16cca5b0dcb46233e934e708167f1071b)
commit 2e20aefce2cebf4b4b5102fe41d8a310fd69f7ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:42:29 2021 +1300
s4/torture: Expect ticket checksum PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd)
commit 8ba2b8aef8a1e55c6eda8b7306da46fbe6b62041
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:40:21 2021 +1300
s4:kdc: Fix debugging messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c14c61748b5a2d2a4f4de00615c476fcf381309e)
commit 9edf3d6d81097207d4e764f1f498c244dba9c7ba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:06:58 2021 +1300
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7149eeaceb426470b1b8181749d2d081c2fb83a4)
commit d8871802eb28c39aa0bbf5eb9e9584fa572f62da
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:39 2021 +1300
tests/krb5: Fix duplicate account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3dede18c5a1801023a60cc55b99022b033428350)
commit 7b8d569aefc47d27a2c6a92392aba9ba48bdbd96
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:41:35 2021 +1300
tests/krb5: Allow bypassing cache when creating accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3948701f1d0f3ccd06f6dad56ca72833d66b1d84)
commit f90bc484f4968934701e886232e10e8f3094bf96
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:07:40 2021 +1300
tests/krb5: Don't include empty AD-IF-RELEVANT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a08399cd8169a525cc9e7aed99da84ef20e5b9c)
commit bc71b3c179dc903cd248c5b52997ecf218ab69d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 15:03:04 2021 +1300
tests/krb5: Add constrained delegation tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 56ccdba54e0c7cf3409d8430ea1012e5d3d9b092)
commit 571991a319c6e6ca9b724ebe473163e4e1ad193d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:35:47 2021 +1300
tests/krb5: Verify tickets obtained with get_service_ticket()
We only require the ticket checksum with Heimdal, because MIT currently
doesn't add it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d86eee2fd0fb72e52d878ceba0c476ca58abe6cf)
commit 6b5a223e42f3631edd54588d70f7ca92e11a6e32
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 15:39:11 2021 +1300
tests/krb5: Require ticket checksums if decryption key is available
We perform this check conditionally, because MIT doesn't currently add
ticket checksums.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bf63221722903665e7b20991021fb5cdf4e4327e)
commit 904e0855c86b81319b5cacd9cfd4af75582f2513
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:58:15 2021 +1300
tests/krb5: Add TKT_SIG_SUPPORT environment variable
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae2c57fb0332f94ac44d0886c5edbed707ef52fe)
commit f7e487fc4d03183d455e44e1f9848ee3b09a0401
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 13 12:26:22 2021 +1300
selftest/dbcheck: Fix up RODC one-way links
Test accounts were replicated to the RODC and then deleted, causing
state links to remain in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40e5db4aabcd32834ee524857b77d36921f6bdfe)
commit 5284920767de1f24d3337d6329520d6ecb5f2c29
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 16:32:01 2021 +1300
tests/krb5: Fix sha1 checksum type
Previously, sha1 signatures were being designated as rsa-md5-des3
signatures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ebe729786806c69e95b26ffc410e887e203accb8)
commit e7f75340b628027fb1593c973de7d99b93b11a07
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 19:47:22 2021 +1300
tests/krb5: Provide clearer assertion messages for test failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5233f002000f196875af488b4f4d1df26fca90de)
commit 25895e26fc4675aa0b46cb8a2869b7201fe37c81
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 11:48:41 2021 +1300
tests/krb5: Disable debugging output for tests
This reduces the time spent running the tests in a testenv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dfd613661eec4b81e162f2d86a8fa9266c2fdc03)
commit 41e4c3a8ae1115adcca64916da653ced18577463
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:49:34 2021 +1300
tests/krb5: Simplify padata checking
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cf3ca6ac4567d7c7954ea4ecc8cc9dd5effcc094)
commit 5f07249a6b854955b461dbeffdaf2d577272e7e4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:48:03 2021 +1300
tests/krb5: Check logon name in PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e7c39cc44f2e16aecb01c0afc195911a474ef0b9)
commit c2a5111e71f19faae691f3216bf776aeddd80490
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:45:45 2021 +1300
tests/krb5: Check padata types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bd22dcd9cc4dfda827f892224eb2da4a16564176)
commit cdef6a8416c32f9038d8b3d4523b640bfc7af024
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 12 11:34:59 2021 +1300
tests/krb5: Add environment variable to specify KDC FAST support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 238f52bad811688624e9fd4b1595266e2149094a)
commit 0f4886d4db2f1979f853a6b84ac5c76b131c6666
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 16:15:43 2021 +1300
tests/krb5: Fix padata checking at functional level 2003
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 72265227e9c2037b63cdfb01a456a86ac8932f59)
commit 7b44f8db99dacab7b3b6144cd63fc13eecd99325
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:39:26 2021 +1300
tests/krb5: Clarify checksum type assertion message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ee2b7e2c77f021984ec583fa0c4c756979197b0f)
commit fe35ca21cfcfe8358d7d2c358229e16cca55406a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:37:03 2021 +1300
tests/krb5: Use correct principal name type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 687c8f94c68af9f1e44771dfd7219eeb41382bba)
commit 5fca67c718861fdca5c63435526fa51a46e4d09a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:43:05 2021 +1300
tests/krb5: Add compatibility tests for ticket checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ec4b264bdf9ab64a728212580b344fbf35c3c673)
commit 53d4a46fcd2a1f2d51fbb0a8450fa66fbf6f4baf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 16:53:35 2021 +1300
tests/krb5: Add parameter to enforce presence of ticket checksums
This allows existing tests to pass before this functionality is
implemented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ef24fe982d750a42be81808379b0254d8488c559)
commit 41cbe50ac93436537d4d2a83798e14dbbafbf804
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:52:01 2021 +1300
tests/krb5: Supply supported account enctypes in tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 248249dc0acac89d1495c3572cbd2cbe8bdca362)
commit ea64b0fde2f33ab238d1774481b34a33446d3f28
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:48:50 2021 +1300
tests/krb5: Allow specifying options and expected flags when obtaining a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 34020766bb7094d1ab5d4fc4c0ee89ccb81f39f1)
commit e35ae2d57d869a059e16312bee8cd3b4f38e73b7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:41:23 2021 +1300
tests/krb5: Save account SPN
This is useful for testing delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bb58b4b58c66a6ada79e886dd0c44401e1c5878c)
commit d4404ecb95127bbc359af1e37797a1c3aafe95a7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:26:54 2021 +1300
tests/krb5: Check constrained delegation PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e232fa1c9e5760ae6b9a99b5e7aa5513b84aa8b)
commit 5a43b4ec548b7aa008b62aedd776a7ea221f1eab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:15:26 2021 +1300
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit aa2e583fdea4fd93e4e71c54630e32a1035d1e2a)
commit eea7988e67f91bb2493289232fbb0d0857b645e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:10:07 2021 +1300
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cfc225b549108739bd86e222f2f35eb96af4ea3)
commit 4955aacc2ea2e11afc0cfaadeead83bed022070c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 15:48:58 2021 +1300
tests/krb5: Fix checking for presence of error data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ab92dc16d20b0996b8c46714652c15019c795095)
commit 768e7ec77344ffcdd20ea2bd2e60f3ccf77b291f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 14:02:37 2021 +1300
tests/krb5: Remove unneeded parameters from ticket cache key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7fba83c6c6309a525742c38e904d3e473db99ef1)
commit 71b3142aba779d5e438b5a6b7adeeb1333c02c2b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:03:49 2021 +1300
tests/krb5: Fix assertElementFlags()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 788b3a29eea62f9f38ca8865c7cb7860bdc94bec)
commit c4580eb131b934a2ca64ab342f009563c453605d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:01:30 2021 +1300
tests/krb5: Make expected_sname checking more explicit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8f6d369d709614e2f5c0684882c62f0476bcafa2)
commit 97be9339ca20e2733c1735db9d4cc7346fc2e01a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:16:58 2021 +1300
tests/krb5: Fix status code checking
The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 012b6fcd1976c6570e9b92c133d8c21e543e5a4f)
commit e7dbc8e26e688e8cb6d858e04e1c37310f2de631
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:06:03 2021 +1300
tests/krb5: Fix handling authdata with missing PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a4bc712ee02f32c2d04dfc2d99d58931344e5ceb)
commit 7cb8c699284cae4aba6e9a1cc26a713b5071c0f4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:03:33 2021 +1300
tests/krb5: Allow excluding the PAC server checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dcf45a151a198f7165cd332a26db78a5d8e8f8c5)
commit ae1bada6c1b5480bde017886f3440de489f9e331
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:59:42 2021 +1300
tests/krb5: Fix checksum generation and verification
The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a927cecafdd5ad6dc5189fa98cb42684c9c3b033)
commit b09fd76791631e557bdcdbdb02b4567eb521be8b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:56:21 2021 +1300
tests/krb5: Fix method for creating invalid length zeroed checksum
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae09219c3a1c6d47817f51baf3784e8986c7478d)
commit fccb0a6ecbc6ba55445d8de9e0832b50562b6262
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:54:49 2021 +1300
tests/krb5: Introduce helper method for creating invalid length checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d142dc3a452b0f06efc66f422402ee6e553ee7c)
commit db559680c42526ff2f6313bb70338fba5f92123f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:52:17 2021 +1300
tests/krb5: Add assertion to make failures clearer
These failures may occur if tests are not run against an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cda50b5c505072989abf84c209e16ff4efe2e628)
commit bfccdc3827f007174ef1e2c487ef5f61e4986e31
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:50:36 2021 +1300
tests/krb5: Allow created accounts to use resource-based constrained delegation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bba8cb8dce19e47a7b813efd9a7527e38856435e)
commit e6eca4a04eed6025576d52d44c0cf3fc9a47f299
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:47:39 2021 +1300
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
This helps to distinguish resource-based and non-resource-based
constrained delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 31817c383c2014224b1397fde610624663313246)
commit 825aef9f8c72dcc5ddf27e7ec1a94f363f917d92
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:54:33 2021 +1300
tests/krb5: Fix PA-PAC-OPTIONS checking
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fd00135fa4dff4331d86b228ccc01f834476997)
commit e669b561b8b9b7055126e86b55a282000bd87f7d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:51:01 2021 +1300
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6f1282e8d34073d8499ce919908b39645b017cb8)
commit 9b781f1ca034c41f62fdaf4cf4f56190cb4821a0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:23:17 2021 +1300
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ce433ff868d3cdf8e8a6e4995d89d6e036335fb6)
commit eaf9f8d9ebe63463f8c0ffe40ea418740592deaa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:51 2021 +1300
tests/krb5: Remove unused parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8e4b21590836dab02c1864f6ac12b3879c4bd69c)
commit a1228650b68c02ecafec434e05670d577b406835
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:24 2021 +1300
tests/krb5: Rename method parameter
For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d501ddca3b7b9c39c0b3eccf19176e3122cf5b9d)
commit 1c1c1a0499108f416ec4b642c2e869bda04c4dfc
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 14 08:51:21 2021 +1300
.gitlab-ci: Avoid duplicate CI on all merge requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Oct 14 01:21:11 UTC 2021 on sn-devel-184
(cherry picked from commit 8ab0238abd171f9a11b013fd185605e7d1722b27)
commit 60419689f3e768a7a57d2812bec4bc49ebc9d2f7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Thu Oct 14 08:11:49 2021 +1300
.gitlab-ci.yml: Restore building most of our jobs
We are changing the primary build jobs to use "when"
not "only". These are similar and related GitLab syntax
tools to control when jobs are run.
With 'when' now in use it must be specified on all jobs
that inherit from each other via:
.extends .shared_template
"only" can be left however for the pages and coverity as
these use:
.extends .shared_runner_build_image
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit bcc22d00569551cfa25851c8c267ec9decc63d21)
commit 2c36f7c67ed552fab1a59bd14c6592ea6ac85738
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 15:37:48 2021 +1300
.gitlab-ci: Increase build timeout
While the build will not take > 1hr, uploading the artifacts
needed to pass the build objects to the next stage can take
some time due to the distance between the runners and the
private CI server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Oct 13 12:00:03 UTC 2021 on sn-devel-184
(cherry picked from commit dd178d97250e041b29aad9b26d2994163bd99231)
commit 44ad4dc8b77fd894a059dec1ea8b21e8f1e95f42
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 12 07:55:54 2021 +1300
.gitlab-ci.yml: Honour AUTOBUILD_SKIP_SAMBA_O3 in GitLab CI
GitLab CI resources are expensive and often rationed so
provide a way to test other things without testing an -O3
build also, as this will save 9 jobs.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14861
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Ralph Boehme <slow at samba.org>
(cherry picked from commit 7857e1249b72be8c8841b99cb0820c9c563178f9)
commit aa08c5cfbf72eee86174d75b8366a528411ea7c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:10:35 2021 +1200
tests/krb5: Add classes for testing invalid checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184
(cherry picked from commit 5b331443d0698256ee7fcc040a1ab8137efe925d)
commit 2988bc5178875a3623abc5f19eac978ea1b67501
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:06:18 2021 +1200
tests/krb5: Add method to determine if principal is krbtgt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8)
commit 5ec45f3068ab3d668f0dec6c6e6ab3ba7d6a6e72
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:10:07 2021 +1200
tests/krb5: Verify checksums of tickets obtained from the KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ea7b550a500d9e458498d37688b67dafd3d9509d)
commit 6270587045faa6d1b58fc1792b356e16ddbd5b6f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:54:47 2021 +1200
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1458cd9065de34c42bd5ec63feb2f66c25103982)
commit 50a5116cff2317b878882b14474c8b27edbd4a94
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:05:58 2021 +1200
tests/krb5: Simplify account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 394e8db261b10d130c5e5730989bf68f9bf4f85f)
commit 7dba3ae4b590840f4e70b134c0d21ee8970b2162
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 22 11:41:45 2021 +1200
tests/krb5: Provide ticket enc-part key to tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c)
commit 2ef8022937f933aa0f365bcab82d803e0d001993
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:08:16 2021 +1200
tests/krb5: Fix checking for presence of authorization data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f9284d8517edd9ffd96f0c24166a16366f97de8f)
commit 3787c21f2b72bdda4bb1a0bbf987d8ccedd83a9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:58:09 2021 +1200
tests/krb5: Add method to get DC credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239)
commit 8eda339691aad55b890bbc4785a4b01ca6e18d47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:59:24 2021 +1200
tests/krb5: Allow tgs_req() to check the returned ticket enc-part
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 38b4b334caf1b32f1479db3ada48b2028946f5e6)
commit 0da5e1029ecc03b7ae2c5f8068cbefdcf62359bc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:54:39 2021 +1200
tests/krb5: Set key version number for all accounts created with create_account()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655)
commit 8ff6735180220e63d2088f5f7e7499cab5d48879
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:11:28 2021 +1200
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 14cd933a9d6af08deb680c9f688b166138d45ed9)
commit 2bfcb3f6b009b28a3ca48ba3b8449db67eded920
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:10:49 2021 +1200
tests/krb5: Get supported enctypes for credentials from database
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b6eaf2cf44fb66d8f302d4cab050827a67de3ea4)
commit 320847972dff91eccfc87845eb123f7ba84b28f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 21:01:46 2021 +1200
tests/krb5: Add methods to convert between enctypes and bitfields
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 432eba9e09849e74f4c0f2d7826d45cbd2b7ce42)
commit 73f27f9ddb0262fe46aaee10984ab78355b100a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:01:12 2021 +1200
tests/krb5: Make get_default_enctypes() return a set of enctype constants
This is often more convenient than a bitfield.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cedd383bcc1b5652ea65817b464d6e0485c7b8b)
commit 8ab6d2f0bdd85e8e7f7119f003e39a1989a551b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:33:16 2021 +1200
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4c67a53cdca206a118e82b356db0faf0ddc011ab)
commit 53b793b9e7c54a37e44517990d4fe54add659fac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 15:26:12 2021 +1200
tests/krb5: Add method for modifying a ticket and creating PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fcde7cb6ce50e0a08097841e92476f320560664)
commit eed5b13f4af168aa21e3f691193f2fd9ec1e33f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 14:56:51 2021 +1200
tests/krb5: Add method to verify ticket PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 12b5e72a35d632516980f6c051a5d83f913079e7)
commit 6fe3f55476be738634cbd1e8af07290b1b79758f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 17:20:22 2021 +1200
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184
(cherry picked from commit ec95b3042bf2649c0600cafb12818c27242b5098)
commit f817cbc6815220b7476ec78d8f7e1d734ef770c8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 16:54:57 2021 +1200
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
Creating a zeroed checksum is needed for signing a PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a562882b15125902c5d89f094b8c9b1150f5d010)
commit 182bf696e32e79fcb0195487d2b0a5709198c0de
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:20 2021 +1200
tests/krb5: Cache obtained tickets
Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 419e4061ced466ec7e5e23f815823b540ef4751c)
commit 0cad7ba2032a400453a68d0b7a428748d037e769
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:05 2021 +1200
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6193f7433b15579aa32b26a146287923c9d3844d)
commit 5125f9c1a1b36e73cfa363b34a2676a68fdd694d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:24:46 2021 +1200
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 59c1043be25b92db75ab5676601cb15426ef37a3)
commit 1e44488b58de1f0cbc3434ea4e95067d1b08a525
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:45 2021 +1200
tests/krb5: Allow get_tgt() to specify expected and unexpected flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce)
commit cfb16b40c740b549dffb0cdec8cbda16fd7f665a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:06 2021 +1200
tests/krb5: Allow get_tgt() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3)
commit 3022340bf225fb5328d13e64f17157d381a34bc7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:41:46 2021 +1200
tests/krb5: Allow get_tgt() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d69805b1e3a8022f1418605e5f29ae0bbaa4a06)
commit 8416eb2a8840cc13bd1d59eeddbe7082dc2377b0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:38:38 2021 +1200
tests/krb5: Allow get_service_ticket() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5d3a135c2326edc9ca8f56bea24d2f52320f4fd6)
commit ca0123d86a47e4a1a2f8a06a20e0029af0e578a6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:19:28 2021 +1200
tests/krb5: Set DN of created accounts to ldb.Dn type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7645dfa5bedee7ef3f7debbf0fa7600bd1c4bd79)
commit 56a567be0e4d2f485a095d6344a7c0e1f144047e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:13:51 2021 +1200
tests/krb5: Don't manually create PAC request and options in fast_tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c226029655ca361560d93298a6729a021f2f6b75)
commit 278eff6115fc6ada0b005561e7a7a56f170978b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:06:51 2021 +1200
tests/krb5: Use PAC buffer type constants from krb5pac.idl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3504e99dc5bcc206ca2964012b7fdca541555416)
commit c8a724118e646e83499b74a95d246bc6e902fac6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:52:46 2021 +1200
tests/krb5: Allow as_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a5e62d681d81a422bac7bd89dc27ef2314d77457)
commit 3c77ef9dbb553d7a683251933c3c63383fa7f7f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:25:01 2021 +1200
tests/krb5: Allow tgs_req() to send requests to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6403a09d94ab54f89d6e50601ae6b19ab7e6aae7)
commit 063f1cbdbe707e0f48d80914e02a2aef04a9dae0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:18:12 2021 +1200
tests/krb5: Allow tgs_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a3426da54463c3e454c1b76c3df4e96882e6aa9)
commit e4b278566afac0aa0945e340d131620c59ae1d92
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:16:27 2021 +1200
tests/krb5: Allow tgs_req() to send additional padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1f0654b8facf3b9b2288d2569a573ff3a5ca4a82)
commit 3e3d205df7c92b0156942171b2298147684c2d2c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:13:09 2021 +1200
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2a4d53dc12aa785f696e53ae3376f67375ce455f)
commit cba0b1a6c48ecbfbc3c07f61a47c71f6f57018d0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:22:28 2021 +1200
tests/krb5: Check correct flags element
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0061fa2c2a26d990ed2e47441bca8797fc9be356)
commit 159d451d817db789b47d1b624f71465912e2ec39
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 15 20:56:28 2021 +1200
tests/krb5: Add helper method for modifying PACs
This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a281ae09bcf35277c830c4112567c72233fd66b8)
commit 77227799d9809760254a235b70743146fdcc68f4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 10 14:02:22 2021 +1200
python/join: Check for correct msDS-KrbTgtLink attribute
Previously, the wrong case was used when checking for this attribute,
which meant krbtgt accounts were not being cleaned up.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 21a7717359082feaddfdf42788648c3d7574c28e)
commit c8bb7750c860e11906ebe849f1a714d51a267b35
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:42:28 2021 +1200
python: Don't leak file handles
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cde38d36b98f1d40e7b58cd4c4b4bedfab76c390)
commit 7b6a5c97092bcd5ce5239bccb2f025387c62c1e5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:31 2021 +1200
tests/krb5: Allow replicating accounts to the created RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 35292bd32225b39ad7a03c3aa53027458f0671eb)
commit f2d6361dc332d573e63000569d7a98983e5db5e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:05 2021 +1200
tests/krb5: Create RODC account for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit ef5666bc51ca80e1acdadd525a9c61762756c8e3)
commit b0339d5a1a8248f36422d10ba36918aca01093e1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 22:13:24 2021 +1200
tests/krb5: Allow replicating accounts to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 3cc9e77f38f6698aa01abca4285a520c7c0cd2ac)
commit d413e7d79a394f9a801c9a8fdafe1b51aab22698
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:58:01 2021 +1200
tests/krb5: Add get_secrets() method to get the secret attributes of a DN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit af633992e31e839cdd7f77740c1f25d129be2f79)
commit 56f49f117bf267e6013e415d6ff68b4cb35e56c0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:20:23 2021 +1200
tests/krb5: Add method to get RODC krbtgt credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5bf7aad54b7053417a24ae0918ee42ceed7bf21)
commit f730c68834c315df9f0eb3d7d788a08b87d2eee0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:14:18 2021 +1200
tests/krb5: Sign-extend kvno from 32-bit integer
This helps to avoid problems with RODC kvnos that have the high bit set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 7bc52cecb442c4bcbd39372a8b98bb033e4d1540)
commit 2af3293f67d643d15de575d1f01138ed382c3f18
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 8 11:28:52 2021 +1200
tests/krb5: Generate padata for FAST tests
This gives us access to parameters of kdc_exchange_dict and enables us
to simplify the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 943079fd94fec66cdc2ba4ea1b2beb2971473004)
commit 1d2d30748a91e45694289600c2dc6e73f0bdc390
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 15:36:24 2021 +1200
tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c9fd8ffd8927ef42fd555e690f966f65aa01332e)
commit f44a5b984b74f4e0d4b4d0794cc445aa47fe1440
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:55:10 2021 +1200
tests/krb5: Get encpart decryption key from kdc_exchange_dict
Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 0e99382d73f44eed7e19e83e430938d587e762d0)
commit 336725dc79f79f07bc991812a70a6dddcc55701d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:40:02 2021 +1200
tests/krb5: Get expected cname from TGT for TGS-REQ messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5186f92803009c81eca2957e1bf2eb0ff7b6dff)
commit bc7bdc5b7e0bfb6abd051e07677d940d7070c50d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:26:43 2021 +1200
tests/krb5: Allow specifying status code to be checked
This allows us to check the status code that may be sent in an error
reply to a TGS-REQ message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 4ba5e82ae53410ec9a0bc7d47b181a88c15d9387)
commit 01b16673af891c053f7f725f5f8fbbfc80478633
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:18:32 2021 +1200
tests/krb5: Create testing accounts in appropriate containers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184
(cherry picked from commit 01378a52a1cf0b6855492673455013d5719be45b)
commit 2bf5265847db4a47a3136896b280080c61b7987f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:47:27 2021 +1200
tests/krb5: Check for presence of 'key-expiration' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94)
commit 6f04bd793ecc92d9f24a0ae92bc6040cef80827e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:45:57 2021 +1200
tests/krb5: Check 'caddr' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit d3106a8d35225e826d548d3bea0d42edc3998c38)
commit 9ff47e1344173de5ebdad4d02589ec2a94fe6dce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:43:41 2021 +1200
tests/krb5: Check for presence of 'renew-till' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64)
commit a1face49c70b29e26dcc8641ceca684921596ab7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:34:20 2021 +1200
tests/krb5: Allow Kerberos requests to be sent to DC or RODC
If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 0afb548a0a3221730c4a81d51bc31e99ec90e334)
commit 5a546788f457bb721257dbaf60da92bdc9a32708
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:15:17 2021 +1200
tests/krb5: Make time assertion less strict
This assertion could fail if there was a time difference between the KDC
and the client.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 1974b872fb5a7da052305d01e2f1efc8d0637078)
commit 22e1b694879c38ffddf367e67458e477773e63cc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:13:11 2021 +1200
tests/krb5: Allow specifying ticket flags expected to be set or reset
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 85ddfc1afcf21797dab15431a5f375444c4d316e)
commit 533363474949ec4df88b4f9d7271fd2293cb5f56
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 17:46:02 2021 +1200
tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b)
commit 6bf8e3cb53727489c2b0f29977eea9a59b4a96c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:38:33 2021 +1200
tests/krb5: Don't create PAC request or options manually in fast_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7)
commit 2c1a8950b5e8fd2f4fd6dadf152b897753857514
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:37:27 2021 +1200
tests/krb5: Don't create PAC request manually in as_req_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit bc21ba2592093c765751ed3e8083dcd3512997f8)
commit f6c3497e9f9f182cae48b1720e4bfb0f8f031b29
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:36:42 2021 +1200
tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit c0db1ba54d238d4b2da8895215d8314b068ce09c)
commit 138ac8a3a70fa24b861540675ca983e2afe623b4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:27:00 2021 +1200
tests/krb5: Move padata generation methods to base class
This allows them to be used directly from RawKerberosTest.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 1f23b16ef3a900a1bda01bf2a5a3a3847e2e79d1)
commit ebecaf715d3fb2d2991e8bbe7b111760c564d2f9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:35:58 2021 +1200
tests/krb5: Keep track of account DN in credentials object
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 9973b51e48a5d5f3e33c6e0da46e6231a42bd77a)
commit b8485a79791eabf56bce01f0ad1c6f42faa270e4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:46 2021 +1200
tests/krb5: Allow specifying additional User Account Control flags for account
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 9aa900857441ea7e1c2d6c60bfa1ddeb142bf3e3)
commit 4f47721d5991719cc0244daa6a184aa82e732b82
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:02 2021 +1200
tests/krb5: Allow specifying an OU to create accounts in
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 7aae0e9b100b8cb7d1da78b8cb9a4a5c20acffbd)
commit dda665b918b5f4d0acfd5f5d0d6a82eeba7d36ea
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:31:56 2021 +1200
tests/krb5: Replace expected_cname_private with expected_anon parameter
This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit bf55786fcd9a96daa9002661d6f5d9b3502ed8a7)
commit 31e990533c166c52c1a4a4b0a9177a8e34550297
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:21:55 2021 +1200
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 3fd73b65a3db405db5a0a82cca6c808763d4f437)
commit 6df25780147feb510b0105dd0c6da73622a993cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:05:39 2021 +1200
tests/krb5: Add KDCOptions flag for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 08086c43987abecc588ebd32ec846ff7e27a83b6)
commit c625e16ffa6b26afd4df212266c3754959d12bd6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:57:26 2021 +1200
tests/krb5: Use signed integers to represent key version numbers in ASN.1
As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
signed 32-bit integers to represent key version numbers. This makes a
difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
32767, where the kvno should be encoded in four bytes rather than five.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 448b661bf8815a05f534926d8ee8d6f57d123c2c)
commit 7bb3ac920f9714d5d81a5e11cb043ee5b2cbb3b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:50:26 2021 +1200
tests/krb5: Add methods to obtain the length of checksum types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 9924dd976183ea62b08f116f8b8bacc698bb9b95)
commit a08b603d822481a9c5146dc469c6984c3fc5b9c1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:46:42 2021 +1200
tests/krb5: Calculate expected salt if not given explicitly
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit c6badf818e9db44461979a931c74fc5ab6e80132)
commit 487b57cd34e1e71221259f0a4c91c5c3231600c5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:40:59 2021 +1200
security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
commit aef886c7787a99ebb01fbc462e7b795c30a938e8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:39:19 2021 +1200
krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
-----------------------------------------------------------------------
Summary of changes:
.gitlab-ci-default.yml | 1 +
.gitlab-ci-main.yml | 52 +-
auth/credentials/credentials_krb5.c | 12 +-
lib/krb5_wrap/krb5_samba.c | 192 ++-
lib/krb5_wrap/krb5_samba.h | 13 +-
librpc/idl/krb5pac.idl | 7 +-
librpc/idl/security.idl | 3 +
python/samba/__init__.py | 12 +-
python/samba/join.py | 7 +-
python/samba/ms_schema.py | 6 +-
python/samba/schema.py | 9 +-
python/samba/tests/__init__.py | 3 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 11 +-
python/samba/tests/krb5/as_req_tests.py | 57 +-
python/samba/tests/krb5/compatability_tests.py | 48 +-
python/samba/tests/krb5/fast_tests.py | 486 +++----
python/samba/tests/krb5/kcrypto.py | 28 +-
python/samba/tests/krb5/kdc_base_test.py | 1099 +++++++++++++--
python/samba/tests/krb5/kdc_tests.py | 4 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 137 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 93 +-
python/samba/tests/krb5/raw_testcase.py | 1461 +++++++++++++++-----
python/samba/tests/krb5/rfc4120.asn1 | 3 +-
python/samba/tests/krb5/rfc4120_constants.py | 11 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 3 +-
python/samba/tests/krb5/rodc_tests.py | 73 +
python/samba/tests/krb5/s4u_tests.py | 1074 +++++++++++++-
python/samba/tests/krb5/salt_tests.py | 327 +++++
python/samba/tests/krb5/simple_tests.py | 4 +-
python/samba/tests/krb5/test_ccache.py | 15 +-
python/samba/tests/krb5/test_ldap.py | 4 +-
python/samba/tests/krb5/test_rpc.py | 4 +-
python/samba/tests/krb5/test_smb.py | 4 +-
python/samba/tests/krb5/xrealm_tests.py | 4 +-
python/samba/tests/s3_net_join.py | 2 +-
python/samba/tests/usage.py | 2 +
selftest/knownfail.d/kdc-salt | 1 +
selftest/knownfail_heimdal_kdc | 26 +
selftest/knownfail_mit_kdc | 54 +
selftest/target/Samba3.pm | 43 +-
selftest/target/Samba4.pm | 76 +-
source3/passdb/machine_account_secrets.c | 10 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 23 +-
source4/dsdb/tests/python/rodc_rwdc.py | 8 +-
source4/heimdal/kdc/kerberos5.c | 147 +-
source4/heimdal/kdc/krb5tgs.c | 665 +++------
source4/heimdal/kdc/windc.c | 15 +-
source4/heimdal/kdc/windc_plugin.h | 5 +-
source4/heimdal/lib/asn1/krb5.asn1 | 21 -
source4/heimdal/lib/krb5/authdata.c | 124 ++
source4/heimdal/lib/krb5/pac.c | 484 ++++++-
source4/heimdal/lib/krb5/version-script.map | 5 +
source4/heimdal_build/wscript_build | 2 +-
source4/kdc/mit_samba.c | 14 +-
source4/kdc/pac-glue.c | 10 +-
source4/kdc/pac-glue.h | 3 +-
source4/kdc/wdc-samba4.c | 356 +++--
source4/kdc/wscript_build | 1 +
source4/selftest/tests.py | 84 +-
source4/torture/rpc/remote_pac.c | 14 +-
testprogs/blackbox/dbcheck.sh | 2 +-
61 files changed, 5596 insertions(+), 1868 deletions(-)
create mode 100755 python/samba/tests/krb5/rodc_tests.py
create mode 100755 python/samba/tests/krb5/salt_tests.py
create mode 100644 selftest/knownfail.d/kdc-salt
create mode 100644 source4/heimdal/lib/krb5/authdata.c
Changeset truncated at 500 lines:
diff --git a/.gitlab-ci-default.yml b/.gitlab-ci-default.yml
index d0831017d9b..e6089183674 100644
--- a/.gitlab-ci-default.yml
+++ b/.gitlab-ci-default.yml
@@ -3,6 +3,7 @@ variables:
# "--enable-coverage" or ""
# See .gitlab-ci-coverage.yml
SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: ""
+ AUTOBUILD_SKIP_SAMBA_O3: "0"
include:
- /.gitlab-ci-default-runners.yml
diff --git a/.gitlab-ci-main.yml b/.gitlab-ci-main.yml
index 832e8a8b5e7..0cbcc17c94c 100644
--- a/.gitlab-ci-main.yml
+++ b/.gitlab-ci-main.yml
@@ -83,6 +83,13 @@ include:
interruptible: true
timeout: 2h
+ # Otherwise we run twice, once on push and once on MR
+ # https://forum.gitlab.com/t/new-rules-syntax-and-detached-pipelines/37292
+ rules:
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+ - when: on_success
+
variables:
AUTOBUILD_JOB_NAME: $CI_JOB_NAME
stage: build
@@ -90,6 +97,16 @@ include:
key: ccache.${CI_JOB_NAME}.${SAMBA_CI_JOB_IMAGE}.${SAMBA_CI_FLAVOR}
paths:
- ccache
+
+ # This is overridden in many cases, but ensures none of the other
+ # main jobs start until and unless this build finishes. However
+ # this also ensures we do not download artifacts from any build
+ # unless we specifically depend on it, saving bandwidth
+
+ needs:
+ - job: samba-def-build
+ artifacts: false
+
before_script:
- uname -a
- lsb_release -a
@@ -141,7 +158,6 @@ include:
- api_failure
- runner_unsupported
- stale_schedule
- - job_execution_timeout
- archived_failure
- scheduler_failure
- data_integrity_failure
@@ -169,7 +185,8 @@ others:
.shared_template_build_only:
extends: .shared_template
- timeout: 1h
+ timeout: 2h
+ needs:
artifacts:
expire_in: 1 week
paths:
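Review bot: The bare `needs:` added to `.shared_template_build_only` has no value and no comment, so it reads like a truncated edit. If the intent is to clear the `samba-def-build` dependency that `.shared_template` now declares, write it explicitly as `needs: []` and add a one-line comment saying so. The timeout change from 1h to 2h in the same hunk also has no stated reason.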
@@ -353,13 +370,16 @@ samba-fips:
.private_test_only:
extends: .private_runner_test
stage: test_private
- only:
- variables:
+ rules:
+ # See above, to avoid a duplicate CI on the MR (these rules override the others)
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+
# These jobs are only run if the gitlab repo has private runners available.
# To enable private jobs, you must add the following var and value to
# your gitlab repo by navigating to:
# settings -> CI/CD -> Environment variables
- - $SUPPORT_PRIVATE_TEST == "yes"
+ - if: $SUPPORT_PRIVATE_TEST == "yes"
.needs_samba-def-build-private:
extends:
@@ -514,16 +534,30 @@ ubuntu1804-samba-o3:
AUTOBUILD_JOB_NAME: samba-o3
SAMBA_CI_JOB_IMAGE: ${SAMBA_CI_CONTAINER_IMAGE_ubuntu1804}
SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE: "--enable-coverage"
+ rules:
+ # See above, to avoid a duplicate CI on the MR (these rules override the others)
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+ # do not run o3 builds (which run a lot of VMs) if told not to
+ # (this uses the same variable as autobuild.py)
+ - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+ when: never
# All other jobs do not want code coverage.
.samba-o3-template:
extends: .shared_template
variables:
AUTOBUILD_JOB_NAME: samba-o3
- only:
- variables:
- # do not run o3 for coverage since they are using different images
- - $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
+ rules:
+ # See above, to avoid a duplicate CI on the MR (these rules override the others)
+ - if: $CI_MERGE_REQUEST_ID
+ when: never
+ # do not run o3 builds (which run a lot of VMs) if told not to
+ # (this uses the same variable as autobuild.py)
+ - if: $AUTOBUILD_SKIP_SAMBA_O3 == "1"
+ when: never
+ # do not run o3 for coverage since they are using different images
+ - if: $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""
ubuntu2004-samba-o3:
extends: .samba-o3-template
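Review bot: The `rules:` list added to `ubuntu1804-samba-o3` contains only `when: never` entries, and as its own comment says these rules override the inherited ones, so no rule is left that can add the coverage job to a pipeline. GitLab leaves a job out when none of its rules match. `.samba-o3-template` ends with a positive `- if: $SAMBA_CI_AUTOBUILD_ENABLE_COVERAGE == ""` entry; the coverage job needs an equivalent final entry, for example `- when: on_success`.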
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index c03d80ac440..d2e7a76a69e 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1200,12 +1200,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
break;
}
- ret = smb_krb5_salt_principal(realm,
- username, /* sAMAccountName */
- upn, /* userPrincipalName */
- uac_flags,
- mem_ctx,
- &salt_principal);
+ ret = smb_krb5_salt_principal_str(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ uac_flags,
+ mem_ctx,
+ &salt_principal);
if (ret) {
talloc_free(mem_ctx);
return ret;
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -456,19 +456,20 @@ int smb_krb5_get_pw_salt(krb5_context context,
*
* @see smb_krb5_salt_principal2data
*/
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal)
+ krb5_principal *salt_princ)
{
TALLOC_CTX *frame = talloc_stackframe();
char *upper_realm = NULL;
const char *principal = NULL;
int principal_len = 0;
+ krb5_error_code krb5_ret;
- *_salt_principal = NULL;
+ *salt_princ = NULL;
if (sAMAccountName == NULL) {
TALLOC_FREE(frame);
@@ -512,7 +513,6 @@ int smb_krb5_salt_principal(const char *realm,
*/
if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
- char *tmp = NULL;
computer_len = strlen(sAMAccountName);
if (sAMAccountName[computer_len-1] == '$') {
@@ -520,60 +520,186 @@ int smb_krb5_salt_principal(const char *realm,
}
if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
- principal = talloc_asprintf(frame, "krbtgt/%*.*s",
- computer_len, computer_len,
- sAMAccountName);
- if (principal == NULL) {
+ const char *krbtgt = "krbtgt";
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(krbtgt),
+ krbtgt,
+ computer_len,
+ sAMAccountName,
+ 0);
+ if (krb5_ret != 0) {
TALLOC_FREE(frame);
- return ENOMEM;
+ return krb5_ret;
}
} else {
-
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
+ const char *host = "host";
+ char *tmp = NULL;
+ char *tmp_lower = NULL;
+
+ tmp = talloc_asprintf(frame, "%*.*s.%s",
+ computer_len,
+ computer_len,
+ sAMAccountName,
+ realm);
if (tmp == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- principal = strlower_talloc(frame, tmp);
- TALLOC_FREE(tmp);
- if (principal == NULL) {
+ tmp_lower = strlower_talloc(frame, tmp);
+ if (tmp_lower == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- }
- principal_len = strlen(principal);
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(host),
+ host,
+ strlen(tmp_lower),
+ tmp_lower,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+ }
} else if (userPrincipalName != NULL) {
- char *p;
+ /*
+ * We parse the name not only to allow an easy
+ * replacement of the realm (no matter the realm in
+ * the UPN, the salt comes from the upper-case real
+ * realm, but also to correctly provide a salt when
+ * the UPN is host/foo.bar
+ *
+ * This can fail for a UPN of the form foo at bar@REALM
+ * (which is accepted by windows) however.
+ */
+ krb5_ret = krb5_parse_name(krb5_ctx,
+ userPrincipalName,
+ salt_princ);
- principal = userPrincipalName;
- p = strchr(principal, '@');
- if (p != NULL) {
- principal_len = PTR_DIFF(p, principal);
- } else {
- principal_len = strlen(principal);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+
+ /*
+ * No matter what realm (including none) in the UPN,
+ * the realm is replaced with our upper-case realm
+ */
+ krb5_ret = smb_krb5_principal_set_realm(krb5_ctx,
+ *salt_princ,
+ upper_realm);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, *salt_princ);
+ TALLOC_FREE(frame);
+ return krb5_ret;
}
} else {
principal = sAMAccountName;
principal_len = strlen(principal);
- }
- *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
- principal_len, principal_len,
- principal, upper_realm);
- if (*_salt_principal == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ principal_len,
+ principal,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
}
TALLOC_FREE(frame);
return 0;
}
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal_str)
+{
+ krb5_principal salt_principal = NULL;
+ char *salt_principal_malloc;
+ krb5_context krb5_ctx;
+ krb5_error_code krb5_ret
+ = smb_krb5_init_context_common(&krb5_ctx);
+ if (krb5_ret != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+
+ krb5_ret = smb_krb5_salt_principal(krb5_ctx,
+ realm,
+ sAMAccountName,
+ userPrincipalName,
+ uac_flags,
+ &salt_principal);
+
+ krb5_ret = krb5_unparse_name(krb5_ctx, salt_principal,
+ &salt_principal_malloc);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, salt_principal);
+ DBG_ERR("kerberos unparse of salt principal failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+ krb5_free_principal(krb5_ctx, salt_principal);
+ *_salt_principal_str
+ = talloc_strdup(mem_ctx, salt_principal_malloc);
+ krb5_free_unparsed_name(krb5_ctx, salt_principal_malloc);
+
+ if (*_salt_principal_str == NULL) {
+ return ENOMEM;
+ }
+ return 0;
+}
+
/**
* @brief Converts the salt principal string into the salt data blob
*
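Review bot: In `smb_krb5_salt_principal_str()` the return value of `smb_krb5_salt_principal()` is stored in `krb5_ret` and then overwritten by the `krb5_unparse_name()` call without being tested, so on failure `salt_principal` is still NULL when it is unparsed. Test `krb5_ret != 0` and return directly after the first call. The `krb5_ctx` obtained from `smb_krb5_init_context_common()` is also not released on any of the later return paths; add `krb5_free_context(krb5_ctx)` before each of them. In the new doc comment the output is named `_salt_principal` while the parameter is `_salt_principal_str`.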
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index 9550447b2c5..eab67f6d969 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -350,12 +350,19 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal);
+ krb5_principal *salt_princ);
+
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
int smb_krb5_salt_principal2data(krb5_context context,
const char *salt_principal,
TALLOC_CTX *mem_ctx,
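Review bot: The prototype of `smb_krb5_salt_principal_str()` names its last parameter `_salt_principal`, while the definition in krb5_samba.c uses `_salt_principal_str`; make the two match. The changed `smb_krb5_salt_principal()` prototype now hands back a `krb5_principal`, so it should carry a comment that the caller owns `*salt_princ` and must release it with `krb5_free_principal()`.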
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index fb360c1257f..515150ab9cd 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -112,7 +112,11 @@ interface krb5pac
PAC_TYPE_KDC_CHECKSUM = 7,
PAC_TYPE_LOGON_NAME = 10,
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
- PAC_TYPE_UPN_DNS_INFO = 12
+ PAC_TYPE_UPN_DNS_INFO = 12,
+ PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+ PAC_TYPE_DEVICE_INFO = 14,
+ PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+ PAC_TYPE_TICKET_CHECKSUM = 16
} PAC_TYPE;
typedef struct {
@@ -128,6 +132,7 @@ interface krb5pac
[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
+ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
/* when new PAC info types are added they are supposed to be done
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 06bf7449a70..3df96dedbdd 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -295,6 +295,9 @@ interface security
const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+ const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
+ const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
+
/*
* http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
*/
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 449e4826ffb..0e6a33322f8 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -217,7 +217,8 @@ class Ldb(_Ldb):
:param ldif_path: Path to LDIF file.
"""
- self.add_ldif(open(ldif_path, 'r').read())
+ with open(ldif_path, 'r') as ldif_file:
+ self.add_ldif(ldif_file.read())
def add_ldif(self, ldif, controls=None):
"""Add data based on a LDIF string.
@@ -279,10 +280,11 @@ def read_and_sub_file(file_name, subst_vars):
:param file_name: File to be read (typically from setup directory)
param subst_vars: Optional variables to subsitute in the file.
"""
- data = open(file_name, 'r', encoding="utf-8").read()
- if subst_vars is not None:
- data = substitute_var(data, subst_vars)
- check_all_substituted(data)
+ with open(file_name, 'r', encoding="utf-8") as data_file:
+ data = data_file.read()
+ if subst_vars is not None:
+ data = substitute_var(data, subst_vars)
+ check_all_substituted(data)
return data
diff --git a/python/samba/join.py b/python/samba/join.py
index b557eac03eb..4399367c817 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -256,8 +256,9 @@ class DCJoinContext(object):
ctx.del_noerror(res[0].dn, recursive=True)
- if "msDS-Krbtgtlink" in res[0]:
--
Samba Shared Repository