[SCM] Samba Shared Repository - branch v4-14-test updated
Stefan Metzmacher
metze at samba.org
Tue Oct 26 13:04:01 UTC 2021
The branch, v4-14-test has been updated
via c1d2a0570df ldb: Release ldb 2.3.1
via e425abeb7d2 pyldb: Make ldb.Message containment testing consistent with indexing
via fabd904977a pyldb: Add tests for ldb.Message containment testing
via 588749ba7ba pyldb: Raise TypeError for an invalid ldb.Message index
via a78c94440be pyldb: Add test for an invalid ldb.Message index type
via e37949faf91 s4/torture/drs/python: Fix attribute existence check
via d8f30194798 pyldb: Fix deleting an ldb.Control critical flag
via 320278f1cfb pytest:segfault: Add test for deleting an ldb.Control critical flag
via 2bb74e48c7f pyldb: Fix deleting an ldb.Message dn
via 805183c8165 pytest:segfault: Add test for deleting an ldb.Message dn
via 33e8ef79d4d Fix Python docstrings
via 6b5aba80e64 lib/krb5_wrap: Fix missing error check in new salt code
via 51324ea4a65 dsdb: Allow special chars like "@" in samAccountName when generating the salt
via d79ddfb027a tests/krb5: Add tests for account salt calculation
via 46ef1ac3f37 tests/krb5: Fix account salt calculation to match Windows
via b2157fd16de tests/krb5: Allow specifying the UPN for test accounts
via 68f9cc0b9f2 tests/krb5: Allow creating machine accounts without a trailing dollar
via cf03277b663 tests/krb5: Allow specifying prefix or suffix for test account names
via 3a813c6d70e tests/krb5: Decrease length of test account prefix
via 7fbdc4f0bc4 selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
via 64880dc2ad2 selftest/Samba3: remove unused close(USERMAP); calls
via 523b18be4b1 waf: Allow building with MIT KRB5 >= 1.20
via 1918feb3e9f selftest: Improve error handling and perl style when setting up users in Samba4.pm
via e4e9f671d03 selftest: Remove duplicate setup of $base_dn and $ldbmodify
via 93ea095a260 selftest: krb5 account creation: clarify account type as an enum
via 11a5c413da5 pytest: dynamic tests optionally add __doc__
via 0d100830605 selftest: Increase account lockout windows to make test more realiable
via 30b9be9601b pytest/rodc_rwdc: try to avoid race.
via 45cd642a456 HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
via 716b2825791 tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
via d8b9907d2a7 tests/krb5: Ensure PAC is not present if expect_pac is false
via 2149108966f kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
via 5cdec75f8bc kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
via 8034d387a8f tests/krb5: Add tests for requesting a service ticket without a PAC
via bb3fbf53ad1 tests/krb5: Add method to get the PAC from a ticket
via d09fa6b47b3 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
via 1a1f72c2e22 tests/krb5: Allow get_tgt() to request including or omitting a PAC
via 4e98f5d9d46 heimdal:kdc: Fix ticket signing without a PAC
via c3df114577d selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
via 4ecd119b7c1 krb5: Fix PAC signature leak affecting KDC
via eadd3b8844d s4:kdc: Check ticket signature
via a2c7a5a94e6 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
via c8bbd3d659b s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
via a1d8f275d10 kdc: correctly generate PAC TGS signature
via 4de575650ee kdc: use ticket client name when signing PAC
via 81e1564e3ee kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
via 15789d27dd9 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
via bf8ad7c0d29 krb5: rework PAC validation loop
via 5c5ca93aab7 krb5: allow NULL parameter to krb5_pac_free()
via 2d2da2af26e kdc: sign ticket using Windows PAC
via 4e4fa68e1b5 kdc: remove KRB5SignedPath, to be replaced with PAC
via 77f46ab1a4a s4/torture: Expect ticket checksum PAC buffer
via a3864293e82 s4:kdc: Fix debugging messages
via 8048b6fe8cf s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
via 761ae6dba67 tests/krb5: Fix duplicate account creation
via 0c828728e0d tests/krb5: Allow bypassing cache when creating accounts
via fbf52f34082 tests/krb5: Don't include empty AD-IF-RELEVANT
via f8ac3ccdb7c tests/krb5: Add constrained delegation tests
via 271b8cebf14 tests/krb5: Verify tickets obtained with get_service_ticket()
via a5f3863aec1 tests/krb5: Require ticket checksums if decryption key is available
via ec438f0b6ee tests/krb5: Add TKT_SIG_SUPPORT environment variable
via 1ddb8111ed5 selftest/dbcheck: Fix up RODC one-way links
via 2c65205c238 tests/krb5: Fix sha1 checksum type
via fd40fbe9a39 tests/krb5: Provide clearer assertion messages for test failures
via 2dc3b7d9a4c tests/krb5: Disable debugging output for tests
via 5620fbd2a3d tests/krb5: Simplify padata checking
via dafb8efd7f5 tests/krb5: Check logon name in PAC
via 1eb3f880c70 tests/krb5: Check padata types when STRICT_CHECKING=0
via e7150fe2968 tests/krb5: Add environment variable to specify KDC FAST support
via a26133b9f0a tests/krb5: Fix padata checking at functional level 2003
via 72c05a708d1 tests/krb5: Clarify checksum type assertion message
via 8537439913a tests/krb5: Use correct principal name type
via cb0b486f483 tests/krb5: Add compatability tests for ticket checksums
via d5e7162ae37 tests/krb5: Add parameter to enforce presence of ticket checksums
via a608f759105 tests/krb5: Supply supported account enctypes in tgs_req()
via d9135f31e33 tests/krb5: Allow specifying options and expected flags when obtaining a ticket
via 0e16f882d02 tests/krb5: Save account SPN
via 2c77e1d8771 tests/krb5: Check constrained delegation PAC buffer
via fbfdfb979f3 tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
via bbaa1159d2d tests/krb5: Add expect_claims parameter to kdc_exchange_dict
via 68275cdd191 tests/krb5: Fix checking for presence of error data
via 0bdeb9cebf0 tests/krb5: Remove unneeded parameters from ticket cache key
via 316df8064de tests/krb5: Fix assertElementFlags()
via 191a0e9dbb3 tests/krb5: Make expected_sname checking more explicit
via ca549882cf6 tests/krb5: Fix status code checking
via 0547b4ebcdd tests/krb5: Fix handling authdata with missing PAC
via a4e9eb693a9 tests/krb5: Allow excluding the PAC server checksum
via f2c1535f8b6 tests/krb5: Fix checksum generation and verification
via 08608d9f50e tests/krb5: Fix method for creating invalid length zeroed checksum
via bd1aa18c52b tests/krb5: Introduce helper method for creating invalid length checksums
via d5566cbb681 tests/krb5: Add assertion to make failures clearer
via ce2da506c77 tests/krb5: Allow created accounts to use resource-based constrained delegation
via 22477380e69 tests/krb5: Rename allowed_to_delegate_to parameter for clarity
via b5432f5203f tests/krb5: Fix PA-PAC-OPTIONS checking
via 505eb4e71f7 tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
via 2af40a2ddf2 tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
via 91df69559c5 tests/krb5: Remove unused parameter
via 85053e6eb2e tests/krb5: Rename method parameter
via bb6eb577c05 tests/krb5: Add classes for testing invalid checksums
via 4cf6614a16a tests/krb5: Add method to determine if principal is krbtgt
via 6868628eab7 tests/krb5: Verify checksums of tickets obtained from the KDC
via 1c1154d81ad tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
via 5cd321086ba tests/krb5: Simplify account creation
via ac378a754bd tests/krb5: Provide ticket enc-part key to tgs_req()
via 0fbff441fc7 tests/krb5: Fix checking for presence of authorization data
via e71cfc36ad7 tests/krb5: Add method to get DC credentials
via c08defb5a7d tests/krb5: Allow tgs_req() to check the returned ticket enc-part
via 39941358333 tests/krb5: Set key version number for all accounts created with create_account()
via 15c7c561f7b tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
via 4ace77d830b tests/krb5: Get supported enctypes for credentials from database
via 84973c79a79 tests/krb5: Add methods to convert between enctypes and bitfields
via efc3d6edd69 tests/krb5: Make get_default_enctypes() return a set of enctype constants
via f2744977896 tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
via 02c17fe22be tests/krb5: Add method for modifying a ticket and creating PAC checksums
via bee8264f1bc tests/krb5: Add method to verify ticket PAC checksums
via 1301ed37c44 tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
via 4fc5d67f601 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
via 912bac3ba71 tests/krb5: Cache obtained tickets
via 10db9a0bfb0 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
via 5db1b57b20d tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
via 459e3bd695b tests/krb5: Allow get_tgt() to specify expected and unexpected flags
via b14183e7f35 tests/krb5: Allow get_tgt() to specify different kdc-options
via 65a269f1e31 tests/krb5: Allow get_tgt() to get tickets from the RODC
via 1e6c77a03af tests/krb5: Allow get_service_ticket() to get tickets from the RODC
via 690d90ba615 tests/krb5: Set DN of created accounts to ldb.Dn type
via 7ad68c8cc59 tests/krb5: Don't manually create PAC request and options in fast_tests
via 71c46e032a9 tests/krb5: Use PAC buffer type constants from krb5pac.idl
via eb103f6337a tests/krb5: Allow as_req() to specify different kdc-options
via aff414e2a75 tests/krb5: Allow tgs_req() to send requests to the RODC
via 8c7d78a2e1a tests/krb5: Allow tgs_req() to specify different kdc-options
via c2a61c2c911 tests/krb5: Allow tgs_req() to send additional padata
via 76f1deb3cd8 tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
via 61cc6767c32 tests/krb5: Check correct flags element
via 5812a13ec5f tests/krb5: Add helper method for modifying PACs
via bf06918b44d python/join: Check for correct msDS-KrbTgtLink attribute
via 0dcab6505c6 python: Don't leak file handles
via 6614fee6e8b tests/krb5: Allow replicating accounts to the created RODC
via 82a19ce548e tests/krb5: Create RODC account for testing
via 10e46b9b74b tests/krb5: Allow replicating accounts to the RODC
via fadecadfe2f tests/krb5: Add get_secrets() method to get the secret attributes of a DN
via 61739d1a33a tests/krb5: Add method to get RODC krbtgt credentials
via 811714e4f6b tests/krb5: Sign-extend kvno from 32-bit integer
via 58f68bf357f tests/krb5: Generate padata for FAST tests
via 18c892942ee tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
via 7594ba47c19 tests/krb5: Get encpart decryption key from kdc_exchange_dict
via 0e1d6fda206 tests/krb5: Get expected cname from TGT for TGS-REQ messages
via dcd13ba166e tests/krb5: Allow specifying status code to be checked
via 23eaf0160ad tests/krb5: Create testing accounts in appropriate containers
via fc91b526f7d tests/krb5: Check for presence of 'key-expiration' element
via 95c7eba3951 tests/krb5: Check 'caddr' element
via 1984c30ce37 tests/krb5: Check for presence of 'renew-till' element
via 0e80a7ef9c4 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
via 39a7676c868 tests/krb5: Make time assertion less strict
via d5b1b59cde4 tests/krb5: Allow specifying ticket flags expected to be set or reset
via 3edaa318df9 tests/krb5: Remove magic constants
via d94233f1e0c tests/krb5: Don't create PAC request or options manually in fast_tests
via 7d955391e29 tests/krb5: Don't create PAC request manually in as_req_tests
via f63461ffd80 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
via 7b6848c73b0 tests/krb5: Move padata generation methods to base class
via c8c0af0b20f tests/krb5: Keep track of account DN in credentials object
via ee2a85aba9f tests/krb5: Allow specifying additional User Account Control flags for account
via dadedd0d550 tests/krb5: Allow specifying an OU to create accounts in
via e1fa2fff930 tests/krb5: Replace expected_cname_private with expected_anon parameter
via 231d508a472 tests/krb5: Use more compact dict lookup
via a87fdc6629f tests/krb5: Add KDCOptions flag for constrained delegation
via 22aa29993e0 tests/krb5: Use signed integers to represent key version numbers in ASN.1
via ba22aee1d8c tests/krb5: Add methods to obtain the length of checksum types
via 67d713b9362 tests/krb5: Calculate expected salt if not given explicitly
via fb63bdd8283 security.idl: Add well-known SIDs for FAST
via 6acbb94dadd krb5pac.idl: Add ticket checksum PAC buffer type
from 44636fa0378 ctdb-tests: add a comment to the generated public_addresses file used by eventscript UNIT tests
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test
- Log -----------------------------------------------------------------
commit c1d2a0570dfc697bbdda6047f10da4ea9cf261f8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 4 21:57:25 2021 +1300
ldb: Release ldb 2.3.1
* Corrected python behaviour for 'in' for LDAP attributes
contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(v4-14-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184
commit e425abeb7d228615a2766ddd497b26af228a022b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 14:39:59 2021 +1200
pyldb: Make ldb.Message containment testing consistent with indexing
Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.
Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)
commit fabd904977ab34244195fff424502672846413e1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 13:48:57 2021 +1200
pyldb: Add tests for ldb.Message containment testing
These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)
commit 588749ba7ba7a0cf1f11583f9570275c67616d35
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 13:39:56 2021 +1200
pyldb: Raise TypeError for an invalid ldb.Message index
Previously, a TypeError was raised and subsequently overridden by a
KeyError.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)
commit a78c94440be47741f6c0d81d766af64055833da2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 13:22:05 2021 +1200
pyldb: Add test for an invalid ldb.Message index type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)
commit e37949faf918a960292a8cb48265427defcbe557
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 19:18:39 2021 +1200
s4/torture/drs/python: Fix attribute existence check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit fb758c32e7633178f42dc2c031667b10c2ca6e90)
commit d8f30194798a83c27348e4aa5ee5ed7411ae4379
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 11:16:09 2021 +1200
pyldb: Fix deleting an ldb.Control critical flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d25a21d6024c6c2f8e4634f45e3944d8acbf8b8)
commit 320278f1cfb4ebcd0579d448ff774206a6b94d18
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 11:13:02 2021 +1200
pytest:segfault: Add test for deleting an ldb.Control critical flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit b1adaa517c1237a473bdcf818523f5107df3d6b0
as @no_gdb_backtrace is not in Samba 4.14]
commit 2bb74e48c7f0b84c4972d84e3b54d6fa1c06081e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 11:12:16 2021 +1200
pyldb: Fix deleting an ldb.Message dn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit d7af772de88885f46708329ff7bb5798da91d2c7
due to conflicts in knownfail.d/python-segfaults]
commit 805183c81657271abce450f04e20285038acaffa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Sat Sep 25 10:56:25 2021 +1200
pytest:segfault: Add test for deleting an ldb.Message dn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit 6a041f6a99c39632d5c32e9d53b06719c20bef2c
as other segfaulting tests are listed in knownfail.d/python-segfaults
and @no_gdb_backtrace is not in 4.14]
commit 33e8ef79d4d8a8b4b991cdb2cfdf56a66c101dae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 16:48:55 2021 +1200
Fix Python docstrings
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Sat Sep 4 00:55:32 UTC 2021 on sn-devel-184
(cherry picked from commit 02b187303369d3ce0c19dfb72ffa78f86a3911f0)
commit 6b5aba80e648a2b1c67c802c44ea7060540ac262
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 10:50:36 2021 +1300
lib/krb5_wrap: Fix missing error check in new salt code
CID 1492905: Control flow issues (DEADCODE)
This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
(cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)
commit 51324ea4a6507d550f08b7166701f72f7752a100
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 19 16:01:36 2021 +1300
dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
(cherry picked from commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed)
commit d79ddfb027a47a5cf81f14d77ebced2b38844442
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:46:36 2021 +1300
tests/krb5: Add tests for account salt calculation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org backported from commit 46039baa81377df10e5b134e4bb064ed246795e4
as the no_preauth side of the testsuite shows differences in enctypes
in Samba 4.14. The change is only in salt calculation so this is
not vital]
commit 46ef1ac3f37118aa6c4a67c98a6fbd3829905153
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:47 2021 +1300
tests/krb5: Fix account salt calculation to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe)
commit b2157fd16de68853c98422cfcaea6bd35faa3a42
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:08 2021 +1300
tests/krb5: Allow specifying the UPN for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 889476d1754f8ce2a41557ed3bf5242c1293584e)
commit 68f9cc0b9f299f8690036b19570826b1798b1523
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:44:19 2021 +1300
tests/krb5: Allow creating machine accounts without a trailing dollar
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f4785ccfefe7c89f84ad847ca3c12f604172b321)
commit cf03277b663796a22d9fffbfdb6db270169a0385
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:41:39 2021 +1300
tests/krb5: Allow specifying prefix or suffix for test account names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5)
commit 3a813c6d70e0a6b390f550ec208599ad4f79a661
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:39:05 2021 +1300
tests/krb5: Decrease length of test account prefix
This allows us more room to test with different account names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a5a6296e57cab2b53617d997c37b4e92d4124cc7)
commit 7fbdc4f0bc4783eac09be6adcda8db986712501f
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 16:42:00 2021 +0200
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
commit 64880dc2ad2ac44b0a133248d56c6ac2169a4140
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:04:55 2021 +0200
selftest/Samba3: remove unused close(USERMAP); calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit d998f7f8df215866ab32e05be772e24fc0b2131c
as offline login tests are not in Samba 4.14]
commit 523b18be4b1304cbfe0fb25ebd13245278fe33c8
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 4 13:02:35 2021 +0200
waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the prototype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5d8e794551b5df835f07e2bd8348fef746144601)
commit 1918feb3e9fcba21df55a48e28786243fe9c58a7
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 11:55:14 2021 +1300
selftest: Improve error handling and perl style when setting up users in Samba4.pm
This catches errors and avoids using global variables (the old-style
file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 459200caba04fd83ed650b9cdfe5b158cf9a149f)
commit e4e9f671d0349540e80c197e7e4a0e49ffcac0d3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 20:44:54 2021 +1300
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a)
commit 93ea095a260f45d27b69b08a323d093c0dea1cde
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:09 2021 +1300
selftest: krb5 account creation: clarify account type as an enum
This makes the code clearer with a symbolic constant rather
than a True/False boolean.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 49306f74eb29a2192019fab9260f9d242f9d5fd9)
commit 11a5c413da5e690e2aafde5aaff5417619c9ef94
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 6 11:08:10 2021 +1200
pytest: dynamic tests optionally add __doc__
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit aacb18f920349e13b562c7c97901a0be7b273137)
commit 0d100830605dd95e2ff308a2deb43bd8c31f1dc1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 16:27:40 2021 +1200
selftest: Increase account lockout windows to make test more realiable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 6292f0597f208d7953382341380921cf0fd0a8a8)
commit 30b9be9601b19ef492b6170a74c917bd0cd9eaa7
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 8 17:01:26 2021 +1200
pytest/rodc_rwdc: try to avoid race.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a169e013e66bab15e594ce49b805edebfcd503cf)
commit 45cd642a45669619b23ecec7f0735dfe9804bb99
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: Wed Aug 10 23:31:14 2016 +0000
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
(cherry picked from commit 7e961f3f7a815960ae25377d5b7515184d439690)
commit 716b2825791f64040ad69f88c5324ae045d108f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:07:11 2021 +1300
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
(cherry picked from commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef)
commit d8b9907d2a78fa06a0fd944eeee4a6bdd0e02614
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:05:19 2021 +1300
tests/krb5: Ensure PAC is not present if expect_pac is false
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)
commit 2149108966f4159a218a901c19bea3921d68fa1e
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 16:00:45 2021 +1300
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped, rather than an error being given if the PAC
was still present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542)
commit 5cdec75f8bceee0e4996682d09104ff076e241b3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 15:21:50 2021 +1300
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org backported from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
as there was a knownfail conflict with the test_remove_pac case
which succeeds on this branch]
commit 8034d387a8fcdd455be24a1fcb48a488bfde0f03
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:29:26 2021 +1300
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
[abartlet at samba.org backported from commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
as the MIT KDC 1.16 seen on the reference Ubuntu 18.04 does not fail
test_remove_pac]
commit bb3fbf53ad1bd665d0a02e5459a9eef631802f4c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:25 2021 +1300
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 288355896a2b6f460c42559ec46ff980ab57782e)
commit d09fa6b47b30165769041143f210816a447f5c9f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:15 2021 +1300
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0dc69c1327f72384628a869a00482f6528b8671b)
commit 1a1f72c2e2297a39b9743b13ebb94adf027a30a1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:26:40 2021 +1300
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5)
commit 4e98f5d9d4609e88783580b6a4d752b4d54f505e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 12:12:30 2021 +1300
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216)
commit c3df114577d5a535b0e0c0dc1ec4beed0907e25c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 15 13:09:20 2021 +1300
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct in intention, but, because there is a
race, it was not noticed that the incorrect rule was appended to.
These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
(cherry picked from commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4)
commit 4ecd119b7c1aff7db9fc1f475121debe464391c2
Author: Nicolas Williams <nico at twosigma.com>
Date: Sun Oct 10 21:55:59 2021 -0500
krb5: Fix PAC signature leak affecting KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
54581d2d52443a9a07ed5980df331f660b397dcf]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f6adfefbbb41b9100736134d0f975f1ec0c33c42)
commit eadd3b8844d1e4162558f443e5cd4905f12667e6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:08:39 2021 +1300
s4:kdc: Check ticket signature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 02fa69c6c73c01d82807be4370e838f3e7c66f35)
commit a2c7a5a94e68ce19ffb877d4d68ce1ceb44c622d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:43:41 2021 +1300
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3bdce12789af1e7a7aba56691f184625a432410d)
commit c8bbd3d659bbe42436cf43e8e32ca8da30adce39
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Aug 11 13:27:11 2021 +1200
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1)
commit a1d8f275d10cb7e311609d915132aa6f87c872fa
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 17:51:51 2021 +1000
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Boukris <iboukris at gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a)
commit 4de575650ee1d809e9e242b4a7ea802071f0da89
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 14:39:35 2021 +1000
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 75d1a7cd14b134506061ed64ddb9b99856231d2c)
commit 81e1564e3eeddb4e6f2b63af87d14302e4ad2fc7
Author: Luke Howard <lukeh at padl.com>
Date: Sun Jan 6 17:54:58 2019 +1100
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit db30b71f79864a20b38a1f812a5df833f3a92de8)
commit 15789d27dd9ec30d4d313849cc2689c54929b13b
Author: Luke Howard <lukeh at padl.com>
Date: Fri Sep 17 13:57:57 2021 +1000
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d6a472e953545ec3858ca969c1a4191e4f27ba63)
commit bf8ad7c0d292b44556c9e8b8c6118134e461a5fa
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:16:58 2021 +0300
krb5: rework PAC validation loop
Avoid allocating the PAC on error.
Closes: #836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2773379603a5a625c5d1c6e62f29c442942ff570)
commit 5c5ca93aab796dbfc1c2e428890aa6c5fa6f0b81
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:04:14 2021 +0300
krb5: allow NULL parameter to krb5_pac_free()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
b295167208a96e68515902138f6ce93972892ec5]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76)
commit 2d2da2af26e621e20bdb13f7a85fdb98569f9724
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Aug 13 12:44:37 2021 +0300
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed with the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vice versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit d7b03394a9012960d71489e775d40d10fd6f5232
due to conflicts in knownfail due to missing tests that crash the
MIT KDC]
commit 4e4fa68e1b5fbad23d87ba2b9c85e8f8f89d917a
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Dec 28 22:07:10 2020 +0200
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
- Removed tests
- Removed auditing hook (only present in Heimdal master)
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ccabc7f16cca5b0dcb46233e934e708167f1071b)
commit 77f46ab1a4a70de542fc035b20c829d4cab51082
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:42:29 2021 +1300
s4/torture: Expect ticket checksum PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd
due to missing tests in Samba 4.14 that crashed the MIT KDC]
commit a3864293e828dade0ff63412517530a5267d0716
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:40:21 2021 +1300
s4:kdc: Fix debugging messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c14c61748b5a2d2a4f4de00615c476fcf381309e)
commit 8048b6fe8cfd2887090a5aec682060b396794f6b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:06:58 2021 +1300
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7149eeaceb426470b1b8181749d2d081c2fb83a4)
commit 761ae6dba6720bea48fdcc8bc695d5724fc00c1a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:39 2021 +1300
tests/krb5: Fix duplicate account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3dede18c5a1801023a60cc55b99022b033428350)
commit 0c828728e0d2c6a3f76247d12aeafa1eee991a10
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:41:35 2021 +1300
tests/krb5: Allow bypassing cache when creating accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3948701f1d0f3ccd06f6dad56ca72833d66b1d84)
commit fbf52f34082a4ce970042d1cbfb56f9d72e3630d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:07:40 2021 +1300
tests/krb5: Don't include empty AD-IF-RELEVANT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a08399cd8169a525cc9e7aed99da84ef20e5b9c)
commit f8ac3ccdb7cf9c67b8a842e0c51faaae8aa6bee4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 15:03:04 2021 +1300
tests/krb5: Add constrained delegation tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 56ccdba54e0c7cf3409d8430ea1012e5d3d9b092)
commit 271b8cebf14be3f99944b984dd96919af16c63f2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:35:47 2021 +1300
tests/krb5: Verify tickets obtained with get_service_ticket()
We only require the ticket checksum with Heimdal, because MIT currently
doesn't add it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d86eee2fd0fb72e52d878ceba0c476ca58abe6cf)
commit a5f3863aec192fbf1a7366da516475c066e5f942
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 15:39:11 2021 +1300
tests/krb5: Require ticket checksums if decryption key is available
We perform this check conditionally, because MIT doesn't currently add
ticket checksums.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bf63221722903665e7b20991021fb5cdf4e4327e)
commit ec438f0b6eefb83b0d09357a67d2cc6be27a90fc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:58:15 2021 +1300
tests/krb5: Add TKT_SIG_SUPPORT environment variable
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit ae2c57fb0332f94ac44d0886c5edbed707ef52fe
due to changes in other tests nearby in tests.py]
commit 1ddb8111ed540841b075749e13678c7c6ad98f9e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 13 12:26:22 2021 +1300
selftest/dbcheck: Fix up RODC one-way links
Test accounts were replicated to the RODC and then deleted, causing
stale links to remain in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40e5db4aabcd32834ee524857b77d36921f6bdfe)
commit 2c65205c2387549a19318b0d50811ce87bbc0c85
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 16:32:01 2021 +1300
tests/krb5: Fix sha1 checksum type
Previously, sha1 signatures were being designated as rsa-md5-des3
signatures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ebe729786806c69e95b26ffc410e887e203accb8)
commit fd40fbe9a39908d5a27ec2dad0c8ead4963faef4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 19:47:22 2021 +1300
tests/krb5: Provide clearer assertion messages for test failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5233f002000f196875af488b4f4d1df26fca90de)
commit 2dc3b7d9a4cbea44fc59f6ec2748eba8314d7e4d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 11:48:41 2021 +1300
tests/krb5: Disable debugging output for tests
This reduces the time spent running the tests in a testenv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dfd613661eec4b81e162f2d86a8fa9266c2fdc03)
commit 5620fbd2a3d4dbb4cac1fe5883b7d022e5c29896
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:49:34 2021 +1300
tests/krb5: Simplify padata checking
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cf3ca6ac4567d7c7954ea4ecc8cc9dd5effcc094)
commit dafb8efd7f586afd18413b40b949298913c9402b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:48:03 2021 +1300
tests/krb5: Check logon name in PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e7c39cc44f2e16aecb01c0afc195911a474ef0b9)
commit 1eb3f880c703f43730446236b0b4d2f88704e934
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:45:45 2021 +1300
tests/krb5: Check padata types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit bd22dcd9cc4dfda827f892224eb2da4a16564176
to Samba 4.14 due to conflicts in
knownfail as the test which crashes older MIT KDC versions is
omitted]
commit e7150fe29689df9d2df5d08fb8dc06248ba80889
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 12 11:34:59 2021 +1300
tests/krb5: Add environment variable to specify KDC FAST support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit 238f52bad811688624e9fd4b1595266e2149094a
because tests.py changed in more recent releases with new tests nearby]
commit a26133b9f0a4da4f376ded0f30bb0477b772eb81
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 16:15:43 2021 +1300
tests/krb5: Fix padata checking at functional level 2003
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 72265227e9c2037b63cdfb01a456a86ac8932f59)
commit 72c05a708d11699b7a474e2bf2fae8304ac4b9d7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:39:26 2021 +1300
tests/krb5: Clarify checksum type assertion message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ee2b7e2c77f021984ec583fa0c4c756979197b0f)
commit 8537439913a93c2471abb7b1591f31493ee12c6f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:37:03 2021 +1300
tests/krb5: Use correct principal name type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 687c8f94c68af9f1e44771dfd7219eeb41382bba)
commit cb0b486f483ff5554fc1f7adf125698750854ce7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:43:05 2021 +1300
tests/krb5: Add compatability tests for ticket checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org: Backported from ec4b264bdf9ab64a728212580b344fbf35c3c673
to Samba 4.14 due to conflicts in
knownfail as the test which crashes older MIT KDC versions is
omitted]
commit d5e7162ae37f3eb7d31a211e9b49cf62509b27ba
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 16:53:35 2021 +1300
tests/krb5: Add parameter to enforce presence of ticket checksums
This allows existing tests to pass before this functionality is
implemented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ef24fe982d750a42be81808379b0254d8488c559)
commit a608f75910526816da7d63fa7635a2ddd2884f5f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:52:01 2021 +1300
tests/krb5: Supply supported account enctypes in tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 248249dc0acac89d1495c3572cbd2cbe8bdca362)
commit d9135f31e33058d444f89bb7c54d8daf80c1f388
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:48:50 2021 +1300
tests/krb5: Allow specifying options and expected flags when obtaining a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 34020766bb7094d1ab5d4fc4c0ee89ccb81f39f1)
commit 0e16f882d02a5173862056e50490e8d60853cb15
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:41:23 2021 +1300
tests/krb5: Save account SPN
This is useful for testing delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bb58b4b58c66a6ada79e886dd0c44401e1c5878c)
commit 2c77e1d8771e8206e699d3df687dd017c0f46e1c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:26:54 2021 +1300
tests/krb5: Check constrained delegation PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e232fa1c9e5760ae6b9a99b5e7aa5513b84aa8b)
commit fbfdfb979f3277e6504c15faa1a8212cb657889f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:15:26 2021 +1300
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit aa2e583fdea4fd93e4e71c54630e32a1035d1e2a)
commit bbaa1159d2dbfc0d8bcab153c9e10137507fd315
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:10:07 2021 +1300
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cfc225b549108739bd86e222f2f35eb96af4ea3)
commit 68275cdd1911c4e587f2cffd43d282b3abdbb13d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 15:48:58 2021 +1300
tests/krb5: Fix checking for presence of error data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ab92dc16d20b0996b8c46714652c15019c795095)
commit 0bdeb9cebf0309f50ddae7e7c2f38ca740993c95
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 14:02:37 2021 +1300
tests/krb5: Remove unneeded parameters from ticket cache key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7fba83c6c6309a525742c38e904d3e473db99ef1)
commit 316df8064dea1d1b6d318231f18e8a7ae2b65bca
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:03:49 2021 +1300
tests/krb5: Fix assertElementFlags()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 788b3a29eea62f9f38ca8865c7cb7860bdc94bec)
commit 191a0e9dbb3a8b4b04168bf11c54c13482cff4e2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:01:30 2021 +1300
tests/krb5: Make expected_sname checking more explicit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit 8f6d369d709614e2f5c0684882c62f0476bcafa2
to Samba 4.14 as the test which crashes older MIT KDC versions is
omitted]
commit ca549882cf62299935a5416ab8bb9e0a0a643827
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:16:58 2021 +1300
tests/krb5: Fix status code checking
The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 012b6fcd1976c6570e9b92c133d8c21e543e5a4f)
commit 0547b4ebcdd5f25d09b47a0691e6d6b7435fd346
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:06:03 2021 +1300
tests/krb5: Fix handling authdata with missing PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a4bc712ee02f32c2d04dfc2d99d58931344e5ceb)
commit a4e9eb693a92ed8ca5bcafb1ae2aaf02cc8e6e36
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:03:33 2021 +1300
tests/krb5: Allow excluding the PAC server checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dcf45a151a198f7165cd332a26db78a5d8e8f8c5)
commit f2c1535f8b68e618f90f7cfa320c7fc61af60bbc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:59:42 2021 +1300
tests/krb5: Fix checksum generation and verification
The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a927cecafdd5ad6dc5189fa98cb42684c9c3b033)
commit 08608d9f50e4240fdcd4beef57eabeed825a8563
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:56:21 2021 +1300
tests/krb5: Fix method for creating invalid length zeroed checksum
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae09219c3a1c6d47817f51baf3784e8986c7478d)
commit bd1aa18c52bb2ad6f857c9bf30bd988556fb9fe9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:54:49 2021 +1300
tests/krb5: Introduce helper method for creating invalid length checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d142dc3a452b0f06efc66f422402ee6e553ee7c)
commit d5566cbb6815cd0f0dcb10195edf99cc255b2b3e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:52:17 2021 +1300
tests/krb5: Add assertion to make failures clearer
These failures may occur if tests are not run against an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cda50b5c505072989abf84c209e16ff4efe2e628)
commit ce2da506c772af4a28a45939f4ba25a22500848e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:50:36 2021 +1300
tests/krb5: Allow created accounts to use resource-based constrained delegation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bba8cb8dce19e47a7b813efd9a7527e38856435e)
commit 22477380e69e92953f74ac35f61da442e77dc834
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:47:39 2021 +1300
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
This helps to distinguish resource-based and non-resource-based
constrained delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 31817c383c2014224b1397fde610624663313246)
commit b5432f5203fc16d5cc6ebe00cf659c9a0a94580f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:54:33 2021 +1300
tests/krb5: Fix PA-PAC-OPTIONS checking
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fd00135fa4dff4331d86b228ccc01f834476997)
commit 505eb4e71f7d31549f6038312fcbbde7050038b9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:51:01 2021 +1300
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 6f1282e8d34073d8499ce919908b39645b017cb8)
commit 2af40a2ddf23d843aac7637ae094ae439d14fcfb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:23:17 2021 +1300
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ce433ff868d3cdf8e8a6e4995d89d6e036335fb6)
commit 91df69559c5b09f2a9d32e577e09bcefce85f303
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:51 2021 +1300
tests/krb5: Remove unused parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8e4b21590836dab02c1864f6ac12b3879c4bd69c)
commit 85053e6eb2ec716046e502f304614ef8d863d3c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:24 2021 +1300
tests/krb5: Rename method parameter
For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d501ddca3b7b9c39c0b3eccf19176e3122cf5b9d)
commit bb6eb577c0530540d145f3b7ec7c5e0d39c80d3a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:10:35 2021 +1200
tests/krb5: Add classes for testing invalid checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184
(cherry picked from commit 5b331443d0698256ee7fcc040a1ab8137efe925d)
commit 4cf6614a16a89f74045e1eb5db288dd1cf91ea15
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:06:18 2021 +1200
tests/krb5: Add method to determine if principal is krbtgt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8)
commit 6868628eab75e155305ac711b4b6b8ff4fbbd92d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:10:07 2021 +1200
tests/krb5: Verify checksums of tickets obtained from the KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ea7b550a500d9e458498d37688b67dafd3d9509d)
commit 1c1154d81ad9ad32fd2c43902073a63c7063ead4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:54:47 2021 +1200
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1458cd9065de34c42bd5ec63feb2f66c25103982)
commit 5cd321086ba7e87fcb8949de9769ef45880ecde8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:05:58 2021 +1200
tests/krb5: Simplify account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 394e8db261b10d130c5e5730989bf68f9bf4f85f)
commit ac378a754bd3f7ac37005ba11040076f77a5dc0a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 22 11:41:45 2021 +1200
tests/krb5: Provide ticket enc-part key to tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c)
commit 0fbff441fc71c167ee5ab38db6405044a421564c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:08:16 2021 +1200
tests/krb5: Fix checking for presence of authorization data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f9284d8517edd9ffd96f0c24166a16366f97de8f)
commit e71cfc36ad7b4748806c58e425672b5df9eebf5d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:58:09 2021 +1200
tests/krb5: Add method to get DC credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239)
commit c08defb5a7df10f2598c2ae844f6f3fe22e481b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:59:24 2021 +1200
tests/krb5: Allow tgs_req() to check the returned ticket enc-part
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 38b4b334caf1b32f1479db3ada48b2028946f5e6)
commit 39941358333cd1c9acbbcdca851f538bf41b1c91
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:54:39 2021 +1200
tests/krb5: Set key version number for all accounts created with create_account()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655)
commit 15c7c561f7bb29c2b436d5c34b8ce84a2579743b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:11:28 2021 +1200
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 14cd933a9d6af08deb680c9f688b166138d45ed9)
commit 4ace77d830bce86e29380ce7dd4568f581e35960
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:10:49 2021 +1200
tests/krb5: Get supported enctypes for credentials from database
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b6eaf2cf44fb66d8f302d4cab050827a67de3ea4)
commit 84973c79a7926b16d47a084ee88a6e3e8ace81b5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 21:01:46 2021 +1200
tests/krb5: Add methods to convert between enctypes and bitfields
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 432eba9e09849e74f4c0f2d7826d45cbd2b7ce42)
commit efc3d6edd69439a72ab7b75934387f65c7c1d86e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:01:12 2021 +1200
tests/krb5: Make get_default_enctypes() return a set of enctype constants
This is often more convenient than a bitfield.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cedd383bcc1b5652ea65817b464d6e0485c7b8b)
commit f274497789601bfa62db3e6e8f5248c1b68bc00c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:33:16 2021 +1200
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4c67a53cdca206a118e82b356db0faf0ddc011ab)
commit 02c17fe22bed720814610418cc7fedf54a49a777
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 15:26:12 2021 +1200
tests/krb5: Add method for modifying a ticket and creating PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fcde7cb6ce50e0a08097841e92476f320560664)
commit bee8264f1bc9360c5bbe15e60e7b5161358efecf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 14:56:51 2021 +1200
tests/krb5: Add method to verify ticket PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 12b5e72a35d632516980f6c051a5d83f913079e7)
commit 1301ed37c447682a32356e470ec9cf85d2416f87
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 17:20:22 2021 +1200
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184
(cherry picked from commit ec95b3042bf2649c0600cafb12818c27242b5098)
commit 4fc5d67f601ee02a968d69a504653fc794d12380
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 16:54:57 2021 +1200
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
Creating a zeroed checksum is needed for signing a PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a562882b15125902c5d89f094b8c9b1150f5d010)
commit 912bac3ba71ef07a8d5c90810e08551938f1b89f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:20 2021 +1200
tests/krb5: Cache obtained tickets
Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 419e4061ced466ec7e5e23f815823b540ef4751c)
commit 10db9a0bfb05924c1e9721f5def2425abac5cd57
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:05 2021 +1200
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6193f7433b15579aa32b26a146287923c9d3844d)
commit 5db1b57b20d1c8fc6f7ecf6204427a6e4e851775
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:24:46 2021 +1200
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 59c1043be25b92db75ab5676601cb15426ef37a3)
commit 459e3bd695b98f8efff4b4bc5c98ba1e2270d25f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:45 2021 +1200
tests/krb5: Allow get_tgt() to specify expected and unexpected flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce)
commit b14183e7f35ee1536594a66664465956066723ae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:06 2021 +1200
tests/krb5: Allow get_tgt() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3)
commit 65a269f1e31dd402fa048d99a3676d9a6df0f87d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:41:46 2021 +1200
tests/krb5: Allow get_tgt() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d69805b1e3a8022f1418605e5f29ae0bbaa4a06)
commit 1e6c77a03afa9595d06141060a7a9ed58f5793a0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:38:38 2021 +1200
tests/krb5: Allow get_service_ticket() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5d3a135c2326edc9ca8f56bea24d2f52320f4fd6)
commit 690d90ba615ccbf0094fb1a93d29be1e651cc879
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:19:28 2021 +1200
tests/krb5: Set DN of created accounts to ldb.Dn type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7645dfa5bedee7ef3f7debbf0fa7600bd1c4bd79)
commit 7ad68c8cc59be645b9e6506c5253eca027900ec9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:13:51 2021 +1200
tests/krb5: Don't manually create PAC request and options in fast_tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c226029655ca361560d93298a6729a021f2f6b75)
commit 71c46e032a9d0a0f9809b237c1fa09cbc4619efa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:06:51 2021 +1200
tests/krb5: Use PAC buffer type constants from krb5pac.idl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3504e99dc5bcc206ca2964012b7fdca541555416)
commit eb103f6337a6a433b204ce8640324fe0f6a1a744
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:52:46 2021 +1200
tests/krb5: Allow as_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a5e62d681d81a422bac7bd89dc27ef2314d77457)
commit aff414e2a7586384d36502a8e825ac20f4a88f14
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:25:01 2021 +1200
tests/krb5: Allow tgs_req() to send requests to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6403a09d94ab54f89d6e50601ae6b19ab7e6aae7)
commit 8c7d78a2e1aefb9d3f4dcfd07c4bcdd95c1096d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:18:12 2021 +1200
tests/krb5: Allow tgs_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a3426da54463c3e454c1b76c3df4e96882e6aa9)
commit c2a61c2c911ca5bb928b6bd68c3eb72c7d98e0fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:16:27 2021 +1200
tests/krb5: Allow tgs_req() to send additional padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1f0654b8facf3b9b2288d2569a573ff3a5ca4a82)
commit 76f1deb3cd85333bf469128d6e56996db8dde182
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:13:09 2021 +1200
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2a4d53dc12aa785f696e53ae3376f67375ce455f)
commit 61cc6767c32cb131e24c1f303c9d312e4d3d395c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:22:28 2021 +1200
tests/krb5: Check correct flags element
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0061fa2c2a26d990ed2e47441bca8797fc9be356)
commit 5812a13ec5febc96d718377178727327160c132f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 15 20:56:28 2021 +1200
tests/krb5: Add helper method for modifying PACs
This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a281ae09bcf35277c830c4112567c72233fd66b8)
commit bf06918b44d2737f3b696430e6db2d03878158f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 10 14:02:22 2021 +1200
python/join: Check for correct msDS-KrbTgtLink attribute
Previously, the wrong case was used when checking for this attribute,
which meant krbtgt accounts were not being cleaned up.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 21a7717359082feaddfdf42788648c3d7574c28e)
commit 0dcab6505c62475f0d30012c748322e0f8d76ced
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:42:28 2021 +1200
python: Don't leak file handles
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit cde38d36b98f1d40e7b58cd4c4b4bedfab76c390)
commit 6614fee6e8b47ec8052306281fb3e5642dfbddcc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:31 2021 +1200
tests/krb5: Allow replicating accounts to the created RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 35292bd32225b39ad7a03c3aa53027458f0671eb)
commit 82a19ce548eac76f9ce4ca60f2b6b4c98aa87cbb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:05 2021 +1200
tests/krb5: Create RODC account for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit ef5666bc51ca80e1acdadd525a9c61762756c8e3)
commit 10e46b9b74bc581ade5fde1d3936f652448b03ef
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 22:13:24 2021 +1200
tests/krb5: Allow replicating accounts to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 3cc9e77f38f6698aa01abca4285a520c7c0cd2ac)
commit fadecadfe2f42bc43eea50be0a479eef494d5c0a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:58:01 2021 +1200
tests/krb5: Add get_secrets() method to get the secret attributes of a DN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit af633992e31e839cdd7f77740c1f25d129be2f79)
commit 61739d1a33a57d54a184fd09e89f349f4e7eb385
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:20:23 2021 +1200
tests/krb5: Add method to get RODC krbtgt credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5bf7aad54b7053417a24ae0918ee42ceed7bf21)
commit 811714e4f6b32d667659810c422096fc992da11a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:14:18 2021 +1200
tests/krb5: Sign-extend kvno from 32-bit integer
This helps to avoid problems with RODC kvnos that have the high bit set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 7bc52cecb442c4bcbd39372a8b98bb033e4d1540)
commit 58f68bf357f10b3e42609b0166a56cfa292413a5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 8 11:28:52 2021 +1200
tests/krb5: Generate padata for FAST tests
This gives us access to parameters of kdc_exchange_dict and enables us
to simplify the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 943079fd94fec66cdc2ba4ea1b2beb2971473004)
commit 18c892942ee450e776b19f8f212ef8aa8f1b7f6e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 15:36:24 2021 +1200
tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c9fd8ffd8927ef42fd555e690f966f65aa01332e)
commit 7594ba47c19e0a288a03eb76fc7cec137c1f4024
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:55:10 2021 +1200
tests/krb5: Get encpart decryption key from kdc_exchange_dict
Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 0e99382d73f44eed7e19e83e430938d587e762d0)
commit 0e1d6fda2067caf37415332de8da6e3712bf8620
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:40:02 2021 +1200
tests/krb5: Get expected cname from TGT for TGS-REQ messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5186f92803009c81eca2957e1bf2eb0ff7b6dff)
commit dcd13ba166e8385b6e60f206acd34912a5eb09c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:26:43 2021 +1200
tests/krb5: Allow specifying status code to be checked
This allows us to check the status code that may be sent in an error
reply to a TGS-REQ message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 4ba5e82ae53410ec9a0bc7d47b181a88c15d9387)
commit 23eaf0160adde30986811b7591ac46758c0427c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:18:32 2021 +1200
tests/krb5: Create testing accounts in appropriate containers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184
(cherry picked from commit 01378a52a1cf0b6855492673455013d5719be45b)
commit fc91b526f7daec574b9ebd2a00f5b54eae4ca04e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:47:27 2021 +1200
tests/krb5: Check for presence of 'key-expiration' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94)
commit 95c7eba3951abe029b32f11271f0ac320ebd48ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:45:57 2021 +1200
tests/krb5: Check 'caddr' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit d3106a8d35225e826d548d3bea0d42edc3998c38)
commit 1984c30ce37453c5a5597bfb9a9bd7e70670962d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:43:41 2021 +1200
tests/krb5: Check for presence of 'renew-till' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64)
commit 0e80a7ef9c41c89ca126a813ca36cc4398de5ab5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:34:20 2021 +1200
tests/krb5: Allow Kerberos requests to be sent to DC or RODC
If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 0afb548a0a3221730c4a81d51bc31e99ec90e334)
commit 39a7676c8688703e96254df54417404b848ccd4c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:15:17 2021 +1200
tests/krb5: Make time assertion less strict
This assertion could fail if there was a time difference between the KDC
and the client.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 1974b872fb5a7da052305d01e2f1efc8d0637078)
commit d5b1b59cde48c0695bafc0e8d7309d1277d28208
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:13:11 2021 +1200
tests/krb5: Allow specifying ticket flags expected to be set or reset
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 85ddfc1afcf21797dab15431a5f375444c4d316e)
commit 3edaa318df912f92ac4a7d4f7f4aeaf2e0193bbb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 17:46:02 2021 +1200
tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b)
commit d94233f1e0c9a16ba2e5bf003bf7d10b71d3329f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:38:33 2021 +1200
tests/krb5: Don't create PAC request or options manually in fast_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7)
commit 7d955391e290aeec931f95d16ac96c289ae71942
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:37:27 2021 +1200
tests/krb5: Don't create PAC request manually in as_req_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit bc21ba2592093c765751ed3e8083dcd3512997f8)
commit f63461ffd80426830abd24b667de1356509a1aad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:36:42 2021 +1200
tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c0db1ba54d238d4b2da8895215d8314b068ce09c)
commit 7b6848c73b0cb9451eb033ef93772f168b9bfad7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:27:00 2021 +1200
tests/krb5: Move padata generation methods to base class
This allows them to be used directly from RawKerberosTest.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 1f23b16ef3a900a1bda01bf2a5a3a3847e2e79d1)
commit c8c0af0b20f4339628172867ea85b0d3df16d780
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:35:58 2021 +1200
tests/krb5: Keep track of account DN in credentials object
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9973b51e48a5d5f3e33c6e0da46e6231a42bd77a)
commit ee2a85aba9f6daeb94a38299ad852d98b5af5a82
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:46 2021 +1200
tests/krb5: Allow specifying additional User Account Control flags for account
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9aa900857441ea7e1c2d6c60bfa1ddeb142bf3e3)
commit dadedd0d55089bbd9ced65a774f03b8a1d71abbf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:02 2021 +1200
tests/krb5: Allow specifying an OU to create accounts in
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 7aae0e9b100b8cb7d1da78b8cb9a4a5c20acffbd)
commit e1fa2fff9304bcbf828b1b6c50bd127ced9f71bf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:31:56 2021 +1200
tests/krb5: Replace expected_cname_private with expected_anon parameter
This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit bf55786fcd9a96daa9002661d6f5d9b3502ed8a7)
commit 231d508a4724487c7a8cbf31557a43822b451ec9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:21:55 2021 +1200
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 3fd73b65a3db405db5a0a82cca6c808763d4f437)
commit a87fdc6629f1ff2f0534c54fedd76243f2342769
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:05:39 2021 +1200
tests/krb5: Add KDCOptions flag for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 08086c43987abecc588ebd32ec846ff7e27a83b6)
commit 22aa29993e01f3c7bc68eb8e2f1cc4224b5715d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:57:26 2021 +1200
tests/krb5: Use signed integers to represent key version numbers in ASN.1
As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
signed 32-bit integers to represent key version numbers. This makes a
difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
32767, where the kvno should be encoded in four bytes rather than five.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 448b661bf8815a05f534926d8ee8d6f57d123c2c)
commit ba22aee1d8c32a4e2de4e7d31822c658918312ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:50:26 2021 +1200
tests/krb5: Add methods to obtain the length of checksum types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9924dd976183ea62b08f116f8b8bacc698bb9b95)
commit 67d713b9362aab401585610b4f662aac7e9fda6e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:46:42 2021 +1200
tests/krb5: Calculate expected salt if not given explicitly
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c6badf818e9db44461979a931c74fc5ab6e80132)
commit fb63bdd828330274452436da2f8fd02e40866e82
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:40:59 2021 +1200
security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
commit 6acbb94daddb94a795e0b506bb7637ed15578cc5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:39:19 2021 +1200
krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 12 +-
lib/krb5_wrap/krb5_samba.c | 192 ++-
lib/krb5_wrap/krb5_samba.h | 13 +-
lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.1.sigs} | 0
...pyldb-util-2.1.0.sigs => pyldb-util-2.3.1.sigs} | 0
lib/ldb/pyldb.c | 51 +-
lib/ldb/tests/python/api.py | 29 +
lib/ldb/wscript | 2 +-
lib/tdb/pytdb.c | 2 +-
lib/tevent/pytevent.c | 2 +-
librpc/idl/krb5pac.idl | 7 +-
librpc/idl/security.idl | 3 +
python/samba/__init__.py | 12 +-
python/samba/join.py | 7 +-
python/samba/ms_schema.py | 6 +-
python/samba/schema.py | 9 +-
python/samba/tests/__init__.py | 3 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 11 +-
python/samba/tests/krb5/as_req_tests.py | 57 +-
python/samba/tests/krb5/compatability_tests.py | 48 +-
python/samba/tests/krb5/fast_tests.py | 476 ++-----
python/samba/tests/krb5/kcrypto.py | 28 +-
python/samba/tests/krb5/kdc_base_test.py | 1099 +++++++++++++--
python/samba/tests/krb5/kdc_tests.py | 4 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 137 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 93 +-
python/samba/tests/krb5/raw_testcase.py | 1461 +++++++++++++++-----
python/samba/tests/krb5/rfc4120.asn1 | 3 +-
python/samba/tests/krb5/rfc4120_constants.py | 11 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 3 +-
python/samba/tests/krb5/rodc_tests.py | 73 +
python/samba/tests/krb5/s4u_tests.py | 1074 +++++++++++++-
python/samba/tests/krb5/salt_tests.py | 327 +++++
python/samba/tests/krb5/simple_tests.py | 4 +-
python/samba/tests/krb5/test_ccache.py | 15 +-
python/samba/tests/krb5/test_ldap.py | 4 +-
python/samba/tests/krb5/test_rpc.py | 4 +-
python/samba/tests/krb5/test_smb.py | 4 +-
python/samba/tests/krb5/xrealm_tests.py | 4 +-
python/samba/tests/segfault.py | 12 +
python/samba/tests/usage.py | 2 +
selftest/knownfail.d/kdc-salt | 1 +
selftest/knownfail.d/python-segfaults | 2 +
selftest/knownfail_heimdal_kdc | 134 ++
selftest/knownfail_mit_kdc | 53 +
selftest/target/Samba3.pm | 16 +-
selftest/target/Samba4.pm | 76 +-
source3/passdb/machine_account_secrets.c | 10 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 23 +-
source4/dsdb/tests/python/rodc_rwdc.py | 8 +-
source4/heimdal/kdc/kerberos5.c | 147 +-
source4/heimdal/kdc/krb5tgs.c | 665 +++------
source4/heimdal/kdc/windc.c | 15 +-
source4/heimdal/kdc/windc_plugin.h | 5 +-
source4/heimdal/lib/asn1/krb5.asn1 | 21 -
source4/heimdal/lib/krb5/authdata.c | 124 ++
source4/heimdal/lib/krb5/pac.c | 484 ++++++-
source4/heimdal/lib/krb5/version-script.map | 5 +
source4/heimdal_build/wscript_build | 2 +-
source4/kdc/mit_samba.c | 14 +-
source4/kdc/pac-glue.c | 10 +-
source4/kdc/pac-glue.h | 3 +-
source4/kdc/wdc-samba4.c | 356 +++--
source4/kdc/wscript_build | 1 +
source4/librpc/ndr/py_security.c | 2 +-
source4/selftest/tests.py | 86 +-
source4/torture/drs/python/replica_sync.py | 2 +-
source4/torture/rpc/remote_pac.c | 14 +-
testprogs/blackbox/dbcheck.sh | 2 +-
69 files changed, 5735 insertions(+), 1850 deletions(-)
copy lib/ldb/ABI/{ldb-2.0.5.sigs => ldb-2.3.1.sigs} (100%)
copy lib/ldb/ABI/{pyldb-util-2.1.0.sigs => pyldb-util-2.3.1.sigs} (100%)
create mode 100755 python/samba/tests/krb5/rodc_tests.py
create mode 100755 python/samba/tests/krb5/salt_tests.py
create mode 100644 selftest/knownfail.d/kdc-salt
create mode 100644 source4/heimdal/lib/krb5/authdata.c
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index d7b1c430841..2338d9f114b 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1200,12 +1200,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
break;
}
- ret = smb_krb5_salt_principal(realm,
- username, /* sAMAccountName */
- upn, /* userPrincipalName */
- uac_flags,
- mem_ctx,
- &salt_principal);
+ ret = smb_krb5_salt_principal_str(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ uac_flags,
+ mem_ctx,
+ &salt_principal);
if (ret) {
talloc_free(mem_ctx);
return ret;
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -456,19 +456,20 @@ int smb_krb5_get_pw_salt(krb5_context context,
*
* @see smb_krb5_salt_principal2data
*/
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal)
+ krb5_principal *salt_princ)
{
TALLOC_CTX *frame = talloc_stackframe();
char *upper_realm = NULL;
const char *principal = NULL;
int principal_len = 0;
+ krb5_error_code krb5_ret;
- *_salt_principal = NULL;
+ *salt_princ = NULL;
if (sAMAccountName == NULL) {
TALLOC_FREE(frame);
@@ -512,7 +513,6 @@ int smb_krb5_salt_principal(const char *realm,
*/
if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
- char *tmp = NULL;
computer_len = strlen(sAMAccountName);
if (sAMAccountName[computer_len-1] == '$') {
@@ -520,60 +520,186 @@ int smb_krb5_salt_principal(const char *realm,
}
if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
- principal = talloc_asprintf(frame, "krbtgt/%*.*s",
- computer_len, computer_len,
- sAMAccountName);
- if (principal == NULL) {
+ const char *krbtgt = "krbtgt";
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(krbtgt),
+ krbtgt,
+ computer_len,
+ sAMAccountName,
+ 0);
+ if (krb5_ret != 0) {
TALLOC_FREE(frame);
- return ENOMEM;
+ return krb5_ret;
}
} else {
-
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
+ const char *host = "host";
+ char *tmp = NULL;
+ char *tmp_lower = NULL;
+
+ tmp = talloc_asprintf(frame, "%*.*s.%s",
+ computer_len,
+ computer_len,
+ sAMAccountName,
+ realm);
if (tmp == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- principal = strlower_talloc(frame, tmp);
- TALLOC_FREE(tmp);
- if (principal == NULL) {
+ tmp_lower = strlower_talloc(frame, tmp);
+ if (tmp_lower == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- }
- principal_len = strlen(principal);
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(host),
+ host,
+ strlen(tmp_lower),
+ tmp_lower,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+ }
} else if (userPrincipalName != NULL) {
- char *p;
+ /*
+ * We parse the name not only to allow an easy
+ * replacement of the realm (no matter the realm in
+ * the UPN, the salt comes from the upper-case real
+ * realm, but also to correctly provide a salt when
+ * the UPN is host/foo.bar
+ *
+ * This can fail for a UPN of the form foo at bar@REALM
+ * (which is accepted by windows) however.
+ */
+ krb5_ret = krb5_parse_name(krb5_ctx,
+ userPrincipalName,
+ salt_princ);
- principal = userPrincipalName;
- p = strchr(principal, '@');
- if (p != NULL) {
- principal_len = PTR_DIFF(p, principal);
- } else {
- principal_len = strlen(principal);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+
+ /*
+ * No matter what realm (including none) in the UPN,
+ * the realm is replaced with our upper-case realm
+ */
+ krb5_ret = smb_krb5_principal_set_realm(krb5_ctx,
+ *salt_princ,
+ upper_realm);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, *salt_princ);
+ TALLOC_FREE(frame);
+ return krb5_ret;
}
} else {
principal = sAMAccountName;
principal_len = strlen(principal);
- }
- *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
- principal_len, principal_len,
- principal, upper_realm);
- if (*_salt_principal == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ principal_len,
+ principal,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
}
TALLOC_FREE(frame);
return 0;
}
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal_str)
+{
+ krb5_principal salt_principal = NULL;
+ char *salt_principal_malloc;
+ krb5_context krb5_ctx;
+ krb5_error_code krb5_ret
+ = smb_krb5_init_context_common(&krb5_ctx);
+ if (krb5_ret != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+
+ krb5_ret = smb_krb5_salt_principal(krb5_ctx,
+ realm,
+ sAMAccountName,
+ userPrincipalName,
+ uac_flags,
+ &salt_principal);
+
+ krb5_ret = krb5_unparse_name(krb5_ctx, salt_principal,
+ &salt_principal_malloc);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, salt_principal);
+ DBG_ERR("kerberos unparse of salt principal failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+ krb5_free_principal(krb5_ctx, salt_principal);
+ *_salt_principal_str
+ = talloc_strdup(mem_ctx, salt_principal_malloc);
+ krb5_free_unparsed_name(krb5_ctx, salt_principal_malloc);
+
+ if (*_salt_principal_str == NULL) {
+ return ENOMEM;
+ }
+ return 0;
+}
+
/**
* @brief Converts the salt principal string into the salt data blob
*
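Review bot: In `smb_krb5_salt_principal_str()` the result of `smb_krb5_salt_principal()` is overwritten by the `krb5_unparse_name()` call that follows it without being checked. A failure there, such as the `krb5_parse_name()` error path described in the UPN branch comment, therefore reaches `krb5_unparse_name()` with `salt_principal` still NULL, and the original error code is lost. The `krb5_context` obtained from `smb_krb5_init_context_common()` is also not released on any return path visible in this hunk. Since this helper produces the salt principal for long-term keys, a construction failure should be returned to the caller as it is. The doc comment also names the out parameter `_salt_principal`, while the signature uses `_salt_principal_str`.

```c
int smb_krb5_salt_principal_str(const char *realm,
/* … unchanged: remaining parameters, locals, context initialisation … */
	krb5_ret = smb_krb5_salt_principal(krb5_ctx,
					   realm,
					   sAMAccountName,
					   userPrincipalName,
					   uac_flags,
					   &salt_principal);
	if (krb5_ret != 0) {
		DBG_ERR("unable to create salt principal (%s)\n",
			error_message(krb5_ret));
		krb5_free_context(krb5_ctx);
		return krb5_ret;
	}

	krb5_ret = krb5_unparse_name(krb5_ctx, salt_principal,
				     &salt_principal_malloc);
	krb5_free_principal(krb5_ctx, salt_principal);
	if (krb5_ret != 0) {
		DBG_ERR("kerberos unparse of salt principal failed (%s)\n",
			error_message(krb5_ret));
		krb5_free_context(krb5_ctx);
		return krb5_ret;
	}
	*_salt_principal_str
		= talloc_strdup(mem_ctx, salt_principal_malloc);
	krb5_free_unparsed_name(krb5_ctx, salt_principal_malloc);
	krb5_free_context(krb5_ctx);
	/* … unchanged: NULL check on *_salt_principal_str and return … */
```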
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index ca9a893e4f7..56a2a975278 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -350,12 +350,19 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal);
+ krb5_principal *salt_princ);
+
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
int smb_krb5_salt_principal2data(krb5_context context,
const char *salt_principal,
TALLOC_CTX *mem_ctx,
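Review bot: The two prototypes now differ only by a `_str` suffix but return results with different ownership, and nothing at the declaration says so. `smb_krb5_salt_principal()` fills a `krb5_principal` that, going by the cleanup in `smb_krb5_salt_principal_str()`, has to be released with `krb5_free_principal()`, while the `_str` variant returns a talloc string allocated on `mem_ctx`. A one-line comment above each, e.g. `/* caller frees *salt_princ with krb5_free_principal() */`, would keep callers from mixing them up. The last parameter of the `_str` prototype is named `_salt_principal` here but `_salt_principal_str` in the definition in krb5_samba.c.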
diff --git a/lib/ldb/ABI/ldb-2.0.5.sigs b/lib/ldb/ABI/ldb-2.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/ldb-2.0.5.sigs
copy to lib/ldb/ABI/ldb-2.3.1.sigs
diff --git a/lib/ldb/ABI/pyldb-util-2.1.0.sigs b/lib/ldb/ABI/pyldb-util-2.3.1.sigs
similarity index 100%
copy from lib/ldb/ABI/pyldb-util-2.1.0.sigs
copy to lib/ldb/ABI/pyldb-util-2.3.1.sigs
diff --git a/lib/ldb/pyldb.c b/lib/ldb/pyldb.c
index 443b677c2c4..d093daedf5c 100644
--- a/lib/ldb/pyldb.c
+++ b/lib/ldb/pyldb.c
@@ -182,6 +182,10 @@ static PyObject *py_ldb_control_get_critical(PyLdbControlObject *self,
static int py_ldb_control_set_critical(PyLdbControlObject *self, PyObject *value, void *closure)
{
+ if (value == NULL) {
+ PyErr_SetString(PyExc_AttributeError, "cannot delete critical flag");
+ return -1;
+ }
if (PyObject_IsTrue(value)) {
self->data->critical = true;
} else {
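Review bot: The added NULL check handles the delete case, but `PyObject_IsTrue(value)` on the line after it can return -1 when the truth test itself raises. That -1 takes the true branch and sets `critical = true` with an exception pending. Storing the result and returning early, `int truth = PyObject_IsTrue(value); if (truth == -1) return -1;`, avoids changing a control's criticality on an error path. The rest of the function body lies outside this hunk.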
@@ -839,7 +843,7 @@ static PyMethodDef py_ldb_dn_methods[] = {
"S.get_component_value(num) -> string\n"
"get the attribute value of the specified component as a binary string" },
{ "set_component", (PyCFunction)py_ldb_dn_set_component, METH_VARARGS,
- "S.get_component_value(num, name, value) -> None\n"
+ "S.set_component(num, name, value) -> None\n"
"set the attribute name and value of the specified component" },
{ "get_rdn_name", (PyCFunction)py_ldb_dn_get_rdn_name, METH_NOARGS,
"S.get_rdn_name() -> string\n"
@@ -3429,33 +3433,41 @@ static PyObject *py_ldb_msg_keys(PyLdbMessageObject *self,
return obj;
}
-static PyObject *py_ldb_msg_getitem_helper(PyLdbMessageObject *self, PyObject *py_name)
+static int py_ldb_msg_contains(PyLdbMessageObject *self, PyObject *py_name)
{
- struct ldb_message_element *el;
- const char *name;
+ struct ldb_message_element *el = NULL;
+ const char *name = NULL;
struct ldb_message *msg = pyldb_Message_AsMessage(self);
name = PyUnicode_AsUTF8(py_name);
if (name == NULL) {
- PyErr_SetNone(PyExc_TypeError);
- return NULL;
+ return -1;
}
- if (!ldb_attr_cmp(name, "dn"))
- return pyldb_Dn_FromDn(msg->dn);
- el = ldb_msg_find_element(msg, name);
- if (el == NULL) {
- return NULL;
+ if (!ldb_attr_cmp(name, "dn")) {
+ return 1;
}
- return (PyObject *)PyLdbMessageElement_FromMessageElement(el, msg->elements);
+ el = ldb_msg_find_element(msg, name);
+ return el != NULL ? 1 : 0;
}
static PyObject *py_ldb_msg_getitem(PyLdbMessageObject *self, PyObject *py_name)
{
- PyObject *ret = py_ldb_msg_getitem_helper(self, py_name);
- if (ret == NULL) {
+ struct ldb_message_element *el = NULL;
+ const char *name = NULL;
+ struct ldb_message *msg = pyldb_Message_AsMessage(self);
+ name = PyUnicode_AsUTF8(py_name);
+ if (name == NULL) {
+ return NULL;
+ }
+ if (!ldb_attr_cmp(name, "dn")) {
+ return pyldb_Dn_FromDn(msg->dn);
+ }
+ el = ldb_msg_find_element(msg, name);
+ if (el == NULL) {
PyErr_SetString(PyExc_KeyError, "No such element");
return NULL;
}
- return ret;
+
+ return PyLdbMessageElement_FromMessageElement(el, msg->elements);
}
static PyObject *py_ldb_msg_get(PyLdbMessageObject *self, PyObject *args, PyObject *kwargs)
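Review bot: `py_ldb_msg_contains()` has no comment stating its return convention, which is easy to get wrong for an `sq_contains` slot. It returns -1 without setting an error itself and relies on `PyUnicode_AsUTF8()` having raised for a non-string key. I would add above it `/* sq_contains: 1 if present ("dn" always counts), 0 if absent, -1 with the exception left by PyUnicode_AsUTF8() */`. The name lookup (`PyUnicode_AsUTF8`, the `ldb_attr_cmp(name, "dn")` test, `ldb_msg_find_element`) is now written out twice, here and in `py_ldb_msg_getitem()`. Any later change to key handling has to be made in both places to keep `in` consistent with indexing.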
@@ -3665,6 +3677,10 @@ static Py_ssize_t py_ldb_msg_length(PyLdbMessageObject *self)
return pyldb_Message_AsMessage(self)->num_elements;
}
+static PySequenceMethods py_ldb_msg_sequence = {
+ .sq_contains = (objobjproc)py_ldb_msg_contains,
+};
+
static PyMappingMethods py_ldb_msg_mapping = {
.mp_length = (lenfunc)py_ldb_msg_length,
.mp_subscript = (binaryfunc)py_ldb_msg_getitem,
@@ -3741,6 +3757,10 @@ static PyObject *py_ldb_msg_get_dn(PyLdbMessageObject *self, void *closure)
static int py_ldb_msg_set_dn(PyLdbMessageObject *self, PyObject *value, void *closure)
{
struct ldb_message *msg = pyldb_Message_AsMessage(self);
+ if (value == NULL) {
+ PyErr_SetString(PyExc_AttributeError, "cannot delete dn");
+ return -1;
+ }
if (!pyldb_Dn_Check(value)) {
PyErr_SetString(PyExc_TypeError, "expected dn");
return -1;
@@ -3838,6 +3858,7 @@ static PyTypeObject PyLdbMessage = {
.tp_name = "ldb.Message",
.tp_methods = py_ldb_msg_methods,
.tp_getset = py_ldb_msg_getset,
+ .tp_as_sequence = &py_ldb_msg_sequence,
.tp_as_mapping = &py_ldb_msg_mapping,
.tp_basicsize = sizeof(PyLdbMessageObject),
.tp_dealloc = (destructor)py_ldb_msg_dealloc,
diff --git a/lib/ldb/tests/python/api.py b/lib/ldb/tests/python/api.py
index 1d3d765e607..675b5859af8 100755
--- a/lib/ldb/tests/python/api.py
+++ b/lib/ldb/tests/python/api.py
@@ -3056,6 +3056,12 @@ class LdbMsgTests(TestCase):
def test_notpresent(self):
self.assertRaises(KeyError, lambda: self.msg["foo"])
+ def test_invalid(self):
+ try:
+ self.assertRaises(TypeError, lambda: self.msg[42])
+ except KeyError:
+ self.fail()
+
def test_del(self):
del self.msg["foo"]
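Review bot: The `try` / `except KeyError: self.fail()` wrapper in `test_invalid` adds nothing to the check. `assertRaises(TypeError, ...)` already lets a `KeyError` propagate, so the test cannot pass in that case; the wrapper only turns an error into a failure with an empty message. The context-manager form reads more directly: `with self.assertRaises(TypeError):` followed by `self.msg[42]`.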
@@ -3171,6 +3177,29 @@ class LdbMsgTests(TestCase):
def test_get_unknown_text(self):
self.assertEqual(None, self.msg.text.get("lalalala"))
+ def test_contains(self):
+ self.msg['foo'] = ['bar']
+ self.assertIn('foo', self.msg)
+
+ self.msg['Foo'] = ['bar']
+ self.assertIn('Foo', self.msg)
+
+ def test_contains_case(self):
+ self.msg['foo'] = ['bar']
+ self.assertIn('Foo', self.msg)
+
+ self.msg['Foo'] = ['bar']
+ self.assertIn('foo', self.msg)
+
+ def test_contains_dn(self):
+ self.assertIn('dn', self.msg)
+
+ def test_contains_dn_case(self):
+ self.assertIn('DN', self.msg)
+
+ def test_contains_invalid(self):
+ self.assertRaises(TypeError, lambda: None in self.msg)
+
def test_msg_diff(self):
l = ldb.Ldb()
msgs = l.parse_ldif("dn: foo=bar\nfoo: bar\nbaz: do\n\ndn: foo=bar\nfoo: bar\nbaz: dont\n")
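Review bot: None of the new containment tests covers the negative case, so the path where `py_ldb_msg_contains()` returns 0 is never exercised. An implementation that always answered true would pass all five tests. Adding `self.assertNotIn('lalalala', self.msg)`, using the same name `test_get_unknown_text` treats as absent, would pin that behaviour. `test_contains` and `test_contains_case` also assign both `'foo'` and `'Foo'` on the same message, so the second assertion in each may already be satisfied by the first assignment. Using a fresh message per case would make them independent.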
diff --git a/lib/ldb/wscript b/lib/ldb/wscript
index bf6129bd6fa..339da577e3b 100644
--- a/lib/ldb/wscript
+++ b/lib/ldb/wscript
@@ -1,7 +1,7 @@
#!/usr/bin/env python
APPNAME = 'ldb'
-VERSION = '2.3.0'
+VERSION = '2.3.1'
import sys, os
diff --git a/lib/tdb/pytdb.c b/lib/tdb/pytdb.c
index 2ea2042c1e5..e2f8ace227f 100644
--- a/lib/tdb/pytdb.c
+++ b/lib/tdb/pytdb.c
@@ -577,7 +577,7 @@ static PyMethodDef tdb_object_methods[] = {
{ "add_flags", (PyCFunction)obj_add_flags, METH_VARARGS, "S.add_flags(flags) -> None" },
{ "remove_flags", (PyCFunction)obj_remove_flags, METH_VARARGS, "S.remove_flags(flags) -> None" },
#if PY_MAJOR_VERSION >= 3
- { "keys", (PyCFunction)tdb_object_iter, METH_NOARGS, "S.iterkeys() -> iterator" },
+ { "keys", (PyCFunction)tdb_object_iter, METH_NOARGS, "S.keys() -> iterator" },
#else
{ "iterkeys", (PyCFunction)tdb_object_iter, METH_NOARGS, "S.iterkeys() -> iterator" },
#endif
diff --git a/lib/tevent/pytevent.c b/lib/tevent/pytevent.c
index 93375f71868..62dfe2419ff 100644
--- a/lib/tevent/pytevent.c
+++ b/lib/tevent/pytevent.c
@@ -573,7 +573,7 @@ static PyMethodDef py_tevent_context_methods[] = {
{ "add_timer", (PyCFunction)py_tevent_context_add_timer,
METH_VARARGS, "S.add_timer(next_event, handler) -> timer" },
--
Samba Shared Repository