[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Sep 23 19:29:01 UTC 2021
The branch, master has been updated
via 5b331443d06 tests/krb5: Add classes for testing invalid checksums
via c0b81f0dd54 tests/krb5: Add method to determine if principal is krbtgt
via ea7b550a500 tests/krb5: Verify checksums of tickets obtained from the KDC
via 1458cd9065d tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
via 394e8db261b tests/krb5: Simplify account creation
via f2f1f3a1e92 tests/krb5: Provide ticket enc-part key to tgs_req()
via f9284d8517e tests/krb5: Fix checking for presence of authorization data
via 9d01043042f tests/krb5: Add method to get DC credentials
via 38b4b334caf tests/krb5: Allow tgs_req() to check the returned ticket enc-part
via 054ec1a8cc4 tests/krb5: Set key version number for all accounts created with create_account()
via 14cd933a9d6 tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
via b6eaf2cf44f tests/krb5: Get supported enctypes for credentials from database
via 432eba9e098 tests/krb5: Add methods to convert between enctypes and bitfields
via 7cedd383bcc tests/krb5: Make get_default_enctypes() return a set of enctype constants
via 4c67a53cdca tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
via 1fcde7cb6ce tests/krb5: Add method for modifying a ticket and creating PAC checksums
via 12b5e72a35d tests/krb5: Add method to verify ticket PAC checksums
from 702ebb3d8c8 registry: skip root check when running with uid-wrapper enabled
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 5b331443d0698256ee7fcc040a1ab8137efe925d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:10:35 2021 +1200
tests/krb5: Add classes for testing invalid checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184
commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 15:06:18 2021 +1200
tests/krb5: Add method to determine if principal is krbtgt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ea7b550a500d9e458498d37688b67dafd3d9509d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:10:07 2021 +1200
tests/krb5: Verify checksums of tickets obtained from the KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1458cd9065de34c42bd5ec63feb2f66c25103982
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:54:47 2021 +1200
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 394e8db261b10d130c5e5730989bf68f9bf4f85f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:05:58 2021 +1200
tests/krb5: Simplify account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 22 11:41:45 2021 +1200
tests/krb5: Provide ticket enc-part key to tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9284d8517edd9ffd96f0c24166a16366f97de8f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 14:08:16 2021 +1200
tests/krb5: Fix checking for presence of authorization data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:58:09 2021 +1200
tests/krb5: Add method to get DC credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 38b4b334caf1b32f1479db3ada48b2028946f5e6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:59:24 2021 +1200
tests/krb5: Allow tgs_req() to check the returned ticket enc-part
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Sep 20 13:54:39 2021 +1200
tests/krb5: Set key version number for all accounts created with create_account()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 14cd933a9d6af08deb680c9f688b166138d45ed9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:11:28 2021 +1200
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b6eaf2cf44fb66d8f302d4cab050827a67de3ea4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:10:49 2021 +1200
tests/krb5: Get supported enctypes for credentials from database
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 432eba9e09849e74f4c0f2d7826d45cbd2b7ce42
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 21:01:46 2021 +1200
tests/krb5: Add methods to convert between enctypes and bitfields
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7cedd383bcc1b5652ea65817b464d6e0485c7b8b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 17:01:12 2021 +1200
tests/krb5: Make get_default_enctypes() return a set of enctype constants
This is often more convenient than a bitfield.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4c67a53cdca206a118e82b356db0faf0ddc011ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Sep 21 13:33:16 2021 +1200
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1fcde7cb6ce50e0a08097841e92476f320560664
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 15:26:12 2021 +1200
tests/krb5: Add method for modifying a ticket and creating PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 12b5e72a35d632516980f6c051a5d83f913079e7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Sep 17 14:56:51 2021 +1200
tests/krb5: Add method to verify ticket PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
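The commits b6eaf2cf44f, 432eba9e098 and 7cedd383bcc above describe three pieces of the same logic: reading an account's msDS-SupportedEncryptionTypes, converting between a collection of Kerberos enctype constants and the attribute's bit flags, and falling back to RC4 when the attribute gives nothing to go on. The following stand-alone Python is an added example, not Samba's code and not the test framework's own helpers. The enctype numbers and bit values are the published Kerberos (RFC 3961/3962/4757) and MS-KILE constants; everything else (the RC4 fallback set, the masking of the FAST/claims capability flags before deciding what keys an account has, and the strength ordering used to pick a common enctype) is this example's own assumption and goes a little beyond what the commit messages say.

```python
# Added example, not Samba's code: model the msDS-SupportedEncryptionTypes
# handling described in the commits above. Enctype numbers and bit values are
# the published constants; the fallback policy and the strength ranking are
# assumptions made for this example.

# Kerberos encryption type numbers (RFC 3961, RFC 3962, RFC 4757).
ENCTYPE_DES_CBC_CRC = 1
ENCTYPE_DES_CBC_MD5 = 3
ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 17
ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 18
ENCTYPE_ARCFOUR_HMAC = 23

# msDS-SupportedEncryptionTypes bit flags (MS-KILE section 2.2.7).
KERB_ENCTYPE_DES_CBC_CRC = 0x00000001
KERB_ENCTYPE_DES_CBC_MD5 = 0x00000002
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010
KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000
KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000
KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000
KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED = 0x00080000

ENCTYPE_TO_BIT = {
    ENCTYPE_DES_CBC_CRC: KERB_ENCTYPE_DES_CBC_CRC,
    ENCTYPE_DES_CBC_MD5: KERB_ENCTYPE_DES_CBC_MD5,
    ENCTYPE_ARCFOUR_HMAC: KERB_ENCTYPE_RC4_HMAC_MD5,
    ENCTYPE_AES128_CTS_HMAC_SHA1_96: KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    ENCTYPE_AES256_CTS_HMAC_SHA1_96: KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
}
BIT_TO_ENCTYPE = {bit: etype for etype, bit in ENCTYPE_TO_BIT.items()}

# Capability flags that share the attribute but are not encryption types.
# They must be masked off before deciding which keys an account supports.
CAPABILITY_BITS = (KERB_ENCTYPE_FAST_SUPPORTED
                   | KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED
                   | KERB_ENCTYPE_CLAIMS_SUPPORTED
                   | KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED)

# Strongest first. Used only by strongest_common_etype() (assumption).
STRENGTH_ORDER = (
    ENCTYPE_AES256_CTS_HMAC_SHA1_96,
    ENCTYPE_AES128_CTS_HMAC_SHA1_96,
    ENCTYPE_ARCFOUR_HMAC,
    ENCTYPE_DES_CBC_MD5,
    ENCTYPE_DES_CBC_CRC,
)


def etypes_to_bits(etypes):
    """Fold enctype numbers into msDS-SupportedEncryptionTypes bit flags."""
    bits = 0
    for etype in etypes:
        if etype not in ENCTYPE_TO_BIT:
            raise ValueError("enctype %r has no msDS-SupportedEncryptionTypes bit" % (etype,))
        bits |= ENCTYPE_TO_BIT[etype]
    return bits


def bits_to_etypes(bits):
    """Set of enctype numbers whose bits are set; capability flags are ignored."""
    return {etype for bit, etype in BIT_TO_ENCTYPE.items() if bits & bit}


def account_supported_etypes(attr_value, fallback=frozenset({ENCTYPE_ARCFOUR_HMAC})):
    """Enctypes an account supports, given its msDS-SupportedEncryptionTypes.

    attr_value is the attribute as an int, or None when it is absent. A
    missing attribute, or one that names no enctype (e.g. only the FAST or
    claims flags), falls back to RC4. The fallback set is this example's
    choice, mirroring the RC4 fallback the commit messages mention.
    """
    if attr_value is None:
        return set(fallback)
    etypes = bits_to_etypes(attr_value & ~CAPABILITY_BITS)
    return etypes if etypes else set(fallback)


def strongest_common_etype(client_etypes, attr_value):
    """Strongest enctype both offered by the client and supported by the account.

    Simplified selection model for illustration only (assumption); a real KDC
    also honours the client's ordering and picks session and ticket keys
    separately.
    """
    supported = account_supported_etypes(attr_value)
    offered = set(client_etypes)
    for etype in STRENGTH_ORDER:
        if etype in supported and etype in offered:
            return etype
    return None


if __name__ == "__main__":
    # Constructed sample: an account with AES and RC4 keys and the FAST flag set.
    attr = 0x1001c
    print(sorted(account_supported_etypes(attr)))      # [17, 18, 23]
    print(strongest_common_etype([23, 18, 17], attr))  # 18
    print(sorted(account_supported_etypes(None)))      # [23]
```

The masking step is the part worth keeping in mind when reading the tests: an attribute value of 0x10000 (FAST supported, no enctype bits) must not be read as "supports nothing", and neither must it be read as "supports AES"; both the set conversion and the fallback have to treat it exactly as a missing attribute does.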
Summary of changes:
python/samba/tests/krb5/as_req_tests.py | 4 +-
python/samba/tests/krb5/fast_tests.py | 53 +--
python/samba/tests/krb5/kdc_base_test.py | 141 ++++--
python/samba/tests/krb5/kdc_tgs_tests.py | 6 +-
.../krb5/ms_kile_client_principal_lookup_tests.py | 46 +-
python/samba/tests/krb5/raw_testcase.py | 508 ++++++++++++++++++++-
6 files changed, 633 insertions(+), 125 deletions(-)
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 35f88a0c920..8d9b90fee69 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -60,7 +60,7 @@ class AsReqKerberosTests(KDCBaseTest):
initial_kdc_options=None):
client_creds = self.get_client_creds()
client_account = client_creds.get_username()
- client_as_etypes = client_creds.get_as_krb5_etypes()
+ client_as_etypes = self.get_default_enctypes()
krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
krbtgt_account = krbtgt_creds.get_username()
realm = krbtgt_creds.get_realm()
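Review bot: at `client_as_etypes = self.get_default_enctypes()` the AS-REQ now advertises the domain-wide default enctype set instead of the client account's own list from `client_creds.get_as_krb5_etypes()`, so a test can offer enctypes the account does not actually hold. With the kdc_base_test.py change in this series `get_default_enctypes()` returns a set rather than a bitfield; confirm `_test_as_exchange` accepts a set where it previously received the credentials' value, and add a one-line comment that offering the domain default (not the account's supported types) is intentional.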
@@ -114,7 +114,7 @@ class AsReqKerberosTests(KDCBaseTest):
def test_as_req_enc_timestamp(self):
client_creds = self.get_client_creds()
client_account = client_creds.get_username()
- client_as_etypes = client_creds.get_as_krb5_etypes()
+ client_as_etypes = self.get_default_enctypes()
client_kvno = client_creds.get_kvno()
krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
krbtgt_account = krbtgt_creds.get_username()
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index 44853365d1e..5f396542d18 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -25,10 +25,7 @@ import collections
import ldb
from samba.dcerpc import security
-from samba.tests.krb5.raw_testcase import (
- KerberosTicketCreds,
- Krb5EncryptionKey
-)
+from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
from samba.tests.krb5.kdc_base_test import KDCBaseTest
from samba.tests.krb5.rfc4120_constants import (
AD_FX_FAST_ARMOR,
@@ -45,7 +42,6 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
KRB_AS_REP,
KRB_TGS_REP,
- KU_TICKET,
NT_PRINCIPAL,
NT_SRV_INST,
PADATA_FX_COOKIE,
@@ -1173,6 +1169,7 @@ class FAST_Tests(KDCBaseTest):
name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
krbtgt_decryption_key = self.TicketDecryptionKey_from_creds(
krbtgt_creds)
+ krbtgt_etypes = krbtgt_creds.tgs_supported_enctypes
target_username = target_creds.get_username()[:-1]
target_realm = target_creds.get_realm()
@@ -1181,6 +1178,7 @@ class FAST_Tests(KDCBaseTest):
name_type=NT_SRV_INST, names=[target_service, target_username])
target_decryption_key = self.TicketDecryptionKey_from_creds(
target_creds)
+ target_etypes = target_creds.tgs_supported_enctypes
fast_cookie = None
preauth_etype_info2 = None
@@ -1369,6 +1367,7 @@ class FAST_Tests(KDCBaseTest):
expected_anon=expected_anon,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
+ expected_supported_etypes=krbtgt_etypes,
expected_flags=expected_flags,
unexpected_flags=unexpected_flags,
ticket_decryption_key=krbtgt_decryption_key,
@@ -1402,6 +1401,7 @@ class FAST_Tests(KDCBaseTest):
expected_anon=expected_anon,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
+ expected_supported_etypes=target_etypes,
expected_flags=expected_flags,
unexpected_flags=unexpected_flags,
ticket_decryption_key=target_decryption_key,
@@ -1471,44 +1471,19 @@ class FAST_Tests(KDCBaseTest):
def gen_tgt_fast_armor_auth_data(self):
user_tgt = self.get_user_tgt()
- ticket_decryption_key = user_tgt.decryption_key
+ auth_data = self.generate_fast_armor_auth_data()
+
+ def modify_fn(enc_part):
+ enc_part['authorization-data'].append(auth_data)
- tgt_encpart = self.getElementValue(user_tgt.ticket, 'enc-part')
- self.assertElementEqual(tgt_encpart, 'etype',
- ticket_decryption_key.etype)
- self.assertElementKVNO(tgt_encpart, 'kvno',
- ticket_decryption_key.kvno)
- tgt_cipher = self.getElementValue(tgt_encpart, 'cipher')
- tgt_decpart = ticket_decryption_key.decrypt(KU_TICKET, tgt_cipher)
- tgt_private = self.der_decode(tgt_decpart,
- asn1Spec=krb5_asn1.EncTicketPart())
+ return enc_part
- auth_data = self.generate_fast_armor_auth_data()
- tgt_private['authorization-data'].append(auth_data)
-
- # Re-encrypt the user TGT.
- tgt_private_new = self.der_encode(
- tgt_private,
- asn1Spec=krb5_asn1.EncTicketPart())
- tgt_encpart = self.EncryptedData_create(ticket_decryption_key,
- KU_TICKET,
- tgt_private_new)
- user_ticket = user_tgt.ticket.copy()
- user_ticket['enc-part'] = tgt_encpart
-
- user_tgt = KerberosTicketCreds(
- user_ticket,
- session_key=user_tgt.session_key,
- crealm=user_tgt.crealm,
- cname=user_tgt.cname,
- srealm=user_tgt.srealm,
- sname=user_tgt.sname,
- decryption_key=user_tgt.decryption_key,
- ticket_private=tgt_private,
- encpart_private=user_tgt.encpart_private)
+ checksum_keys = self.get_krbtgt_checksum_key()
# Use our modifed TGT to replace the one in the request.
- return user_tgt
+ return self.modified_ticket(user_tgt,
+ modify_fn=modify_fn,
+ checksum_keys=checksum_keys)
def create_fast_cookie(self, cookie):
self.assertIsNotNone(cookie)
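Review bot: `modified_ticket(user_tgt, modify_fn=modify_fn, checksum_keys=checksum_keys)` recomputes the PAC checksums with the key from `get_krbtgt_checksum_key()` after `modify_fn` appends the FAST armor authorization-data; that recomputation is what makes the tampered TGT verify at the KDC, and it deserves a one-line comment here rather than a trip to raw_testcase.py. `modify_fn` both mutates `enc_part` in place and returns it, which is fine but worth stating if `modified_ticket()` relies on the return value. The retained comment `# Use our modifed TGT to replace the one in the request.` has a typo (`modified`).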
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 59175c7bb2f..b71ae66bf54 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -222,11 +222,11 @@ class KDCBaseTest(RawKerberosTest):
functional_level = self.get_domain_functional_level(samdb)
# RC4 should always be supported
- default_enctypes = security.KERB_ENCTYPE_RC4_HMAC_MD5
+ default_enctypes = {kcrypto.Enctype.RC4}
if functional_level >= DS_DOMAIN_FUNCTION_2008:
# AES is only supported at functional level 2008 or higher
- default_enctypes |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
- default_enctypes |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ default_enctypes.add(kcrypto.Enctype.AES256)
+ default_enctypes.add(kcrypto.Enctype.AES128)
return default_enctypes
@@ -289,6 +289,14 @@ class KDCBaseTest(RawKerberosTest):
# Save the account name so it can be deleted in tearDownClass
self.accounts.add(dn)
+ self.creds_set_enctypes(creds)
+
+ res = samdb.search(base=dn,
+ scope=ldb.SCOPE_BASE,
+ attrs=['msDS-KeyVersionNumber'])
+ kvno = int(res[0]['msDS-KeyVersionNumber'][0])
+ creds.set_kvno(kvno)
+
return (creds, dn)
def create_rodc(self, ctx):
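Review bot: `create_account()` now issues two base-scope searches against the same `dn` back to back: `self.creds_set_enctypes(creds)` fetches msDS-SupportedEncryptionTypes, and the lines below fetch msDS-KeyVersionNumber. Fold them into one search with `attrs=['msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber']`, or let `creds_set_enctypes()` take an already-fetched message. Also `int(res[0]['msDS-KeyVersionNumber'][0])` fails with a KeyError instead of a test assertion if the attribute is absent; an `assertIn` first gives a clearer failure.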
@@ -513,12 +521,7 @@ class KDCBaseTest(RawKerberosTest):
default_enctypes = self.get_default_enctypes()
- if default_enctypes & security.KERB_ENCTYPE_RC4_HMAC_MD5:
- self.assertIn(kcrypto.Enctype.RC4, keys)
- if default_enctypes & security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
- self.assertIn(kcrypto.Enctype.AES256, keys)
- if default_enctypes & security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
- self.assertIn(kcrypto.Enctype.AES128, keys)
+ self.assertCountEqual(default_enctypes, keys)
return keys
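Review bot: `self.assertCountEqual(default_enctypes, keys)` tightens the check from "every default enctype has a key" (the removed `assertIn` lines) to "the account's key set equals the default set exactly". An account that additionally holds a DES key, or that lacks one default by policy, now fails where it previously passed. If exact equality is the intent, say so in a comment; if not, `self.assertTrue(default_enctypes <= set(keys))` keeps the old subset semantics now that `default_enctypes` is a set.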
@@ -527,13 +530,28 @@ class KDCBaseTest(RawKerberosTest):
for enctype, key in keys.items():
creds.set_forced_key(enctype, key)
- supported_enctypes = 0
- if kcrypto.Enctype.AES256 in keys:
- supported_enctypes |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
- if kcrypto.Enctype.AES128 in keys:
- supported_enctypes |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
- if kcrypto.Enctype.RC4 in keys:
- supported_enctypes |= security.KERB_ENCTYPE_RC4_HMAC_MD5
+ def creds_set_enctypes(self, creds):
+ samdb = self.get_samdb()
+
+ res = samdb.search(creds.get_dn(),
+ scope=ldb.SCOPE_BASE,
+ attrs=['msDS-SupportedEncryptionTypes'])
+ supported_enctypes = res[0].get('msDS-SupportedEncryptionTypes', idx=0)
+
+ if supported_enctypes is None:
+ supported_enctypes = 0
+
+ creds.set_as_supported_enctypes(supported_enctypes)
+ creds.set_tgs_supported_enctypes(supported_enctypes)
+ creds.set_ap_supported_enctypes(supported_enctypes)
+
+ def creds_set_default_enctypes(self, creds, fast_support=False):
+ default_enctypes = self.get_default_enctypes()
+ supported_enctypes = KerberosCredentials.etypes_to_bits(
+ default_enctypes)
+
+ if fast_support:
+ supported_enctypes |= KerberosCredentials.fast_supported_bits
creds.set_as_supported_enctypes(supported_enctypes)
creds.set_tgs_supported_enctypes(supported_enctypes)
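Review bot: `res[0].get('msDS-SupportedEncryptionTypes', idx=0)` yields the raw ldb attribute value, while the `if supported_enctypes is None` branch substitutes the int `0`, so the three `set_*_supported_enctypes()` calls receive different types depending on whether the attribute exists. Either coerce here (`int(...)` once the value is known to be present) or confirm the setters do it; a mixed-type value would surface later as a puzzling mismatch against `expected_supported_etypes`. `creds_set_enctypes()` and `creds_set_default_enctypes()` also repeat the same three setter calls; a small shared helper would keep them in step.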
@@ -638,10 +656,8 @@ class KDCBaseTest(RawKerberosTest):
enctypes = supported_enctypes
if fast_support:
- fast_bits = (security.KERB_ENCTYPE_FAST_SUPPORTED |
- security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED |
- security.KERB_ENCTYPE_CLAIMS_SUPPORTED)
- enctypes = (enctypes or 0) | fast_bits
+ enctypes = enctypes or 0
+ enctypes |= KerberosCredentials.fast_supported_bits
if enctypes is not None:
details['msDS-SupportedEncryptionTypes'] = str(enctypes)
@@ -660,23 +676,9 @@ class KDCBaseTest(RawKerberosTest):
additional_details=details,
account_control=user_account_control)
- res = samdb.search(base=dn,
- scope=ldb.SCOPE_BASE,
- attrs=['msDS-KeyVersionNumber'])
- kvno = int(res[0]['msDS-KeyVersionNumber'][0])
- creds.set_kvno(kvno)
-
keys = self.get_keys(samdb, dn)
self.creds_set_keys(creds, keys)
- if machine_account:
- if supported_enctypes is not None:
- tgs_enctypes = supported_enctypes
- else:
- tgs_enctypes = security.KERB_ENCTYPE_RC4_HMAC_MD5
-
- creds.set_tgs_supported_enctypes(tgs_enctypes)
-
# Handle secret replication to the RODC.
if allowed_replication or revealed_to_rodc:
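Review bot: the removed block set `tgs_supported_enctypes` to `KERB_ENCTYPE_RC4_HMAC_MD5` for machine accounts created without msDS-SupportedEncryptionTypes, and the commit message says that fallback moves to where the ticket decryption key is obtained. That destination is not in the (truncated) changeset shown here, and `creds_set_enctypes()` above stores `0` for a missing attribute, so such accounts carry `tgs_supported_enctypes == 0` until the relocated fallback runs. A comment at the `self.creds_set_enctypes(creds)` call in `create_account()` pointing at where `0` becomes RC4 would make the hand-off reviewable.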
@@ -821,6 +823,11 @@ class KDCBaseTest(RawKerberosTest):
keys = self.get_keys(samdb, krbtgt_dn)
self.creds_set_keys(creds, keys)
+ # The RODC krbtgt account should support the default enctypes,
+ # although it might not have the msDS-SupportedEncryptionTypes
+ # attribute.
+ self.creds_set_default_enctypes(creds)
+
return creds
c = self._get_krb5_creds(prefix='RODC_KRBTGT',
@@ -865,6 +872,8 @@ class KDCBaseTest(RawKerberosTest):
keys = self.get_keys(samdb, dn)
self.creds_set_keys(creds, keys)
+ self.creds_set_enctypes(creds)
+
return creds
c = self._get_krb5_creds(prefix='MOCK_RODC_KRBTGT',
@@ -905,6 +914,12 @@ class KDCBaseTest(RawKerberosTest):
keys = self.get_keys(samdb, dn)
self.creds_set_keys(creds, keys)
+ # The krbtgt account should support the default enctypes, although
+ # it might not (on Samba) have the msDS-SupportedEncryptionTypes
+ # attribute.
+ self.creds_set_default_enctypes(creds,
+ fast_support=self.kdc_fast_support)
+
return creds
c = self._get_krb5_creds(prefix='KRBTGT',
@@ -915,6 +930,48 @@ class KDCBaseTest(RawKerberosTest):
fallback_creds_fn=download_krbtgt_creds)
return c
+ def get_dc_creds(self,
+ require_keys=True,
+ require_strongest_key=False):
+ if require_strongest_key:
+ self.assertTrue(require_keys)
+
+ def download_dc_creds():
+ samdb = self.get_samdb()
+
+ dc_rid = 1000
+ dc_sid = '%s-%d' % (samdb.get_domain_sid(), dc_rid)
+
+ res = samdb.search(base='<SID=%s>' % dc_sid,
+ scope=ldb.SCOPE_BASE,
+ attrs=['sAMAccountName',
+ 'msDS-KeyVersionNumber'])
+ dn = res[0].dn
+ username = str(res[0]['sAMAccountName'])
+
+ creds = KerberosCredentials()
+ creds.set_domain(self.env_get_var('DOMAIN', 'DC'))
+ creds.set_realm(self.env_get_var('REALM', 'DC'))
+ creds.set_username(username)
+
+ kvno = int(res[0]['msDS-KeyVersionNumber'][0])
+ creds.set_kvno(kvno)
+ creds.set_dn(dn)
+
+ keys = self.get_keys(samdb, dn)
+ self.creds_set_keys(creds, keys)
+
+ self.creds_set_enctypes(creds)
+
+ return creds
+
+ c = self._get_krb5_creds(prefix='DC',
+ allow_missing_password=True,
+ allow_missing_keys=not require_keys,
+ require_strongest_key=require_strongest_key,
+ fallback_creds_fn=download_dc_creds)
+ return c
+
def as_req(self, cname, sname, realm, etypes, padata=None, kdc_options=0):
'''Send a Kerberos AS_REQ, returns the undecoded response
'''
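Review bot: `dc_rid = 1000` hard-codes the assumption that the DC's machine account is the first RID the domain allocated. In a freshly provisioned test domain that usually holds, but elsewhere it silently resolves the wrong account, or returns nothing and fails at `res[0]` with an IndexError. Resolve the DC by name instead (the `DC` environment already supplies DOMAIN and REALM via `env_get_var`; the rootDSE `dnsHostName`/`serverName` attributes are another option) and assert `len(res) == 1` before indexing. A short docstring saying what these credentials are for (decrypting `ldap/<dc>` service tickets, per the kdc_tgs_tests.py caller) would also help.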
@@ -1069,7 +1126,7 @@ class KDCBaseTest(RawKerberosTest):
def tgs_req(self, cname, sname, realm, ticket, key, etypes,
expected_error_mode=0, padata=None, kdc_options=0,
- to_rodc=False):
+ to_rodc=False, service_creds=None, expect_pac=True):
'''Send a TGS-REQ, returns the response and the decrypted and
decoded enc-part
'''
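Review bot: the docstring `'''Send a TGS-REQ, returns the response and the decrypted and decoded enc-part'''` was not updated for the two new parameters. Document that `service_creds` supplies the key used to decrypt and verify the returned ticket's enc-part and that with the default `None` the ticket is not checked at all, and what a failed `expect_pac=True` expectation means. Since this series exists to verify the tickets the KDC hands back, consider making callers opt out explicitly rather than defaulting `service_creds` to `None`, so unverified tickets do not quietly return.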
@@ -1083,6 +1140,12 @@ class KDCBaseTest(RawKerberosTest):
crealm=realm,
cname=cname)
+ if service_creds is not None:
+ decryption_key = self.TicketDecryptionKey_from_creds(
+ service_creds)
+ else:
+ decryption_key = None
+
if not expected_error_mode:
check_error_fn = None
check_rep_fn = self.generic_check_kdc_rep
@@ -1105,10 +1168,12 @@ class KDCBaseTest(RawKerberosTest):
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_kdc_private_fn=self.generic_check_kdc_private,
+ ticket_decryption_key=decryption_key,
generate_padata_fn=generate_padata if padata is not None else None,
tgt=tgt,
authenticator_subkey=subkey,
kdc_options=str(kdc_options),
+ expect_pac=expect_pac,
to_rodc=to_rodc)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
@@ -1150,7 +1215,8 @@ class KDCBaseTest(RawKerberosTest):
names=[service, target_name])
rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype,
- to_rodc=to_rodc)
+ to_rodc=to_rodc,
+ service_creds=target_creds)
service_ticket = rep['ticket']
@@ -1252,6 +1318,8 @@ class KDCBaseTest(RawKerberosTest):
expected_sname = self.PrincipalName_create(
name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
+ expected_etypes = krbtgt_creds.tgs_supported_enctypes
+
rep, kdc_exchange_dict = self._test_as_exchange(
cname=cname,
realm=realm,
@@ -1264,6 +1332,7 @@ class KDCBaseTest(RawKerberosTest):
expected_srealm=expected_realm,
expected_sname=expected_sname,
expected_salt=salt,
+ expected_supported_etypes=expected_etypes,
etypes=etype,
padata=padata,
kdc_options=kdc_options,
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index dad9e6b88df..0904233b01f 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -132,7 +132,8 @@ class KdcTgsTests(KDCBaseTest):
names=["ldap", samdb.host_dns_name()])
(rep, _) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype)
+ cname, sname, uc.get_realm(), ticket, key, etype,
+ service_creds=self.get_dc_creds())
self.check_tgs_reply(rep)
@@ -175,7 +176,8 @@ class KdcTgsTests(KDCBaseTest):
names=[mc.get_username()])
(rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype)
+ cname, sname, uc.get_realm(), ticket, key, etype,
+ service_creds=mc)
self.check_tgs_reply(rep)
# Check the contents of the service ticket
diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
index 99c842701ea..501bc4892f4 100755
--- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
@@ -126,7 +126,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
names=[mc.get_username()])
(rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype)
+ cname, sname, uc.get_realm(), ticket, key, etype,
+ service_creds=mc)
self.check_tgs_reply(rep)
# Check the contents of the pac, and the ticket
@@ -185,7 +186,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
names=[mc.get_username()])
(rep, enc_part) = self.tgs_req(
- cname, sname, mc.get_realm(), ticket, key, etype)
+ cname, sname, mc.get_realm(), ticket, key, etype,
+ service_creds=mc)
self.check_tgs_reply(rep)
# Check the contents of the pac, and the ticket
@@ -247,7 +249,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
names=[mc.get_username()])
(rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype)
+ cname, sname, uc.get_realm(), ticket, key, etype,
+ service_creds=mc)
self.check_tgs_reply(rep)
# Check the contents of the service ticket
@@ -279,15 +282,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
samdb = self.get_samdb()
user_name = "mskileusr"
alt_name = "mskilealtsec"
- (uc, dn) = self.create_account(samdb, user_name)
+ (uc, dn) = self.create_account(samdb, user_name,
+ account_control=UF_DONT_REQUIRE_PREAUTH)
realm = uc.get_realm().lower()
alt_sec = "Kerberos:%s@%s" % (alt_name, realm)
self.add_attribute(samdb, dn, "altSecurityIdentities", alt_sec)
- self.modify_attribute(
- samdb,
- dn,
- "userAccountControl",
- str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH))
mach_name = "mskilemac"
(mc, _) = self.create_account(samdb, mach_name, machine_account=True)
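Review bot: `self.create_account(samdb, user_name, account_control=UF_DONT_REQUIRE_PREAUTH)` replaces a `modify_attribute` that wrote `UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH`. The new call passes only `UF_DONT_REQUIRE_PREAUTH`, so it is equivalent only if `create_account()` ORs `UF_NORMAL_ACCOUNT` into `account_control` itself, and that code is not visible in this changeset. Confirm it does, or pass both flags explicitly as before.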
@@ -321,7 +320,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
names=[mc.get_username()])
(rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype)
+ cname, sname, uc.get_realm(), ticket, key, etype,
+ service_creds=mc, expect_pac=False)
self.check_tgs_reply(rep)
# Check the contents of the service ticket
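Review bot: `expect_pac=False` on this `tgs_req()` call records a KDC behaviour (no PAC in the service ticket for this case) without saying why, and it is the only such call among the hunks shown. Add a comment naming the condition that suppresses the PAC here, so that a later behaviour change is recognised as one instead of being "fixed" by flipping the flag.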
@@ -389,7 +389,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
names=[mc.get_username()])
(rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype)
+ cname, sname, uc.get_realm(), ticket, key, etype,
+ service_creds=mc)
self.check_tgs_reply(rep)
# Check the contents of the pac, and the ticket
@@ -491,7 +492,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
names=[mc.get_username()])
(rep, enc_part) = self.tgs_req(
- cname, sname, uc.get_realm(), ticket, key, etype)
+ cname, sname, uc.get_realm(), ticket, key, etype,
--
Samba Shared Repository