[SCM] Samba Shared Repository - branch v4-13-test updated
Stefan Metzmacher
metze at samba.org
Wed Oct 27 23:30:01 UTC 2021
The branch, v4-13-test has been updated
via 0cea7f53c01 lib/krb5_wrap: Fix missing error check in new salt code
via 274f16103f6 dsdb: Allow special chars like "@" in samAccountName when generating the salt
via ae6d74c9ef8 tests/krb5: Add tests for account salt calculation
via d3b491c3116 tests/krb5: Fix account salt calculation to match Windows
via a742af325f9 tests/krb5: Allow specifying the UPN for test accounts
via 3f376eeaa88 tests/krb5: Allow creating machine accounts without a trailing dollar
via a2a173d70ad tests/krb5: Allow specifying prefix or suffix for test account names
via 4056198f4c9 tests/krb5: Decrease length of test account prefix
via 89b9cb8b786 selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
via 88f824aeb3f selftest/Samba3: remove unused close(USERMAP); calls
via c9e54bbe242 waf: Allow building with MIT KRB5 >= 1.20
via f01e4e19cf6 selftest: Improve error handling and perl style when setting up users in Samba4.pm
via 2bf0e4224f8 selftest: Remove duplicate setup of $base_dn and $ldbmodify
via 38ebe186f42 selftest: krb5 account creation: clarify account type as an enum
via 18bce6fc477 pytest: dynamic tests optionally add __doc__
via a64c25ff097 selftest: Increase account lockout windows to make test more reliable
via a203de48197 pytest/rodc_rwdc: try to avoid race.
via f7d6826afea HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
via e9b12d2def9 tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
via 999208d3afa tests/krb5: Ensure PAC is not present if expect_pac is false
via 3eb78cd43b6 kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
via 106dc4a0492 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
via fa32948c1d1 tests/krb5: Add tests for requesting a service ticket without a PAC
via 473278c1301 tests/krb5: Add method to get the PAC from a ticket
via 033249c56e1 tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
via 33537398392 tests/krb5: Allow get_tgt() to request including or omitting a PAC
via 543478fe985 heimdal:kdc: Fix ticket signing without a PAC
via 4ff8af7d54d selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
via cb044703b29 krb5: Fix PAC signature leak affecting KDC
via 5919475dc90 s4:kdc: Check ticket signature
via 9d3419c3068 heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
via 6fbde548803 s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
via e5ca4a51c80 kdc: correctly generate PAC TGS signature
via 61fb0ba82c6 kdc: use ticket client name when signing PAC
via 58bc0a4b7f1 kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
via 49bcbcbb4d6 krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
via c73825d0b01 krb5: rework PAC validation loop
via c17bfba3001 krb5: allow NULL parameter to krb5_pac_free()
via 4114e57a371 kdc: sign ticket using Windows PAC
via ff31503bd41 kdc: remove KRB5SignedPath, to be replaced with PAC
via 6afc41b262e s4/torture: Expect ticket checksum PAC buffer
via 1486a8a04b0 s4:kdc: Fix debugging messages
via 8b363a630e5 s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
via 0e53c4353a2 tests/krb5: Fix duplicate account creation
via f3c36a06998 tests/krb5: Allow bypassing cache when creating accounts
via 8b947965d4f tests/krb5: Don't include empty AD-IF-RELEVANT
via 2373c1ac1ef tests/krb5: Add constrained delegation tests
via 61ec92dc096 tests/krb5: Verify tickets obtained with get_service_ticket()
via 6a1549a4955 tests/krb5: Require ticket checksums if decryption key is available
via 91faad4ef6b tests/krb5: Add TKT_SIG_SUPPORT environment variable
via 518e990f496 selftest/dbcheck: Fix up RODC one-way links
via 1ca795a0cb9 tests/krb5: Fix sha1 checksum type
via 2c6b918ab92 tests/krb5: Provide clearer assertion messages for test failures
via d46f0d1793b tests/krb5: Disable debugging output for tests
via 90d58c72bd7 tests/krb5: Simplify padata checking
via b08fd85bcb2 tests/krb5: Check logon name in PAC
via 07ace448a5c tests/krb5: Check padata types when STRICT_CHECKING=0
via 54fb144fe9a tests/krb5: Add environment variable to specify KDC FAST support
via 8ee28d96b29 tests/krb5: Fix padata checking at functional level 2003
via d82e7716f48 tests/krb5: Clarify checksum type assertion message
via 07e242da411 tests/krb5: Use correct principal name type
via 5f72fd098f0 tests/krb5: Add compatibility tests for ticket checksums
via 7f3d6f9d925 tests/krb5: Add parameter to enforce presence of ticket checksums
via b0f9a83846b tests/krb5: Supply supported account enctypes in tgs_req()
via 5bc46c831ef tests/krb5: Allow specifying options and expected flags when obtaining a ticket
via 129772e049d tests/krb5: Save account SPN
via e56da60d01b tests/krb5: Check constrained delegation PAC buffer
via cb49059ab46 tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
via 334361501a9 tests/krb5: Add expect_claims parameter to kdc_exchange_dict
via 86e97e83ce4 tests/krb5: Fix checking for presence of error data
via f1fad85fe18 tests/krb5: Remove unneeded parameters from ticket cache key
via 896eea26d35 tests/krb5: Fix assertElementFlags()
via 4f6e02bf1db tests/krb5: Make expected_sname checking more explicit
via 8a6c15b431c tests/krb5: Fix status code checking
via 0e33a8d82fe tests/krb5: Fix handling authdata with missing PAC
via e3cd9b3649f tests/krb5: Allow excluding the PAC server checksum
via 2052395dd89 tests/krb5: Fix checksum generation and verification
via d310714c221 tests/krb5: Fix method for creating invalid length zeroed checksum
via 91d385abffb tests/krb5: Introduce helper method for creating invalid length checksums
via 501d5e76a82 tests/krb5: Add assertion to make failures clearer
via 1506b1c29bb tests/krb5: Allow created accounts to use resource-based constrained delegation
via 39bba78a5d0 tests/krb5: Rename allowed_to_delegate_to parameter for clarity
via 528c950eff9 tests/krb5: Fix PA-PAC-OPTIONS checking
via 7ba4cad1a76 tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
via 82606cd6f31 tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
via 5c1ab0b2697 tests/krb5: Remove unused parameter
via b047ed0c87d tests/krb5: Rename method parameter
via ab9034dd824 tests/krb5: Add classes for testing invalid checksums
via 0b5f8ac5b4d tests/krb5: Add method to determine if principal is krbtgt
via 279bb102fe8 tests/krb5: Verify checksums of tickets obtained from the KDC
via 65ff3ff171e tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
via 74f90d6b1a6 tests/krb5: Simplify account creation
via dc44a5b6fdf tests/krb5: Provide ticket enc-part key to tgs_req()
via 5b2c7c0930d tests/krb5: Fix checking for presence of authorization data
via 466f694f2fd tests/krb5: Add method to get DC credentials
via 1e4e8d883b6 tests/krb5: Allow tgs_req() to check the returned ticket enc-part
via 6d3e996b480 tests/krb5: Set key version number for all accounts created with create_account()
via e238315bbdf tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
via 4c561dbb3ca tests/krb5: Get supported enctypes for credentials from database
via 68da62728d2 tests/krb5: Add methods to convert between enctypes and bitfields
via 74b4bcc2b98 tests/krb5: Make get_default_enctypes() return a set of enctype constants
via 3d1e55d0607 tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
via bce8a8bd915 tests/krb5: Add method for modifying a ticket and creating PAC checksums
via 0eccbbc2748 tests/krb5: Add method to verify ticket PAC checksums
via 891195fa81e tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
via 454a8a7e687 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
via b1466890632 tests/krb5: Cache obtained tickets
via 3fdc427411c tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
via c6a2b7f196e tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
via a54629359b6 tests/krb5: Allow get_tgt() to specify expected and unexpected flags
via 1c05c3f7433 tests/krb5: Allow get_tgt() to specify different kdc-options
via 7446e1cd801 tests/krb5: Allow get_tgt() to get tickets from the RODC
via b619f4cb768 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
via e380626903e tests/krb5: Set DN of created accounts to ldb.Dn type
via a8c139de2af tests/krb5: Don't manually create PAC request and options in fast_tests
via cb35919a14f tests/krb5: Use PAC buffer type constants from krb5pac.idl
via bb236fc2432 tests/krb5: Allow as_req() to specify different kdc-options
via e93ed34f928 tests/krb5: Allow tgs_req() to send requests to the RODC
via d97a975e92a tests/krb5: Allow tgs_req() to specify different kdc-options
via 2850771dfcb tests/krb5: Allow tgs_req() to send additional padata
via c106983b6fa tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
via 286d69daf8b tests/krb5: Check correct flags element
via b2f98011015 tests/krb5: Add helper method for modifying PACs
via 3f2c977d478 python/join: Check for correct msDS-KrbTgtLink attribute
via 4b9b3e92256 python: Don't leak file handles
via b68eae6687b tests/krb5: Allow replicating accounts to the created RODC
via 8c7d0544035 tests/krb5: Create RODC account for testing
via c7491a9e760 tests/krb5: Allow replicating accounts to the RODC
via 329fcc65aa6 tests/krb5: Add get_secrets() method to get the secret attributes of a DN
via 9b151de2653 tests/krb5: Add method to get RODC krbtgt credentials
via 7d6ad51b20c tests/krb5: Sign-extend kvno from 32-bit integer
via c2cbe6e9aab tests/krb5: Generate padata for FAST tests
via 860f7704650 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
via 9926198bce0 tests/krb5: Get encpart decryption key from kdc_exchange_dict
via ac14815f849 tests/krb5: Get expected cname from TGT for TGS-REQ messages
via 36f8c7080a7 tests/krb5: Allow specifying status code to be checked
via a57391cf431 tests/krb5: Create testing accounts in appropriate containers
via 26b6b6e630b tests/krb5: Check for presence of 'key-expiration' element
via 39541dfa2d0 tests/krb5: Check 'caddr' element
via eef81ead620 tests/krb5: Check for presence of 'renew-till' element
via 829de7f89a7 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
via 9bd79bfe7a8 tests/krb5: Make time assertion less strict
via af38bdc0569 tests/krb5: Allow specifying ticket flags expected to be set or reset
via f86766afd92 tests/krb5: Remove magic constants
via e4c5a3ea34f tests/krb5: Don't create PAC request or options manually in fast_tests
via 36eb76b6c2f tests/krb5: Don't create PAC request manually in as_req_tests
via 99702d5d7db tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
via dcde84d9268 tests/krb5: Move padata generation methods to base class
via 1837ddb3481 tests/krb5: Keep track of account DN in credentials object
via a2d8713c55c tests/krb5: Allow specifying additional User Account Control flags for account
via 9b75a279c03 tests/krb5: Allow specifying an OU to create accounts in
via 4892fa1315f tests/krb5: Replace expected_cname_private with expected_anon parameter
via c978fcdf535 tests/krb5: Use more compact dict lookup
via 735d514ec11 tests/krb5: Add KDCOptions flag for constrained delegation
via 20df014fb13 tests/krb5: Use signed integers to represent key version numbers in ASN.1
via a91f36d7bc4 tests/krb5: Add methods to obtain the length of checksum types
via efb8340f41f tests/krb5: Calculate expected salt if not given explicitly
via d5572676f51 security.idl: Add well-known SIDs for FAST
via 0d0d609dc07 krb5pac.idl: Add ticket checksum PAC buffer type
via 6882fb5c3e6 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
via d4872f50bc4 python/join: use the provided krbtgt link in cleanup_old_accounts
via 283a128129f python: Move dsdb_Dn to samdb
via beaae4c5d67 wscript: fix installing pre-commit with 'git worktree'
via 3ba31fd4de8 script/bisect-test.py: add support git worktree
via 0e62cfec458 wafsamba: add support git worktree to vcs_dir_contents()
from 2b97c11bca6 VERSION: Bump version up to Samba 4.13.13...
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test
- Log -----------------------------------------------------------------
commit 0cea7f53c01718ec1d5d86a415ca494e1899501f
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 22 10:50:36 2021 +1300
lib/krb5_wrap: Fix missing error check in new salt code
CID 1492905: Control flow issues (DEADCODE)
This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
(cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)
Autobuild-User(v4-13-test): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(v4-13-test): Wed Oct 27 23:29:34 UTC 2021 on sn-devel-184
commit 274f16103f69d98b9262575d043d84bb9a1b53eb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Oct 19 16:01:36 2021 +1300
dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
(cherry picked from commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed)
commit ae6d74c9ef81b7fda5617948f4cc7b1be7c279a9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:46:36 2021 +1300
tests/krb5: Add tests for account salt calculation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org backported from commit 46039baa81377df10e5b134e4bb064ed246795e4
as the no_preauth side of the testsuite shows differences in enctypes
in Samba 4.14. The change is only in salt calculation so this is
not vital]
commit d3b491c31164c8ac6c9f4c0a35742684efe0d61d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:47 2021 +1300
tests/krb5: Fix account salt calculation to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe)
commit a742af325f904396973bb274e5413c437dce487a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:45:08 2021 +1300
tests/krb5: Allow specifying the UPN for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 889476d1754f8ce2a41557ed3bf5242c1293584e)
commit 3f376eeaa88237a15a523cbf1c11a75e20f3ffc8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:44:19 2021 +1300
tests/krb5: Allow creating machine accounts without a trailing dollar
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit f4785ccfefe7c89f84ad847ca3c12f604172b321)
commit a2a173d70ad4e9ea54b336ef9660897ea6ed58d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:41:39 2021 +1300
tests/krb5: Allow specifying prefix or suffix for test account names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5)
commit 4056198f4c950b77569c247beaff1bbdf3acf8f5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 20 12:39:05 2021 +1300
tests/krb5: Decrease length of test account prefix
This allows us more room to test with different account names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a5a6296e57cab2b53617d997c37b4e92d4124cc7)
commit 89b9cb8b786c3e4eb8691b5363390b68d8228a2d
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Oct 5 16:42:00 2021 +0200
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
commit 88f824aeb3fab477b083de8b761535e284c2eb3e
Author: Stefan Metzmacher <metze at samba.org>
Date: Fri Oct 8 18:04:55 2021 +0200
selftest/Samba3: remove unused close(USERMAP); calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit d998f7f8df215866ab32e05be772e24fc0b2131c
as offline login tests are not in Samba 4.14]
commit c9e54bbe242f4040758ef6c35a83de23fdb5c05e
Author: Andreas Schneider <asn at samba.org>
Date: Mon Oct 4 13:02:35 2021 +0200
waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the prototype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 5d8e794551b5df835f07e2bd8348fef746144601)
commit f01e4e19cf67ae9bcb939cdaacab78fac74fb56c
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 11:55:14 2021 +1300
selftest: Improve error handling and perl style when setting up users in Samba4.pm
This catches errors and avoids using global variables (the old
style file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 459200caba04fd83ed650b9cdfe5b158cf9a149f)
commit 2bf0e4224f85751fff4485e00e0d1fe13d5030bb
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 20:44:54 2021 +1300
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a)
commit 38ebe186f421df13a9e593a6a9f0f14b77cbaba7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:09 2021 +1300
selftest: krb5 account creation: clarify account type as an enum
This makes the code clearer with a symbolic constant rather
than a True/False boolean.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 49306f74eb29a2192019fab9260f9d242f9d5fd9)
commit 18bce6fc477d94d7c5a361ceec3b6f3353647e71
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Fri Aug 6 11:08:10 2021 +1200
pytest: dynamic tests optionally add __doc__
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit aacb18f920349e13b562c7c97901a0be7b273137)
commit a64c25ff09707d2cccd80335f662571fed024972
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 16:27:40 2021 +1200
selftest: Increase account lockout windows to make test more reliable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 6292f0597f208d7953382341380921cf0fd0a8a8)
commit a203de481979f65ba4c3d0e4c079cafde55b7b40
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Wed Sep 8 17:01:26 2021 +1200
pytest/rodc_rwdc: try to avoid race.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit a169e013e66bab15e594ce49b805edebfcd503cf)
commit f7d6826afeafaae83a0164e8713c672e297eab6a
Author: Viktor Dukhovni <viktor at twosigma.com>
Date: Wed Aug 10 23:31:14 2016 +0000
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
(cherry picked from commit 7e961f3f7a815960ae25377d5b7515184d439690)
commit e9b12d2def935050fb8be3f1d3e0ab6713807f32
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:07:11 2021 +1300
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
(cherry picked from commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef)
commit 999208d3afa8f6fcb2e20ce3dd068d5f0c48cf86
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 18 16:05:19 2021 +1300
tests/krb5: Ensure PAC is not present if expect_pac is false
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)
commit 3eb78cd43b6feb5fdee396881ca46e84371918f3
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 16:00:45 2021 +1300
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped, not to give an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
(cherry picked from commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542)
commit 106dc4a049265e49f5b39c0bf0dbb3793aa34a61
Author: Andrew Bartlett <abartlet at samba.org>
Date: Mon Oct 18 15:21:50 2021 +1300
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
[abartlet at samba.org backported from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
as there was a knownfail conflict with the test_remove_pac case
which succeeds on this branch]
commit fa32948c1d15ace180b5a9c7d80a1e0b25846d2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:29:26 2021 +1300
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
[abartlet at samba.org backported from commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
as the MIT KDC 1.16 seen on the reference Ubuntu 18.04 does not fail
test_remove_pac]
commit 473278c1301bcefd623b10ea88f1ff7627fe7c1e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:25 2021 +1300
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 288355896a2b6f460c42559ec46ff980ab57782e)
commit 033249c56e1b6a72d717aa64f1d09d107d6b67a2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:27:15 2021 +1300
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0dc69c1327f72384628a869a00482f6528b8671b)
commit 33537398392db0d3352ae3ca9ff7d7df866a181c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 14:26:40 2021 +1300
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5)
commit 543478fe985cd962f07e14bedd30660144382c54
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 15 12:12:30 2021 +1300
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216)
commit 4ff8af7d54df3ee51f13f9dbc7c80a83a9c08153
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Oct 15 13:09:20 2021 +1300
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct in intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.
These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
(cherry picked from commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4)
commit cb044703b29b2d80775305ebb01027199542af1d
Author: Nicolas Williams <nico at twosigma.com>
Date: Sun Oct 10 21:55:59 2021 -0500
krb5: Fix PAC signature leak affecting KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
54581d2d52443a9a07ed5980df331f660b397dcf]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f6adfefbbb41b9100736134d0f975f1ec0c33c42)
commit 5919475dc9026c527a016b226586d5bab30cac1e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:08:39 2021 +1300
s4:kdc: Check ticket signature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 02fa69c6c73c01d82807be4370e838f3e7c66f35)
commit 9d3419c3068b7ae08049df83927fdf23cad3d223
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:43:41 2021 +1300
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3bdce12789af1e7a7aba56691f184625a432410d)
commit 6fbde5488035897f92c7996c631a1d7fb92824bd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Aug 11 13:27:11 2021 +1200
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1)
commit e5ca4a51c80cca54d4484032268716cee139792b
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 17:51:51 2021 +1000
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Bourkis <iboukris at gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a)
commit 61fb0ba82c65734c6ed9b85b8dab4db72bd47fd0
Author: Luke Howard <lukeh at padl.com>
Date: Thu Sep 23 14:39:35 2021 +1000
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 75d1a7cd14b134506061ed64ddb9b99856231d2c)
commit 58bc0a4b7f1ec70e1d9e7a80dac6e85042cf7bc2
Author: Luke Howard <lukeh at padl.com>
Date: Sun Jan 6 17:54:58 2019 +1100
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit db30b71f79864a20b38a1f812a5df833f3a92de8)
commit 49bcbcbb4d6130440064db6d1a0bd888891f3a8f
Author: Luke Howard <lukeh at padl.com>
Date: Fri Sep 17 13:57:57 2021 +1000
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
c4b99b48c4b18f30d504b427bc1961d7a71f631e]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d6a472e953545ec3858ca969c1a4191e4f27ba63)
commit c73825d0b0131b505ee2b75f75d55c21ad1f2d05
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:16:58 2021 +0300
krb5: rework PAC validation loop
Avoid allocating the PAC on error.
Closes: #836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
6df8be5091363a1c9a9165465ab8292f817bec81]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2773379603a5a625c5d1c6e62f29c442942ff570)
commit c17bfba30011b01fa23cf5742c7d4026b42839e9
Author: Isaac Boukris <iboukris at gmail.com>
Date: Sun Sep 19 15:04:14 2021 +0300
krb5: allow NULL parameter to krb5_pac_free()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Cherry-picked from Heimdal commit
b295167208a96e68515902138f6ce93972892ec5]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76)
commit 4114e57a371f4d873d280257c8f396945b872c4b
Author: Isaac Boukris <iboukris at gmail.com>
Date: Fri Aug 13 12:44:37 2021 +0300
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed with the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vice versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit d7b03394a9012960d71489e775d40d10fd6f5232
due to conflicts in knownfail due to missing tests that crash the
MIT KDC]
commit ff31503bd41dd76c8d965b6a6c3e9904aa78c373
Author: Isaac Boukris <iboukris at gmail.com>
Date: Mon Dec 28 22:07:10 2020 +0200
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton at samba.org Backported from Heimdal commit
bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
- Removed tests
- Removed auditing hook (only present in Heimdal master)
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ccabc7f16cca5b0dcb46233e934e708167f1071b)
commit 6afc41b262ed2d308a89926c4f63139f26983d91
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:42:29 2021 +1300
s4/torture: Expect ticket checksum PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd
due to missing tests in Samba 4.14 that crashed the MIT KDC]
commit 1486a8a04b0fe7ba86b0378d7e9ee78c77cbe17f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:40:21 2021 +1300
s4:kdc: Fix debugging messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c14c61748b5a2d2a4f4de00615c476fcf381309e)
commit 8b363a630e55aaf507735ecbcb0d678906c065e4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 16:06:58 2021 +1300
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7149eeaceb426470b1b8181749d2d081c2fb83a4)
commit 0e53c4353a28404cd57c9726f5701ab80adc8562
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:40:39 2021 +1300
tests/krb5: Fix duplicate account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3dede18c5a1801023a60cc55b99022b033428350)
commit f3c36a069981964baeec92efa15416491516748e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 15:41:35 2021 +1300
tests/krb5: Allow bypassing cache when creating accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3948701f1d0f3ccd06f6dad56ca72833d66b1d84)
commit 8b947965d4f86b7bbb36fd181e93430ed47a8250
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:07:40 2021 +1300
tests/krb5: Don't include empty AD-IF-RELEVANT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a08399cd8169a525cc9e7aed99da84ef20e5b9c)
commit 2373c1ac1ef321d51ef2939df221f00510633778
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 15:03:04 2021 +1300
tests/krb5: Add constrained delegation tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 56ccdba54e0c7cf3409d8430ea1012e5d3d9b092)
commit 61ec92dc0964118fc6ffb5e4afa3d2ac52b22b6a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 6 16:35:47 2021 +1300
tests/krb5: Verify tickets obtained with get_service_ticket()
We only require the ticket checksum with Heimdal, because MIT currently
doesn't add it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d86eee2fd0fb72e52d878ceba0c476ca58abe6cf)
commit 6a1549a49557fa1149b30d3a626f6833e673b229
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 15:39:11 2021 +1300
tests/krb5: Require ticket checksums if decryption key is available
We perform this check conditionally, because MIT doesn't currently add
ticket checksums.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bf63221722903665e7b20991021fb5cdf4e4327e)
commit 91faad4ef6ba401267a2ec94a14c5fe6075d8075
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:58:15 2021 +1300
tests/krb5: Add TKT_SIG_SUPPORT environment variable
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit ae2c57fb0332f94ac44d0886c5edbed707ef52fe
due to changes in other tests nearby in tests.py]
commit 518e990f496317c79148f2fc00838a0ac3bca959
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Oct 13 12:26:22 2021 +1300
selftest/dbcheck: Fix up RODC one-way links
Test accounts were replicated to the RODC and then deleted, causing
state links to remain in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 40e5db4aabcd32834ee524857b77d36921f6bdfe)
commit 1ca795a0cb9a169dc428b966db095bf34f1bd597
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 16:32:01 2021 +1300
tests/krb5: Fix sha1 checksum type
Previously, sha1 signatures were being designated as rsa-md5-des3
signatures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ebe729786806c69e95b26ffc410e887e203accb8)
commit 2c6b918ab92fb88f179edea773b2364aad262bde
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 5 19:47:22 2021 +1300
tests/krb5: Provide clearer assertion messages for test failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5233f002000f196875af488b4f4d1df26fca90de)
commit d46f0d1793bed59026cb517dc7056a51fca1d5cb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Oct 8 11:48:41 2021 +1300
tests/krb5: Disable debugging output for tests
This reduces the time spent running the tests in a testenv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dfd613661eec4b81e162f2d86a8fa9266c2fdc03)
commit 90d58c72bd792d683c17aacdcfa4646963ee5ff0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:49:34 2021 +1300
tests/krb5: Simplify padata checking
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cf3ca6ac4567d7c7954ea4ecc8cc9dd5effcc094)
commit b08fd85bcb209ae249807e296d362d92bd2faa8f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:48:03 2021 +1300
tests/krb5: Check logon name in PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit e7c39cc44f2e16aecb01c0afc195911a474ef0b9)
commit 07ace448a5c64d9409f31d9be6dfe581bbb6a7f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:45:45 2021 +1300
tests/krb5: Check padata types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit bd22dcd9cc4dfda827f892224eb2da4a16564176
to Samba 4.14 due to conflicts in
knownfail as the test which crashes older MIT KDC versions is
omitted]
commit 54fb144fe9ad68a65d2acd4c78e69753db8c19c6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 12 11:34:59 2021 +1300
tests/krb5: Add environment variable to specify KDC FAST support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit 238f52bad811688624e9fd4b1595266e2149094a
because tests.py changed in more recent releases with new tests nearby]
commit 8ee28d96b29845c631554fb1f3171e74028fe47f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 16:15:43 2021 +1300
tests/krb5: Fix padata checking at functional level 2003
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 72265227e9c2037b63cdfb01a456a86ac8932f59)
commit d82e7716f486154602767351136f18e232f7b3cc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:39:26 2021 +1300
tests/krb5: Clarify checksum type assertion message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ee2b7e2c77f021984ec583fa0c4c756979197b0f)
commit 07e242da411326ea36b9d6bf286db636abe68f0e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Oct 11 14:37:03 2021 +1300
tests/krb5: Use correct principal name type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 687c8f94c68af9f1e44771dfd7219eeb41382bba)
commit 5f72fd098f08787c42b7ea29c471f48beeb4a474
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Oct 14 16:43:05 2021 +1300
tests/krb5: Add compatibility tests for ticket checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org: Backported from ec4b264bdf9ab64a728212580b344fbf35c3c673
to Samba 4.14 due to conflicts in
knownfail as the test which crashes older MIT KDC versions is
omitted]
commit 7f3d6f9d92598944b8940c44e05fa5565c67262a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 16:53:35 2021 +1300
tests/krb5: Add parameter to enforce presence of ticket checksums
This allows existing tests to pass before this functionality is
implemented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ef24fe982d750a42be81808379b0254d8488c559)
commit b0f9a83846baef02de7958be3c25ff7e8480d446
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:52:01 2021 +1300
tests/krb5: Supply supported account enctypes in tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 248249dc0acac89d1495c3572cbd2cbe8bdca362)
commit 5bc46c831ef0fc19ee3a4d54f379b84bddc7446a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:48:50 2021 +1300
tests/krb5: Allow specifying options and expected flags when obtaining a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 34020766bb7094d1ab5d4fc4c0ee89ccb81f39f1)
commit 129772e049dc15ccc3806801475d5fabb0b4aa33
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:41:23 2021 +1300
tests/krb5: Save account SPN
This is useful for testing delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bb58b4b58c66a6ada79e886dd0c44401e1c5878c)
commit e56da60d01b1b4546b3d92480f89cbf591e500f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:26:54 2021 +1300
tests/krb5: Check constrained delegation PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0e232fa1c9e5760ae6b9a99b5e7aa5513b84aa8b)
commit cb49059ab461ecf66c0b4ae47b25b9fb8aeb9214
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:15:26 2021 +1300
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit aa2e583fdea4fd93e4e71c54630e32a1035d1e2a)
commit 334361501a9e1eebcfb572e3179064cc403929fe
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 16:10:07 2021 +1300
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cfc225b549108739bd86e222f2f35eb96af4ea3)
commit 86e97e83ce4f63f613d1212a5cac3c370a4456b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 15:48:58 2021 +1300
tests/krb5: Fix checking for presence of error data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ab92dc16d20b0996b8c46714652c15019c795095)
commit f1fad85fe183079b382eb5d59c7211de65890236
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 14:02:37 2021 +1300
tests/krb5: Remove unneeded parameters from ticket cache key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7fba83c6c6309a525742c38e904d3e473db99ef1)
commit 896eea26d352fadee91fcd2bfa81f3622e586fab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:03:49 2021 +1300
tests/krb5: Fix assertElementFlags()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 788b3a29eea62f9f38ca8865c7cb7860bdc94bec)
commit 4f6e02bf1db79887947df43964bf4ced664a70ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 13:01:30 2021 +1300
tests/krb5: Make expected_sname checking more explicit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
[abartlet at samba.org backported from commit 8f6d369d709614e2f5c0684882c62f0476bcafa2
as Samba 4.14 as the test which crashes older MIT KDC versions is
omitted]
commit 8a6c15b431c41021feb3d030983634d6951ca55e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:16:58 2021 +1300
tests/krb5: Fix status code checking
The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 012b6fcd1976c6570e9b92c133d8c21e543e5a4f)
commit 0e33a8d82fea2dc21adebe40c5c080069805c24b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:06:03 2021 +1300
tests/krb5: Fix handling authdata with missing PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a4bc712ee02f32c2d04dfc2d99d58931344e5ceb)
commit e3cd9b3649fb152ea3310d9220c5461bad08a5f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 12:03:33 2021 +1300
tests/krb5: Allow excluding the PAC server checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit dcf45a151a198f7165cd332a26db78a5d8e8f8c5)
commit 2052395dd89b56b3c99d2b270a9eade67d042c7f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:59:42 2021 +1300
tests/krb5: Fix checksum generation and verification
The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a927cecafdd5ad6dc5189fa98cb42684c9c3b033)
commit d310714c22114c9dbf83ef57c7fdf0f94bb5c9a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:56:21 2021 +1300
tests/krb5: Fix method for creating invalid length zeroed checksum
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ae09219c3a1c6d47817f51baf3784e8986c7478d)
commit 91d385abffb95ba5aab4dbc50b89c92d2316149d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:54:49 2021 +1300
tests/krb5: Introduce helper method for creating invalid length checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d142dc3a452b0f06efc66f422402ee6e553ee7c)
commit 501d5e76a82bafd265b5fd754d75fe3372479cb1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:52:17 2021 +1300
tests/krb5: Add assertion to make failures clearer
These failures may occur if tests are not run against an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit cda50b5c505072989abf84c209e16ff4efe2e628)
commit 1506b1c29bb02231628cbe7c9e319449ee9d4c34
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:50:36 2021 +1300
tests/krb5: Allow created accounts to use resource-based constrained delegation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit bba8cb8dce19e47a7b813efd9a7527e38856435e)
commit 39bba78a5d014bfc30a94cfbb630ea98e8ab0e00
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:47:39 2021 +1300
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
This helps to distinguish resource-based and non-resource-based
constrained delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 31817c383c2014224b1397fde610624663313246)
commit 528c950eff9e70b6063881b6c375fce9b2efea4b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:54:33 2021 +1300
tests/krb5: Fix PA-PAC-OPTIONS checking
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fd00135fa4dff4331d86b228ccc01f834476997)
commit 7ba4cad1a769f7fe7b3755fc80b39009a838d73e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 30 10:51:01 2021 +1300
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 6f1282e8d34073d8499ce919908b39645b017cb8)
commit 82606cd6f3140bc377f6177b6d813e659422e9e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:23:17 2021 +1300
tests/krb5: Allow for missing msDS-KeyVersionNumber attribute
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ce433ff868d3cdf8e8a6e4995d89d6e036335fb6)
commit 5c1ab0b2697e6418b8aefc3bcee9bab7b41094b2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:51 2021 +1300
tests/krb5: Remove unused parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 8e4b21590836dab02c1864f6ac12b3879c4bd69c)
commit b047ed0c87d517e2d5b600e5d1358d21c8b12439
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 29 11:16:24 2021 +1300
tests/krb5: Rename method parameter
For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit d501ddca3b7b9c39c0b3eccf19176e3122cf5b9d)
commit ab9034dd8246b43290914014a261ea7625260ca2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:10:35 2021 +1200
tests/krb5: Add classes for testing invalid checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184
(cherry picked from commit 5b331443d0698256ee7fcc040a1ab8137efe925d)
commit 0b5f8ac5b4d665b35a5a50bf3cca9def1c9c9f7c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:06:18 2021 +1200
tests/krb5: Add method to determine if principal is krbtgt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8)
commit 279bb102fe8be500cd487e87e1dd85b22153c322
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:10:07 2021 +1200
tests/krb5: Verify checksums of tickets obtained from the KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit ea7b550a500d9e458498d37688b67dafd3d9509d)
commit 65ff3ff171e97214b9b0585a4cf6913f07a0bb89
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:54:47 2021 +1200
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1458cd9065de34c42bd5ec63feb2f66c25103982)
commit 74f90d6b1a6f4373d1ad4093070d0b80b1410b76
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:05:58 2021 +1200
tests/krb5: Simplify account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 394e8db261b10d130c5e5730989bf68f9bf4f85f)
commit dc44a5b6fdf4ddcf216ad48c2e3f745a604d4f10
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 22 11:41:45 2021 +1200
tests/krb5: Provide ticket enc-part key to tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c)
commit 5b2c7c0930df378782becb814a8cee8837c86a8e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:08:16 2021 +1200
tests/krb5: Fix checking for presence of authorization data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit f9284d8517edd9ffd96f0c24166a16366f97de8f)
commit 466f694f2fdf5f40668f85e70315de821854cfb9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:58:09 2021 +1200
tests/krb5: Add method to get DC credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239)
commit 1e4e8d883b61867fd095fc7751c978429eb000b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:59:24 2021 +1200
tests/krb5: Allow tgs_req() to check the returned ticket enc-part
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 38b4b334caf1b32f1479db3ada48b2028946f5e6)
commit 6d3e996b480f4a83f4f41f48d6ea3d0851eabac3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:54:39 2021 +1200
tests/krb5: Set key version number for all accounts created with create_account()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655)
commit e238315bbdfe6b67d5014b6559d77bc2071c8b9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:11:28 2021 +1200
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 14cd933a9d6af08deb680c9f688b166138d45ed9)
commit 4c561dbb3ca2cd6a792ab80b149960fed77721d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:10:49 2021 +1200
tests/krb5: Get supported enctypes for credentials from database
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit b6eaf2cf44fb66d8f302d4cab050827a67de3ea4)
commit 68da62728d242eab44e6a0d59c5c929b80692109
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 21:01:46 2021 +1200
tests/krb5: Add methods to convert between enctypes and bitfields
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 432eba9e09849e74f4c0f2d7826d45cbd2b7ce42)
commit 74b4bcc2b98a89bb44504a921026c87128e6727d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:01:12 2021 +1200
tests/krb5: Make get_default_enctypes() return a set of enctype constants
This is often more convenient than a bitfield.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7cedd383bcc1b5652ea65817b464d6e0485c7b8b)
commit 3d1e55d06076d611a2bf98505497029ae90e3cd7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:33:16 2021 +1200
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4c67a53cdca206a118e82b356db0faf0ddc011ab)
commit bce8a8bd915ac59faa9c2bd5b2b8fe56695bf058
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 15:26:12 2021 +1200
tests/krb5: Add method for modifying a ticket and creating PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1fcde7cb6ce50e0a08097841e92476f320560664)
commit 0eccbbc27480524d05ecb9cfb77578a83ca70ff9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 14:56:51 2021 +1200
tests/krb5: Add method to verify ticket PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 12b5e72a35d632516980f6c051a5d83f913079e7)
commit 891195fa81e70e8369ee2d17f6bad981d1362315
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 17:20:22 2021 +1200
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184
(cherry picked from commit ec95b3042bf2649c0600cafb12818c27242b5098)
commit 454a8a7e687e400b79ad4b69c8fd4b7cc4912c85
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 16:54:57 2021 +1200
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
Creating a zeroed checksum is needed for signing a PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a562882b15125902c5d89f094b8c9b1150f5d010)
commit b146689063243b930abe38004c558e1284ec598b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:20 2021 +1200
tests/krb5: Cache obtained tickets
Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 419e4061ced466ec7e5e23f815823b540ef4751c)
commit 3fdc427411c1b63622db5af1691b9b70ed4be833
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:05 2021 +1200
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6193f7433b15579aa32b26a146287923c9d3844d)
commit c6a2b7f196e125fc07fdf23dc7a9b40cda9781fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:24:46 2021 +1200
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 59c1043be25b92db75ab5676601cb15426ef37a3)
commit a54629359b664b92c7b4e208284e40c1198f2ff3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:45 2021 +1200
tests/krb5: Allow get_tgt() to specify expected and unexpected flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce)
commit 1c05c3f7433a176203a6d49e48a1fa658fd6ff32
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:06 2021 +1200
tests/krb5: Allow get_tgt() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3)
commit 7446e1cd80149fddbeda8461ecb4092300fd9b0f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:41:46 2021 +1200
tests/krb5: Allow get_tgt() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2d69805b1e3a8022f1418605e5f29ae0bbaa4a06)
commit b619f4cb768847462751b959b3e3b4e92cb99b0e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:38:38 2021 +1200
tests/krb5: Allow get_service_ticket() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 5d3a135c2326edc9ca8f56bea24d2f52320f4fd6)
commit e380626903e5a68e643b740896a8ca4bcb69ab93
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:19:28 2021 +1200
tests/krb5: Set DN of created accounts to ldb.Dn type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 7645dfa5bedee7ef3f7debbf0fa7600bd1c4bd79)
commit a8c139de2af35ca0c243b430d6388b0327a358ac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:13:51 2021 +1200
tests/krb5: Don't manually create PAC request and options in fast_tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit c226029655ca361560d93298a6729a021f2f6b75)
commit cb35919a14f8698c6b6275fb2c668d3a57829d75
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:06:51 2021 +1200
tests/krb5: Use PAC buffer type constants from krb5pac.idl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 3504e99dc5bcc206ca2964012b7fdca541555416)
commit bb236fc2432316308dd4878240140f58ecc1e758
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:52:46 2021 +1200
tests/krb5: Allow as_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a5e62d681d81a422bac7bd89dc27ef2314d77457)
commit e93ed34f928efa89431f3ca48a89a741d17add6b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:25:01 2021 +1200
tests/krb5: Allow tgs_req() to send requests to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 6403a09d94ab54f89d6e50601ae6b19ab7e6aae7)
commit d97a975e92a6008104456cc5d99ac5eb9ccc5122
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:18:12 2021 +1200
tests/krb5: Allow tgs_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1a3426da54463c3e454c1b76c3df4e96882e6aa9)
commit 2850771dfcb0efdfb9736ebea2818fe194aeeaa2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:16:27 2021 +1200
tests/krb5: Allow tgs_req() to send additional padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 1f0654b8facf3b9b2288d2569a573ff3a5ca4a82)
commit c106983b6faccbb797f2c8ffd6153eb1ec378e66
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:13:09 2021 +1200
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 2a4d53dc12aa785f696e53ae3376f67375ce455f)
commit 286d69daf8b0afcbf83e4724a761466fb1f690f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:22:28 2021 +1200
tests/krb5: Check correct flags element
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit 0061fa2c2a26d990ed2e47441bca8797fc9be356)
commit b2f980110151f2d9d55ffa03328a375a9ba46e03
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 15 20:56:28 2021 +1200
tests/krb5: Add helper method for modifying PACs
This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
(cherry picked from commit a281ae09bcf35277c830c4112567c72233fd66b8)
commit 3f2c977d478a1b2b4a9fd06f945f6c061b839466
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 10 14:02:22 2021 +1200
python/join: Check for correct msDS-KrbTgtLink attribute
Previously, the wrong case was used when checking for this attribute,
which meant krbtgt accounts were not being cleaned up.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 21a7717359082feaddfdf42788648c3d7574c28e)
commit 4b9b3e922562a1ec977039576471d42b06813b94
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:42:28 2021 +1200
python: Don't leak file handles
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit cde38d36b98f1d40e7b58cd4c4b4bedfab76c390)
commit b68eae6687b4610599c80a232beaaf0c4c97f4ff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:31 2021 +1200
tests/krb5: Allow replicating accounts to the created RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 35292bd32225b39ad7a03c3aa53027458f0671eb)
commit 8c7d05440356f59f8b098fa10070c40a1cfacf10
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:24:05 2021 +1200
tests/krb5: Create RODC account for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit ef5666bc51ca80e1acdadd525a9c61762756c8e3)
commit c7491a9e760a1ef9a211de93f944948def4a92bd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 22:13:24 2021 +1200
tests/krb5: Allow replicating accounts to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 3cc9e77f38f6698aa01abca4285a520c7c0cd2ac)
commit 329fcc65aa6f69e276ae5af85b173000e36cb05f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:58:01 2021 +1200
tests/krb5: Add get_secrets() method to get the secret attributes of a DN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit af633992e31e839cdd7f77740c1f25d129be2f79)
commit 9b151de26530d4d5e4dfed381728fc271a064283
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 20:20:23 2021 +1200
tests/krb5: Add method to get RODC krbtgt credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5bf7aad54b7053417a24ae0918ee42ceed7bf21)
commit 7d6ad51b20c04ba25ae553ad744ef4c928fcc32b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 13 21:14:18 2021 +1200
tests/krb5: Sign-extend kvno from 32-bit integer
This helps to avoid problems with RODC kvnos that have the high bit set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 7bc52cecb442c4bcbd39372a8b98bb033e4d1540)
commit c2cbe6e9aab347945c855c27435ce1ec87614c36
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 8 11:28:52 2021 +1200
tests/krb5: Generate padata for FAST tests
This gives us access to parameters of kdc_exchange_dict and enables us
to simplify the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 943079fd94fec66cdc2ba4ea1b2beb2971473004)
commit 860f77046507cb8ec28ead1b71ad4b7c9a93743b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 15:36:24 2021 +1200
tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit c9fd8ffd8927ef42fd555e690f966f65aa01332e)
commit 9926198bce0f1ba1d05965403d61d64ff05fea50
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:55:10 2021 +1200
tests/krb5: Get encpart decryption key from kdc_exchange_dict
Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 0e99382d73f44eed7e19e83e430938d587e762d0)
commit ac14815f849661c15c212f4fb0ad4a9de81ca74e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:40:02 2021 +1200
tests/krb5: Get expected cname from TGT for TGS-REQ messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit a5186f92803009c81eca2957e1bf2eb0ff7b6dff)
commit 36f8c7080a730a4ea1e4896a8d66408eb6eb4b7c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:26:43 2021 +1200
tests/krb5: Allow specifying status code to be checked
This allows us to check the status code that may be sent in an error
reply to a TGS-REQ message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
(cherry picked from commit 4ba5e82ae53410ec9a0bc7d47b181a88c15d9387)
commit a57391cf431a60606fc2d1625b766155cf54bfc9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 3 09:18:32 2021 +1200
tests/krb5: Create testing accounts in appropriate containers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184
(cherry picked from commit 01378a52a1cf0b6855492673455013d5719be45b)
commit 26b6b6e630b58cf67ab02971535b574728fbf8f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:47:27 2021 +1200
tests/krb5: Check for presence of 'key-expiration' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94)
commit 39541dfa2d0c197b1dda28f5a81f4d41f7520b00
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:45:57 2021 +1200
tests/krb5: Check 'caddr' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit d3106a8d35225e826d548d3bea0d42edc3998c38)
commit eef81ead620c8c70b60aa10d0c743076032db53a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:43:41 2021 +1200
tests/krb5: Check for presence of 'renew-till' element
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64)
commit 829de7f89a71dad95df5c33c8a233a1da121a665
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:34:20 2021 +1200
tests/krb5: Allow Kerberos requests to be sent to DC or RODC
If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 0afb548a0a3221730c4a81d51bc31e99ec90e334)
commit 9bd79bfe7a844738237119f4801f8ce1912f43eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:15:17 2021 +1200
tests/krb5: Make time assertion less strict
This assertion could fail if there was a time difference between the KDC
and the client.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 1974b872fb5a7da052305d01e2f1efc8d0637078)
commit af38bdc05696d69aaef5b39ad047d644494730d8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 19:13:11 2021 +1200
tests/krb5: Allow specifying ticket flags expected to be set or reset
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 85ddfc1afcf21797dab15431a5f375444c4d316e)
commit f86766afd9222884daf1a8c953a6cdb49550abae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 17:46:02 2021 +1200
tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b)
commit e4c5a3ea34f25a77e4934b61545c9a23cd68b0bc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:38:33 2021 +1200
tests/krb5: Don't create PAC request or options manually in fast_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7)
commit 36eb76b6c2fe6b66e137e73f998e54364b305ad4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:37:27 2021 +1200
tests/krb5: Don't create PAC request manually in as_req_tests
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit bc21ba2592093c765751ed3e8083dcd3512997f8)
commit 99702d5d7db2acdcc3ccc7ce5607b9e693f4e7f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:36:42 2021 +1200
tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c0db1ba54d238d4b2da8895215d8314b068ce09c)
commit dcde84d9268f4e78de1ec28981bc371b713774d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 2 14:27:00 2021 +1200
tests/krb5: Move padata generation methods to base class
This allows them to be used directly from RawKerberosTest.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 1f23b16ef3a900a1bda01bf2a5a3a3847e2e79d1)
commit 1837ddb34811e3277c0bdc35bc74fce99b7870a6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:35:58 2021 +1200
tests/krb5: Keep track of account DN in credentials object
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9973b51e48a5d5f3e33c6e0da46e6231a42bd77a)
commit a2d8713c55c0eb995f68fb324396c2e9f21bfe62
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:46 2021 +1200
tests/krb5: Allow specifying additional User Account Control flags for account
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9aa900857441ea7e1c2d6c60bfa1ddeb142bf3e3)
commit 9b75a279c030f0a2037f6d7f3825653b7c7fc2eb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:34:02 2021 +1200
tests/krb5: Allow specifying an OU to create accounts in
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 7aae0e9b100b8cb7d1da78b8cb9a4a5c20acffbd)
commit 4892fa1315fcd26a08cfc51eb002c53645d45663
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:31:56 2021 +1200
tests/krb5: Replace expected_cname_private with expected_anon parameter
This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit bf55786fcd9a96daa9002661d6f5d9b3502ed8a7)
commit c978fcdf535bb41e02eb8d633d9c7ea146e3024a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:21:55 2021 +1200
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 3fd73b65a3db405db5a0a82cca6c808763d4f437)
commit 735d514ec11bc2df26cd146e286eb82bccaf080c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 16:05:39 2021 +1200
tests/krb5: Add KDCOptions flag for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 08086c43987abecc588ebd32ec846ff7e27a83b6)
commit 20df014fb13ba1d6e8e0653ecbb9d43af9419fcb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:57:26 2021 +1200
tests/krb5: Use signed integers to represent key version numbers in ASN.1
As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
signed 32-bit integers to represent key version numbers. This makes a
difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
32767, where the kvno should be encoded in four bytes rather than five.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 448b661bf8815a05f534926d8ee8d6f57d123c2c)
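The size difference described in the "tests/krb5: Use signed integers to represent key version numbers in ASN.1" commit message above, as an added Python example that is not part of the commit or of Samba's test code. It assumes the RODC kvno layout from MS-KILE (msDS-SecondaryKrbTgtNumber in the upper 16 bits of the 32-bit kvno); all helper names are hypothetical.

```python
# Added illustration; helper names are hypothetical, not Samba's own code.


def der_integer(value: int) -> bytes:
    """DER-encode an ASN.1 INTEGER: tag 0x02, length, minimal two's complement."""
    magnitude = value if value >= 0 else ~value
    length = magnitude.bit_length() // 8 + 1
    if length > 127:
        raise ValueError("long-form lengths are not needed for a 32-bit kvno")
    return bytes([0x02, length]) + value.to_bytes(length, "big", signed=True)


def der_integer_decode(encoded: bytes) -> int:
    """Decode a short-form DER INTEGER back to a Python int."""
    if len(encoded) < 3 or encoded[0] != 0x02 or encoded[1] != len(encoded) - 2:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(encoded[2:], "big", signed=True)


def rodc_kvno(krbtgt_number: int, key_version: int) -> int:
    """Combine an RODC's krbtgt number and key version into one 32-bit kvno.

    Assumption (MS-KILE layout, not stated on this page): the
    msDS-SecondaryKrbTgtNumber occupies the upper 16 bits.
    """
    if not (0 <= krbtgt_number <= 0xFFFF and 0 <= key_version <= 0xFFFF):
        raise ValueError("both fields must fit in 16 bits")
    return (krbtgt_number << 16) | key_version


def as_int32(unsigned: int) -> int:
    """Reinterpret an unsigned 32-bit value as a signed 32-bit integer."""
    unsigned &= 0xFFFFFFFF
    return unsigned - (1 << 32) if unsigned & 0x80000000 else unsigned


def as_uint32(signed: int) -> int:
    """Reinterpret a signed 32-bit value as unsigned (what a receiver does)."""
    return signed & 0xFFFFFFFF


def encode_kvno(kvno: int, signed: bool = True) -> bytes:
    """Encode a 32-bit kvno either as a signed (Windows) or unsigned INTEGER."""
    return der_integer(as_int32(kvno) if signed else as_uint32(kvno))


if __name__ == "__main__":
    # Constructed sample values on either side of the 32767 boundary.
    for number in (32767, 32768):
        kvno = rodc_kvno(number, 1)
        print(number,
              "unsigned:", encode_kvno(kvno, signed=False).hex(),
              "signed:", encode_kvno(kvno, signed=True).hex())
```
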
commit a91f36d7bc45642e920e69b37b8c96a67e90aef5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:50:26 2021 +1200
tests/krb5: Add methods to obtain the length of checksum types
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 9924dd976183ea62b08f116f8b8bacc698bb9b95)
commit efb8340f41f55813e31bb6783d6214136a805253
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:46:42 2021 +1200
tests/krb5: Calculate expected salt if not given explicitly
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit c6badf818e9db44461979a931c74fc5ab6e80132)
commit d5572676f51adb48a0e7740bc12205057f34fc44
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:40:59 2021 +1200
security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12)
commit 0d0d609dc07af01f48f2135c639933d8204494e0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:39:19 2021 +1200
krb5pac.idl: Add ticket checksum PAC buffer type
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit ff2f38fae79220e16765e17671972f9a55eb7cce)
commit 6882fb5c3e6fe045c0f375a3ad04ab5a9144c651
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 17 16:43:00 2021 +1200
autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
This allows making a push to do a full test ignoring errors without
needing "HACK!!!" commits on top.
Use like this:
git push -o ci.variable='AUTOBUILD_FAIL_IMMEDIATELY=0'
RN: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14841
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
[abartlet at samba.org backported from commit b81f6f3d71487085bb355392ce7f8eff2db5bb4d
due to changes in 4.15 and later for the autobuild dependent jobs work
that avoids rebuilding Samba in each task]
Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-14-test): Thu Sep 23 08:54:03 UTC 2021 on sn-devel-184
(cherry picked from commit f53c532c2292d07ab3374920bd83c1266663038e)
commit d4872f50bc4abee7fbb450c550a632f030a16d69
Author: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Date: Thu Oct 11 13:08:38 2018 +1300
python/join: use the provided krbtgt link in cleanup_old_accounts
Before we were putting it in an otherwise unused variable, and
deleting the previous krbtgt_dn, if any.
Signed-off-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: David Mulder <dmulder at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 98f6ece5ad03a822180796873197383c17c3c6d9)
commit 283a128129f85552e36bcd7d49eaced9a25568ea
Author: David Mulder <dmulder at suse.com>
Date: Mon Sep 14 11:12:37 2020 -0600
python: Move dsdb_Dn to samdb
The import dsdb needed for dsdb_Dn causes import
errors when trying to import get_bytes/get_string
in some places.
Signed-off-by: David Mulder <dmulder at suse.com>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[abartlet at samba.org backported from commit 85d2ff2f0003b106ca84866b7e7893723f1dd93c
as the PY2 compat code is still in place in Samba 4.13]
commit beaae4c5d671f23ba5a844f7dc66e93538408ff7
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 13:26:41 2021 +0200
wscript: fix installing pre-commit with 'git worktree'
.git is not always a directory, with 'git worktree' it's a file.
'git rev-parse --git-path hooks' is the generic way to find the
path for the githooks.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
Autobuild-Date(master): Thu Aug 12 08:56:13 UTC 2021 on sn-devel-184
(cherry picked from commit 8858cf72af1cc15784749e58f184559a839dd4ef)
commit 3ba31fd4de81421c3f6073a93dade8af8de071d8
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 13:26:41 2021 +0200
script/bisect-test.py: add support git worktree
.git is not always a directory, with 'git worktree' it's a file.
Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c7f85146cb50795afcbb1c607e87d163d241c79a)
commit 0e62cfec458b524b137344824e5fd0d2d9be8718
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Aug 11 13:26:41 2021 +0200
wafsamba: add support git worktree to vcs_dir_contents()
.git is not always a directory, with 'git worktree' it's a file.
Note we could also use 'git rev-parse --show-toplevel', but that's
a patch for another day.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 2e2d2eaa10499537c9af07dd866ac8e613c3da02)
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/credentials_krb5.c | 12 +-
buildtools/wafsamba/samba_dist.py | 2 +-
lib/krb5_wrap/krb5_samba.c | 192 ++-
lib/krb5_wrap/krb5_samba.h | 13 +-
librpc/idl/krb5pac.idl | 7 +-
librpc/idl/security.idl | 3 +
python/samba/__init__.py | 12 +-
python/samba/common.py | 79 --
python/samba/dbchecker.py | 2 +-
python/samba/join.py | 7 +-
python/samba/kcc/kcc_utils.py | 2 +-
python/samba/kcc/ldif_import_export.py | 3 +-
python/samba/ms_schema.py | 6 +-
python/samba/samdb.py | 75 +
python/samba/schema.py | 9 +-
python/samba/tests/__init__.py | 3 +-
python/samba/tests/common.py | 4 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 11 +-
python/samba/tests/krb5/as_req_tests.py | 57 +-
python/samba/tests/krb5/compatability_tests.py | 48 +-
python/samba/tests/krb5/fast_tests.py | 476 ++-----
python/samba/tests/krb5/kcrypto.py | 28 +-
python/samba/tests/krb5/kdc_base_test.py | 1099 +++++++++++++--
python/samba/tests/krb5/kdc_tests.py | 4 +-
python/samba/tests/krb5/kdc_tgs_tests.py | 137 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 93 +-
python/samba/tests/krb5/raw_testcase.py | 1461 +++++++++++++++-----
python/samba/tests/krb5/rfc4120.asn1 | 3 +-
python/samba/tests/krb5/rfc4120_constants.py | 11 +
python/samba/tests/krb5/rfc4120_pyasn1.py | 3 +-
python/samba/tests/krb5/rodc_tests.py | 73 +
python/samba/tests/krb5/s4u_tests.py | 1074 +++++++++++++-
python/samba/tests/krb5/salt_tests.py | 327 +++++
python/samba/tests/krb5/simple_tests.py | 4 +-
python/samba/tests/krb5/test_ccache.py | 15 +-
python/samba/tests/krb5/test_ldap.py | 4 +-
python/samba/tests/krb5/test_rpc.py | 4 +-
python/samba/tests/krb5/test_smb.py | 4 +-
python/samba/tests/krb5/xrealm_tests.py | 4 +-
python/samba/tests/usage.py | 2 +
script/autobuild.py | 9 +-
script/bisect-test.py | 2 +-
selftest/knownfail.d/kdc-salt | 1 +
selftest/knownfail_heimdal_kdc | 134 ++
selftest/knownfail_mit_kdc | 53 +
selftest/target/Samba3.pm | 16 +-
selftest/target/Samba4.pm | 76 +-
source3/passdb/machine_account_secrets.c | 10 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 23 +-
source4/dsdb/tests/python/rodc_rwdc.py | 8 +-
source4/heimdal/kdc/kerberos5.c | 147 +-
source4/heimdal/kdc/krb5tgs.c | 665 +++------
source4/heimdal/kdc/windc.c | 15 +-
source4/heimdal/kdc/windc_plugin.h | 5 +-
source4/heimdal/lib/asn1/krb5.asn1 | 21 -
source4/heimdal/lib/krb5/authdata.c | 124 ++
source4/heimdal/lib/krb5/pac.c | 484 ++++++-
source4/heimdal/lib/krb5/version-script.map | 5 +
source4/heimdal_build/wscript_build | 2 +-
source4/kdc/mit_samba.c | 14 +-
source4/kdc/pac-glue.c | 10 +-
source4/kdc/pac-glue.h | 3 +-
source4/kdc/wdc-samba4.c | 356 +++--
source4/kdc/wscript_build | 1 +
source4/selftest/tests.py | 86 +-
source4/torture/drs/python/repl_rodc.py | 2 +-
source4/torture/rpc/remote_pac.c | 14 +-
testprogs/blackbox/dbcheck.sh | 2 +-
wscript | 20 +-
69 files changed, 5756 insertions(+), 1925 deletions(-)
create mode 100755 python/samba/tests/krb5/rodc_tests.py
create mode 100755 python/samba/tests/krb5/salt_tests.py
create mode 100644 selftest/knownfail.d/kdc-salt
create mode 100644 source4/heimdal/lib/krb5/authdata.c
Changeset truncated at 500 lines:
diff --git a/auth/credentials/credentials_krb5.c b/auth/credentials/credentials_krb5.c
index 20e677e521a..61e55f7032d 100644
--- a/auth/credentials/credentials_krb5.c
+++ b/auth/credentials/credentials_krb5.c
@@ -1199,12 +1199,12 @@ _PUBLIC_ int cli_credentials_get_keytab(struct cli_credentials *cred,
break;
}
- ret = smb_krb5_salt_principal(realm,
- username, /* sAMAccountName */
- upn, /* userPrincipalName */
- uac_flags,
- mem_ctx,
- &salt_principal);
+ ret = smb_krb5_salt_principal_str(realm,
+ username, /* sAMAccountName */
+ upn, /* userPrincipalName */
+ uac_flags,
+ mem_ctx,
+ &salt_principal);
if (ret) {
talloc_free(mem_ctx);
return ret;
diff --git a/buildtools/wafsamba/samba_dist.py b/buildtools/wafsamba/samba_dist.py
index c211a94d3db..0218cad6271 100644
--- a/buildtools/wafsamba/samba_dist.py
+++ b/buildtools/wafsamba/samba_dist.py
@@ -109,7 +109,7 @@ def vcs_dir_contents(path):
"""
repo = path
while repo != "/":
- if os.path.isdir(os.path.join(repo, ".git")):
+ if os.path.exists(os.path.join(repo, ".git")):
ls_files_cmd = [ 'git', 'ls-files', '--full-name',
os.path.relpath(path, repo) ]
cwd = None
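Review bot: the `.git` test in vcs_dir_contents() changes from os.path.isdir() to os.path.exists() with no comment saying why, so a later cleanup could tighten it back to isdir(). A one-line comment that `.git` is a plain file in a 'git worktree' checkout would keep the intent visible next to the check.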
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 20ce86c708d..fff5b4e2a22 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -456,19 +456,20 @@ int smb_krb5_get_pw_salt(krb5_context context,
*
* @see smb_krb5_salt_principal2data
*/
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal)
+ krb5_principal *salt_princ)
{
TALLOC_CTX *frame = talloc_stackframe();
char *upper_realm = NULL;
const char *principal = NULL;
int principal_len = 0;
+ krb5_error_code krb5_ret;
- *_salt_principal = NULL;
+ *salt_princ = NULL;
if (sAMAccountName == NULL) {
TALLOC_FREE(frame);
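Review bot: the doc comment above smb_krb5_salt_principal() is left describing the old signature: this first hunk for the file begins at the comment's closing `@see` line and changes nothing above it, so the comment cannot yet mention krb5_ctx or salt_princ. Please document both parameters, and state that on success the caller owns *salt_princ and must release it with krb5_free_principal().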
@@ -512,7 +513,6 @@ int smb_krb5_salt_principal(const char *realm,
*/
if (uac_flags & UF_TRUST_ACCOUNT_MASK) {
int computer_len = 0;
- char *tmp = NULL;
computer_len = strlen(sAMAccountName);
if (sAMAccountName[computer_len-1] == '$') {
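Review bot: in the unchanged context of this hunk, `sAMAccountName[computer_len-1]` reads one byte before the string when sAMAccountName is empty, because computer_len is then 0; the only guard visible in this function is the NULL check. While this block is being reworked, test `computer_len > 0` before looking for the trailing '$'.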
@@ -520,60 +520,186 @@ int smb_krb5_salt_principal(const char *realm,
}
if (uac_flags & UF_INTERDOMAIN_TRUST_ACCOUNT) {
- principal = talloc_asprintf(frame, "krbtgt/%*.*s",
- computer_len, computer_len,
- sAMAccountName);
- if (principal == NULL) {
+ const char *krbtgt = "krbtgt";
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(krbtgt),
+ krbtgt,
+ computer_len,
+ sAMAccountName,
+ 0);
+ if (krb5_ret != 0) {
TALLOC_FREE(frame);
- return ENOMEM;
+ return krb5_ret;
}
} else {
-
- tmp = talloc_asprintf(frame, "host/%*.*s.%s",
- computer_len, computer_len,
- sAMAccountName, realm);
+ const char *host = "host";
+ char *tmp = NULL;
+ char *tmp_lower = NULL;
+
+ tmp = talloc_asprintf(frame, "%*.*s.%s",
+ computer_len,
+ computer_len,
+ sAMAccountName,
+ realm);
if (tmp == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- principal = strlower_talloc(frame, tmp);
- TALLOC_FREE(tmp);
- if (principal == NULL) {
+ tmp_lower = strlower_talloc(frame, tmp);
+ if (tmp_lower == NULL) {
TALLOC_FREE(frame);
return ENOMEM;
}
- }
- principal_len = strlen(principal);
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ strlen(host),
+ host,
+ strlen(tmp_lower),
+ tmp_lower,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+ }
} else if (userPrincipalName != NULL) {
- char *p;
+ /*
+ * We parse the name not only to allow an easy
+ * replacement of the realm (no matter the realm in
+ * the UPN, the salt comes from the upper-case real
+ * realm, but also to correctly provide a salt when
+ * the UPN is host/foo.bar
+ *
+ * This can fail for a UPN of the form foo at bar@REALM
+ * (which is accepted by windows) however.
+ */
+ krb5_ret = krb5_parse_name(krb5_ctx,
+ userPrincipalName,
+ salt_princ);
- principal = userPrincipalName;
- p = strchr(principal, '@');
- if (p != NULL) {
- principal_len = PTR_DIFF(p, principal);
- } else {
- principal_len = strlen(principal);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
+
+ /*
+ * No matter what realm (including none) in the UPN,
+ * the realm is replaced with our upper-case realm
+ */
+ krb5_ret = smb_krb5_principal_set_realm(krb5_ctx,
+ *salt_princ,
+ upper_realm);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, *salt_princ);
+ TALLOC_FREE(frame);
+ return krb5_ret;
}
} else {
principal = sAMAccountName;
principal_len = strlen(principal);
- }
- *_salt_principal = talloc_asprintf(mem_ctx, "%*.*s@%s",
- principal_len, principal_len,
- principal, upper_realm);
- if (*_salt_principal == NULL) {
- TALLOC_FREE(frame);
- return ENOMEM;
+ krb5_ret = krb5_build_principal_ext(krb5_ctx,
+ salt_princ,
+ strlen(upper_realm),
+ upper_realm,
+ principal_len,
+ principal,
+ 0);
+ if (krb5_ret != 0) {
+ TALLOC_FREE(frame);
+ return krb5_ret;
+ }
}
TALLOC_FREE(frame);
return 0;
}
+/**
+ * @brief This constructs the salt principal used by active directory
+ *
+ * Most Kerberos encryption types require a salt in order to
+ * calculate the long term private key for user/computer object
+ * based on a password.
+ *
+ * The returned _salt_principal is a string in forms like this:
+ * - host/somehost.example.com at EXAMPLE.COM
+ * - SomeAccount at EXAMPLE.COM
+ * - SomePrincipal at EXAMPLE.COM
+ *
+ * This is not the form that's used as salt, it's just
+ * the human readable form. It needs to be converted by
+ * smb_krb5_salt_principal2data().
+ *
+ * @param[in] realm The realm the user/computer is added too.
+ *
+ * @param[in] sAMAccountName The sAMAccountName attribute of the object.
+ *
+ * @param[in] userPrincipalName The userPrincipalName attribute of the object
+ * or NULL is not available.
+ *
+ * @param[in] uac_flags UF_ACCOUNT_TYPE_MASKed userAccountControl field
+ *
+ * @param[in] mem_ctx The TALLOC_CTX to allocate _salt_principal.
+ *
+ * @param[out] _salt_principal The resulting principal as string.
+ *
+ * @retval 0 Success; otherwise - Kerberos error codes
+ *
+ * @see smb_krb5_salt_principal2data
+ */
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal_str)
+{
+ krb5_principal salt_principal = NULL;
+ char *salt_principal_malloc;
+ krb5_context krb5_ctx;
+ krb5_error_code krb5_ret
+ = smb_krb5_init_context_common(&krb5_ctx);
+ if (krb5_ret != 0) {
+ DBG_ERR("kerberos init context failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+
+ krb5_ret = smb_krb5_salt_principal(krb5_ctx,
+ realm,
+ sAMAccountName,
+ userPrincipalName,
+ uac_flags,
+ &salt_principal);
+
+ krb5_ret = krb5_unparse_name(krb5_ctx, salt_principal,
+ &salt_principal_malloc);
+ if (krb5_ret != 0) {
+ krb5_free_principal(krb5_ctx, salt_principal);
+ DBG_ERR("kerberos unparse of salt principal failed (%s)\n",
+ error_message(krb5_ret));
+ return krb5_ret;
+ }
+ krb5_free_principal(krb5_ctx, salt_principal);
+ *_salt_principal_str
+ = talloc_strdup(mem_ctx, salt_principal_malloc);
+ krb5_free_unparsed_name(krb5_ctx, salt_principal_malloc);
+
+ if (*_salt_principal_str == NULL) {
+ return ENOMEM;
+ }
+ return 0;
+}
+
/**
* @brief Converts the salt principal string into the salt data blob
*
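Review bot: smb_krb5_salt_principal_str() never checks the result of smb_krb5_salt_principal(): krb5_ret is assigned from that call and then overwritten by krb5_unparse_name() with no test in between, so on failure salt_principal is still NULL when it is unparsed and the original error is lost. Add an `if (krb5_ret != 0)` check that logs and returns between the two calls. Two smaller points in the same hunk: the context obtained from smb_krb5_init_context_common() is not released with krb5_free_context() on any of the return paths shown, and in the UPN branch of smb_krb5_salt_principal() *salt_princ is freed when smb_krb5_principal_set_realm() fails but is not reset to NULL, leaving the caller with a dangling pointer.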
diff --git a/lib/krb5_wrap/krb5_samba.h b/lib/krb5_wrap/krb5_samba.h
index ca9a893e4f7..56a2a975278 100644
--- a/lib/krb5_wrap/krb5_samba.h
+++ b/lib/krb5_wrap/krb5_samba.h
@@ -350,12 +350,19 @@ krb5_error_code ms_suptypes_to_ietf_enctypes(TALLOC_CTX *mem_ctx,
int smb_krb5_get_pw_salt(krb5_context context,
krb5_const_principal host_princ,
krb5_data *psalt);
-int smb_krb5_salt_principal(const char *realm,
+int smb_krb5_salt_principal(krb5_context krb5_ctx,
+ const char *realm,
const char *sAMAccountName,
const char *userPrincipalName,
uint32_t uac_flags,
- TALLOC_CTX *mem_ctx,
- char **_salt_principal);
+ krb5_principal *salt_princ);
+
+int smb_krb5_salt_principal_str(const char *realm,
+ const char *sAMAccountName,
+ const char *userPrincipalName,
+ uint32_t uac_flags,
+ TALLOC_CTX *mem_ctx,
+ char **_salt_principal);
int smb_krb5_salt_principal2data(krb5_context context,
const char *salt_principal,
TALLOC_CTX *mem_ctx,
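Review bot: the new smb_krb5_salt_principal_str() prototype names its output parameter `_salt_principal`, while the definition in krb5_samba.c names it `_salt_principal_str`. Use one name in the header, the definition and the `@param[out]` line of the doc comment so the three agree.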
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index fb360c1257f..515150ab9cd 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -112,7 +112,11 @@ interface krb5pac
PAC_TYPE_KDC_CHECKSUM = 7,
PAC_TYPE_LOGON_NAME = 10,
PAC_TYPE_CONSTRAINED_DELEGATION = 11,
- PAC_TYPE_UPN_DNS_INFO = 12
+ PAC_TYPE_UPN_DNS_INFO = 12,
+ PAC_TYPE_CLIENT_CLAIMS_INFO = 13,
+ PAC_TYPE_DEVICE_INFO = 14,
+ PAC_TYPE_DEVICE_CLAIMS_INFO = 15,
+ PAC_TYPE_TICKET_CHECKSUM = 16
} PAC_TYPE;
typedef struct {
@@ -128,6 +132,7 @@ interface krb5pac
[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
[case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info;
+ [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;
/* when new PAC info types are added they are supposed to be done
in such a way that they are backwards compatible with existing
servers. This makes it safe to just use a [default] for
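Review bot: only PAC_TYPE_TICKET_CHECKSUM gets a union arm here; PAC_TYPE_CLIENT_CLAIMS_INFO, PAC_TYPE_DEVICE_INFO and PAC_TYPE_DEVICE_CLAIMS_INFO, added to the enum in the previous hunk, have no case and will take the [default] arm. If that is intended, say so in the commit message or in the comment that follows, so readers do not assume those three buffer types are parsed.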
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index a92e8f1518e..9845becd826 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -292,6 +292,9 @@ interface security
const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
+ const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
+ const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
+
/*
* http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
*/
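Review bot: SID_COMPOUNDED_AUTHENTICATION and SID_CLAIMS_VALID are added without a comment or specification reference, unlike the block that follows, which links its source. A short comment naming where these two values are defined and what each one signals would help, since the S-1-5-21-0-0-0-<rid> form reads like a domain-relative SID with a zeroed domain part.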
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index d851bf3606c..e87e9c1b371 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -218,7 +218,8 @@ class Ldb(_Ldb):
:param ldif_path: Path to LDIF file.
"""
- self.add_ldif(open(ldif_path, 'r').read())
+ with open(ldif_path, 'r') as ldif_file:
+ self.add_ldif(ldif_file.read())
def add_ldif(self, ldif, controls=None):
"""Add data based on a LDIF string.
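Review bot: the `open(ldif_path, 'r')` call still relies on the locale's default encoding, while read_and_sub_file() in the next hunk passes encoding="utf-8". Since the line is being rewritten anyway, pass the encoding explicitly here too, or note why LDIF files are read differently.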
@@ -280,10 +281,11 @@ def read_and_sub_file(file_name, subst_vars):
:param file_name: File to be read (typically from setup directory)
param subst_vars: Optional variables to subsitute in the file.
"""
- data = open(file_name, 'r', encoding="utf-8").read()
- if subst_vars is not None:
- data = substitute_var(data, subst_vars)
- check_all_substituted(data)
+ with open(file_name, 'r', encoding="utf-8") as data_file:
+ data = data_file.read()
+ if subst_vars is not None:
+ data = substitute_var(data, subst_vars)
+ check_all_substituted(data)
return data
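Review bot: the substitution and check_all_substituted() calls are now inside the `with` block, so the file stays open while they run, although only data_file.read() needs the handle. Dedenting the `if subst_vars is not None:` block by one level keeps the file open for the read alone. The docstring in the context lines also has `param subst_vars` without its leading colon and "subsitute" for "substitute".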
diff --git a/python/samba/common.py b/python/samba/common.py
index 8876e4f4faa..a8faa90065d 100644
--- a/python/samba/common.py
+++ b/python/samba/common.py
@@ -16,13 +16,6 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-
-import ldb
-from samba import dsdb
-from samba.ndr import ndr_pack
-from samba.dcerpc import misc
-import binascii
-
from samba.compat import PY3
@@ -74,75 +67,3 @@ def normalise_int32(ivalue):
return str(ivalue)
-class dsdb_Dn(object):
- '''a class for binary DN'''
-
- def __init__(self, samdb, dnstring, syntax_oid=None):
- '''create a dsdb_Dn'''
- if syntax_oid is None:
- # auto-detect based on string
- if dnstring.startswith("B:"):
- syntax_oid = dsdb.DSDB_SYNTAX_BINARY_DN
- elif dnstring.startswith("S:"):
- syntax_oid = dsdb.DSDB_SYNTAX_STRING_DN
- else:
- syntax_oid = dsdb.DSDB_SYNTAX_OR_NAME
- if syntax_oid in [dsdb.DSDB_SYNTAX_BINARY_DN, dsdb.DSDB_SYNTAX_STRING_DN]:
- # it is a binary DN
- colons = dnstring.split(':')
- if len(colons) < 4:
- raise RuntimeError("Invalid DN %s" % dnstring)
- prefix_len = 4 + len(colons[1]) + int(colons[1])
- self.prefix = dnstring[0:prefix_len]
- self.binary = self.prefix[3 + len(colons[1]):-1]
- self.dnstring = dnstring[prefix_len:]
- else:
- self.dnstring = dnstring
- self.prefix = ''
- self.binary = ''
- self.dn = ldb.Dn(samdb, self.dnstring)
-
- def __str__(self):
- return self.prefix + str(self.dn.extended_str(mode=1))
-
- def __cmp__(self, other):
- ''' compare dsdb_Dn values similar to parsed_dn_compare()'''
- dn1 = self
- dn2 = other
- guid1 = dn1.dn.get_extended_component("GUID")
- guid2 = dn2.dn.get_extended_component("GUID")
-
- v = cmp(guid1, guid2)
- if v != 0:
- return v
- v = cmp(dn1.binary, dn2.binary)
- return v
-
- # In Python3, __cmp__ is replaced by these 6 methods
- def __eq__(self, other):
- return self.__cmp__(other) == 0
-
- def __ne__(self, other):
- return self.__cmp__(other) != 0
-
- def __lt__(self, other):
- return self.__cmp__(other) < 0
-
- def __le__(self, other):
- return self.__cmp__(other) <= 0
-
- def __gt__(self, other):
- return self.__cmp__(other) > 0
-
- def __ge__(self, other):
- return self.__cmp__(other) >= 0
-
- def get_binary_integer(self):
- '''return binary part of a dsdb_Dn as an integer, or None'''
- if self.prefix == '':
- return None
- return int(self.binary, 16)
-
- def get_bytes(self):
- '''return binary as a byte string'''
- return binascii.unhexlify(self.binary)
diff --git a/python/samba/dbchecker.py b/python/samba/dbchecker.py
index d12833d9390..0085b4a8515 100644
--- a/python/samba/dbchecker.py
+++ b/python/samba/dbchecker.py
@@ -28,7 +28,7 @@ from samba.dcerpc import misc
from samba.dcerpc import drsuapi
from samba.ndr import ndr_unpack, ndr_pack
from samba.dcerpc import drsblobs
-from samba.common import dsdb_Dn
+from samba.samdb import dsdb_Dn
from samba.dcerpc import security
from samba.descriptor import get_wellknown_sds, get_diff_sds
from samba.auth import system_session, admin_session
diff --git a/python/samba/join.py b/python/samba/join.py
index 7273f3734d3..a512e18c226 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -258,8 +258,9 @@ class DCJoinContext(object):
ctx.del_noerror(res[0].dn, recursive=True)
- if "msDS-Krbtgtlink" in res[0]:
--
Samba Shared Repository