[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Tue Sep 21 23:56:02 UTC 2021
The branch, master has been updated
via ec95b3042bf tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
via a562882b151 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
via 419e4061ced tests/krb5: Cache obtained tickets
via 6193f7433b1 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
via 59c1043be25 tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
via 035a8f19855 tests/krb5: Allow get_tgt() to specify expected and unexpected flags
via 4ecfa82e71b tests/krb5: Allow get_tgt() to specify different kdc-options
via 2d69805b1e3 tests/krb5: Allow get_tgt() to get tickets from the RODC
via 5d3a135c232 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
via 7645dfa5bed tests/krb5: Set DN of created accounts to ldb.Dn type
via c226029655c tests/krb5: Don't manually create PAC request and options in fast_tests
via 3504e99dc5b tests/krb5: Use PAC buffer type constants from krb5pac.idl
via a5e62d681d8 tests/krb5: Allow as_req() to specify different kdc-options
via 6403a09d94a tests/krb5: Allow tgs_req() to send requests to the RODC
via 1a3426da544 tests/krb5: Allow tgs_req() to specify different kdc-options
via 1f0654b8fac tests/krb5: Allow tgs_req() to send additional padata
via 2a4d53dc12a tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
via 0061fa2c2a2 tests/krb5: Check correct flags element
via a281ae09bcf tests/krb5: Add helper method for modifying PACs
via b81f6f3d714 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
via 21a77173590 python/join: Check for correct msDS-KrbTgtLink attribute
via cde38d36b98 python: Don't leak file handles
from 9a24d8e491f lib:cmdline: fix a comment
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit ec95b3042bf2649c0600cafb12818c27242b5098
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 17:20:22 2021 +1200
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184
commit a562882b15125902c5d89f094b8c9b1150f5d010
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 16:54:57 2021 +1200
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
Creating a zeroed checksum is needed for signing a PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 419e4061ced466ec7e5e23f815823b540ef4751c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:20 2021 +1200
tests/krb5: Cache obtained tickets
Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6193f7433b15579aa32b26a146287923c9d3844d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 11:51:05 2021 +1200
tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 59c1043be25b92db75ab5676601cb15426ef37a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:24:46 2021 +1200
tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:45 2021 +1200
tests/krb5: Allow get_tgt() to specify expected and unexpected flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 13:14:06 2021 +1200
tests/krb5: Allow get_tgt() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2d69805b1e3a8022f1418605e5f29ae0bbaa4a06
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:41:46 2021 +1200
tests/krb5: Allow get_tgt() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5d3a135c2326edc9ca8f56bea24d2f52320f4fd6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:38:38 2021 +1200
tests/krb5: Allow get_service_ticket() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7645dfa5bedee7ef3f7debbf0fa7600bd1c4bd79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:19:28 2021 +1200
tests/krb5: Set DN of created accounts to ldb.Dn type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c226029655ca361560d93298a6729a021f2f6b75
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:13:51 2021 +1200
tests/krb5: Don't manually create PAC request and options in fast_tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3504e99dc5bcc206ca2964012b7fdca541555416
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 12:06:51 2021 +1200
tests/krb5: Use PAC buffer type constants from krb5pac.idl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a5e62d681d81a422bac7bd89dc27ef2314d77457
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:52:46 2021 +1200
tests/krb5: Allow as_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6403a09d94ab54f89d6e50601ae6b19ab7e6aae7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:25:01 2021 +1200
tests/krb5: Allow tgs_req() to send requests to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1a3426da54463c3e454c1b76c3df4e96882e6aa9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:18:12 2021 +1200
tests/krb5: Allow tgs_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1f0654b8facf3b9b2288d2569a573ff3a5ca4a82
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:16:27 2021 +1200
tests/krb5: Allow tgs_req() to send additional padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 2a4d53dc12aa785f696e53ae3376f67375ce455f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:13:09 2021 +1200
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0061fa2c2a26d990ed2e47441bca8797fc9be356
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Sep 16 11:22:28 2021 +1200
tests/krb5: Check correct flags element
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit a281ae09bcf35277c830c4112567c72233fd66b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 15 20:56:28 2021 +1200
tests/krb5: Add helper method for modifying PACs
This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b81f6f3d71487085bb355392ce7f8eff2db5bb4d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Fri Sep 17 16:43:00 2021 +1200
autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
This allows making a push to do a full test ignoring errors without
needing "HACK!!!" commits on top.
Use like this:
git push -o ci.variable='AUTOBUILD_FAIL_IMMEDIATELY=0'
RN: Samba CI runs can now continue past the first error if AUTOBUILD_FAIL_IMMEDIATELY=0 is set
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14841
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Michael Adam <obnox at samba.org>
Reviewed-by: Noel Power <npower at samba.org>
commit 21a7717359082feaddfdf42788648c3d7574c28e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 10 14:02:22 2021 +1200
python/join: Check for correct msDS-KrbTgtLink attribute
Previously, the wrong case was used when checking for this attribute,
which meant krbtgt accounts were not being cleaned up.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cde38d36b98f1d40e7b58cd4c4b4bedfab76c390
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 15:42:28 2021 +1200
python: Don't leak file handles
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Noel Power <npower at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/__init__.py | 12 +-
python/samba/join.py | 7 +-
python/samba/ms_schema.py | 6 +-
python/samba/schema.py | 9 +-
python/samba/tests/krb5/fast_tests.py | 138 +---------------
python/samba/tests/krb5/kdc_base_test.py | 276 +++++++++++++++++++++++++------
python/samba/tests/krb5/kdc_tgs_tests.py | 3 +-
python/samba/tests/krb5/raw_testcase.py | 115 +++++++++++--
script/autobuild.py | 9 +-
source4/selftest/tests.py | 18 +-
10 files changed, 370 insertions(+), 223 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/__init__.py b/python/samba/__init__.py
index 449e4826ffb..0e6a33322f8 100644
--- a/python/samba/__init__.py
+++ b/python/samba/__init__.py
@@ -217,7 +217,8 @@ class Ldb(_Ldb):
:param ldif_path: Path to LDIF file.
"""
- self.add_ldif(open(ldif_path, 'r').read())
+ with open(ldif_path, 'r') as ldif_file:
+ self.add_ldif(ldif_file.read())
def add_ldif(self, ldif, controls=None):
"""Add data based on a LDIF string.
@@ -279,10 +280,11 @@ def read_and_sub_file(file_name, subst_vars):
:param file_name: File to be read (typically from setup directory)
param subst_vars: Optional variables to subsitute in the file.
"""
- data = open(file_name, 'r', encoding="utf-8").read()
- if subst_vars is not None:
- data = substitute_var(data, subst_vars)
- check_all_substituted(data)
+ with open(file_name, 'r', encoding="utf-8") as data_file:
+ data = data_file.read()
+ if subst_vars is not None:
+ data = substitute_var(data, subst_vars)
+ check_all_substituted(data)
return data
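Review bot: since this hunk rewrites the body of `read_and_sub_file`, the docstring context line `param subst_vars: Optional variables to subsitute in the file.` could be fixed in passing (missing leading `:` and the typo in "substitute"). Also, only `data = data_file.read()` needs to sit inside the `with`; re-indenting `substitute_var` and `check_all_substituted` under it keeps the file handle open longer than necessary, and leaving them at the outer level would also shrink the diff.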
diff --git a/python/samba/join.py b/python/samba/join.py
index b557eac03eb..4399367c817 100644
--- a/python/samba/join.py
+++ b/python/samba/join.py
@@ -256,8 +256,9 @@ class DCJoinContext(object):
ctx.del_noerror(res[0].dn, recursive=True)
- if "msDS-Krbtgtlink" in res[0]:
- ctx.new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0]
+ krbtgt_dn = res[0].get('msDS-KrbTgtLink', idx=0)
+ if krbtgt_dn is not None:
+ ctx.new_krbtgt_dn = krbtgt_dn
ctx.del_noerror(ctx.new_krbtgt_dn)
res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(),
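Review bot: `res[0].get('msDS-KrbTgtLink', idx=0)` returns the raw first attribute value rather than an `ldb.Dn`, so `ctx.new_krbtgt_dn` is still a plain value when handed to `ctx.del_noerror` on the unchanged line below. That matches the previous behaviour, but since a later hunk in this series wraps DNs as `ldb.Dn(samdb, dn)`, doing the same here (`ldb.Dn(ctx.samdb, krbtgt_dn)`) would make the intended type explicit.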
@@ -336,7 +337,7 @@ class DCJoinContext(object):
attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"])
if len(res) == 0:
raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname)
- if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]:
+ if "msDS-KrbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]:
raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname)
if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT |
samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0):
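Review bot: the membership test now spells the attribute `"msDS-KrbTgtLink"`, but the `attrs=[...]` list on the unchanged context line above still uses `"msDS-krbTgtLink"`. The LDAP search itself is case-insensitive, so this is not a functional problem, but given that the commit message attributes the earlier bug to attribute-name case, using one spelling in both places avoids the same confusion recurring.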
diff --git a/python/samba/ms_schema.py b/python/samba/ms_schema.py
index b9ca3c61b72..2250fb55e3b 100644
--- a/python/samba/ms_schema.py
+++ b/python/samba/ms_schema.py
@@ -294,9 +294,9 @@ def __parse_schema_file(filename, objectClass):
out = []
from io import open
- f = open(filename, "r", encoding='latin-1')
- for entry in __read_raw_entries(f):
- out.append(__write_ldif_one(__transform_entry(entry, objectClass)))
+ with open(filename, "r", encoding='latin-1') as f:
+ for entry in __read_raw_entries(f):
+ out.append(__write_ldif_one(__transform_entry(entry, objectClass)))
return "\n\n".join(out)
diff --git a/python/samba/schema.py b/python/samba/schema.py
index 54fc9fc3125..a3adc162fa3 100644
--- a/python/samba/schema.py
+++ b/python/samba/schema.py
@@ -110,8 +110,13 @@ class Schema(object):
setup_path('ad-schema/%s' % Schema.base_schemas[base_schema][0]),
setup_path('ad-schema/%s' % Schema.base_schemas[base_schema][1]))
+ def read_file(file):
+ with open(file, 'rb') as data_file:
+ return data_file.read()
+
if files is not None:
- self.schema_data = "".join(get_string(open(file, 'rb').read()) for file in files)
+ self.schema_data = "".join(get_string(read_file(file))
+ for file in files)
self.schema_data = substitute_var(self.schema_data,
{"SCHEMADN": schemadn})
@@ -130,7 +135,7 @@ class Schema(object):
if override_prefixmap is not None:
self.prefixmap_data = override_prefixmap
else:
- self.prefixmap_data = open(setup_path("prefixMap.txt"), 'rb').read()
+ self.prefixmap_data = read_file(setup_path("prefixMap.txt"))
if additional_prefixmap is not None:
self.prefixmap_data += "".join("%s\n" % map for map in additional_prefixmap)
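Review bot: `read_file` opens with `'rb'` and therefore returns bytes, but the unchanged line `self.prefixmap_data += "".join("%s\n" % map for map in additional_prefixmap)` appends a `str`; on Python 3 that concatenation raises `TypeError` whenever `additional_prefixmap` is not None, unless the value is converted somewhere not shown in this hunk. Worth confirming with a test that passes `additional_prefixmap`. The `map` loop variable also shadows the builtin.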
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index ae696e88c78..44853365d1e 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -67,11 +67,9 @@ class FAST_Tests(KDCBaseTest):
super().setUpClass()
cls.user_tgt = None
- cls.user_enc_part = None
cls.user_service_ticket = None
cls.mach_tgt = None
- cls.mach_enc_part = None
cls.mach_service_ticket = None
def setUp(self):
@@ -1540,149 +1538,17 @@ class FAST_Tests(KDCBaseTest):
self.assertTrue(
security.KERB_ENCTYPE_CLAIMS_SUPPORTED & krbtgt_etypes)
- def get_service_ticket(self, tgt, target_creds, service='host'):
- etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
- key = tgt.session_key
- ticket = tgt.ticket
-
- cname = tgt.cname
- realm = tgt.crealm
-
- target_name = target_creds.get_username()[:-1]
- sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
- names=[service, target_name])
-
- rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype)
-
- service_ticket = rep['ticket']
-
- ticket_etype = service_ticket['enc-part']['etype']
- target_key = self.TicketDecryptionKey_from_creds(target_creds,
- etype=ticket_etype)
-
- session_key = self.EncryptionKey_import(enc_part['key'])
-
- service_ticket_creds = KerberosTicketCreds(service_ticket,
- session_key,
- crealm=realm,
- cname=cname,
- srealm=realm,
- sname=sname,
- decryption_key=target_key)
-
- return service_ticket_creds
-
- def get_tgt(self, creds):
- user_name = creds.get_username()
- realm = creds.get_realm()
-
- salt = creds.get_salt()
-
- etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
- cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
- names=[user_name])
- sname = self.PrincipalName_create(name_type=NT_SRV_INST,
- names=['krbtgt', realm])
-
- till = self.get_KerberosTime(offset=36000)
-
- krbtgt_creds = self.get_krbtgt_creds()
- ticket_decryption_key = (
- self.TicketDecryptionKey_from_creds(krbtgt_creds))
-
- kdc_options = str(krb5_asn1.KDCOptions('forwardable,'
- 'renewable,'
- 'canonicalize,'
- 'renewable-ok'))
-
- pac_request = self.get_pa_pac_request()
- pac_options = self.get_pa_pac_options('1') # supports claims
-
- padata = [pac_request, pac_options]
-
- rep, kdc_exchange_dict = self._test_as_exchange(
- cname=cname,
- realm=realm,
- sname=sname,
- till=till,
- client_as_etypes=etype,
- expected_error_mode=KDC_ERR_PREAUTH_REQUIRED,
- expected_crealm=realm,
- expected_cname=cname,
- expected_srealm=realm,
- expected_sname=sname,
- expected_salt=salt,
- etypes=etype,
- padata=padata,
- kdc_options=kdc_options,
- preauth_key=None,
- ticket_decryption_key=ticket_decryption_key)
- self.check_pre_authentication(rep)
-
- etype_info2 = kdc_exchange_dict['preauth_etype_info2']
-
- preauth_key = self.PasswordKey_from_etype_info2(creds,
- etype_info2[0],
- creds.get_kvno())
-
- ts_enc_padata = self.get_enc_timestamp_pa_data(creds, rep)
-
- padata = [ts_enc_padata, pac_request, pac_options]
-
- expected_realm = realm.upper()
-
- expected_sname = self.PrincipalName_create(
- name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
-
- rep, kdc_exchange_dict = self._test_as_exchange(
- cname=cname,
- realm=realm,
- sname=sname,
- till=till,
- client_as_etypes=etype,
- expected_error_mode=0,
- expected_crealm=expected_realm,
- expected_cname=cname,
- expected_srealm=expected_realm,
- expected_sname=expected_sname,
- expected_salt=salt,
- etypes=etype,
- padata=padata,
- kdc_options=kdc_options,
- preauth_key=preauth_key,
- ticket_decryption_key=ticket_decryption_key)
- self.check_as_reply(rep)
-
- tgt = rep['ticket']
-
- enc_part = self.get_as_rep_enc_data(preauth_key, rep)
- session_key = self.EncryptionKey_import(enc_part['key'])
-
- ticket_creds = KerberosTicketCreds(
- tgt,
- session_key,
- crealm=realm,
- cname=cname,
- srealm=realm,
- sname=sname,
- decryption_key=ticket_decryption_key)
-
- return ticket_creds, enc_part
-
def get_mach_tgt(self):
if self.mach_tgt is None:
mach_creds = self.get_mach_creds()
- type(self).mach_tgt, type(self).mach_enc_part = (
- self.get_tgt(mach_creds))
+ type(self).mach_tgt = self.get_tgt(mach_creds)
return self.mach_tgt
def get_user_tgt(self):
if self.user_tgt is None:
user_creds = self.get_client_creds()
- type(self).user_tgt, type(self).user_enc_part = (
- self.get_tgt(user_creds))
+ type(self).user_tgt = self.get_tgt(user_creds)
return self.user_tgt
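Review bot: the removed `get_tgt()` requested `kdc_options` of `forwardable,renewable,canonicalize,renewable-ok` and sent `pac_options('1')` (claims supported) on both AS exchanges; the replacement in `kdc_base_test.py` falls outside the 500-line cut of this mail, so please confirm it preserves those options, as the tests in this file were written against them. Also, `get_mach_tgt()`/`get_user_tgt()` still cache on `type(self).mach_tgt`/`type(self).user_tgt` while the series says `get_tgt()` now caches via the base class; keeping both leaves two caches for the same ticket, and the class attributes here could be dropped.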
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 0e138352b06..59175c7bb2f 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -52,7 +52,11 @@ from samba.samdb import SamDB, dsdb_Dn
from samba.tests import delete_force
import samba.tests.krb5.kcrypto as kcrypto
-from samba.tests.krb5.raw_testcase import KerberosCredentials, RawKerberosTest
+from samba.tests.krb5.raw_testcase import (
+ KerberosCredentials,
+ KerberosTicketCreds,
+ RawKerberosTest
+)
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.tests.krb5.rfc4120_constants import (
AD_IF_RELEVANT,
@@ -66,10 +70,10 @@ from samba.tests.krb5.rfc4120_constants import (
KU_AS_REP_ENC_PART,
KU_ENC_CHALLENGE_CLIENT,
KU_PA_ENC_TIMESTAMP,
- KU_TGS_REP_ENC_PART_SUB_KEY,
KU_TICKET,
NT_PRINCIPAL,
NT_SRV_HST,
+ NT_SRV_INST,
PADATA_ENCRYPTED_CHALLENGE,
PADATA_ENC_TIMESTAMP,
PADATA_ETYPE_INFO2,
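Review bot: dropping `KU_TGS_REP_ENC_PART_SUB_KEY` from the import is correct only if no other user remains in this file; the only use visible in this mail is the manual `subkey.decrypt(...)` removed in the `tgs_req()` hunk, so a quick grep of the file before merging confirms it. `NT_SRV_INST` is added here but its use lies beyond the truncated part of the changeset.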
@@ -106,6 +110,7 @@ class KDCBaseTest(RawKerberosTest):
cls.accounts = set()
cls.account_cache = {}
+ cls.tkt_cache = {}
cls._rodc_ctx = None
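Review bot: `cls.tkt_cache` is a class-level dict set in `setUpClass`; this hunk shows no matching clear in `tearDownClass`, and because the cache is keyed by principal name strings (see `get_service_ticket()` later in this changeset), entries survive across every test in the class. Tests that obtain a ticket and then modify it (this series adds a PAC-modifying helper) should request `fresh=True` so a modified ticket is not handed to a later test; a comment on this line saying so would help.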
@@ -225,7 +230,7 @@ class KDCBaseTest(RawKerberosTest):
return default_enctypes
- def create_account(self, ldb, name, machine_account=False,
+ def create_account(self, samdb, name, machine_account=False,
spn=None, upn=None, additional_details=None,
ou=None, account_control=0):
'''Create an account for testing.
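Review bot: renaming the parameter from `ldb` to `samdb` stops it shadowing the `ldb` module, which the later `creds.set_dn(ldb.Dn(samdb, dn))` change in this file needs; it does, however, break any caller that passed the connection as `ldb=` by keyword, so check the callers in `fast_tests.py` and `kdc_tgs_tests.py` for keyword use.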
@@ -236,13 +241,13 @@ class KDCBaseTest(RawKerberosTest):
guid = (DS_GUID_COMPUTERS_CONTAINER if machine_account
else DS_GUID_USERS_CONTAINER)
- ou = ldb.get_wellknown_dn(ldb.get_default_basedn(), guid)
+ ou = samdb.get_wellknown_dn(samdb.get_default_basedn(), guid)
dn = "CN=%s,%s" % (name, ou)
# remove the account if it exists, this will happen if a previous test
# run failed
- delete_force(ldb, dn)
+ delete_force(samdb, dn)
if machine_account:
object_class = "computer"
account_name = "%s$" % name
@@ -267,19 +272,19 @@ class KDCBaseTest(RawKerberosTest):
details["userPrincipalName"] = upn
if additional_details is not None:
details.update(additional_details)
- ldb.add(details)
+ samdb.add(details)
creds = KerberosCredentials()
creds.guess(self.get_lp())
- creds.set_realm(ldb.domain_dns_name().upper())
- creds.set_domain(ldb.domain_netbios_name().upper())
+ creds.set_realm(samdb.domain_dns_name().upper())
+ creds.set_domain(samdb.domain_netbios_name().upper())
creds.set_password(password)
creds.set_username(account_name)
if machine_account:
creds.set_workstation(name)
else:
creds.set_workstation('')
- creds.set_dn(dn)
+ creds.set_dn(ldb.Dn(samdb, dn))
#
# Save the account name so it can be deleted in tearDownClass
self.accounts.add(dn)
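Review bot: `creds.set_dn(ldb.Dn(samdb, dn))` needs the `ldb` module imported in `kdc_base_test.py`; the import hunk shown earlier only touches `samba.tests.krb5.raw_testcase`, so confirm `import ldb` is present at module level. Note also that `self.accounts.add(dn)` on the context line keeps the plain string DN, so account cleanup and the credentials' DN now use different types; harmless as long as `delete_force` accepts strings, but worth a short comment.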
@@ -910,12 +915,11 @@ class KDCBaseTest(RawKerberosTest):
fallback_creds_fn=download_krbtgt_creds)
return c
- def as_req(self, cname, sname, realm, etypes, padata=None):
+ def as_req(self, cname, sname, realm, etypes, padata=None, kdc_options=0):
'''Send a Kerberos AS_REQ, returns the undecoded response
'''
till = self.get_KerberosTime(offset=36000)
- kdc_options = 0
req = self.AS_REQ_create(padata=padata,
kdc_options=str(kdc_options),
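Review bot: `as_req()` gains a `kdc_options` parameter, but the docstring on the context lines still describes only the AS-REQ and its response; document that the value is passed through `str()`, so `0` yields `"0"` and a `krb5_asn1.KDCOptions(...)` value (as the removed `get_tgt()` used) yields its string form, so callers know which types are accepted.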
@@ -1063,61 +1067,223 @@ class KDCBaseTest(RawKerberosTest):
else:
self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep)
- def tgs_req(self, cname, sname, realm, ticket, key, etypes):
+ def tgs_req(self, cname, sname, realm, ticket, key, etypes,
+ expected_error_mode=0, padata=None, kdc_options=0,
+ to_rodc=False):
'''Send a TGS-REQ, returns the response and the decrypted and
decoded enc-part
'''
- kdc_options = "0"
- till = self.get_KerberosTime(offset=36000)
- padata = []
-
subkey = self.RandomKey(key.etype)
(ctime, cusec) = self.get_KerberosTimeWithUsec()
- req = self.TGS_REQ_create(padata=padata,
- cusec=cusec,
- ctime=ctime,
- ticket=ticket,
- kdc_options=str(kdc_options),
- cname=cname,
- realm=realm,
- sname=sname,
- from_time=None,
- till_time=till,
- renew_time=None,
- nonce=0x7ffffffe,
- etypes=etypes,
- addresses=None,
- EncAuthorizationData=None,
- EncAuthorizationData_key=None,
- additional_tickets=None,
- ticket_session_key=key,
- authenticator_subkey=subkey)
- rep = self.send_recv_transaction(req)
- self.assertIsNotNone(rep)
+ tgt = KerberosTicketCreds(ticket,
+ key,
+ crealm=realm,
+ cname=cname)
- msg_type = rep['msg-type']
- enc_part = None
- if msg_type == KRB_TGS_REP:
- enc_part = subkey.decrypt(
- KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher'])
- enc_part = self.der_decode(
- enc_part, asn1Spec=krb5_asn1.EncTGSRepPart())
- return (rep, enc_part)
+ if not expected_error_mode:
+ check_error_fn = None
+ check_rep_fn = self.generic_check_kdc_rep
+ else:
+ check_error_fn = self.generic_check_kdc_error
+ check_rep_fn = None
+
+ def generate_padata(_kdc_exchange_dict,
+ _callback_dict,
+ req_body):
+
+ return padata, req_body
+
+ kdc_exchange_dict = self.tgs_exchange_dict(
+ expected_crealm=realm,
+ expected_cname=cname,
+ expected_srealm=realm,
+ expected_sname=sname,
+ expected_error_mode=expected_error_mode,
+ check_error_fn=check_error_fn,
+ check_rep_fn=check_rep_fn,
+ check_kdc_private_fn=self.generic_check_kdc_private,
+ generate_padata_fn=generate_padata if padata is not None else None,
+ tgt=tgt,
+ authenticator_subkey=subkey,
+ kdc_options=str(kdc_options),
+ to_rodc=to_rodc)
+
+ rep = self._generic_kdc_exchange(kdc_exchange_dict,
+ cname=None,
+ realm=realm,
+ sname=sname,
+ etypes=etypes)
+
+ if expected_error_mode:
+ enc_part = None
+ else:
+ ticket_creds = kdc_exchange_dict['rep_ticket_creds']
+ enc_part = ticket_creds.encpart_private
+
+ return rep, enc_part
+
+ def get_service_ticket(self, tgt, target_creds, service='host',
+ to_rodc=False, fresh=False):
+ user_name = tgt.cname['name-string'][0]
+ target_name = target_creds.get_username()
+ cache_key = (user_name, target_name, service, to_rodc)
+
+ if not fresh:
+ ticket = self.tkt_cache.get(cache_key)
+
+ if ticket is not None:
+ return ticket
+
+ etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+
+ key = tgt.session_key
+ ticket = tgt.ticket
+
+ cname = tgt.cname
+ realm = tgt.crealm
+
+ target_name = target_creds.get_username()[:-1]
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=[service, target_name])
+
+ rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype,
+ to_rodc=to_rodc)
+
+ service_ticket = rep['ticket']
+
+ ticket_etype = service_ticket['enc-part']['etype']
+ target_key = self.TicketDecryptionKey_from_creds(target_creds,
+ etype=ticket_etype)
+
+ session_key = self.EncryptionKey_import(enc_part['key'])
+
+ service_ticket_creds = KerberosTicketCreds(service_ticket,
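Review bot: in `get_service_ticket()`, `ticket` is first used for the cache lookup and then reassigned to `tgt.ticket`, and `target_name` is first the full account name (used in `cache_key`) and then `target_creds.get_username()[:-1]`; two distinct names (`cached`/`target_sam`, say) would make the cache key's contents obvious. Because `cache_key` is `(user_name, target_name, service, to_rodc)` and excludes the TGT itself and `etype`, a cached service ticket is returned even when the caller passes a different TGT for the same user; callers using a modified or RODC-issued TGT should pass `fresh=True`, and that deserves a comment. In `tgs_req()`, the docstring still promises "the response and the decrypted and decoded enc-part", but the function now returns `(rep, None)` when `expected_error_mode` is set and does not mention `padata`, `kdc_options` or `to_rodc`. The remainder of this hunk, including where the result is stored in `tkt_cache`, is beyond the 500-line cut, so the store path could not be checked here.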
--
Samba Shared Repository