[SCM] Samba Shared Repository - branch v4-14-test updated

Jule Anger janger at samba.org
Thu Sep 16 08:08:44 UTC 2021


The branch, v4-14-test has been updated
       via  53b48cbe9a8 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
       via  a21afdbcd7b kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
       via  7b4c9eea253 tests/krb5: Allow expected_error_mode to be a container type
       via  63e5d195a5a tests/krb5: Allow specifying parameters specific to the inner FAST request body
       via  112e3625253 tests/krb5: Add tests for omitting sname in request
       via  f18cff2b0e1 tests/krb5: Check PADATA-PW-SALT element in e-data
       via  12c9c5b7d29 tests/krb5: Check e-data element for TGS-REP errors without FAST
       via  474ddf8fdda tests/krb5: Remove harmful and a-typical return in as_req testcase
       via  2444c94cb3a CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
       via  5c4de75af50 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
       via  c64f0cb102a tests/krb5: Make cname checking less strict
       via  7a938531dd0 tests/krb5: Make e-data checking less strict
       via  6b0ac964d78 selftest: Remove knownfail for no_etypes FAST tests
       via  54afeaec083 tests/krb5: Add FAST tests
       via  8eafefbce03 initial FAST tests
       via  6f483eb7c35 tests/krb5: Check PADATA-FX-ERROR in reply
       via  977d1e068e9 tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
       via  a4e7e1bd671 tests/krb5: Check PADATA-PAC-OPTIONS in reply
       via  7dc15c34d9e tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
       via  531ed864922 tests/krb5: Make check_rep_padata() also work for checking TGS replies
       via  2940dfb59c0 tests/krb5: Check PADATA-FX-COOKIE in reply
       via  1df74663b1e tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
       via  d8aaacc66d9 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
       via  7cb152b6ba6 tests/krb5: Check reply FAST padata if request included FAST
       via  e1f72aaaa44 tests/krb5: Check sname is krbtgt for FAST generic error
       via  1e02aaf49c6 tests/krb5: Add get_krbtgt_sname() method
       via  e2e7f2ec556 tests/krb5: Remove unused variables
       via  4fd7b629abd tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
       via  9380f54b200 tests/krb5: Add check_rep_padata() method to check padata in reply
       via  ff1d3928e04 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
       via  0f2acee95d2 tests/krb5: Include authdata in kdc_exchange_dict
       via  14207a42625 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
       via  ebd51dc4db4 tests/krb5: Check encrypted-pa-data
       via  b77aed56836 tests/krb5: Add methods to determine whether elements were included in the request
       via  afae6b431b8 tests/krb5: Add functions to get dicts of request padata
       via  1cecb538d78 tests/krb5: Check FAST response
       via  d2b4a1883a3 tests/krb5: Add method to verify ticket checksum for FAST
       via  7f8f1202964 tests/krb5: Add method to check PA-FX-FAST-REPLY
       via  9064e5eb053 tests/krb5: Allow specifying parameters specific to the outer request body
       via  dec428538ca tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
       via  d51b727590f tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
       via  c4be77e9606 tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
       via  b2aee7dc371 tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
       via  020d1c73af3 tests/krb5: Add methods to calculate keys for FAST
       via  1b85d721a48 tests/krb5: Add method to generate FAST encrypted challenge padata
       via  83f8c3f1e18 tests/krb5: Add more methods to create ASN1 objects for FAST
       via  46f356d0b62 tests/krb5: Add more ASN1 definitions for FAST
       via  ce130f1bdf7 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
       via  4cca060c4dd tests/krb5: Ensure generated padata is not None
       via  c511763c119 tests/krb5: Add generate_ap_req() method
       via  383ccffa5eb tests/krb5: Check nonce in EncKDCRepPart
       via  972111f501f tests/krb5: Make checking less strict
       via  f5c4993213a tests/krb5: Check version number of obtained ticket
       via  6fea68a9828 tests/krb5: Assert that more variables are not None
       via  fde5967c8dd tests/krb5: Ensure in assertElementPresent() that container elements are not empty
       via  3795f815003 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
       via  5e41e264ebe tests/krb5: Include kdc_options in kdc_exchange_dict
       via  8bef7b0c98a tests/krb5: Always specify expected error code
       via  46e019d5088 tests/krb5: Add check_reply() method to check for AS or TGS reply
       via  be5047564fc tests/krb5: Add method to calculate account salt
       via  49a987dc57e tests/krb5: Add more methods for obtaining machine and service credentials
       via  989b352023b tests/krb5: Allow specifying additional details when creating an account
       via  79ab000c197 tests/krb5: Use encryption with admin credentials
       via  300ac82e720 tests/krb5: Add get_EpochFromKerberosTime()
       via  29aa10b93ae tests/krb5: Make _test_as_exchange() return value more consistent
       via  53c49a8c2a0 tests/krb5: Add method to return dict containing padata elements
       via  885f56f4c91 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
       via  16d7c193bb4 tests/krb5: Refactor get_pa_data()
       via  210b2368eea tests/krb5: Allow cf2 to automatically use the enctype of the first key
       via  27ce461ad8f tests/krb5: Use credentials kvno when creating password key
       via  b695f407b9a tests/krb5: Check Kerberos protocol version number
       via  c562c5cbeeb tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
       via  1676812b858 tests/krb5: Fix encpart_decryption_key with MIT KDC
       via  4cc5bbdb71b tests/krb5: Fix callback_dict parameter
       via  2261df73ce4 tests/krb5: Fix including enc-authorization-data
       via  b7e71204189 tests/krb5: Remove magic constants
       via  27499d3583f tests/krb5: Simplify Python syntax
       via  10578ae11f9 tests/krb5: Use more compact dict lookup
       via  6955f08227b tests/krb5: Remove unneeded statements
       via  0e276e08fb5 tests/krb5: formatting
       via  27e3155358f tests/krb5: Fix method name typo
       via  b74fca8dd01 tests/krb5: Fix comment typo
       via  82586e8bee9 tests/krb5: Fix ms_kile_client_principal_lookup_test errors
       via  3df9870e6d3 pygensec: Don't modify Python bytes objects
       via  8b281a05539 pygensec: Fix memory leaks
       via  6cf0b28459d selftest: Add support for setting ENV variables in plantestsuite()
       via  b884b4ef585 selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
       via  e04e2925be1 selftest: Re-format long lines in selftesthelpers.py
       via  30142140927 selftest: add space after --list in output of selftesthelpers.py
       via  6a3b7eb5b81 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
       via  b4022ea0b4a tests/krb5: Use admin creds for SamDB rather than user creds
       via  477f765f1ab tests/krb5/as_canonicalization_tests.py: Refactor account creation
       via  0e86cc3d59d tests/krb5: Deduplicate 'host' attribute initialisation
       via  de8c2bf0cc9 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
       via  8565cc4ec48 tests/krb5/as_req_tests.py: Check the client kvno
       via  8154d2cc3d2 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
       via  6bc79db7b39 tests/krb5/as_req_tests.py: Automatically obtain credentials
       via  7f33d712596 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
       via  13667701cda tests/krb5/raw_testcase.py: Simplify conditionals
       via  b423bb95afc tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
       via  47b6072624c tests/krb5/raw_testcase.py: Cache obtained credentials
       via  4d72aa9e098 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
       via  9521952380b tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
       via  d85f359789b tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
       via  b91a08ce89e tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
       via  d6f5da02368 tests/krb5/kdc_base_test.py: Create loadparm only when needed
       via  5ffa305eb2e tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
       via  9ce0d56ed48 tests/krb5/kdc_base_test.py: Create database connection only when needed
       via  c12cc693710 tests/krb5/raw_testcase.py: Add get_admin_creds()
       via  461131ed517 tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
       via  af9e564cacc selftest: run new as_req_tests against fl2008r2dc and fl2003dc
       via  acf7c56f209 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
       via  e24e1b1a536 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
       via  a03042d103b tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
       via  150be099ae0 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
       via  b833bf902f7 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
       via  ea7399d54e8 tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
       via  6d21cb27cb3 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
       via  6257fd9b3c1 tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
       via  1a2d9b500e4 tests/krb5/raw_testcase.py: add assertElement*()
       via  e089c45d44d tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
       via  d48196e12f4 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
       via  e63908db368 tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
       via  e9a2916b5f3 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
       via  8958105aa80 auth/credentials: allow credentials.Credentials to act as base class
       via  72606c02824 python: Make credentials cache test run against Windows
       via  29d8bacc8a4 python: Fix ticket timestamp conversion when local timezone is not UTC
       via  0b937a91422 python: Fix erroneous increments of reference counts
       via  de40f47cfac python: Ensure reference counts are properly incremented
       via  795e2b4d487 python: Add SMB credentials cache test
       via  7439b5a91db pylibsmb: Add posix_whoami()
       via  e2b0cdcb507 libsmb: Ensure that whoami parses all the data provided to it
       via  728d13309df libsmb: Check to see that whoami is not receiving more data than it requested
       via  72a11b5eb38 libsmb: Avoid undefined behaviour when parsing whoami state
       via  9dea3dd8b8e libsmb: Remove overflow check
       via  76047162bb0 Revert "libsmb: Use sid_parse()"
       via  f8c0dff5b08 python: Add RPC credentials cache test
       via  8667e6bcdd3 python: Add LDAP credentials cache test
       via  876fe2503fe python: Add credentials cache test
       via  43e20ad3ea2 krb5: Add Python functions to create a credentials cache containing a service ticket
       via  e7ec9b0779a librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
       via  0d08a120e77 krb5ccache.idl: Add definition for a Kerberos credentials cache
       via  c7525b69fe1 Revert "s4-test: fixed ndrdump test for top level build"
       via  b1ed4f5ff37 pygensec: Fix method documentation
       via  6d7dbe77a9e auth:creds: Fix parameter in creds.set_named_ccache()
       via  c222cf2cd4f auth:creds: Remove unused variable
       via  b5d279057f6 tests python krb5: MS-KILE client principal look-up
       via  b30947fc856 librpc: Add py_descriptor_richcmp() equality function
      from  551a39d890a ctdb-daemon: Don't mark a node as unhealthy when connecting to it

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-14-test


- Log -----------------------------------------------------------------
commit 53b48cbe9a8e20007f45568519c81f95c172a5ad
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Aug 31 22:38:01 2021 +1200

    tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
    
    This allows our code to still pass with the error code that
    MIT and Heimdal have chosen
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Thu Sep  2 14:28:31 UTC 2021 on sn-devel-184
    
    [abartlet at samba.org: Backported from 10baaf08523200e47451aa1862430977b0365b59
     to Samba 4.14 due to conflicts in
     knownfail as the test which crashes older MIT KDC versions is
     omitted]
    
    Autobuild-User(v4-14-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-14-test): Thu Sep 16 08:02:51 UTC 2021 on sn-devel-184

commit a21afdbcd7bd921341ae38b972914ec93e3d56c7
Author: Luke Howard <lukeh at padl.com>
Date:   Tue Aug 31 17:38:16 2021 +1200

    kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
    
    If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
    KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.
    
    [abartlet at samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
    and knownfail added.  Further adapted knownfail for 4.14 due to conflicts
    as the patch that adds a test which crashes old MIT versions is
    omitted]
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>

commit 7b4c9eea2534d04917d3272c34ad42f6c1378209
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 31 19:42:33 2021 +1200

    tests/krb5: Allow expected_error_mode to be a container type
    
    This allows a range of possible error codes to be checked against, for
    cases when the particular error code returned is not so important.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0)

commit 63e5d195a5a258b45b7f2556e2b2188c97d5616d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:26:45 2021 +1200

    tests/krb5: Allow specifying parameters specific to the inner FAST request body
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340)

commit 112e362525317efc8537fe6e9672bfd39f3930f8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:02:04 2021 +1200

    tests/krb5: Add tests for omitting sname in request
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b)

commit f18cff2b0e1040462f25869e51123cb5dbd147e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:00:37 2021 +1200

    tests/krb5: Check PADATA-PW-SALT element in e-data
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1)

commit 12c9c5b7d29a025deeb6d264b52022bf43638f4e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:00:21 2021 +1200

    tests/krb5: Check e-data element for TGS-REP errors without FAST
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a)

commit 474ddf8fdda539a1878f3b83700d5ad06346c1aa
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Wed Sep 1 10:43:06 2021 +1200

    tests/krb5: Remove harmful and a-typical return in as_req testcase
    
    A test in a TestCase class should not return a value, the
    test is determined by the assertions raised.
    
    Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
    to not always be filled, so we need to remove this
    redundant code.
    
    This also fixes a *lot* of tests against the MIT KDC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5)

commit 2444c94cb3a09aa2c5da5742c7f43064162dabe9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 12:25:06 2021 +1200

    CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
    
    Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
    crash the Heimdal KDC.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5)

commit 5c4de75af508a1774c727c88e3515a6e6756e381
Author: Luke Howard <lukeh at padl.com>
Date:   Fri Aug 27 11:42:48 2021 +1000

    CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
    
    In tgs_build_reply(), validate the server name in the TGS-REQ is present before
    dereferencing.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    [abartlet at samba.org backported from Heimdal
    commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
    to an earlier patch by Joseph Sutton]
    
    RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
    
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5)

commit c64f0cb102a42c52704c894c81d0d47ea436ebaa
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Sep 1 14:43:53 2021 +1200

    tests/krb5: Make cname checking less strict
    
    Without this additional 'self.strict_checking' check, the tests in the
    following patches do not get far enough to trigger a crash with the MIT
    KDC.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    [abartlet at samba.org backported from commit
     36798f5b651a02b74b6844c024101f7a026f1f68 as Samba 4.14 is tested
     on MIT 1.16 and so the knownfails need to match this version]

commit 7a938531dd0173c31f4c197d6f1035fb28eb87fc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Aug 27 13:35:59 2021 +1200

    tests/krb5: Make e-data checking less strict
    
    Without this additional 'self.strict_checking' check, the tests in the
    following patches do not get far enough to trigger a crash with the MIT
    KDC, instead failing when obtaining a TGT for the user or machine.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    [abartlet at samba.org Backported from commit
     79dda329f2a8382f1e46b50f4b9692e78d687826 as knownfail needed splitting
     into only failing in the Heimdal case, likely because
     b3ee034b4d457607ef25a5b01da64e1eaf5906dd
     (s4:kdc: prefer newer enctypes for preauth responses) is not included
     in the 4.14 backport. ]

commit 6b0ac964d78541f5bb08714c1a79d7fb492d10e1
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 7 17:23:32 2021 +1200

    selftest: Remove knownfail for no_etypes FAST tests
    
    These tests pass because b3ee034b4d457607ef25a5b01da64e1eaf5906dd
    (s4:kdc: prefer newer enctypes for preauth responses) is not included
    in the 4.14 backport.
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817

commit 54afeaec08323c297e2db9239aaae6fe17b0299d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:58:44 2021 +1200

    tests/krb5: Add FAST tests
    
    Example command:
    
    SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
    KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
    PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854)

commit 8eafefbce03ac836bb842ec3113a2dcf8d7f2d65
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Thu Jun 10 09:56:58 2021 +1200

    initial FAST tests
    
    Currently incomplete, and tested only against MIT Kerberos.
    
    [abartlet at samba.org
     Originally "WIP inital FAST tests"
    
     Samba's general policy is that we don't push WIP patches, we polish
     into a 'perfect' patch stream.
    
     However, I think there are good reasons to keep this patch distinct
     in this particular case.
    
     Gary is being modest in titling this WIP (now removed from the title
     to avoid confusion). They are not WIP in the normal sense of
     partially or untested code or random unfinished thoughts. The primary
     issue is that at that point where Gary had to finish up he had
     trouble getting FAST support enabled on Windows, so couldn't test
     against our standard reference. They are instead good, working
     initial tests written against the RFC and tested against Samba's AD DC
     in the mode backed by MIT Kerberos.
    
     This preserves clear authorship for the two distinct bodies of work,
     as in the next patch Joseph was able to extend and improve the tests
     significantly. ]
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b7b62957bdce9929fabd3812b9378bdbd6c12966)

commit 6f483eb7c35ff9696292ef7a04837ad2d5bcc44d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:49:58 2021 +1200

    tests/krb5: Check PADATA-FX-ERROR in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c)

commit 977d1e068e95e8ccb4675b3a9ce5f2961305c24c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 11:50:16 2021 +1200

    tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 66e1eb58bedf036ad25a868993d44480c4e0e055)

commit a4e7e1bd67176dc5c504605b6cc3a15fbe329745
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:50:20 2021 +1200

    tests/krb5: Check PADATA-PAC-OPTIONS in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07)

commit 7dc15c34d9ea3adc696baf019482811846482ce3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:29:39 2021 +1200

    tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 29070e74baa18d94642efcd36930b9bab216e10c)

commit 531ed8649223544298208b97875f552e3a1fc77c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 20:49:25 2021 +1200

    tests/krb5: Make check_rep_padata() also work for checking TGS replies
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ab4e7028a6ac01eab9531c8a26507a912df54278)

commit 2940dfb59c03d3895bfac62ca14f5b7f56b842be
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:49:12 2021 +1200

    tests/krb5: Check PADATA-FX-COOKIE in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7)

commit 1df74663b1ead2a0990b77c2000737f86cf96bf5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:36:56 2021 +1200

    tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd)

commit d8aaacc66d9a10685933d2b043de057872d74467
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:42:26 2021 +1200

    tests/krb5: Adjust reply padata checking depending on whether FAST was sent
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 44a44109db96eab08a3da3683c34446bc13b295b)

commit 7cb152b6ba63188034dda6a42e4e4419e834c0c8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:31:39 2021 +1200

    tests/krb5: Check reply FAST padata if request included FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 056fb71832e7aa16132c58ff393ab8b752ef6a93)

commit e1f72aaaa44c9d106f3abc436c91f146186030db
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:25:39 2021 +1200

    tests/krb5: Check sname is krbtgt for FAST generic error
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 7a27b75621908a4a6449efaecb54eb20fa45aca0)

commit 1e02aaf49c6014fe7e9d9675b46d5f02bebde5c5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:15:00 2021 +1200

    tests/krb5: Add get_krbtgt_sname() method
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit dbe98005d5873440063b91e56679937149535be7)

commit e2e7f2ec5560019b681cffed2289569c492e872d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:26:06 2021 +1200

    tests/krb5: Remove unused variables
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 5edbabeb26e110648d4588c90843e4715ec1ac5c)

commit 4fd7b629abdfc10077859121c80885b15dfb0829
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:35:32 2021 +1200

    tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 705e45e37f4752e283a80626be10c38b29232359)

commit 9380f54b20072ff38dc5d6312559c8f9921cd7cc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 16:21:14 2021 +1200

    tests/krb5: Add check_rep_padata() method to check padata in reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab)

commit ff1d3928e04993092fe4272fb3f19ee16a42e8c0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:20:09 2021 +1200

    tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1389ba346df81c9ea1e1143c4e819212939f6aeb)

commit 0f2acee95d24b603e50a7adcd985497c45f3a431
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:18:29 2021 +1200

    tests/krb5: Include authdata in kdc_exchange_dict
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ea1ed63e8819926db1cf15974009601c7d37e944)

commit 14207a42625c6820b23f2e6cd18ed5913f66ea52
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:05:59 2021 +1200

    tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
    
    This is useful for testing the 'hide client names' FAST option.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d)

commit ebd51dc4db43c653367295090814fefa8563c0af
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:34:49 2021 +1200

    tests/krb5: Check encrypted-pa-data
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 0c029e780cf16a49c674593e8329eaf3b87aec69)

commit b77aed56836c522c7044ae7bd7e44d2f5cee977d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:21:01 2021 +1200

    tests/krb5: Add methods to determine whether elements were included in the request
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2)

commit afae6b431b88c696784ebc778070a8d8fea791d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:20:44 2021 +1200

    tests/krb5: Add functions to get dicts of request padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6)

commit 1cecb538d78931265e3445ff4456e54a46770dd9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:42:57 2021 +1200

    tests/krb5: Check FAST response
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e)

commit d2b4a1883a365cac3e9f4fe189fd2b85863fda3e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:10:13 2021 +1200

    tests/krb5: Add method to verify ticket checksum for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4ca05402b36ba13a987b07b2402906764d3cd49b)

commit 7f8f12029644dfa4a28e564c842aa29b0ffaf94c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:04:37 2021 +1200

    tests/krb5: Add method to check PA-FX-FAST-REPLY
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b62488113f6053755f9be9faa9b757e7193074fa)

commit 9064e5eb05311a6abaa340c378ff9942218a94d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:01:36 2021 +1200

    tests/krb5: Allow specifying parameters specific to the outer request body
    
    This is useful for testing FAST.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb)

commit dec428538cafc5e3843e2f1ca53b8625e628fe23
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:33:24 2021 +1200

    tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d)

commit d51b727590fdb73d89845ae4209b9b0439e8e791
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:33:10 2021 +1200

    tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e)

commit c4be77e96065446fc6ad8e058097d24834f6bd22
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 29 10:19:46 2021 +1200

    tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
    
    This is needed for FAST.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d554b6dc0f4e14d154e487dc2a842321aa746155)

commit b2aee7dc37156207e086d3db01910fd894817652
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 20:49:12 2021 +1200

    tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
    
    This method will also be useful in checking TGS-REP error replies.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 74f332c6f9e31b933837cefee69b219054970713)

commit 020d1c73af30ae5992e186d25d874f5efa758361
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:49:05 2021 +1200

    tests/krb5: Add methods to calculate keys for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 080894067469d60e2c71961c2d1c1990ba15b917)

commit 1b85d721a4826883a0f591d65c112ab750228c63
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:47:18 2021 +1200

    tests/krb5: Add method to generate FAST encrypted challenge padata
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit aafc86896969d02ff1daecdf2668bfa642860082)

commit 83f8c3f1e189f02535af99aa5836a9a3bebc1a98
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:23:26 2021 +1200

    tests/krb5: Add more methods to create ASN1 objects for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d)

commit 46f356d0b620babe4c7c65119823f8456049104a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:21:07 2021 +1200

    tests/krb5: Add more ASN1 definitions for FAST
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ec702900295100ae4e48ba57242eee6670bf30d6)

commit ce130f1bdf7e3e9767b49ea51571df8aa6d9afcf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 13:59:36 2021 +1200

    tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 025737deb5325d25b2ae4c57583c24ae1d0eca33)

commit 4cca060c4dd5d26b61f3213a0935dabe864d3cd9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:06:35 2021 +1200

    tests/krb5: Ensure generated padata is not None
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b6f96dd6395a30e15fa906959cbe665757aaba8d)

commit c511763c1198f26d05504bcc5a564bb5b1b43a52
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 19:27:02 2021 +1200

    tests/krb5: Add generate_ap_req() method
    
    This method will be useful to generate an AP-REQ for use as FAST armor.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7)

commit 383ccffa5eb60891cd1f911a1b903a23b36993be
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 12:52:42 2021 +1200

    tests/krb5: Check nonce in EncKDCRepPart
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4951a105b0448854115a7ecc3d867be6f34b0dcf)

commit 972111f501fb4d22815b83acf38e26d0bd56c311
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:39:37 2021 +1200

    tests/krb5: Make checking less strict
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc)
    
    [abartlet at samba.org Adapted to add knownfail because in this
    Samba 4.14 backport we do not include
    b3ee034b4d457607ef25a5b01da64e1eaf5906dd
    (s4:kdc: prefer newer enctypes for preauth responses)]

commit f5c4993213a488e3bb69b8d019467d20bcde5731
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:34:19 2021 +1200

    tests/krb5: Check version number of obtained ticket
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b)

commit 6fea68a9828472bcde44995619edcb94bf896a9b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:39:42 2021 +1200

    tests/krb5: Assert that more variables are not None
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 3d1066e923815782036bd11524fda110a2528951)

commit fde5967c8dd067321f16574dab5dd892e91e6a23
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:37:48 2021 +1200

    tests/krb5: Ensure in assertElementPresent() that container elements are not empty
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ba3c92f77b20e1e0d298cd92399dc69535739c27)

commit 3795f8150036f46a5ae6371d1cd777b34bf8630f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:06:15 2021 +1200

    tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
    
    This means that there can no longer be surprises where a test receives a
    reply when it was expecting an error, or vice versa.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 78818655505b3183251940e86270cd40bae73206)

commit 5e41e264ebe59278a293e2acf388f5f6e0bf6ef8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:35:40 2021 +1200

    tests/krb5: Include kdc_options in kdc_exchange_dict
    
    Make kdc_options an element of kdc_exchange_dict instead of a parameter
    to _generic_kdc_exchange(). This allows testing code to adjust the reply
    checking based on the options that were specified in the request.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95)

commit 8bef7b0c98a163fef60e2502231a7f17276226a3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 10:32:52 2021 +1200

    tests/krb5: Always specify expected error code
    
    Now the expected error code is always determined by the test code itself
    rather than by generic_check_as_error().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c)

commit 46e019d5088d97afb3793d2cf16114e8f16cd3b9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:19:04 2021 +1200

    tests/krb5: Add check_reply() method to check for AS or TGS reply
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329)

commit be5047564fccf700fb53c6efdc1f1a69f03faa27
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:22:09 2021 +1200

    tests/krb5: Add method to calculate account salt
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5)

commit 49a987dc57e021bbe3b28c4a4bfde0a60f3ca8e8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:19:57 2021 +1200

    tests/krb5: Add more methods for obtaining machine and service credentials
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb)

commit 989b352023bd5f73578cd21d12c1d642b40822fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 11:25:55 2021 +1200

    tests/krb5: Allow specifying additional details when creating an account
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c)

commit 79ab000c197eba85630511273bf8c5ac51d6ab66
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 3 15:58:19 2021 +1200

    tests/krb5: Use encryption with admin credentials
    
    This ensures that account creation using admin credentials succeeds.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ce379edf2e135b105b18d35e24d732389de94291)

commit 300ac82e72014ec65b48b6ab9a9d1cd2e8d52702
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:27:17 2021 +1200

    tests/krb5: Add get_EpochFromKerberosTime()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit bab7503e3043002b1422b00f40cd03a0a29538aa)

commit 29aa10b93ae5d285af081ff8af6efa20df674353
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:27:47 2021 +1200

    tests/krb5: Make _test_as_exchange() return value more consistent
    
    Always return the reply and the kdc_exchange_dict so that the caller has
    more potentially useful information.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit fe8912e4a85c5fd614ad3079b041c0e1975958e3)

commit 53c49a8c2a0fe224962312a79e274f51cee1dde5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 12:51:54 2021 +1200

    tests/krb5: Add method to return dict containing padata elements
    
    This makes checking multiple padata elements easier.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit cb332d83008aa97a60eaca9e008054f641d514d6)

commit 885f56f4c91b42f351ef351984f81306878f3cc1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:18:38 2021 +1200

    tests/krb5: Add get_enc_timestamp_pa_data_from_key()
    
    This makes it easier to create encrypted timestamp padata when the key
    has already been obtained.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit f5a906f74f9665a894db3c13722022f732180620)

commit 16d7c193bb4e2b450e2f3632f0e0481f50d46229
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:16:01 2021 +1200

    tests/krb5: Refactor get_pa_data()
    
    The function now returns a single padata object rather than a list,
    making it easier to combine multiple padata elements into a request. The
    new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
    the method generates.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731)

commit 210b2368eeac35b402ea0e57a2f9caa8c972c6d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:24:52 2021 +1200

    tests/krb5: Allow cf2 to automatically use the enctype of the first key
    
    RFC6113 states: "Unless otherwise specified, the resulting enctype of
    KRB-FX-CF2 is the enctype of k1." This change means the enctype no
    longer has to be specified manually.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit a5e5f8fdfe8b6952592d7d682af893c79080826f)

commit 27ce461ad8f965e9e235773f505543111bf64997
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 11:28:37 2021 +1200

    tests/krb5: Use credentials kvno when creating password key
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 17d5a267298ccd7272e86fd24c2c608511cf46b7)

commit b695f407b9a6423011d51228028115a447ce0130
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 15:07:59 2021 +1200

    tests/krb5: Check Kerberos protocol version number
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d6a242e20004217a0ce02dc4ef620a121e5944da)

commit c562c5cbeeb3042c6ac08f6a8e0d92296e13362b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jul 28 17:00:09 2021 +1200

    tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b)

commit 1676812b858b0326a0c913fec9296c26964731ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 14:06:29 2021 +1200

    tests/krb5: Fix encpart_decryption_key with MIT KDC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1)

commit 4cc5bbdb71b8a47a65f553dd79d6d37979670bd8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 11:12:34 2021 +1200

    tests/krb5: Fix callback_dict parameter
    
    Items contained in a default-created callback_dict should not be carried
    over between unrelated calls to {as,tgs}_as_exchange_dict().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf)

commit 2261df73ce498ed75c8cd1fb3f7c1d9e675b736d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:14:08 2021 +1200

    tests/krb5: Fix including enc-authorization-data
    
    Remove the EncAuthorizationData parameters from AS_REQ_create(), since
    it should only be present in the TGS-REQ form. Also, fix a call to
    EncryptedData_create() to supply the key usage when creating
    enc-authorization-data.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 67ff72395cec2e5170c0ebae8db416a1f226df72)

commit b7e71204189bca55d86645774b891a8c904e9459
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 27 13:49:27 2021 +1200

    tests/krb5: Remove magic constants
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit a2b183c179e74634438c85a4b35518836ba59e47)

commit 27499d3583f0d9d168d4a649885e90148125e88f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Aug 3 15:03:00 2021 +1200

    tests/krb5: Simplify Python syntax
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 41c3e410344280d691e5a21fa5240ef52e71bd2d)

commit 10578ae11f9edcd102ee0bb98b108ac35adf06ce
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:10:32 2021 +1200

    tests/krb5: Use more compact dict lookup
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 38b3a361819c716adb773fb3b4507c28d7d26c0d)

commit 6955f08227b22686da81daf9e2f6cd0d96fe1d79
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:01:39 2021 +1200

    tests/krb5: Remove unneeded statements
    
    A return statement is redundant as the last statement in a method, as
    methods will otherwise return None. Also, code blocks consisting of a
    single 'pass' statement can be safely omitted.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d)

commit 0e276e08fb567d7d21999c4b6041e8e9f53cd18a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Aug 2 17:00:09 2021 +1200

    tests/krb5: formatting
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit df6623363a7ec1a13af48a09e1d29fa8784e825c)

commit 27e3155358f67e574cea6deef919efffed19b14d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 6 10:17:52 2021 +1200

    tests/krb5: Fix method name typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2)

commit b74fca8dd0167aa9d7e5e018f4dcedd2fae944db
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Jul 22 16:26:17 2021 +1200

    tests/krb5: Fix comment typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4)

commit 82586e8bee986fe651ad07b82a35cda30b455bea
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 26 17:15:23 2021 +1200

    tests/krb5: Fix ms_kile_client_principal_lookup_test errors
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4797ced89095155c01e44727cf8b66ee4fb39710)

commit 3df9870e6d33c77afef37a9e3f229a44e29eb907
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jul 20 10:48:41 2021 +1200

    pygensec: Don't modify Python bytes objects
    
    gensec_update() and gensec_unwrap() can both modify their input buffers
    (for example, during the in-place RRC operation on GSSAPI tokens).
    However, buffers obtained from Python bytes objects must not be modified
    in any way. Create a copy of the input buffer so the original isn't
    modified.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159)

commit 8b281a0553980dea65403b032270e45a4dbf52df
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jul 19 17:29:39 2021 +1200

    pygensec: Fix memory leaks
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 814df05f8c10e9d82e6082d42ece1df569db4385)

commit 6cf0b28459d15d848265974c34f2c86d7c8f45bb
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 27 13:45:03 2021 +0200

    selftest: Add support for setting ENV variables in plantestsuite()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 48289b6964d28e153fec885aceca02c6a9b436ef)

commit b884b4ef5856f7822e3ccaacb12c7784d7f247c5
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 27 13:25:59 2021 +0200

    selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a)

commit e04e2925be1f9bc40b096da284173cf23856c082
Author: Andreas Schneider <asn at samba.org>
Date:   Tue Jul 27 08:50:54 2021 +0200

    selftest: Re-format long lines in selftesthelpers.py
    
    Signed-off-by: Andreas Schneider <asn at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 18976a9568b23759060377d09304e9d7badb143a)

commit 3014214092797e30732552fac1b974df1dcb7a4a
Author: Andrew Bartlett <abartlet at samba.org>
Date:   Tue Sep 7 09:08:58 2021 +1200

    selftest: add space after --list in output of selftesthelpers.py
    
    Selected and backported from:
    
    commit b113a3bbcd03ab6a62883fbca85ee8749e038887
    Author: Volker Lendecke <vl at samba.org>
    Date:   Mon Apr 19 16:04:00 2021 +0200
    
        torture: Show sddl_decode() failure for "GWFX" access mask
    
        Signed-off-by: Volker Lendecke <vl at samba.org>
        Reviewed-by: Jeremy Allison <jra at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    (This allows subsequent patches to be cherry-picked cleanly)
    
    Signed-off-by: Andrew Bartlett <abartlet at samba.org>

commit 6a3b7eb5b81ae8e7b86c2d5d3c676381234cd920
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jun 21 14:14:48 2021 +1200

    s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
    
    This enables us to more easily switch to a different algorithm to find
    the strongest key in _kdc_find_etype().
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit bf71fa038e9b97f770e06e88226e885d67342d47)

commit b4022ea0b4a19e46a25f66deeb83c9e1e0d42c15
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 12:52:11 2021 +1200

    tests/krb5: Use admin creds for SamDB rather than user creds
    
    This makes the purpose of each set of credentials more consistent, and
    makes some tests more convenient to run standalone as they no longer
    require user credentials.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ab221c1b3e24696aa0eed6aa970f310447657069)

commit 477f765f1aba5d022ba9fc5af464c7f021559263
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:49:05 2021 +1200

    tests/krb5/as_canonicalization_tests.py: Refactor account creation
    
    Making this test a subclass of KDCBaseTest allows us to make use of its
    methods for obtaining credentials and creating accounts, which helps to
    eliminate some duplicated code.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit fc857ea60e2a66d20d4174cb121e0a6949f8a0c1)

commit 0e86cc3d59d879e07147b119796109d1cd69b696
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:01:50 2021 +1200

    tests/krb5: Deduplicate 'host' attribute initialisation
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 3e621dcb6966f75034bb948a2705358d43454202)

commit de8c2bf0cc914e71a04c4f4eecd504b8616a7ad6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:25:34 2021 +1200

    tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
    
    This is clearer than using the constant zero, which could be mistaken
    for a valid kvno value.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 381223117e0bae4c348d538bffaa8227b18ef3d1)

commit 8565cc4ec48454409516e2d6d55165d5204fbea0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:24:22 2021 +1200

    tests/krb5/as_req_tests.py: Check the client kvno
    
    Ensure we have the correct kvno for the client, rather than an 'unknown'
    value.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d4c38678e0cc782965edfe40a0423fafb7d5a5ff)

commit 8154d2cc3d2c6e045bc70ebedc406a59efdf6ac2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
    
    Example commands:
    
    Windows 2012R2:
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py
    
    Windows 2008R2:
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
    
    Samba:
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d5e350a4a490fecf570f1c248c9dde1466796166)

commit 6bc79db7b396124bbcfce578046f15f068b332e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 14:51:22 2021 +1200

    tests/krb5/as_req_tests.py: Automatically obtain credentials
    
    The credentials for the client and krbtgt accounts are now fetched
    automatically rather than using environment variables, and the client
    account is now automatically created.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 0fd71ed3c37c8cf326f9f676b7fddda3d2d24072)

commit 7f33d712596c439a2b9a3ecfc11a9681fd32dd40
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 16:07:16 2021 +1200

    tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
    
    Now if the client credentials are not supplied in the environment, we
    can fall back to creating a new user account. Similarly, if the krbtgt
    credentials are not supplied, we can fetch the credentials of the
    existing krbtgt account.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit fd45bea7a88837cbe4f99adf3a6b3f69ce32f34c)

commit 13667701cda66706588d6f92f74d775cbeb8eaad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:55:17 2021 +1200

    tests/krb5/raw_testcase.py: Simplify conditionals
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ec5c2b040b63d06a17bcd7bd133c2d68d07df587)

commit b423bb95afcdbea82dd9f890a3e35c66169b5fab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 17:12:39 2021 +1200

    tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
    
    This allows us to use other methods of obtaining credentials if getting
    them from the environment fails.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit e1601f2b56f09a944c5cfb119502fdcf49a03c99)

commit 47b6072624cb68814c09854b1b4e985aef652c2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 17:10:44 2021 +1200

    tests/krb5/raw_testcase.py: Cache obtained credentials
    
    If credentials are used more than once, we can now use the credentials
    that we already obtained and so avoid fetching them again.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 22a90aea82ba6ef86bde835f2369daa6e23ed2fd)

commit 4d72aa9e098353420303b6ee039aa50d99ac9e42
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 16:55:02 2021 +1200

    tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
    
    This allows us to require encryption keys in the case that a password
    would not be required, such as for the krbtgt account.
    
    Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6a77c2b93315503008627ce786388f281bd6bb87)

commit 9521952380b0256effca169f26e9d3d4f5a65244
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:59:11 2021 +1200

    tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
    
    This allows it to be used elsewhere in the tests.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 948bbc9cecbfc1b33a338891d26a4a706864b9c6)

commit d85f359789b597c530d8aff2eb6153e1c5629fff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:15:10 2021 +1200

    tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
    
    This requires admin credentials, and removes the need to pass these keys
    as environment variables.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1f2ddd3c97e3ff243c8bd0c17299f27b761f5e7f)

commit b91a08ce89e7c0cafd42d17f900d8771adc5a6c6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:12:38 2021 +1200

    tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
    
    This is done based on the domain functional level, which corresponds to
    the logic Samba uses to decide whether or not to generate a
    Primary:Kerberos-Newer-Keys element for the supplementalCredentials
    attribute.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 7d4a0ed21be49d13c2b815582f2d04f0c058bf3a)

commit d6f5da02368060cc5adb0912d78f36c962e22bd6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:40:41 2021 +1200

    tests/krb5/kdc_base_test.py: Create loadparm only when needed
    
    Now the .conf file is only loaded on its first use, which means that
    SMB_CONF_PATH need not be defined for tests that don't make use of it.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 210e544016a3a4de1cdb76ce28a2148811ff07eb)

commit 5ffa305eb2e70a75ecc7cefc3d4a3bcf69d55a19
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:31:26 2021 +1200

    tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
    
    Credentials for tests are now obtained using the get_user_creds()
    method.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 364f1ce8d8221cb8926635fc864db782cee61cf9)

commit 9ce0d56ed4856cad7c66c9f1ebd002b736bcb75e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 16 11:04:00 2021 +1200

    tests/krb5/kdc_base_test.py: Create database connection only when needed
    
    Now the database connection is only created on its first use, which
    means database credentials are no longer required for tests that don't
    make use of it.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 4f5566be4839838e0e3e501a030bcf6e85ff5159)

commit c12cc69371018076762e20db8732f13198d2134f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 13:14:33 2021 +1200

    tests/krb5/raw_testcase.py: Add get_admin_creds()
    
    This method allows obtaining credentials that can be used for
    administrative tasks such as creating accounts.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 5afae39da0ab408bb36dde3a7801634bd9cc24f6)

commit 461131ed517c3f7b158a99d3757f267f5233ed31
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 15 15:38:28 2021 +1200

    tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
    
    This allows accounts created for permutation tests to be reused, rather
    than having to be recreated for every test.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 5412bffb9b4fc13023e650bbc9436a79b60b6fa2)

commit af9e564caccc23c4d243e2e9b3358e5514e578b2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    selftest: run new as_req_tests against fl2008r2dc and fl2003dc
    
    There are a lot of things we should improve in our KDC
    in order to work like a Windows KDC.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d91665d33130aed11fa82d8d2796ab1627e04dc4)

commit acf7c56f2095e171c69aa3c2d16ec176c6759f30
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
    
    Example commands:
    
    Windows 2012R2:
    SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    
    Windows 2008R2:
    SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    
    Samba 4.14:
    SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c)

commit e24e1b1a5366ec2680667377ef50b390c6d4208b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
    
    This will allow us to write tests, which will all cross check almost
    every aspect of the KDC response (including encrypted parts).
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6e2f2adc8e825634780077e24a9e437bdc68155a)

commit a03042d103b410785036e4ccce52b7d107dd2505
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 16 17:13:35 2020 +0200

    tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
    
    This will allow building test_as_req_enc_timestamp()
    
    It also introduces ways to specify keys in hex formatted environment
    variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065)

commit 150be099ae02b18aa66cb25fadd436bf2cf33aaf
Author: Stefan Metzmacher <metze at samba.org>
Date:   Mon Apr 20 20:02:52 2020 +0200

    tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
    
    It's often useful to run tests over a lot of input parameter
    permutations.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit e3905035847a5268c1a65366830cc739280ae437)

commit b833bf902f79e8928856fea3aa82b8934a7faf59
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 16 10:43:54 2020 +0200

    tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
    
    This allows building the pre-authentication data that encodes
    the request for the KDC (or more likely a request not to include)
    the KRB5 PAC in the resulting ticket.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d)

commit ea7399d54e8c4209639f01418b2b118faad3b619
Author: Stefan Metzmacher <metze at samba.org>
Date:   Tue Apr 21 14:45:01 2020 +0200

    tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
    
    This allows us to reuse body in future and calculate checksums on it.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb)

commit 6d21cb27cb3db608eafcb7f3777c27b1e813e445
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 17:57:37 2020 +0200

    tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
    
    By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
    we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 3abb3b41368666535a216a98c3e7d15a5d498f7e)

commit 6257fd9b3c17583b38e04247188f9b5cf017e1bb
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 17:50:00 2020 +0200

    tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
    
    By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
    we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 34e079ce9a232a765fb3a2b25441434df35df54c)

commit 1a2d9b500e451229d42b7a3fa60fa5e65d49b5b7
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 13:49:52 2020 +0200

    tests/krb5/raw_testcase.py: add assertElement*()
    
    These helper functions make writing subsequent Kerberos tests
    clearer.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 61e1b179812e48797146584998afc5bd0168beae)

commit e089c45d44d6133ce67de091bb5c4d937097ea0c
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 22:28:32 2020 +0200

    tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
    
    We should write tests as strict as possible in order to let them run
    against Windows servers.
    
    But at the same time we want to allow tests to be useful for Samba
    too...
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit dff611976d6a067614e37add99edae214815a68b)

commit d48196e12f4a25cdf028f55869131e4bed009b02
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 10:55:28 2020 +0200

    tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
    
    These helpful functions allow us to build the various credentials
    that we will use in validating the KDC responses in this test.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit c3222870b92db7f867557c2896b7bf39915d469a)

commit e63908db368153b81451e073ac8edfa6921238cc
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 11:10:11 2020 +0200

    tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
    
    Update and re-generate the ASN.1 to allow an improved testsuite.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162)

commit e9a2916b5f3d0ed2af0f6e240beb2fd978253bf2
Author: Stefan Metzmacher <metze at samba.org>
Date:   Wed Apr 15 16:50:55 2020 +0200

    Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
    
    This is a clearer name for the script
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit fef08add9ec324fb0c3902e96c2a91c07646d499)

commit 8958105aa80bb6ec9218261bcaa3567d2b6a6a28
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Apr 9 21:04:44 2020 +0200

    auth/credentials: allow credentials.Credentials to act as base class
    
    In tests it's useful to add more details.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1f413b2b2977687884781ca2399dadf6611ab461)

commit 72606c028240f3d36cb87af2b8ef283d987b825e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 10 15:06:06 2021 +1200

    python: Make credentials cache test run against Windows
    
    Windows, unlike Samba, requires the service principal name to be set
    when requesting a ticket to that service.
    
    Additionally, default_realm from the libdefaults section of krb5.conf
    should be set so that the correct realm is used.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 7791acb074b84ec7b571a81f15b56d33e2214ce9)

commit 29d8bacc8a43928dae85e282ac8a61514bbda762
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 10 16:43:03 2021 +1200

    python: Fix ticket timestamp conversion when local timezone is not UTC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit b9006f33343ba8bb82ef8ffe1fd90c780961b41e)

commit 0b937a91422a0a42c25d19147ef514c392642739
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 3 14:43:04 2021 +1200

    python: Fix erroneous increments of reference counts
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 66695f0f94775c4db24fb625fe78ff44d964b5ad)

commit de40f47cfacc4ec0e7cf784e2fb1268aefa10ea1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 3 14:42:10 2021 +1200

    python: Ensure reference counts are properly incremented
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 290c1dc0975867a71c02e911708323d1f38b6f96)

commit 795e2b4d4871d1d1ecb2ffe268686c82622efc9c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Apr 30 08:58:11 2021 +1200

    python: Add SMB credentials cache test
    
    Test that we can use a credentials cache with a user's service ticket
    obtained with our Python code to connect to a service through SMB.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 78a0b57b51642df07deed8aeb6e39e608fafda60)

commit 7439b5a91db686a0c0b61b8d8f5741e06b3edc2a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Apr 30 12:49:24 2021 +1200

    pylibsmb: Add posix_whoami()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 482559436f12a85adb3409433aac3ab06baa82b1)

commit e2b0cdcb5077bd002b1bd1761e0f82bbe003b957
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 3 16:24:42 2021 +1200

    libsmb: Ensure that whoami parses all the data provided to it
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 9b96ebea5c6966b096cf1100a0895a9c41f2aa1d)

commit 728d13309df756acb5e533deaf66178b667e7dff
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 3 16:22:43 2021 +1200

    libsmb: Check to see that whoami is not receiving more data than it requested
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 9e414233c84d2f2fa4a9415be9ee975eca8b9bfd)

commit 72a11b5eb38ce5511aba9e9b8b8777a3e92860bd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 3 16:16:51 2021 +1200

    libsmb: Avoid undefined behaviour when parsing whoami state
    
    If num_gids is such that the gids array would overflow the rdata buffer,
    'p + 8' could produce a result pointing outside the buffer, and thus
    result in undefined behaviour. To avoid this, we check num_gids against
    the size of the buffer beforehand.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb)

commit 9dea3dd8b8eedddc7b0a64b2e37615f423b37c47
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 3 15:55:01 2021 +1200

    libsmb: Remove overflow check
    
    Pointer overflow is undefined, so this check does not accomplish
    anything.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit db5b34c7682e36630908356cf674fddd18d8fa1f)
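
The two commit messages above ("Avoid undefined behaviour when parsing whoami state" and "Remove overflow check") describe checking `num_gids` against the buffer size instead of testing pointers after the arithmetic. The following is an added example of that pattern, not Samba's code: the buffer layout, the name `parse_gids` and the sample buffers are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed layout for illustration only (NOT the real whoami reply):
 *   bytes 0..3   num_gids, little-endian uint32
 *   then         num_gids entries of 8 bytes each (little-endian uint64)
 */
#define HDR_LEN 4u
#define GID_LEN 8u

static uint32_t rd32le(const uint8_t *p)
{
	return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
	       ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static uint64_t rd64le(const uint8_t *p)
{
	return (uint64_t)rd32le(p) | ((uint64_t)rd32le(p + 4) << 32);
}

/*
 * Returns the number of gids stored in out[], or -1 if the buffer is
 * malformed or out[] is too small.
 *
 * No test of the form "p + 8 < p" or "p + 8 > end" is used: forming a
 * pointer more than one element past the end of rdata is already
 * undefined, so the compiler is free to delete such a test.
 */
long parse_gids(const uint8_t *rdata, size_t rlen,
		uint64_t *out, size_t out_cap)
{
	uint32_t num_gids;
	size_t remaining, i;

	if (rlen < HDR_LEN) {
		return -1;
	}
	num_gids = rd32le(rdata);
	remaining = rlen - HDR_LEN;

	/* Divide rather than multiply: num_gids * GID_LEN could wrap
	 * where size_t is 32 bits wide. */
	if (num_gids > remaining / GID_LEN) {
		return -1;
	}
	/* Assumption of this example: trailing bytes are an error. */
	if ((size_t)num_gids * GID_LEN != remaining) {
		return -1;
	}
	if (num_gids > out_cap) {
		return -1;
	}

	/* Every offset below is now known to lie inside rdata. */
	for (i = 0; i < num_gids; i++) {
		out[i] = rd64le(rdata + HDR_LEN + i * GID_LEN);
	}
	return (long)num_gids;
}

/* Constructed sample buffers. */
static const uint8_t sample_ok[] = {
	2, 0, 0, 0,
	0xe8, 0x03, 0, 0, 0, 0, 0, 0,	/* gid 1000 */
	0xe9, 0x03, 0, 0, 0, 0, 0, 0,	/* gid 1001 */
};
static const uint8_t sample_huge_count[] = {
	0xff, 0xff, 0xff, 0xff,		/* claims 4294967295 gids */
	1, 0, 0, 0, 0, 0, 0, 0,
};
static const uint8_t sample_short[] = {
	2, 0, 0, 0,			/* claims 2 gids, carries 1 */
	1, 0, 0, 0, 0, 0, 0, 0,
};
static const uint8_t sample_trailing[] = {
	1, 0, 0, 0,
	1, 0, 0, 0, 0, 0, 0, 0,
	0xaa, 0xbb, 0xcc,		/* bytes nobody asked for */
};

int main(void)
{
	uint64_t out[4];

	printf("ok:       %ld\n", parse_gids(sample_ok, sizeof(sample_ok), out, 4));
	printf("huge:     %ld\n", parse_gids(sample_huge_count,
					     sizeof(sample_huge_count), out, 4));
	printf("short:    %ld\n", parse_gids(sample_short, sizeof(sample_short), out, 4));
	printf("trailing: %ld\n", parse_gids(sample_trailing,
					     sizeof(sample_trailing), out, 4));
	return 0;
}
```
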

commit 76047162bb05cf92170352dba3007ffe8e3443b4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon May 3 15:48:43 2021 +1200

    Revert "libsmb: Use sid_parse()"
    
    This reverts commit afd5d34f5e1d13ba88448b3b94d353aa8361d1a9.
    
    This code originally used ndr_pull_struct_blob() to pull one SID from a
    buffer potentially containing multiple SIDs. When this was changed to
    use sid_parse(), it was now attempting to parse the whole buffer as a
    single SID with ndr_pull_struct_blob_all(), which would cause it to fail
    if more than one SID was present.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2b487890d946df88abce67c3d07d74559f70f069)

commit f8c0dff5b0869011f26bd4f4ac3da5a485885343
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Apr 29 21:04:25 2021 +1200

    python: Add RPC credentials cache test
    
    Test that we can use a credentials cache with a user's service ticket
    obtained with our Python code to connect to a service through RPC.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 072451a033da07c0cdaa005dd1020ef1c7951e99)

commit 8667e6bcdd39c7757283fb1e4c44458e04c5363c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Apr 29 20:58:11 2021 +1200

    python: Add LDAP credentials cache test
    
    Test that we can use a credentials cache with a user's service ticket
    obtained with our Python code to connect to a service through LDAP.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 7663b5c37fa3413f7c67c018107322494e4a6fd9)

commit 876fe2503fe3079fbca0cddfc26392b346f13150
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Apr 28 11:06:33 2021 +1200

    python: Add credentials cache test
    
    Test that we can use a credentials cache with a user's service ticket
    obtained with our Python code to connect to a service using the normal
    credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This
    will allow us to validate the output of the MIT/Heimdal libraries in the
    future.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit c15f26ec40860782b22e862f9bdf665745387718)

commit 43e20ad3ea2f5cd3907793148fcc7fc989bd65f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Apr 28 11:02:47 2021 +1200

    krb5: Add Python functions to create a credentials cache containing a service ticket
    
    This is a FILE: format credentials cache readable by the MIT/Heimdal
    Kerberos libraries. This allows us to glue the Python ASN1 Kerberos
    system to the MIT/Heimdal one.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2d88a6ff3dbcf650b09ef9c8c37170ca6663b533)

commit e7ec9b0779a87679ba2a3a23482299e43a7171c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Apr 28 10:58:48 2021 +1200

    librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
    
    This is the format used by the FILE: credentials cache type.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1f17b1edca9c1638ef404fadce3ca7a4d176de12)

commit 0d08a120e777d8bba1f577e852e10c5bd8f641a9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Apr 28 10:57:00 2021 +1200

    krb5ccache.idl: Add definition for a Kerberos credentials cache
    
    Based on specifications found at
    https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
    
    This is primarily designed for parsing and storing a single Kerberos
    ticket, due to the limitations of PIDL.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2)

commit c7525b69fe1428f69c3082abfe2e91088d00ac19
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Thu Apr 15 10:32:41 2021 +1200

    Revert "s4-test: fixed ndrdump test for top level build"
    
    This essentially reverts commit
    b84c0a9ed6d556eb2d3797d606edcd03f9766606, but the datapath is now in the
    source4 directory.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 6f144d49b5281a08bf7be550b949f4d91e8fe19b)

commit b1ed4f5ff37e9706b67802d12819124655bc8886
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Apr 28 11:07:22 2021 +1200

    pygensec: Fix method documentation
    
    This changes the docstrings to use the correct method names.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 50ade4cadc766a196316fd5c5a57f8c502f0ea22)

commit 6d7dbe77a9e4c2664ea20bd32dfc0842e9bf8a08
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Apr 28 10:55:13 2021 +1200

    auth:creds: Fix parameter in creds.set_named_ccache()
    
    Use the passed-in value for 'obtained' rather than always using
    CRED_SPECIFIED.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 2d05268aa0904221c452fc650fcdfb680efc20bb)

commit c222cf2cd4f2010cb5867a4fdfb0c0f4c071258b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Apr 28 10:54:05 2021 +1200

    auth:creds: Remove unused variable
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 1ea2de561839ad948efab5112fbe4c1eae44d9ee)

commit b5d279057f6cad54c6bad9f7dba9549a62f87f04
Author: Gary Lockyer <gary at catalyst.net.nz>
Date:   Wed Feb 17 12:15:50 2021 +1300

    tests python krb5: MS-KILE client principal look-up
    
    Tests of [MS-KILE]: Kerberos Protocol Extensions
                        section 3.3.5.6.1 Client Principal Lookup
    
    Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Isaac Boukris <iboukris at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    
    Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
    Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184
    
    (cherry picked from commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2)

commit b30947fc8561e08facd62402d9fe2be0d36de6ec
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Apr 16 17:22:12 2021 +0200

    librpc: Add py_descriptor_richcmp() equality function
    
    Only a python3 version. Do we still need the python2 flavor?
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
    (cherry picked from commit 439b7ccdc1b1c91c66c1a7c83e340fa044c26377)

-----------------------------------------------------------------------

Summary of changes:
 auth/credentials/pycredentials.c                   |    8 +-
 lib/talloc/pytalloc.c                              |    4 +-
 libgpo/pygpo.c                                     |    2 +-
 librpc/idl/krb5ccache.idl                          |  115 +
 librpc/idl/wscript_build                           |    1 +
 librpc/wscript_build                               |    8 +-
 python/samba/tests/blackbox/ndrdump.py             |   45 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |  140 +-
 python/samba/tests/krb5/as_req_tests.py            |  218 ++
 python/samba/tests/krb5/compatability_tests.py     |    4 -
 python/samba/tests/krb5/fast_tests.py              | 1691 +++++++++++++++
 python/samba/tests/krb5/kcrypto.py                 |   12 +-
 python/samba/tests/krb5/kdc_base_test.py           |  663 +++++-
 python/samba/tests/krb5/kdc_tests.py               |   27 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           |   35 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  829 ++++++++
 .../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}   |    0
 python/samba/tests/krb5/raw_testcase.py            | 2206 ++++++++++++++++++--
 python/samba/tests/krb5/rfc4120.asn1               |  176 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   56 +
 python/samba/tests/krb5/rfc4120_pyasn1.py          |  232 +-
 python/samba/tests/krb5/s4u_tests.py               |    4 -
 python/samba/tests/krb5/simple_tests.py            |   10 +-
 python/samba/tests/krb5/test_ccache.py             |  135 ++
 python/samba/tests/krb5/test_ldap.py               |   96 +
 python/samba/tests/krb5/test_rpc.py                |   79 +
 python/samba/tests/krb5/test_smb.py                |  110 +
 python/samba/tests/krb5/xrealm_tests.py            |    4 -
 python/samba/tests/usage.py                        |    7 +
 selftest/knownfail                                 |    6 +-
 selftest/knownfail_heimdal_kdc                     |  119 ++
 selftest/knownfail_mit_kdc                         |   45 +
 selftest/selftesthelpers.py                        |   42 +-
 selftest/target/Samba4.pm                          |    2 +-
 source3/libsmb/clifsinfo.c                         |   44 +-
 source3/libsmb/pylibsmb.c                          |  139 +-
 source3/passdb/py_passdb.c                         |    4 -
 source3/selftest/ktest-krb5_ccache-2.txt           | 1574 ++++++++++++++
 source3/selftest/ktest-krb5_ccache-3.txt           |  832 ++++++++
 source4/auth/gensec/gensec_gssapi.c                |    4 +
 source4/auth/gensec/pygensec.c                     |   71 +-
 source4/heimdal/kdc/kerberos5.c                    |    4 +-
 source4/heimdal/kdc/krb5tgs.c                      |    4 +
 source4/librpc/ndr/py_security.c                   |   37 +
 source4/librpc/wscript_build                       |    7 +
 source4/ntvfs/posix/python/pyposix_eadb.c          |    2 +-
 source4/ntvfs/posix/python/pyxattr_native.c        |    4 +-
 source4/ntvfs/posix/python/pyxattr_tdb.c           |    2 +-
 source4/selftest/tests.py                          |   55 +-
 source4/torture/krb5/kdc-heimdal.c                 |  104 +-
 50 files changed, 9518 insertions(+), 500 deletions(-)
 create mode 100644 librpc/idl/krb5ccache.idl
 create mode 100755 python/samba/tests/krb5/as_req_tests.py
 create mode 100755 python/samba/tests/krb5/fast_tests.py
 create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
 rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
 create mode 100755 python/samba/tests/krb5/test_ccache.py
 create mode 100755 python/samba/tests/krb5/test_ldap.py
 create mode 100755 python/samba/tests/krb5/test_rpc.py
 create mode 100755 python/samba/tests/krb5/test_smb.py
 create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt
 create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt


Changeset truncated at 500 lines:

diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 95dde276ef7..5a168e6dd7f 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -604,8 +604,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
 static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 {
 	char *newval;
-	enum credentials_obtained obt = CRED_SPECIFIED;
-	int _obt = obt;
 	struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
 	if (creds == NULL) {
 		PyErr_Format(PyExc_TypeError, "Credentials expected");
@@ -615,7 +613,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
 	if (!PyArg_ParseTuple(args, "s", &newval)) {
 		return NULL;
 	}
-	obt = _obt;
 
 	cli_credentials_set_forced_sasl_mech(creds, newval);
 	Py_RETURN_NONE;
@@ -803,6 +800,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
 
 	if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
 		return NULL;
+	obt = _obt;
 
 	mem_ctx = talloc_new(NULL);
 	if (mem_ctx == NULL) {
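Review bot: `obt = _obt;` copies the integer parsed by `"s|iO"` into `obt` with no range check, so any int a Python caller passes is forwarded as an obtained level. Consider rejecting values that are not one of the known levels (raise ValueError) before the assignment, so a typo in a test cannot silently pick an unintended precedence.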
@@ -818,7 +816,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
 
 	ret = cli_credentials_set_ccache(creds,
 					 lp_ctx,
-					 newval, CRED_SPECIFIED,
+					 newval, obt,
 					 &error_string);
 
 	if (ret != 0) {
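Review bot: replacing `CRED_SPECIFIED` with `obt` in the `cli_credentials_set_ccache()` call changes behaviour for any existing caller that already passed the second argument and had it ignored. The method's docstring should state that the argument is now honoured, and a test that passes a non-default level and reads it back would pin the new behaviour down.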
@@ -1433,7 +1431,7 @@ static struct PyModuleDef moduledef = {
 PyTypeObject PyCredentials = {
 	.tp_name = "credentials.Credentials",
 	.tp_new = py_creds_new,
-	.tp_flags = Py_TPFLAGS_DEFAULT,
+	.tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
 	.tp_methods = py_creds_methods,
 };
 
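Review bot: adding `Py_TPFLAGS_BASETYPE` to `.tp_flags` means `py_creds_new` will now be called with a subclass as its type argument, and nothing in this hunk shows it being adjusted. Please confirm that `py_creds_new` allocates through the type it is given rather than through `&PyCredentials`, and that the type check behind "Credentials expected" accepts subclass instances; otherwise a Python subclass gets a base-type object back or is rejected by the methods.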
diff --git a/lib/talloc/pytalloc.c b/lib/talloc/pytalloc.c
index cc5a6a812ea..4d3826153b9 100644
--- a/lib/talloc/pytalloc.c
+++ b/lib/talloc/pytalloc.c
@@ -37,7 +37,7 @@ static PyObject *pytalloc_report_full(PyObject *self, PyObject *args)
 	} else {
 		talloc_report_full(pytalloc_get_mem_ctx(py_obj), stdout);
 	}
-	return Py_None;
+	Py_RETURN_NONE;
 }
 
 /* enable null tracking */
@@ -45,7 +45,7 @@ static PyObject *pytalloc_enable_null_tracking(PyObject *self,
 		PyObject *Py_UNUSED(ignored))
 {
 	talloc_enable_null_tracking();
-	return Py_None;
+	Py_RETURN_NONE;
 }
 
 /* return the number of talloc blocks */
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index 29c8b11886e..3452bc77d61 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -41,7 +41,7 @@ static PyObject* GPO_get_##ATTR(PyObject *self, void *closure) \
 	if (gpo_ptr->ATTR) \
 		return PyUnicode_FromString(gpo_ptr->ATTR); \
 	else \
-		return Py_None; \
+		Py_RETURN_NONE; \
 }
 GPO_getter(ds_path)
 GPO_getter(file_sys_path)
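Review bot: in the GPO_getter macro the unbraced `else` now depends on `Py_RETURN_NONE` expanding to a single statement. That holds for the usual definition, but wrapping both branches in braces inside the macro body would make the getter independent of how the Python headers define it.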
diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl
new file mode 100644
index 00000000000..1f0cfa752a9
--- /dev/null
+++ b/librpc/idl/krb5ccache.idl
@@ -0,0 +1,115 @@
+/*
+  krb5 credentials cache (version 3 or 4)
+  specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
+*/
+
+#include "idl_types.h"
+
+[
+  uuid("1702b695-99ca-4f32-93e4-1e1c4d5ddb53"),
+  version(0.0),
+  pointer_default(unique),
+  helpstring("KRB5 credentials cache")
+]
+interface krb5ccache
+{
+	typedef struct {
+		uint32 name_type;
+		uint32 component_count;
+		[flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string realm;
+		[flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string components[component_count];
+	} PRINCIPAL;
+
+	typedef struct {
+		uint16 enctype;
+		DATA_BLOB data;
+	} KEYBLOCK;
+
+	typedef struct {
+		uint16 addrtype;
+		DATA_BLOB data;
+	} ADDRESS;
+
+	typedef struct {
+		uint32 count;
+		ADDRESS data[count];
+	} ADDRESSES;
+
+	typedef struct {
+		uint16 ad_type;
+		DATA_BLOB data;
+	} AUTHDATUM;
+
+	typedef struct {
+		uint32 count;
+		AUTHDATUM data[count];
+	} AUTHDATA;
+
+	typedef struct {
+		PRINCIPAL client;
+		PRINCIPAL server;
+		KEYBLOCK keyblock;
+		uint32 authtime;
+		uint32 starttime;
+		uint32 endtime;
+		uint32 renew_till;
+		uint8 is_skey;
+		uint32 ticket_flags;
+		ADDRESSES addresses;
+		AUTHDATA authdata;
+		DATA_BLOB ticket;
+		DATA_BLOB second_ticket;
+	} CREDENTIAL;
+
+	typedef struct {
+		[value(0)] int32 kdc_sec_offset;
+		[value(0)] int32 kdc_usec_offset;
+	} DELTATIME_TAG;
+
+	typedef [nodiscriminant] union {
+		[case(1)] DELTATIME_TAG deltatime_tag;
+	} FIELD;
+
+	typedef struct {
+		[value(1)] uint16 tag;
+		[subcontext(2),switch_is(tag)] FIELD field;
+	} V4TAG;
+
+	typedef struct {
+		V4TAG tag;
+		/*
+		 * We should allow for more than one tag to be properly parsed, but that
+		 * would require manual parsing.
+		 */
+		[flag(NDR_REMAINING)] DATA_BLOB further_tags;
+	} V4TAGS;
+
+	typedef struct {
+		[subcontext(2)] V4TAGS v4tags;
+	} V4HEADER;
+
+	typedef [nodiscriminant] union {
+		/*
+		 * We don't attempt to support file format versions 1 and 2 as they
+		 * assume native CPU byte order, which makes no sense in PIDL.
+		 */
+		[case(3)] ;
+		[case(4)] V4HEADER v4header;
+	} OPTIONAL_HEADER;
+
+	/* Public structures. */
+
+	typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+		[value(5)] uint8 pvno;
+		[value(4)] uint8 version;
+		[switch_is(version)] OPTIONAL_HEADER optional_header;
+		PRINCIPAL principal;
+		CREDENTIAL cred;
+		[flag(NDR_REMAINING)] DATA_BLOB further_creds;
+	} CCACHE;
+
+	typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+		CREDENTIAL cred;
+		[flag(NDR_REMAINING)] DATA_BLOB further_creds;
+	} MULTIPLE_CREDENTIALS;
+}
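Review bot: the count fields read from the file (`component_count` in PRINCIPAL, `count` in ADDRESSES and AUTHDATA) size their arrays with no upper bound, so a malformed cache can request up to 2^32 elements before the parser runs out of data. A `range()` attribute on each count would reject such input early. Separately, OPTIONAL_HEADER has no default case and V4TAG only handles tag 1, so it would help to say in the header comment that versions 1 and 2 and any other first tag are expected to fail to parse rather than be skipped.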
diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index 928f54abde0..0cbd7f8fdfc 100644
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -147,6 +147,7 @@ bld.SAMBA_PIDL_LIST('PIDL',
                     drsblobs.idl
                     idmap.idl
                     krb5pac.idl
+                    krb5ccache.idl
                     messaging.idl
                     misc.idl
                     nbt.idl
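Review bot: `krb5ccache.idl` is inserted after `krb5pac.idl`, which breaks the alphabetical order the surrounding entries follow. Moving it one line up keeps the list sorted.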
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 02b7640046e..e4632d538a4 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -374,6 +374,11 @@ bld.SAMBA_LIBRARY('ndr-krb5pac',
     vnum='0.0.1'
     )
 
+bld.SAMBA_SUBSYSTEM('NDR_KRB5CCACHE',
+    source='gen_ndr/ndr_krb5ccache.c',
+    deps='ndr NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util'
+    )
+
 bld.SAMBA_LIBRARY('ndr-standard',
     source='',
     vnum='0.0.1',
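Review bot: the `deps` string for NDR_KRB5CCACHE lists `NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util`, but krb5ccache.idl includes only `idl_types.h` and uses basic integer, string and DATA_BLOB types. Unless the generated code needs them, trimming the list to `ndr` avoids pulling unrelated subsystems into everything that links the ccache parser.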
@@ -616,7 +621,8 @@ bld.SAMBA_LIBRARY('ndr-samba',
     source=[],
     deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_NEGOEX NDR_SCHANNEL NDR_MGMT
     NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
-    NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''',
+    NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV
+    NDR_KRB5CCACHE''',
     private_library=True,
     grouping_library=True
     )
diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py
index a33229e4740..7833ec98119 100644
--- a/python/samba/tests/blackbox/ndrdump.py
+++ b/python/samba/tests/blackbox/ndrdump.py
@@ -25,13 +25,7 @@ import os
 import re
 from samba.tests import BlackboxTestCase, BlackboxProcessError
 
-for p in ["../../../../../source4/librpc/tests",
-          "../../../../../librpc/tests"]:
-    data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p))
-    print(data_path_dir)
-    if os.path.exists(data_path_dir):
-        break
-
+data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../../source4/librpc/tests"))
 
 class NdrDumpTests(BlackboxTestCase):
     """Blackbox tests for ndrdump."""
@@ -326,6 +320,43 @@ dump OK
         # convert expected to bytes for python 3
         self.assertEqual(actual, expected.encode('utf-8'))
 
+    def test_ndrdump_Krb5ccache(self):
+        expected = open(self.data_path("../../../source3/selftest/"
+                                       "ktest-krb5_ccache-2.txt")).read()
+        try:
+            # Specify -d1 to match the generated output file, because ndrdump
+            # only outputs some additional info if this parameter is specified,
+            # and the --configfile parameter gives us an empty smb.conf to avoid
+            # extraneous output.
+            actual = self.check_output(
+                "ndrdump krb5ccache CCACHE struct "
+                "--configfile /dev/null -d1 --validate " +
+                self.data_path("../../../source3/selftest/"
+                               "ktest-krb5_ccache-2"))
+        except BlackboxProcessError as e:
+            self.fail(e)
+        # check_output will return bytes
+        # convert expected to bytes for python 3
+        self.assertEqual(actual, expected.encode('utf-8'))
+
+        expected = open(self.data_path("../../../source3/selftest/"
+                                       "ktest-krb5_ccache-3.txt")).read()
+        try:
+            # Specify -d1 to match the generated output file, because ndrdump
+            # only outputs some additional info if this parameter is specified,
+            # and the --configfile parameter gives us an empty smb.conf to avoid
+            # extraneous output.
+            actual = self.check_output(
+                "ndrdump krb5ccache CCACHE struct "
+                "--configfile /dev/null -d1 --validate " +
+                self.data_path("../../../source3/selftest/"
+                               "ktest-krb5_ccache-3"))
+        except BlackboxProcessError as e:
+            self.fail(e)
+        # check_output will return bytes
+        # convert expected to bytes for python 3
+        self.assertEqual(actual, expected.encode('utf-8'))
+
     # This is a good example of a union with an empty default
     # and no buffers to parse.
     def test_ndrdump_fuzzed_spoolss_EnumForms(self):
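Review bot: test_ndrdump_Krb5ccache repeats the same block for `ktest-krb5_ccache-2` and `ktest-krb5_ccache-3`, and both `open(...).read()` calls leave the file handle to be closed by the garbage collector. A loop over the two base names with `with open(...) as f:` would halve the code and avoid ResourceWarning noise. Since both inputs are dumped as `krb5ccache CCACHE`, a short comment on what distinguishes the two sample files would also help the next reader.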
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index 43f532dc483..29d8cf418f5 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -25,20 +25,11 @@ import pyasn1
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
-import samba
-from samba.auth import system_session
-from samba.credentials import (
-    Credentials,
-    DONT_USE_KERBEROS)
+from samba.credentials import DONT_USE_KERBEROS
 from samba.dcerpc.misc import SEC_CHAN_WKSTA
-from samba.dsdb import (
-    UF_WORKSTATION_TRUST_ACCOUNT,
-    UF_PASSWD_NOTREQD,
-    UF_NORMAL_ACCOUNT)
-from samba.samdb import SamDB
-from samba.tests import delete_force, DynamicTestCase
+from samba.tests import DynamicTestCase
 from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
     AES128_CTS_HMAC_SHA1_96,
@@ -96,12 +87,12 @@ class TestData:
         else:
             client_name_type = NT_PRINCIPAL
 
-        self.cname = RawKerberosTest.PrincipalName_create(
+        self.cname = KDCBaseTest.PrincipalName_create(
             name_type=client_name_type, names=[self.user_name])
         if TestOptions.AsReqSelf.is_set(options):
             self.sname = self.cname
         else:
-            self.sname = RawKerberosTest.PrincipalName_create(
+            self.sname = KDCBaseTest.PrincipalName_create(
                 name_type=NT_SRV_INST, names=["krbtgt", self.realm])
         self.canonicalize = TestOptions.Canonicalize.is_set(options)
 
@@ -141,7 +132,7 @@ USER_NAME = "tstkrb5cnnusr"
 
 
 @DynamicTestCase
-class KerberosASCanonicalizationTests(RawKerberosTest):
+class KerberosASCanonicalizationTests(KDCBaseTest):
 
     @classmethod
     def setUpDynamicTestCases(cls):
@@ -170,114 +161,37 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
                 name = build_test_name(ct, x)
                 cls.generate_dynamic_test("test", name, x, ct)
 
-    @classmethod
-    def setUpClass(cls):
-        cls.lp = cls.get_loadparm(cls)
-        cls.username = os.environ["USERNAME"]
-        cls.password = os.environ["PASSWORD"]
-        cls.host = os.environ["SERVER"]
-
-        c = Credentials()
-        c.set_username(cls.username)
-        c.set_password(cls.password)
-        try:
-            realm = os.environ["REALM"]
-            c.set_realm(realm)
-        except KeyError:
-            pass
-        try:
-            domain = os.environ["DOMAIN"]
-            c.set_domain(domain)
-        except KeyError:
-            pass
+    def user_account_creds(self):
+        if self.user_creds is None:
+            samdb = self.get_samdb()
+            self.user_creds, _ = self.create_account(samdb, USER_NAME)
 
-        c.guess()
+        return self.user_creds
 
-        cls.credentials = c
+    def machine_account_creds(self):
+        if self.machine_creds is None:
+            samdb = self.get_samdb()
+            self.machine_creds, _ = self.create_account(samdb,
+                                                        MACHINE_NAME,
+                                                        machine_account=True)
+            self.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
+            self.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
 
-        cls.session = system_session()
-        cls.ldb = SamDB(url="ldap://%s" % cls.host,
-                        session_info=cls.session,
-                        credentials=cls.credentials,
-                        lp=cls.lp)
-        cls.create_machine_account()
-        cls.create_user_account()
-
-    @classmethod
-    def tearDownClass(cls):
-        super(KerberosASCanonicalizationTests, cls).tearDownClass()
-        delete_force(cls.ldb, cls.machine_dn)
-        delete_force(cls.ldb, cls.user_dn)
+        return self.machine_creds
 
     def setUp(self):
-        super(KerberosASCanonicalizationTests, self).setUp()
+        super().setUp()
         self.do_asn1_print = global_asn1_print
         self.do_hexdump = global_hexdump
 
-    #
-    # Create a test user account
-    @classmethod
-    def create_user_account(cls):
-        cls.user_pass = samba.generate_random_password(32, 32)
-        cls.user_name = USER_NAME
-        cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn())
-
-        # remove the account if it exists, this will happen if a previous test
-        # run failed
-        delete_force(cls.ldb, cls.user_dn)
-
-        utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le')
-        cls.ldb.add({
-            "dn": cls.user_dn,
-            "objectclass": "user",
-            "sAMAccountName": "%s" % cls.user_name,
-            "userAccountControl": str(UF_NORMAL_ACCOUNT),
-            "unicodePwd": utf16pw})
-
-        cls.user_creds = Credentials()
-        cls.user_creds.guess(cls.lp)
-        cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper())
-        cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper())
-        cls.user_creds.set_password(cls.user_pass)
-        cls.user_creds.set_username(cls.user_name)
-        cls.user_creds.set_workstation(cls.machine_name)
-
-    #
-    # Create the machine account
-    @classmethod
-    def create_machine_account(cls):
-        cls.machine_pass = samba.generate_random_password(32, 32)
-        cls.machine_name = MACHINE_NAME
-        cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn())
-
-        # remove the account if it exists, this will happen if a previous test
-        # run failed
-        delete_force(cls.ldb, cls.machine_dn)
-
-        utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le')
-        cls.ldb.add({
-            "dn": cls.machine_dn,
-            "objectclass": "computer",
-            "sAMAccountName": "%s$" % cls.machine_name,
-            "userAccountControl":
-                str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD),
-            "unicodePwd": utf16pw})
-
-        cls.machine_creds = Credentials()
-        cls.machine_creds.guess(cls.lp)
-        cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper())
-        cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper())
-        cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA)
-        cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS)
-        cls.machine_creds.set_password(cls.machine_pass)
-        cls.machine_creds.set_username(cls.machine_name + "$")
-        cls.machine_creds.set_workstation(cls.machine_name)
+        self.user_creds = None
+        self.machine_creds = None
 
     def _test_with_args(self, x, ct):
         if ct == CredentialsType.User:
-            creds = self.user_creds
+            creds = self.user_account_creds()
         elif ct == CredentialsType.Machine:
-            creds = self.machine_creds
+            creds = self.machine_account_creds()
         else:
             raise Exception("Unexpected credential type")
         data = TestData(x, creds)
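Review bot: In setUp(), `self.user_creds = None` and `self.machine_creds = None` reset the cache before every test method, so user_account_creds() and machine_account_creds() call self.create_account() again for the same USER_NAME and MACHINE_NAME on each test. The removed class-level code handled both ends of the account lifetime explicitly: delete_force() before the add to clear a leftover from a failed run, and delete_force() again in tearDownClass(). Neither is visible here any more, and the second return value of create_account() is discarded with `_`, so please confirm (and note in a comment) that create_account() tolerates a pre-existing account and registers its own cleanup. Separately, the old user credentials called set_workstation(cls.machine_name) and the machine account was added with UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD; if create_account() does not reproduce those, the canonicalization tests now run against differently configured accounts than before.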
@@ -343,8 +257,6 @@ class KerberosASCanonicalizationTests(RawKerberosTest):
                                  nonce=0x7fffffff,
                                  etypes=etypes,
                                  addresses=None,
-                                 EncAuthorizationData=None,
-                                 EncAuthorizationData_key=None,
                                  additional_tickets=None)
         rep = self.send_recv_transaction(req)
         self.assertIsNotNone(rep)
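Review bot: The two dropped keyword arguments, `EncAuthorizationData=None` and `EncAuthorizationData_key=None`, were both None, so this call only stays equivalent if the request-building helper defaults them to None or no longer accepts them. That signature change is not part of this hunk; a line in the commit message naming the helper change this removal depends on would make it reviewable on its own.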
@@ -400,8 +312,6 @@ class KerberosASCanonicalizationTests(RawKerberosTest):


-- 
Samba Shared Repository


