[SCM] Samba Shared Repository - branch master updated

Andrew Bartlett abartlet at samba.org
Tue Sep 14 00:02:02 UTC 2021


The branch, master has been updated
       via  01378a52a1c tests/krb5: Create testing accounts in appropriate containers
       via  c3b74629027 tests/krb5: Check for presence of 'key-expiration' element
       via  d3106a8d352 tests/krb5: Check 'caddr' element
       via  9cba5f9a1b0 tests/krb5: Check for presence of 'renew-till' element
       via  0afb548a0a3 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
       via  1974b872fb5 tests/krb5: Make time assertion less strict
       via  85ddfc1afcf tests/krb5: Allow specifying ticket flags expected to be set or reset
       via  571265257f3 tests/krb5: Remove magic constants
       via  7556a4dfa64 tests/krb5: Don't create PAC request or options manually in fast_tests
       via  bc21ba25920 tests/krb5: Don't create PAC request manually in as_req_tests
       via  c0db1ba54d2 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
       via  1f23b16ef3a tests/krb5: Move padata generation methods to base class
       via  9973b51e48a tests/krb5: Keep track of account DN in credentials object
       via  9aa90085744 tests/krb5: Allow specifying additional User Account Control flags for account
       via  7aae0e9b100 tests/krb5: Allow specifying an OU to create accounts in
       via  bf55786fcd9 tests/krb5: Replace expected_cname_private with expected_anon parameter
       via  3fd73b65a3d tests/krb5: Use more compact dict lookup
       via  08086c43987 tests/krb5: Add KDCOptions flag for constrained delegation
       via  448b661bf88 tests/krb5: Use signed integers to represent key version numbers in ASN.1
       via  9924dd97618 tests/krb5: Add methods to obtain the length of checksum types
       via  c6badf818e9 tests/krb5: Calculate expected salt if not given explicitly
       via  0092b4a3ed5 security.idl: Add well-known SIDs for FAST
       via  ff2f38fae79 krb5pac.idl: Add ticket checksum PAC buffer type
      from  95d8cdf0c36 tsocket: set errno on some failures of tsocket_address_inet_from_strings

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 01378a52a1cf0b6855492673455013d5719be45b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Sep 3 09:18:32 2021 +1200

    tests/krb5: Create testing accounts in appropriate containers
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184

commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 19:47:27 2021 +1200

    tests/krb5: Check for presence of 'key-expiration' element
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit d3106a8d35225e826d548d3bea0d42edc3998c38
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 19:45:57 2021 +1200

    tests/krb5: Check 'caddr' element
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 19:43:41 2021 +1200

    tests/krb5: Check for presence of 'renew-till' element
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 0afb548a0a3221730c4a81d51bc31e99ec90e334
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 19:34:20 2021 +1200

    tests/krb5: Allow Kerberos requests to be sent to DC or RODC
    
    If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
    refer to the hostnames of the DC and RODC respectively, and this commit
    allows either one of them to be used as the KDC for Kerberos exchanges.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 1974b872fb5a7da052305d01e2f1efc8d0637078
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 19:15:17 2021 +1200

    tests/krb5: Make time assertion less strict
    
    This assertion could fail if there was a time difference between the KDC
    and the client.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 85ddfc1afcf21797dab15431a5f375444c4d316e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 19:13:11 2021 +1200

    tests/krb5: Allow specifying ticket flags expected to be set or reset
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 17:46:02 2021 +1200

    tests/krb5: Remove magic constants
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 2 14:38:33 2021 +1200

    tests/krb5: Don't create PAC request or options manually in fast_tests
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit bc21ba2592093c765751ed3e8083dcd3512997f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 2 14:37:27 2021 +1200

    tests/krb5: Don't create PAC request manually in as_req_tests
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit c0db1ba54d238d4b2da8895215d8314b068ce09c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 2 14:36:42 2021 +1200

    tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 1f23b16ef3a900a1bda01bf2a5a3a3847e2e79d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Sep 2 14:27:00 2021 +1200

    tests/krb5: Move padata generation methods to base class
    
    This allows them to be used directly from RawKerberosTest.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 9973b51e48a5d5f3e33c6e0da46e6231a42bd77a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 16:35:58 2021 +1200

    tests/krb5: Keep track of account DN in credentials object
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 9aa900857441ea7e1c2d6c60bfa1ddeb142bf3e3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 16:34:46 2021 +1200

    tests/krb5: Allow specifying additional User Account Control flags for account
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 7aae0e9b100b8cb7d1da78b8cb9a4a5c20acffbd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 16:34:02 2021 +1200

    tests/krb5: Allow specifying an OU to create accounts in
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit bf55786fcd9a96daa9002661d6f5d9b3502ed8a7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 16:31:56 2021 +1200

    tests/krb5: Replace expected_cname_private with expected_anon parameter
    
    This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
    the cname, and makes the reply checking logic easier to follow. This
    also removes the need to fetch the client credentials in the test
    methods.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 3fd73b65a3db405db5a0a82cca6c808763d4f437
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 16:21:55 2021 +1200

    tests/krb5: Use more compact dict lookup
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 08086c43987abecc588ebd32ec846ff7e27a83b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 16:05:39 2021 +1200

    tests/krb5: Add KDCOptions flag for constrained delegation
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 448b661bf8815a05f534926d8ee8d6f57d123c2c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 15:57:26 2021 +1200

    tests/krb5: Use signed integers to represent key version numbers in ASN.1
    
    As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
    signed 32-bit integers to represent key version numbers. This makes a
    difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
    32767, where the kvno should be encoded in four bytes rather than five.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>
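
    The signed-versus-unsigned encoding difference described in the message above, as an added worked example that is not part of the Samba commit or of Samba's test code. It assumes the MS-KILE 3.1.5.8 layout in which an RODC krbtgt kvno carries msDS-SecondaryKrbTgtNumber in the upper 16 bits and the per-account kvno in the lower 16 bits, uses a minimal DER INTEGER encoder written here for illustration (the real tests go through pyasn1), and the secondary krbtgt numbers 32767 and 32768 are constructed sample values:

```python
# Added example: DER encoding of an RODC krbtgt kvno as a signed vs. unsigned
# 32-bit INTEGER. Not Samba code; the MS-KILE 3.1.5.8 layout (upper 16 bits =
# msDS-SecondaryKrbTgtNumber, lower 16 bits = kvno) is assumed, and the sample
# secondary krbtgt numbers used below are constructed for illustration.


def der_integer(value: int) -> bytes:
    """Minimal DER INTEGER: tag 0x02, short-form length, two's-complement
    content using the fewest bytes that still carry the sign bit (X.690 8.3)."""
    magnitude = value + 1 if value < 0 else value
    n = (magnitude.bit_length() + 8) // 8   # always leaves room for a sign bit
    if n >= 128:
        raise ValueError("long-form lengths are not needed for kvno values")
    return bytes([0x02, n]) + value.to_bytes(n, "big", signed=True)


def rodc_kvno(secondary_krbtgt_number: int, local_kvno: int) -> int:
    """Compose the 32-bit RODC kvno: secondary krbtgt number << 16 | local kvno."""
    if not 0 < secondary_krbtgt_number <= 0xFFFF:
        raise ValueError("msDS-SecondaryKrbTgtNumber must fit in 16 bits")
    if not 0 <= local_kvno <= 0xFFFF:
        raise ValueError("kvno must fit in 16 bits")
    return (secondary_krbtgt_number << 16) | local_kvno


def to_signed32(value: int) -> int:
    """Reinterpret a 32-bit pattern the way Windows does: as a signed int32."""
    value &= 0xFFFFFFFF
    return value - (1 << 32) if value & 0x80000000 else value


def encode_kvno(kvno: int, signed: bool) -> bytes:
    """DER-encode a kvno either as the raw unsigned value or as signed 32-bit.
    Once the secondary number exceeds 32767 the top bit is set: the unsigned
    form needs a leading 0x00 (5 content bytes), the signed form does not (4)."""
    return der_integer(to_signed32(kvno) if signed else kvno)


def decode_kvno(der: bytes) -> int:
    """Decode a DER INTEGER kvno back to its 32-bit pattern whichever way it was
    encoded: a negative (signed) value is masked back to the unsigned pattern."""
    if len(der) < 2 or der[0] != 0x02 or len(der) != 2 + der[1]:
        raise ValueError("not a short-form DER INTEGER")
    return int.from_bytes(der[2:], "big", signed=True) & 0xFFFFFFFF


def split_rodc_kvno(kvno: int) -> tuple:
    """Recover (msDS-SecondaryKrbTgtNumber, local kvno) from a 32-bit kvno."""
    return kvno >> 16, kvno & 0xFFFF


if __name__ == "__main__":
    for secondary in (32767, 32768):   # constructed sample values
        kvno = rodc_kvno(secondary, 1)
        unsigned = encode_kvno(kvno, signed=False)
        signed = encode_kvno(kvno, signed=True)
        print(f"secondary={secondary} kvno=0x{kvno:08x} "
              f"unsigned={unsigned.hex()} ({unsigned[1]} bytes) "
              f"signed={signed.hex()} ({signed[1]} bytes)")
        assert decode_kvno(unsigned) == decode_kvno(signed) == kvno
```

    A decoder that reads the INTEGER as signed and masks to 32 bits, as decode_kvno does, accepts both encodings, which is the tolerant behaviour a client talking to mixed KDCs wants; an encoder has to pick one, and the commit picks the signed form Windows uses.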

commit 9924dd976183ea62b08f116f8b8bacc698bb9b95
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 15:50:26 2021 +1200

    tests/krb5: Add methods to obtain the length of checksum types
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit c6badf818e9db44461979a931c74fc5ab6e80132
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 15:46:42 2021 +1200

    tests/krb5: Calculate expected salt if not given explicitly
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 15:40:59 2021 +1200

    security.idl: Add well-known SIDs for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

commit ff2f38fae79220e16765e17671972f9a55eb7cce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 15:39:19 2021 +1200

    krb5pac.idl: Add ticket checksum PAC buffer type
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 librpc/idl/krb5pac.idl                    |   4 +-
 librpc/idl/security.idl                   |   3 +
 python/samba/tests/krb5/as_req_tests.py   |  39 ++----
 python/samba/tests/krb5/fast_tests.py     |  82 ++++--------
 python/samba/tests/krb5/kcrypto.py        |  26 ++++
 python/samba/tests/krb5/kdc_base_test.py  |  25 +++-
 python/samba/tests/krb5/raw_testcase.py   | 204 +++++++++++++++++++++++-------
 python/samba/tests/krb5/rfc4120.asn1      |   3 +-
 python/samba/tests/krb5/rfc4120_pyasn1.py |   3 +-
 9 files changed, 255 insertions(+), 134 deletions(-)


Changeset truncated at 500 lines:

diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index fb360c1257f..3239d7656b6 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -112,7 +112,8 @@ interface krb5pac
 		PAC_TYPE_KDC_CHECKSUM = 7,
 		PAC_TYPE_LOGON_NAME = 10,
 		PAC_TYPE_CONSTRAINED_DELEGATION = 11,
-		PAC_TYPE_UPN_DNS_INFO = 12
+		PAC_TYPE_UPN_DNS_INFO = 12,
+		PAC_TYPE_TICKET_CHECKSUM = 16
 	} PAC_TYPE;
 
 	typedef struct {
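
Review bot: the jump from 12 to 16 deserves a one-line comment saying that 13, 14 and 15 (client claims, device info, device claims in MS-PAC) are deliberately not modelled here yet, so the next person adding a buffer type does not assume 13 is free to repurpose; 16 matches the MS-PAC ulType 0x00000010 ticket signature buffer.
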
@@ -128,6 +129,7 @@ interface krb5pac
 		[case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)]
 			PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation;
 		[case(PAC_TYPE_UPN_DNS_INFO)]	PAC_UPN_DNS_INFO upn_dns_info;
+		[case(PAC_TYPE_TICKET_CHECKSUM)]	PAC_SIGNATURE_DATA ticket_checksum;
 		/* when new PAC info types are added they are supposed to be done
 		   in such a way that they are backwards compatible with existing
 		   servers. This makes it safe to just use a [default] for
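
Review bot: with PAC_TYPE_TICKET_CHECKSUM now a typed case instead of falling through to [default], the code that computes and verifies the server and KDC checksums will start seeing a third PAC_SIGNATURE_DATA buffer in tickets from KDCs that emit ticket signatures; check that it handles this buffer the same way it handles the other two signature buffers (including whatever zeroing it does before hashing), or note in the commit that this is deliberately left for a follow-up.
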
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index 06bf7449a70..3df96dedbdd 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -295,6 +295,9 @@ interface security
 	const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1";
 	const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2";
 
+	const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496";
+	const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497";
+
 	/*
 	 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx
 	 */
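
Review bot: the surrounding constants cite their source in a comment; add the MS-DTYP 2.4.2.4 reference for these two, and spell out that 'S-1-5-21-0-0-0-496' and '-497' are complete well-known SIDs with an all-zero domain identifier, not RIDs to be appended to the local domain SID, since the '-21-' prefix invites exactly that mistake.
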
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 82ff3f4845c..35f88a0c920 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -56,7 +56,7 @@ class AsReqKerberosTests(KDCBaseTest):
 
     def _test_as_req_nopreauth(self,
                                initial_etypes,
-                               initial_padata=None,
+                               pac=None,
                                initial_kdc_options=None):
         client_creds = self.get_client_creds()
         client_account = client_creds.get_username()
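
Review bot: the parameter is named 'pac' but is forwarded as 'pac_request=pac' further down; name it pac_request so the two match, and document the tri-state (None means send no PA-PAC-REQUEST at all, True/False means send one with that value), which the removed 'if pac is None' branch in the caller made explicit and which is now implicit.
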
@@ -74,7 +74,7 @@ class AsReqKerberosTests(KDCBaseTest):
         expected_cname = cname
         expected_srealm = realm
         expected_sname = sname
-        expected_salt = client_creds.get_forced_salt()
+        expected_salt = client_creds.get_salt()
 
         if any(etype in client_as_etypes and etype in initial_etypes
                for etype in (kcrypto.Enctype.AES256,
@@ -84,27 +84,19 @@ class AsReqKerberosTests(KDCBaseTest):
         else:
             expected_error_mode = KDC_ERR_ETYPE_NOSUPP
 
-        def _generate_padata_copy(_kdc_exchange_dict,
-                                  _callback_dict,
-                                  req_body):
-            return initial_padata, req_body
-
-        generate_padata_fn = (_generate_padata_copy
-                              if initial_padata is not None
-                              else None)
-
         kdc_exchange_dict = self.as_exchange_dict(
             expected_crealm=expected_crealm,
             expected_cname=expected_cname,
             expected_srealm=expected_srealm,
             expected_sname=expected_sname,
-            generate_padata_fn=generate_padata_fn,
+            generate_padata_fn=None,
             check_error_fn=self.generic_check_kdc_error,
             check_rep_fn=None,
             expected_error_mode=expected_error_mode,
             client_as_etypes=client_as_etypes,
             expected_salt=expected_salt,
-            kdc_options=str(initial_kdc_options))
+            kdc_options=str(initial_kdc_options),
+            pac_request=pac)
 
         self._generic_kdc_exchange(kdc_exchange_dict,
                                    cname=cname,
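
Review bot: 'kdc_options=str(initial_kdc_options)' turns the parameter's default of None into the literal string 'None'; this predates the patch, but since the call is being reworked anyway, only apply str() when initial_kdc_options is not None. The explicit 'generate_padata_fn=None' can be dropped if None is the default of as_exchange_dict.
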
@@ -114,13 +106,8 @@ class AsReqKerberosTests(KDCBaseTest):
 
     def _test_as_req_no_preauth_with_args(self, etype_idx, pac):
         name, etypes = self.etype_test_permutation_by_idx(etype_idx)
-        if pac is None:
-            padata = None
-        else:
-            pa_pac = self.KERB_PA_PAC_REQUEST_create(pac)
-            padata = [pa_pac]
         self._test_as_req_nopreauth(
-                     initial_padata=padata,
+                     pac=pac,
                      initial_etypes=etypes,
                      initial_kdc_options=krb5_asn1.KDCOptions('forwardable'))
 
@@ -142,12 +129,10 @@ class AsReqKerberosTests(KDCBaseTest):
         expected_cname = cname
         expected_srealm = realm
         expected_sname = sname
-        expected_salt = client_creds.get_forced_salt()
+        expected_salt = client_creds.get_salt()
 
         till = self.get_KerberosTime(offset=36000)
 
-        pa_pac = self.KERB_PA_PAC_REQUEST_create(True)
-        initial_padata = [pa_pac]
         initial_etypes = client_as_etypes
         initial_kdc_options = krb5_asn1.KDCOptions('forwardable')
         initial_error_mode = KDC_ERR_PREAUTH_REQUIRED
@@ -164,8 +149,9 @@ class AsReqKerberosTests(KDCBaseTest):
                                                         expected_sname,
                                                         expected_salt,
                                                         initial_etypes,
-                                                        initial_padata,
-                                                        initial_kdc_options)
+                                                        None,
+                                                        initial_kdc_options,
+                                                        pac_request=True)
         etype_info2 = kdc_exchange_dict['preauth_etype_info2']
         self.assertIsNotNone(etype_info2)
 
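
Review bot: a bare positional 'None' (the old initial_padata slot) immediately followed by the keyword 'pac_request=True' is hard to read at a glance; pass the None by keyword as well so the call documents which argument is being cleared.
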
@@ -183,7 +169,7 @@ class AsReqKerberosTests(KDCBaseTest):
 
         pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts)
 
-        preauth_padata = [pa_ts, pa_pac]
+        preauth_padata = [pa_ts]
         preauth_etypes = client_as_etypes
         preauth_kdc_options = krb5_asn1.KDCOptions('forwardable')
         preauth_error_mode = 0 # AS-REP
@@ -207,7 +193,8 @@ class AsReqKerberosTests(KDCBaseTest):
             preauth_padata,
             preauth_kdc_options,
             preauth_key=preauth_key,
-            ticket_decryption_key=krbtgt_decryption_key)
+            ticket_decryption_key=krbtgt_decryption_key,
+            pac_request=True)
         self.assertIsNotNone(as_rep)
 
 if __name__ == "__main__":
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index 392d19f59b3..6f3738257b5 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -49,10 +49,8 @@ from samba.tests.krb5.rfc4120_constants import (
     KU_TICKET,
     NT_PRINCIPAL,
     NT_SRV_INST,
-    NT_WELLKNOWN,
     PADATA_FX_COOKIE,
     PADATA_FX_FAST,
-    PADATA_PAC_OPTIONS
 )
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 import samba.tests.krb5.kcrypto as kcrypto
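
Review bot: NT_WELLKNOWN and PADATA_PAC_OPTIONS are removed, but NT_PRINCIPAL stays imported although the only uses of it visible in this patch (the user_cname construction in the two hide_client_names tests) are deleted below; check that the rest of the module still uses it, otherwise flake8 will flag an unused import.
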
@@ -1028,14 +1026,6 @@ class FAST_Tests(KDCBaseTest):
         ])
 
     def test_fast_hide_client_names(self):
-        user_creds = self.get_client_creds()
-        user_name = user_creds.get_username()
-        user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-                                               names=[user_name])
-
-        expected_cname = self.PrincipalName_create(
-            name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS'])
-
         self._run_test_sequence([
             {
                 'rep_type': KRB_AS_REP,
@@ -1044,7 +1034,7 @@ class FAST_Tests(KDCBaseTest):
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
                 'fast_options': '01',  # hide client names
-                'expected_cname': expected_cname
+                'expected_anon': True
             },
             {
                 'rep_type': KRB_AS_REP,
@@ -1054,20 +1044,11 @@ class FAST_Tests(KDCBaseTest):
                 'fast_armor': FX_FAST_ARMOR_AP_REQUEST,
                 'gen_armor_tgt_fn': self.get_mach_tgt,
                 'fast_options': '01',  # hide client names
-                'expected_cname': expected_cname,
-                'expected_cname_private': user_cname
+                'expected_anon': True
             }
         ])
 
     def test_fast_tgs_hide_client_names(self):
-        user_creds = self.get_client_creds()
-        user_name = user_creds.get_username()
-        user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-                                               names=[user_name])
-
-        expected_cname = self.PrincipalName_create(
-            name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS'])
-
         self._run_test_sequence([
             {
                 'rep_type': KRB_TGS_REP,
@@ -1076,8 +1057,7 @@ class FAST_Tests(KDCBaseTest):
                 'gen_tgt_fn': self.get_user_tgt,
                 'fast_armor': None,
                 'fast_options': '01',  # hide client names
-                'expected_cname': expected_cname,
-                'expected_cname_private': user_cname
+                'expected_anon': True
             }
         ])
 
@@ -1156,8 +1136,6 @@ class FAST_Tests(KDCBaseTest):
                                                        'canonicalize,'
                                                        'renewable-ok'))
 
-        pac_request = self.get_pa_pac_request()
-
         client_creds = self.get_client_creds()
         target_creds = self.get_service_creds()
         krbtgt_creds = self.get_krbtgt_creds()
@@ -1259,8 +1237,8 @@ class FAST_Tests(KDCBaseTest):
                 srealm = target_realm
 
             expected_cname = kdc_dict.pop('expected_cname', client_cname)
-            expected_cname_private = kdc_dict.pop('expected_cname_private',
-                                                  None)
+            expected_anon = kdc_dict.pop('expected_anon',
+                                         False)
             expected_crealm = kdc_dict.pop('expected_crealm', client_realm)
             expected_sname = kdc_dict.pop('expected_sname', sname)
             expected_srealm = kdc_dict.pop('expected_srealm', srealm)
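
Review bot: 'expected_anon = kdc_dict.pop('expected_anon', False)' fits on one line, so the wrap is just noise; more importantly, expected_cname still defaults to client_cname even when expected_anon is True, so add a comment stating which name is compared where in that case (the anonymous principal on the wire versus client_cname), since the previous explicit expected_cname_private made that visible and the new flag hides it.
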
@@ -1313,7 +1291,7 @@ class FAST_Tests(KDCBaseTest):
                                       _callback_dict,
                                       req_body,
                                       padata):
-                return padata, req_body
+                return list(padata), req_body
 
             def _check_padata_preauth_key(_kdc_exchange_dict,
                                           _callback_dict,
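
Review bot: 'return list(padata), req_body' copies the list without saying why; if the caller's list is mutated afterwards, or padata can arrive as a tuple, say so in a comment, otherwise the next cleanup will fold it back to 'return padata, req_body'.
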
@@ -1323,15 +1301,9 @@ class FAST_Tests(KDCBaseTest):
                 return preauth_key, as_rep_usage
 
             pac_options = kdc_dict.pop('pac_options', '1')  # claims support
-            pac_options = self.get_pa_pac_options(pac_options)
 
             kdc_options = kdc_dict.pop('kdc_options', kdc_options_default)
 
-            if rep_type == KRB_AS_REP:
-                padata = [pac_request, pac_options]
-            else:
-                padata = [pac_options]
-
             gen_padata_fn = kdc_dict.pop('gen_padata_fn', None)
             if gen_padata_fn is not None:
                 self.assertEqual(KRB_AS_REP, rep_type)
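
Review bot: the '# claims support' comment now annotates a bare '1' that only becomes a PA-PAC-OPTIONS bit string inside the exchange dict, far from this line; extend it to say it is the PA-PAC-OPTIONS flags string so it is not mistaken for a PAC-REQUEST boolean now that the two are passed side by side.
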
@@ -1341,10 +1313,10 @@ class FAST_Tests(KDCBaseTest):
                     client_creds,
                     preauth_etype_info2[0],
                     client_creds.get_kvno())
-                gen_padata = gen_padata_fn(preauth_key, armor_key)
-                padata.insert(0, gen_padata)
+                padata = [gen_padata_fn(preauth_key, armor_key)]
             else:
                 preauth_key = None
+                padata = []
 
             if rep_type == KRB_AS_REP:
                 check_padata_fn = _check_padata_preauth_key
@@ -1380,13 +1352,22 @@ class FAST_Tests(KDCBaseTest):
             inner_req = kdc_dict.pop('inner_req', None)
             outer_req = kdc_dict.pop('outer_req', None)
 
+            expected_flags = kdc_dict.pop('expected_flags', None)
+            if expected_flags is not None:
+                expected_flags = krb5_asn1.KDCOptions(expected_flags)
+            unexpected_flags = kdc_dict.pop('unexpected_flags', None)
+            if unexpected_flags is not None:
+                unexpected_flags = krb5_asn1.KDCOptions(unexpected_flags)
+
             if rep_type == KRB_AS_REP:
                 kdc_exchange_dict = self.as_exchange_dict(
                     expected_crealm=expected_crealm,
                     expected_cname=expected_cname,
-                    expected_cname_private=expected_cname_private,
+                    expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
+                    expected_flags=expected_flags,
+                    unexpected_flags=unexpected_flags,
                     ticket_decryption_key=krbtgt_decryption_key,
                     generate_fast_fn=generate_fast_fn,
                     generate_fast_armor_fn=generate_fast_armor_fn,
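
Review bot: expected_flags and unexpected_flags are built with krb5_asn1.KDCOptions, but the commit that introduces them ('Allow specifying ticket flags expected to be set or reset') says they are ticket flags; use the TicketFlags type from rfc4120_pyasn1 instead. The two KerberosFlags types share some bit names, but ticket-only names such as 'initial', 'pre-authent' or 'ok-as-delegate' have no KDCOptions equivalent and cannot be expressed this way.
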
@@ -1408,14 +1389,18 @@ class FAST_Tests(KDCBaseTest):
                     armor_subkey=armor_subkey,
                     kdc_options=kdc_options,
                     inner_req=inner_req,
-                    outer_req=outer_req)
+                    outer_req=outer_req,
+                    pac_request=True,
+                    pac_options=pac_options)
             else:  # KRB_TGS_REP
                 kdc_exchange_dict = self.tgs_exchange_dict(
                     expected_crealm=expected_crealm,
                     expected_cname=expected_cname,
-                    expected_cname_private=expected_cname_private,
+                    expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
+                    expected_flags=expected_flags,
+                    unexpected_flags=unexpected_flags,
                     ticket_decryption_key=target_decryption_key,
                     generate_fast_fn=generate_fast_fn,
                     generate_fast_armor_fn=generate_fast_armor_fn,
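
Review bot: 'pac_request=True' is hard-coded for every AS-REP step, so a FAST sequence can no longer exercise an AS-REQ without a PA-PAC-REQUEST or with a false one; take it from the step dict like the other per-step options, e.g. pac_request = kdc_dict.pop('pac_request', True).
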
@@ -1437,7 +1422,9 @@ class FAST_Tests(KDCBaseTest):
                     body_checksum_type=None,
                     kdc_options=kdc_options,
                     inner_req=inner_req,
-                    outer_req=outer_req)
+                    outer_req=outer_req,
+                    pac_request=None,
+                    pac_options=pac_options)
 
             repeat = kdc_dict.pop('repeat', 1)
             for _ in range(repeat):
@@ -1528,25 +1515,12 @@ class FAST_Tests(KDCBaseTest):
 
         return self.PA_DATA_create(PADATA_FX_COOKIE, cookie)
 
-    def get_pa_pac_request(self, request_pac=True):
-        pac_request = self.KERB_PA_PAC_REQUEST_create(request_pac)
-
-        return pac_request
-
-    def get_pa_pac_options(self, options):
-        pac_options = self.PA_PAC_OPTIONS_create(options)
-        pac_options = self.der_encode(pac_options,
-                                      asn1Spec=krb5_asn1.PA_PAC_OPTIONS())
-        pac_options = self.PA_DATA_create(PADATA_PAC_OPTIONS, pac_options)
-
-        return pac_options
-
     def check_kdc_fast_support(self):
         # Check that the KDC supports FAST
 
         samdb = self.get_samdb()
 
-        krbtgt_rid = 502
+        krbtgt_rid = security.DOMAIN_RID_KRBTGT
         krbtgt_sid = '%s-%d' % (samdb.get_domain_sid(), krbtgt_rid)
 
         res = samdb.search(base='<SID=%s>' % krbtgt_sid,
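
Review bot: security.DOMAIN_RID_KRBTGT is the right replacement for the magic 502, but it requires 'security' (from samba.dcerpc) to be imported in this module and the hunk does not show the imports; confirm it is imported here rather than reaching the name transitively.
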
diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py
index ce7b00bda4c..4a4a12a66d4 100755
--- a/python/samba/tests/krb5/kcrypto.py
+++ b/python/samba/tests/krb5/kcrypto.py
@@ -478,6 +478,7 @@ class _ChecksumProfile(object):
     # define:
     #   * checksum
     #   * verify (if verification is not just checksum-and-compare)
+    #   * checksum_len
     @classmethod
     def verify(cls, key, keyusage, text, cksum):
         expected = cls.checksum(key, keyusage, text)
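
Review bot: the comment now lists checksum_len among the methods each profile must define, but _ChecksumProfile gains no default, so a profile that forgets it fails with an AttributeError at the call site in checksum_len() below instead of a clear message; add a base classmethod checksum_len that raises NotImplementedError, mirroring how the abstract interface is documented here.
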
@@ -504,6 +505,10 @@ class _SimplifiedChecksum(_ChecksumProfile):
             raise ValueError('Wrong key type for checksum')
         super(_SimplifiedChecksum, cls).verify(key, keyusage, text, cksum)
 
+    @classmethod
+    def checksum_len(cls):
+        return cls.macsize
+
 
 class _SHA1AES128(_SimplifiedChecksum):
     macsize = 12
@@ -533,6 +538,10 @@ class _HMACMD5(_ChecksumProfile):
             raise ValueError('Wrong key type for checksum')
         super(_HMACMD5, cls).verify(key, keyusage, text, cksum)
 
+    @classmethod
+    def checksum_len(cls):
+        return hashes.MD5.digest_size
+
 
 class _MD5(_ChecksumProfile):
     @classmethod
@@ -540,6 +549,10 @@ class _MD5(_ChecksumProfile):
         # This is unkeyed!
         return SIMPLE_HASH(text, hashes.MD5)
 
+    @classmethod
+    def checksum_len(cls):
+        return hashes.MD5.digest_size
+
 
 class _SHA1(_ChecksumProfile):
     @classmethod
@@ -547,6 +560,10 @@ class _SHA1(_ChecksumProfile):
         # This is unkeyed!
         return SIMPLE_HASH(text, hashes.SHA1)
 
+    @classmethod
+    def checksum_len(cls):
+        return hashes.SHA1.digest_size
+
 
 class _CRC32(_ChecksumProfile):
     @classmethod
@@ -555,6 +572,10 @@ class _CRC32(_ChecksumProfile):
         cksum = (~crc32(text, 0xffffffff)) & 0xffffffff
         return pack('<I', cksum)
 
+    @classmethod
+    def checksum_len(cls):
+        return 4
+
 
 _enctype_table = {
     Enctype.DES3: _DES3CBC,
@@ -643,6 +664,11 @@ def verify_checksum(cksumtype, key, keyusage, text, cksum):
     c.verify(key, keyusage, text, cksum)
 
 
+def checksum_len(cksumtype):
+    c = _get_checksum_profile(cksumtype)
+    return c.checksum_len()
+
+
 def prfplus(key, pepper, ln):
     # Produce ln bytes of output using the RFC 6113 PRF+ function.
     out = b''
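
Review bot: checksum_len() needs a docstring saying it returns the length of the value checksum() emits, not the digest size of the underlying hash: for _SHA1AES128 it is the 12-byte truncated HMAC from macsize, not SHA-1's 20 bytes, which is exactly the case a caller sizing a buffer for a ticket checksum would otherwise get wrong.
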
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index f5c1eba9151..49a3227c26e 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -34,6 +34,8 @@ from samba.drs_utils import drsuapi_connect
 from samba.dsdb import (
     DS_DOMAIN_FUNCTION_2000,
     DS_DOMAIN_FUNCTION_2008,
+    DS_GUID_COMPUTERS_CONTAINER,
+    DS_GUID_USERS_CONTAINER,
     UF_WORKSTATION_TRUST_ACCOUNT,
     UF_NORMAL_ACCOUNT
 )
@@ -116,7 +118,7 @@ class KDCBaseTest(RawKerberosTest):
             lp = self.get_lp()
 
             session = system_session()
-            type(self)._ldb = SamDB(url="ldap://%s" % self.host,
+            type(self)._ldb = SamDB(url="ldap://%s" % self.dc_host,
                                     session_info=session,
                                     credentials=creds,
                                     lp=lp)
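
Review bot: the switch from self.host to self.dc_host deserves a one-line comment: in the 'rodc' environment self.host may name the RODC, and the LDAP writes that create_account performs must go to the writable DC, which is what dc_host names (the 'DC_SERVER' versus 'SERVER' distinction explained in commit 0afb548a0a3).
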
@@ -151,12 +153,19 @@ class KDCBaseTest(RawKerberosTest):
         return default_enctypes
 
     def create_account(self, ldb, name, machine_account=False,
-                       spn=None, upn=None, additional_details=None):
+                       spn=None, upn=None, additional_details=None,
+                       ou=None, account_control=0):
         '''Create an account for testing.
            The dn of the created account is added to self.accounts,
            which is used by tearDownClass to clean up the created accounts.
         '''
-        dn = "cn=%s,%s" % (name, ldb.domain_dn())
+        if ou is None:
+            guid = (DS_GUID_COMPUTERS_CONTAINER if machine_account
+                    else DS_GUID_USERS_CONTAINER)
+
+            ou = ldb.get_wellknown_dn(ldb.get_default_basedn(), guid)
+
+        dn = "CN=%s,%s" % (name, ou)
 
         # remove the account if it exists, this will happen if a previous test
         # run failed
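
Review bot: the docstring is not updated for the new 'ou' and 'account_control' parameters, and 'ou' is a misnomer since its default is the Users or Computers well-known container (CN=Users / CN=Computers), not an organizational unit; 'parent_dn' or 'container' would be accurate. The DN is still assembled with 'dn = "CN=%s,%s" % (name, ou)' without escaping, so a name containing ',' or '=' produces a malformed DN; building it with ldb.Dn would avoid that.
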
@@ -164,11 +173,11 @@ class KDCBaseTest(RawKerberosTest):
         if machine_account:
             object_class = "computer"
             account_name = "%s$" % name
-            account_control = str(UF_WORKSTATION_TRUST_ACCOUNT)
+            account_control |= UF_WORKSTATION_TRUST_ACCOUNT
         else:
             object_class = "user"
             account_name = name
-            account_control = str(UF_NORMAL_ACCOUNT)
+            account_control |= UF_NORMAL_ACCOUNT
 
         password = generate_random_password(32, 32)
         utf16pw = ('"%s"' % password).encode('utf-16-le')
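
Review bot: account_control is now an int where it used to be str(...); ldb attribute values must be strings or bytes, so the details dict built right after this hunk (cut off by the 500-line truncation) has to wrap it in str(); confirm that it does, since the visible lines no longer do.
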
@@ -177,7 +186,7 @@ class KDCBaseTest(RawKerberosTest):
             "dn": dn,


-- 
Samba Shared Repository


