[SCM] Samba Shared Repository - branch v4-13-test updated
Jule Anger
janger at samba.org
Thu Sep 16 08:55:07 UTC 2021
The branch, v4-13-test has been updated
via b7d16fdc653 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
via 7a2a6e0bcb0 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
via 1e27b45f49c tests/krb5: Allow expected_error_mode to be a container type
via 57800189c5f tests/krb5: Allow specifying parameters specific to the inner FAST request body
via b5e11c10966 tests/krb5: Add tests for omitting sname in request
via cabc5b114dc tests/krb5: Check PADATA-PW-SALT element in e-data
via 8a8872f7070 tests/krb5: Check e-data element for TGS-REP errors without FAST
via bd76f6d47e7 tests/krb5: Remove harmful and a-typical return in as_req testcase
via d3a611377bd CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
via a67cda7159f CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
via 95de6d138ad tests/krb5: Make cname checking less strict
via 497b461238b tests/krb5: Make e-data checking less strict
via 17c7bc10695 selftest: Remove knownfail for no_etypes FAST tests
via 27e964233a5 tests/krb5: Add FAST tests
via 576e5ca2e9c initial FAST tests
via e7e79028093 tests/krb5: Check PADATA-FX-ERROR in reply
via 1fd611e9e7f tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
via 83073237a95 tests/krb5: Check PADATA-PAC-OPTIONS in reply
via 48199d18cc9 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
via 8fa99e31658 tests/krb5: Make check_rep_padata() also work for checking TGS replies
via e1c4d715a61 tests/krb5: Check PADATA-FX-COOKIE in reply
via 2391eabfcf2 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
via 40da4ffbf18 tests/krb5: Adjust reply padata checking depending on whether FAST was sent
via 0febff53f38 tests/krb5: Check reply FAST padata if request included FAST
via ee892faca94 tests/krb5: Check sname is krbtgt for FAST generic error
via 2356b4d9b75 tests/krb5: Add get_krbtgt_sname() method
via be4977249bc tests/krb5: Remove unused variables
via fef9198aafc tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
via 087cf5f9504 tests/krb5: Add check_rep_padata() method to check padata in reply
via efe112dfa56 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
via bef5024da8c tests/krb5: Include authdata in kdc_exchange_dict
via 8eaa8e10383 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
via 8a3b41f0483 tests/krb5: Check encrypted-pa-data
via 701e5c98399 tests/krb5: Add methods to determine whether elements were included in the request
via 64b5183a776 tests/krb5: Add functions to get dicts of request padata
via cedfc67ede4 tests/krb5: Check FAST response
via 5d39d4b36e8 tests/krb5: Add method to verify ticket checksum for FAST
via b551c801193 tests/krb5: Add method to check PA-FX-FAST-REPLY
via de8fbf93111 tests/krb5: Allow specifying parameters specific to the outer request body
via 3be408a3a83 tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
via 52eb693ac31 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
via 25b6681c3cd tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
via a57e79c5fce tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
via 6264ed42420 tests/krb5: Add methods to calculate keys for FAST
via b7562c873e8 tests/krb5: Add method to generate FAST encrypted challenge padata
via 0e33a06673b tests/krb5: Add more methods to create ASN1 objects for FAST
via dbeafd158a4 tests/krb5: Add more ASN1 definitions for FAST
via 1ce82cbc9d6 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
via 04a6c902ede tests/krb5: Ensure generated padata is not None
via a9e421c4bfa tests/krb5: Add generate_ap_req() method
via d9f406518ca tests/krb5: Check nonce in EncKDCRepPart
via d81a88a78f4 tests/krb5: Make checking less strict
via ee9b0a028c2 tests/krb5: Check version number of obtained ticket
via 1e451d724b0 tests/krb5: Assert that more variables are not None
via db6495a2377 tests/krb5: Ensure in assertElementPresent() that container elements are not empty
via 81408702949 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
via cc1f6fcddbc tests/krb5: Include kdc_options in kdc_exchange_dict
via d82d3a20d32 tests/krb5: Always specify expected error code
via 235873ff334 tests/krb5: Add check_reply() method to check for AS or TGS reply
via dcd9320cd9c tests/krb5: Add method to calculate account salt
via afcf48e752c tests/krb5: Add more methods for obtaining machine and service credentials
via caca311af0a tests/krb5: Allow specifying additional details when creating an account
via 34faed8971c tests/krb5: Use encryption with admin credentials
via 5cada922527 tests/krb5: Add get_EpochFromKerberosTime()
via 2e42112ef96 tests/krb5: Make _test_as_exchange() return value more consistent
via ce7b1d71142 tests/krb5: Add method to return dict containing padata elements
via 11001fca4d2 tests/krb5: Add get_enc_timestamp_pa_data_from_key()
via ca5b9aff8f9 tests/krb5: Refactor get_pa_data()
via 70dd144a05f tests/krb5: Allow cf2 to automatically use the enctype of the first key
via 2ae49840a4f tests/krb5: Use credentials kvno when creating password key
via e2d952cfa02 tests/krb5: Check Kerberos protocol version number
via e79061f0626 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
via 2f12714196c tests/krb5: Fix encpart_decryption_key with MIT KDC
via a4e70d45d3b tests/krb5: Fix callback_dict parameter
via 254bd5ad6ed tests/krb5: Fix including enc-authorization-data
via d4c3e11e247 tests/krb5: Remove magic constants
via cd3b4785b9a tests/krb5: Simplify Python syntax
via 80757c65b24 tests/krb5: Use more compact dict lookup
via c3ffa232c03 tests/krb5: Remove unneeded statements
via 70f6cf7afce tests/krb5: formatting
via fa26a95dda1 tests/krb5: Fix method name typo
via c76cf2bc054 tests/krb5: Fix comment typo
via 7b16ffcb46f tests/krb5: Fix ms_kile_client_principal_lookup_test errors
via 11cf6255573 pygensec: Don't modify Python bytes objects
via 52898d56abb pygensec: Fix memory leaks
via 3e013f04e19 selftest: add option to pass args to tests to planpythontestsuite()
via a5a26564a87 selftest: Add support for setting ENV variables in plantestsuite()
via f5e4fc453b1 selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
via e6de4d851c0 selftest: Re-format long lines in selftesthelpers.py
via 63be60227a8 selftest: add space after --list in output of selftesthelpers.py
via e1a4921d5e3 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
via 07610622027 tests/krb5: Use admin creds for SamDB rather than user creds
via 09d0e89265c tests/krb5/as_canonicalization_tests.py: Refactor account creation
via 5a0af3e510e tests/krb5: Deduplicate 'host' attribute initialisation
via c76c9f15a78 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
via 75f534c0ac5 tests/krb5/as_req_tests.py: Check the client kvno
via 02f3bd6a821 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
via 9db32a6a456 tests/krb5/as_req_tests.py: Automatically obtain credentials
via 56b5ceb0c64 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
via ea9083dfd63 tests/krb5/raw_testcase.py: Simplify conditionals
via d88603f8b5c tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
via 23496bb7cf3 tests/krb5/raw_testcase.py: Cache obtained credentials
via 7bd0c7f557b tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
via 5b209e40ec2 tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
via 44018e6131c tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
via 1c0c89ac3bf tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
via 768f1d71b93 tests/krb5/kdc_base_test.py: Create loadparm only when needed
via 113fa4ecfd1 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
via 807773d382b tests/krb5/kdc_base_test.py: Create database connection only when needed
via 051487c6ab9 tests/krb5/raw_testcase.py: Add get_admin_creds()
via fa1a2eb7b9a tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
via d371e8688c3 selftest: run new as_req_tests against fl2008r2dc and fl2003dc
via 99acba0be9e tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
via ec49afa5a23 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
via 1b36e3bd7e2 tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
via e6682e51206 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
via 38c4f77b9e4 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
via 697edd2e1db tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
via 1ec0efe26ff tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
via 159384d02fb tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
via bf799b23de2 tests/krb5/raw_testcase.py: add assertElement*()
via 5e69e2d7cd1 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
via ce264474d29 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
via a83ea43c7ba tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
via 9d32cb48194 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
via 019b77dbb85 auth/credentials: allow credentials.Credentials to act as base class
via 8737c731040 python: Make credentials cache test run against Windows
via 3a586a81f58 python: Fix ticket timestamp conversion when local timezone is not UTC
via 9bf0f33ad10 python: Fix erroneous increments of reference counts
via 73bba60d737 python: Ensure reference counts are properly incremented
via b32c1932054 python: Add SMB credentials cache test
via ff4d39737c5 pylibsmb: Add posix_whoami()
via d75226b9092 libsmb: Ensure that whoami parses all the data provided to it
via 1208a4dce1e libsmb: Check to see that whoami is not receiving more data than it requested
via e80ad4c0f29 libsmb: Avoid undefined behaviour when parsing whoami state
via 1a3cc9a4e2d libsmb: Remove overflow check
via 8e70f0c174a Revert "libsmb: Use sid_parse()"
via c40a90d7c7a python: Add RPC credentials cache test
via bb9ff0e143a python: Add LDAP credentials cache test
via 848458d1704 python: Add credentials cache test
via 02bfb9e2daf krb5: Add Python functions to create a credentials cache containing a service ticket
via 98727cd606c librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
via 38d622f38ea krb5ccache.idl: Add definition for a Kerberos credentials cache
via a47b37c170f Revert "s4-test: fixed ndrdump test for top level build"
via 1854fc55a30 pygensec: Fix method documentation
via 522ebd8e7c9 auth:creds: Fix parameter in creds.set_named_ccache()
via 427185f8a99 auth:creds: Remove unused variable
via 1748470cc21 tests python krb5: MS-KILE client principal look-up
via 9e0cf55529a librpc: Add py_descriptor_richcmp() equality function
via 28dee15ee08 tests python krb5: PEP8 cleanups
via 03e4bbb8d85 tests python krb5: use key usage constants
via d9f914d0820 tests python krb5: Add key usage constants
via f38ba415847 tests python krb5: initial TGS tests
via 81923ea8232 tests python krb5: add test base class
via c8f1511ea49 tests python krb5: Add Authorization data ad-type constants
via bde787c8484 tests python krb5: Extra canonicalization tests
via f719d74eb7e tests python krb5: add arcfour salt tests
via f79c7c3217c tests python krb5: refactor compatability tests
via 82d2ce2a66b tests python krb5: Convert kdc-heimdal to python
via ab09ca1b0e9 tests python krb5: raw_testcase permit RC4 salts
via 7858fd1799d tests python krb5: Refactor compatability test constants
via 1543efaead3 tests python krb5: Refactor canonicalization test constants
via 8610d03794e tests python krb5: Add constants module
via fb05f15519c tests python krb5: Add python kerberos compatability tests
via a142057393f selftest: add heimdal kdc specific known fail
via d810539294b selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals
via ed2c276f765 selftest: Add in encrypted-pa-data from RFC 6806
via 08a296f9018 selftest: Fix formatting of failure (traceback and options swapped in format string)
via 657dde3bdf2 selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name
via a07052104f3 samdb: Add samdb.domain_netbios_name()
via 0242419a010 selftest: Make as_canonicalization_tests.py easier to run outside "make test"
via d08faae8bd0 selftest: Fix flipped machine and user constants
via d7ebc3b7055 selftest: Send enterprise principals tagged as such
via ca83a606256 tests python krb5: Add python kerberos canonicalization tests
via 8536b5f4397 tests python krb5: Add canonicalize flag to ASN1
via 71f30ca29b4 tests python krb5: Make PrincipalName_create a class method
via 44841d2b18b selftest: add mit kdc specific known fail
from cea68cbf537 ctdb-daemon: Don't mark a node as unhealthy when connecting to it
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test
- Log -----------------------------------------------------------------
commit b7d16fdc65397114bcc9199bbd4092f54d11e565
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Aug 31 22:38:01 2021 +1200
tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
This allows our code to still pass with the error code that
MIT and Heimdal have chosen
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184
[abartlet at samba.org: Backported from 10baaf08523200e47451aa1862430977b0365b59
to Samba 4.14 due to conflicts in
knownfail as the test which crashes older MIT KDC versions is
omitted]
Autobuild-User(v4-13-test): Jule Anger <janger at samba.org>
Autobuild-Date(v4-13-test): Thu Sep 16 08:54:13 UTC 2021 on sn-devel-184
commit 7a2a6e0bcb0f9508322e940360b95eae52572cb2
Author: Luke Howard <lukeh at padl.com>
Date: Tue Aug 31 17:38:16 2021 +1200
kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field
If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and
KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour.
[abartlet at samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd
and knownfail added. Further adapted knownfail for 4.14 due to conflicts
as the patch that adds a test which crashes old MIT versions is
omitted]
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
commit 1e27b45f49c1a6d610ec498e48b4ed4f6e85c772
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Aug 31 19:42:33 2021 +1200
tests/krb5: Allow expected_error_mode to be a container type
This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0)
commit 57800189c5f4a92058ff293f8583805ebcf9928d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:26:45 2021 +1200
tests/krb5: Allow specifying parameters specific to the inner FAST request body
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340)
commit b5e11c10966dcbb9ca4e751c6c378e2f9ed6e358
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:02:04 2021 +1200
tests/krb5: Add tests for omitting sname in request
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b)
commit cabc5b114dc094e36b4c052ed524757990ec6321
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:00:37 2021 +1200
tests/krb5: Check PADATA-PW-SALT element in e-data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1)
commit 8a8872f7070a6f2c89e2ba38d89df0e27bca9f71
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:00:21 2021 +1200
tests/krb5: Check e-data element for TGS-REP errors without FAST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a)
commit bd76f6d47e756692243a77e7628324e333c566a0
Author: Andrew Bartlett <abartlet at samba.org>
Date: Wed Sep 1 10:43:06 2021 +1200
tests/krb5: Remove harmful and a-typical return in as_req testcase
A test in a TestCase class should not return a value, the
test is determined by the assertions raised.
Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
rudundent code.
This also fixes a *lot* of tests against the MIT KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 3330eaf39c6174f2d90fe4d8e016efb97005d1e5)
commit d3a611377bdda70e6940b6f3fff03cc6240f6a5b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 12:25:06 2021 +1200
CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5)
commit a67cda7159f3c7e9c381a13705011dd9c93742ae
Author: Luke Howard <lukeh at padl.com>
Date: Fri Aug 27 11:42:48 2021 +1000
CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ
In tgs_build_reply(), validate the server name in the TGS-REQ is present before
dereferencing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
[abartlet at samba.org backported from from Heimdal
commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference
to an earlier patch by Joseph Sutton]
RN: An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ
Reviewed-by: Andreas Schneider <asn at samba.org>
(cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5)
commit 95de6d138adcd6f3fb5d098f5e13636910a3e0f7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Sep 1 14:43:53 2021 +1200
tests/krb5: Make cname checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
[abartlet at samba.org backported from commit
36798f5b651a02b74b6844c024101f7a026f1f68 as Samba 4.14 is tested
on MIT 1.16 and so the knownfails need to match this version]
commit 497b461238bf69eb5ff92c4b849b8f56bbcbac5e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Aug 27 13:35:59 2021 +1200
tests/krb5: Make e-data checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
[abartlet at samba.org Backported from commit
79dda329f2a8382f1e46b50f4b9692e78d687826 as knownfail needed splitting
into only failing in the Heimdal case due likely because
b3ee034b4d457607ef25a5b01da64e1eaf5906dd
(s4:kdc: prefer newer enctypes for preauth responses) is not included
in the 4.14 backport. ]
commit 17c7bc10695d7b2ca1a06e02786dc08c26252fd6
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 7 17:23:32 2021 +1200
selftest: Remove knownfail for no_etypes FAST tests
These test pass because b3ee034b4d457607ef25a5b01da64e1eaf5906dd
(s4:kdc: prefer newer enctypes for preauth responses) is not included
in the 4.13 backport.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
commit 27e964233a55665de302e25e54e93109bdcfb1ac
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:58:44 2021 +1200
tests/krb5: Add FAST tests
Example command:
SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
(cherry picked from commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854)
commit 576e5ca2e9cb04c3264962d0e8a256d3e3ec3306
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Jun 10 09:56:58 2021 +1200
initial FAST tests
Currently incomplete, and tested only against MIT Kerberos.
[abartlet at samba.org
Originally "WIP inital FAST tests"
Samba's general policy that we don't push WIP patches, we polish
into a 'perfect' patch stream.
However, I think there are good reasons to keep this patch distinct
in this particular case.
Gary is being modest in titling this WIP (now removed from the title
to avoid confusion). They are not WIP in the normal sense of
partially or untested code or random unfinished thoughts. The primary
issue is that at that point where Gary had to finish up he had
trouble getting FAST support enabled on Windows, so couldn't test
against our standard reference. They are instead good, working
initial tests written against the RFC and tested against Samba's AD DC
in the mode backed by MIT Kerberos.
This preserves clear authorship for the two distinct bodies of work,
as in the next patch Joseph was able to extend and improve the tests
significantly. ]
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b7b62957bdce9929fabd3812b9378bdbd6c12966)
commit e7e79028093778d9dd028d8d408af2c75f21f211
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:49:58 2021 +1200
tests/krb5: Check PADATA-FX-ERROR in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c)
commit 1fd611e9e7fbce83ea4f7ed6c7d8f4f1a04b3543
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 11:50:16 2021 +1200
tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 66e1eb58bedf036ad25a868993d44480c4e0e055)
commit 83073237a95f2e8e3288394362cb02bb1d3869b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:50:20 2021 +1200
tests/krb5: Check PADATA-PAC-OPTIONS in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07)
commit 48199d18cc9141cf626af99d317836ceacad51f6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:29:39 2021 +1200
tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 29070e74baa18d94642efcd36930b9bab216e10c)
commit 8fa99e31658860bac6a03f83a5f588f29b26fd96
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 20:49:25 2021 +1200
tests/krb5: Make check_rep_padata() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ab4e7028a6ac01eab9531c8a26507a912df54278)
commit e1c4d715a61e06ce996961f0723867e9faead8cb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:49:12 2021 +1200
tests/krb5: Check PADATA-FX-COOKIE in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7)
commit 2391eabfcf29c682686ab2fc03ec1d648930ce0c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:36:56 2021 +1200
tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd)
commit 40da4ffbf18a53b2be308d6be6309943a6c2d3d9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:42:26 2021 +1200
tests/krb5: Adjust reply padata checking depending on whether FAST was sent
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 44a44109db96eab08a3da3683c34446bc13b295b)
commit 0febff53f3867d7905dbe8e01f2ecd9f701cec2b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:31:39 2021 +1200
tests/krb5: Check reply FAST padata if request included FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 056fb71832e7aa16132c58ff393ab8b752ef6a93)
commit ee892faca94611ec287b6240dddbfbfd83128888
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:25:39 2021 +1200
tests/krb5: Check sname is krbtgt for FAST generic error
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7a27b75621908a4a6449efaecb54eb20fa45aca0)
commit 2356b4d9b7543ef06b20d6867d5dd1137b72650b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:15:00 2021 +1200
tests/krb5: Add get_krbtgt_sname() method
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit dbe98005d5873440063b91e56679937149535be7)
commit be4977249bc4b971d0d4257f85a5a0a6954dc6f4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:26:06 2021 +1200
tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5edbabeb26e110648d4588c90843e4715ec1ac5c)
commit fef9198aafc718fcf0b739591a9c5da3e300ab77
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:35:32 2021 +1200
tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 705e45e37f4752e283a80626be10c38b29232359)
commit 087cf5f9504eeb46e0a3c5ce4d8a7d91615861dc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 16:21:14 2021 +1200
tests/krb5: Add check_rep_padata() method to check padata in reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab)
commit efe112dfa56772091eb3e9334f083a550668d711
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:20:09 2021 +1200
tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1389ba346df81c9ea1e1143c4e819212939f6aeb)
commit bef5024da8ceb658c00ade1310a13f737a94bcdf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:18:29 2021 +1200
tests/krb5: Include authdata in kdc_exchange_dict
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ea1ed63e8819926db1cf15974009601c7d37e944)
commit 8eaa8e10383acc1395ff27ed0107341d581dc3cc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:05:59 2021 +1200
tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
This is useful for testing the 'hide client names' FAST option.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d)
commit 8a3b41f048396b83674bbd173ba94de65b6600b3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:34:49 2021 +1200
tests/krb5: Check encrypted-pa-data
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0c029e780cf16a49c674593e8329eaf3b87aec69)
commit 701e5c98399bb7b4ac7072e0da73dfde7d209d74
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:21:01 2021 +1200
tests/krb5: Add methods to determine whether elements were included in the request
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2)
commit 64b5183a7764f25cd45126de331cfa51fa3bb0e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:20:44 2021 +1200
tests/krb5: Add functions to get dicts of request padata
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6)
commit cedfc67ede46bc87a75db0514f3dbcbe29fac30e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:42:57 2021 +1200
tests/krb5: Check FAST response
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e)
commit 5d39d4b36e88a12e69a78b934ba611a2ae3c7e67
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:10:13 2021 +1200
tests/krb5: Add method to verify ticket checksum for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4ca05402b36ba13a987b07b2402906764d3cd49b)
commit b551c801193d13698baca765a741c74b38ce78fd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:04:37 2021 +1200
tests/krb5: Add method to check PA-FX-FAST-REPLY
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b62488113f6053755f9be9faa9b757e7193074fa)
commit de8fbf93111284cc6bd62262421b69bfee604eb8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:01:36 2021 +1200
tests/krb5: Allow specifying parameters specific to the outer request body
This is useful for testing FAST.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb)
commit 3be408a3a839a5956e808fd939095c04b9413cc9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:33:24 2021 +1200
tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d)
commit 52eb693ac31dcf66b637bdf07061de2cb5c3bb5b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:33:10 2021 +1200
tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e)
commit 25b6681c3cd5c0eeb1a29913dd319ab00cf3ba51
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 29 10:19:46 2021 +1200
tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
This is needed for FAST.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d554b6dc0f4e14d154e487dc2a842321aa746155)
commit a57e79c5fcee8e2ecb5d60c05ed84dc116acb4c4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 20:49:12 2021 +1200
tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
This method will also be useful in checking TGS-REP error replies.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 74f332c6f9e31b933837cefee69b219054970713)
commit 6264ed424206bf728de193f1177c845283580ab4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 12:49:05 2021 +1200
tests/krb5: Add methods to calculate keys for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 080894067469d60e2c71961c2d1c1990ba15b917)
commit b7562c873e8091b210ca7d70cde68fda45c714dc
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 12:47:18 2021 +1200
tests/krb5: Add method to generate FAST encrypted challenge padata
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit aafc86896969d02ff1daecdf2668bfa642860082)
commit 0e33a06673b7d09a2dec878505776d82a2f09ecf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:23:26 2021 +1200
tests/krb5: Add more methods to create ASN1 objects for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d)
commit dbeafd158a46c48dd1cb0e88b6550e170129f4d2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:21:07 2021 +1200
tests/krb5: Add more ASN1 definitions for FAST
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ec702900295100ae4e48ba57242eee6670bf30d6)
commit 1ce82cbc9d65edcf0e665da8a400a2dd1b10a125
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 13:59:36 2021 +1200
tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 025737deb5325d25b2ae4c57583c24ae1d0eca33)
commit 04a6c902edeb0a7a030b8850e454f87403d9e83d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:06:35 2021 +1200
tests/krb5: Ensure generated padata is not None
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b6f96dd6395a30e15fa906959cbe665757aaba8d)
commit a9e421c4bfafc94b1472fb270f701da6db5b27c1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 19:27:02 2021 +1200
tests/krb5: Add generate_ap_req() method
This method will be useful to generate an AP-REQ for use as FAST armor.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7)
commit d9f406518ca82afa8f748a59326d5fba7e3dd394
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 12:52:42 2021 +1200
tests/krb5: Check nonce in EncKDCRepPart
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4951a105b0448854115a7ecc3d867be6f34b0dcf)
commit d81a88a78f4c82edf6d3ebf1d8452df67fcbb750
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:39:37 2021 +1200
tests/krb5: Make checking less strict
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc)
[abartlet at samba.org Adapted to add knownfail because in this
Samba 4.14 backport we do not include
b3ee034b4d457607ef25a5b01da64e1eaf5906dd
(s4:kdc: prefer newer enctypes for preauth responses)]
commit ee9b0a028c2e712e9dee6767eb7826cfa3af1da6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:34:19 2021 +1200
tests/krb5: Check version number of obtained ticket
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b)
commit 1e451d724b0c0cba4c495c1a9fd6385c4ac021b9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:39:42 2021 +1200
tests/krb5: Assert that more variables are not None
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3d1066e923815782036bd11524fda110a2528951)
commit db6495a2377c3bfb08f6173e881d3cd5a1ff973e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 10:37:48 2021 +1200
tests/krb5: Ensure in assertElementPresent() that container elements are not empty
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ba3c92f77b20e1e0d298cd92399dc69535739c27)
commit 814087029499d50d98e567b81384b9b6f7128088
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:06:15 2021 +1200
tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
This means that there can no longer be surprises where a test receives a
reply when it was expecting an error, or vice versa.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 78818655505b3183251940e86270cd40bae73206)
commit cc1f6fcddbc58d587797db27f24a04d8c6f50553
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 10:35:40 2021 +1200
tests/krb5: Include kdc_options in kdc_exchange_dict
Make kdc_options an element of kdc_exchange_dict instead of a parameter
to _generic_kdc_exchange(). This allows testing code to adjust the reply
checking based on the options that were specified in the request.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95)
commit d82d3a20d320a9921ef6cbc31cd945b011875281
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 10:32:52 2021 +1200
tests/krb5: Always specify expected error code
Now the expected error code is always determined by the test code itself
rather than by generic_check_as_error().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c)
commit 235873ff334c6362f2392ac896b6fe9e03b8df1b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:19:04 2021 +1200
tests/krb5: Add check_reply() method to check for AS or TGS reply
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329)
commit dcd9320cd9cbce87c25715d0de862d2ac81f2fbb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 22 16:22:09 2021 +1200
tests/krb5: Add method to calculate account salt
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5)
commit afcf48e752c07180717fc1184f8cfc65cc0657ad
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:19:57 2021 +1200
tests/krb5: Add more methods for obtaining machine and service credentials
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb)
commit caca311af0a851417453b856e9858fd3bb39357c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 11:25:55 2021 +1200
tests/krb5: Allow specifying additional details when creating an account
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c)
commit 34faed8971ca1ef537733d5878f7ebe162d3aa35
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Aug 3 15:58:19 2021 +1200
tests/krb5: Use encryption with admin credentials
This ensures that account creation using admin credentials succeeds.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ce379edf2e135b105b18d35e24d732389de94291)
commit 5cada92252775e26ca056a43629dca14193f1489
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 22 16:27:17 2021 +1200
tests/krb5: Add get_EpochFromKerberosTime()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit bab7503e3043002b1422b00f40cd03a0a29538aa)
commit 2e42112ef964878c03ceff1727d69fed28438195
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:27:47 2021 +1200
tests/krb5: Make _test_as_exchange() return value more consistent
Always return the reply and the kdc_exchange_dict so that the caller has
more potentially useful information.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fe8912e4a85c5fd614ad3079b041c0e1975958e3)
commit ce7b1d711428c01d26d9666a480bd50b87441a41
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 12:51:54 2021 +1200
tests/krb5: Add method to return dict containing padata elements
This makes checking multiple padata elements easier.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit cb332d83008aa97a60eaca9e008054f641d514d6)
commit 11001fca4d279de3ef5c74cd7ac86b75a45d8903
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:18:38 2021 +1200
tests/krb5: Add get_enc_timestamp_pa_data_from_key()
This makes it easier to create encrypted timestamp padata when the key
has already been obtained.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit f5a906f74f9665a894db3c13722022f732180620)
commit ca5b9aff8f94e465378b4385fae9d008c2ac32d5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:16:01 2021 +1200
tests/krb5: Refactor get_pa_data()
The function now returns a single padata object rather than a list,
making it easier to combine multiple padata elements into a request. The
new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
the method generates.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731)
commit 70dd144a05fb13cf6cab82629e2a4f41910f1c5a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:24:52 2021 +1200
tests/krb5: Allow cf2 to automatically use the enctype of the first key
RFC6113 states: "Unless otherwise specified, the resulting enctype of
KRB-FX-CF2 is the enctype of k1." This change means the enctype no
longer has to be specified manually.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a5e5f8fdfe8b6952592d7d682af893c79080826f)
commit 2ae49840a4f38cd3a47018111dbe2996e6deec6a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 11:28:37 2021 +1200
tests/krb5: Use credentials kvno when creating password key
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 17d5a267298ccd7272e86fd24c2c608511cf46b7)
commit e2d952cfa02a6d24f5e2cba0c5f04005cf83b1f1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 15:07:59 2021 +1200
tests/krb5: Check Kerberos protocol version number
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d6a242e20004217a0ce02dc4ef620a121e5944da)
commit e79061f0626f9dd88e74f43ff09b4e1c955007d1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jul 28 17:00:09 2021 +1200
tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b)
commit 2f12714196c32f3051e1d8a2819484d4cb9c80b1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 14:06:29 2021 +1200
tests/krb5: Fix encpart_decryption_key with MIT KDC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1)
commit a4e70d45d3be5d85b24fbdab07be4a2b68bc7552
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 11:12:34 2021 +1200
tests/krb5: Fix callback_dict parameter
Items contained in a default-created callback_dict should not be carried
over between unrelated calls to {as,tgs}_as_exchange_dict().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf)
commit 254bd5ad6ed30df41a2178a58ff74eacb7491a97
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:14:08 2021 +1200
tests/krb5: Fix including enc-authorization-data
Remove the EncAuthorizationData parameters from AS_REQ_create(), since
it should only be present in the TGS-REQ form. Also, fix a call to
EncryptedData_create() to supply the key usage when creating
enc-authorization-data.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 67ff72395cec2e5170c0ebae8db416a1f226df72)
commit d4c3e11e247a1e83182fe0689113b3c4294e63b3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 27 13:49:27 2021 +1200
tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a2b183c179e74634438c85a4b35518836ba59e47)
commit cd3b4785b9ab608ec73ada85e92980ad8ec536ae
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Aug 3 15:03:00 2021 +1200
tests/krb5: Simplify Python syntax
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 41c3e410344280d691e5a21fa5240ef52e71bd2d)
commit 80757c65b243dd87dae2b7a155d0fec6e26aa2a7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Aug 2 17:10:32 2021 +1200
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 38b3a361819c716adb773fb3b4507c28d7d26c0d)
commit c3ffa232c03e60770a85aa6b119785218dca5826
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Aug 2 17:01:39 2021 +1200
tests/krb5: Remove unneeded statements
A return statement is redundant as the last statement in a method, as
methods will otherwise return None. Also, code blocks consisting of a
single 'pass' statement can be safely omitted.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d)
commit 70f6cf7afcecebc8a862f09754723bedc4ef5941
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Aug 2 17:00:09 2021 +1200
tests/krb5: formatting
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit df6623363a7ec1a13af48a09e1d29fa8784e825c)
commit fa26a95dda13e9b5acb4d88ed4c2063f425351c7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 6 10:17:52 2021 +1200
tests/krb5: Fix method name typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2)
commit c76cf2bc054ea3a183a72eab559adf7d20fa82d6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Jul 22 16:26:17 2021 +1200
tests/krb5: Fix comment typo
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4)
commit 7b16ffcb46f6b2d7f390c9bb4d93d031dd3f397d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 26 17:15:23 2021 +1200
tests/krb5: Fix ms_kile_client_principal_lookup_test errors
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4797ced89095155c01e44727cf8b66ee4fb39710)
commit 11cf625557351bd2bc73d8d858d2817f5fe680b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jul 20 10:48:41 2021 +1200
pygensec: Don't modify Python bytes objects
gensec_update() and gensec_unwrap() can both modify their input buffers
(for example, during the inplace RRC operation on GSSAPI tokens).
However, buffers obtained from Python bytes objects must not be modified
in any way. Create a copy of the input buffer so the original isn't
modified.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159)
commit 52898d56abb0ec7ce29d9a03d0220fe887eeae1f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jul 19 17:29:39 2021 +1200
pygensec: Fix memory leaks
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 814df05f8c10e9d82e6082d42ece1df569db4385)
commit 3e013f04e190576272a513597eb14171b6c40a1b
Author: Björn Baumbach <bb at sernet.de>
Date: Fri Jul 24 12:18:11 2020 +0200
selftest: add option to pass args to tests to planpythontestsuite()
The logic is basically a copy from planoldpythontestsuite().
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Björn Baumbach <bb at sernet.de>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3e9f0e97255de1b4235c4dca6912635386328746)
commit a5a26564a87ea04e1d4abcf44af6e94465fb83f5
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 13:45:03 2021 +0200
selftest: Add support for setting ENV variables in plantestsuite()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 48289b6964d28e153fec885aceca02c6a9b436ef)
commit f5e4fc453b1056d933219344eb582a07746bea93
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 13:25:59 2021 +0200
selftest: Add support for setting ENV variables in plansmbtorture4testsuite()
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a)
commit e6de4d851c006838d99b3b77cfe250f1b6821d99
Author: Andreas Schneider <asn at samba.org>
Date: Tue Jul 27 08:50:54 2021 +0200
selftest: Re-format long lines in selftesthelpers.py
Signed-off-by: Andreas Schneider <asn at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 18976a9568b23759060377d09304e9d7badb143a)
commit 63be60227a86c10d866a78148a1bed339c2d407b
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Sep 7 09:08:58 2021 +1200
selftest: add space after --list in output of selftesthelpers.py
Selected and backported from:
commit b113a3bbcd03ab6a62883fbca85ee8749e038887
Author: Volker Lendecke <vl at samba.org>
Date: Mon Apr 19 16:04:00 2021 +0200
torture: Show sddl_decode() failure for "GWFX" access mask
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(This allows subsequent patches to be cherry-picked cleanly)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
commit e1a4921d5e3589b565810b9d1af98f30e521b746
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon Jun 21 14:14:48 2021 +1200
s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
This enables us to more easily switch to a different algorithm to find
the strongest key in _kdc_find_etype().
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit bf71fa038e9b97f770e06e88226e885d67342d47)
commit 07610622027d22e242e430be49da90a564d5666b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 12:52:11 2021 +1200
tests/krb5: Use admin creds for SamDB rather than user creds
This makes the purpose of each set of credentials more consistent, and
makes some tests more convenient to run standalone as they no longer
require user credentials.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ab221c1b3e24696aa0eed6aa970f310447657069)
commit 09d0e89265c3d780fcea6afe369f09d800628932
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:49:05 2021 +1200
tests/krb5/as_canonicalization_tests.py: Refactor account creation
Making this test a subclass of KDCBaseTest allows us to make use of its
methods for obtaining credentials and creating accounts, which helps to
eliminate some duplicated code.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fc857ea60e2a66d20d4174cb121e0a6949f8a0c1)
commit 5a0af3e510e296755cfc1e28a86695045416705a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:01:50 2021 +1200
tests/krb5: Deduplicate 'host' attribute initialisation
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3e621dcb6966f75034bb948a2705358d43454202)
commit c76c9f15a780ac05e92827ad42c78e49de14bfb7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:25:34 2021 +1200
tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
This is clearer than using the constant zero, which could be mistaken
for a valid kvno value.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 381223117e0bae4c348d538bffaa8227b18ef3d1)
commit 75f534c0ac5b21cb10e1975490c1153672e78bf7
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:24:22 2021 +1200
tests/krb5/as_req_tests.py: Check the client kvno
Ensure we have the correct kvno for the client, rather than an 'unknown'
value.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d4c38678e0cc782965edfe40a0423fafb7d5a5ff)
commit 02f3bd6a821b85e140f272d745cdb6d7eb8b3c0c
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
Example commands:
Windows 2012R2:
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py
Windows 2008R2:
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
Samba:
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d5e350a4a490fecf570f1c248c9dde1466796166)
commit 9db32a6a456b6b678d76527f73a8f5d30593e72f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 14:51:22 2021 +1200
tests/krb5/as_req_tests.py: Automatically obtain credentials
The credentials for the client and krbtgt accounts are now fetched
automatically rather than using environment variables, and the client
account is now automatically created.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0fd71ed3c37c8cf326f9f676b7fddda3d2d24072)
commit 56b5ceb0c647a4733aed758481922617d48522dd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 16:07:16 2021 +1200
tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
Now if the client credentials are not supplied in the environment, we
can fall back to creating a new user account. Similarly, if the krbtgt
credentials are not supplied, we can fetch the credentials of the
existing krbtgt account.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fd45bea7a88837cbe4f99adf3a6b3f69ce32f34c)
commit ea9083dfd631cb1ec836551dc6c3361652cf18b6
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:55:17 2021 +1200
tests/krb5/raw_testcase.py: Simplify conditionals
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ec5c2b040b63d06a17bcd7bd133c2d68d07df587)
commit d88603f8b5c58a26226ca01319a2edcf4f7d6d0b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 17:12:39 2021 +1200
tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
This allows us to use other methods of obtaining credentials if getting
them from the environment fails.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit e1601f2b56f09a944c5cfb119502fdcf49a03c99)
commit 23496bb7cf35463bde5d80b4e418e608ee01e3a2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 17:10:44 2021 +1200
tests/krb5/raw_testcase.py: Cache obtained credentials
If credentials are used more than once, we can now use the credentials
that we already obtained and so avoid fetching them again.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 22a90aea82ba6ef86bde835f2369daa6e23ed2fd)
commit 7bd0c7f557b2a95a6d21a8a1505a4fe9c3f2ea53
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 16:55:02 2021 +1200
tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
This allows us to require encryption keys in the case that a password
would not be required, such as for the krbtgt account.
Pair-Programmed-With: Stefan Metzmacher <metze at samba.org>
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6a77c2b93315503008627ce786388f281bd6bb87)
commit 5b209e40ec26ca906397d7c1cb6667f1bd5df403
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:59:11 2021 +1200
tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
This allows it to be used elsewhere in the tests.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 948bbc9cecbfc1b33a338891d26a4a706864b9c6)
commit 44018e6131c5c945af57876aa971ee209bec5528
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:15:10 2021 +1200
tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
This requires admin credentials, and removes the need to pass these keys
as environment variables.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1f2ddd3c97e3ff243c8bd0c17299f27b761f5e7f)
commit 1c0c89ac3bf4985efea12181ee6c0658084bd7c2
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:12:38 2021 +1200
tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
This is done based on the domain functional level, which corresponds to
the logic Samba uses to decide whether or not to generate a
Primary:Kerberos-Newer-Keys element for the supplementalCredentials
attribute.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7d4a0ed21be49d13c2b815582f2d04f0c058bf3a)
commit 768f1d71b93b482dc04705004045f14277b28aa4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:40:41 2021 +1200
tests/krb5/kdc_base_test.py: Create loadparm only when needed
Now the .conf file is only loaded on its first use, which means that
SMB_CONF_PATH need not be defined for tests that don't make use of it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 210e544016a3a4de1cdb76ce28a2148811ff07eb)
commit 113fa4ecfd1be51049474a9d5d2ec25c5b35bc92
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:31:26 2021 +1200
tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
Credentials for tests are now obtained using the get_user_creds()
method.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 364f1ce8d8221cb8926635fc864db782cee61cf9)
commit 807773d382b17d07ad77dc700bbd9ea39819138b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Jun 16 11:04:00 2021 +1200
tests/krb5/kdc_base_test.py: Create database connection only when needed
Now the database connection is only created on its first use, which
means database credentials are no longer required for tests that don't
make use of it.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 4f5566be4839838e0e3e501a030bcf6e85ff5159)
commit 051487c6ab941c174b820d70c4ce10838162349d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 13:14:33 2021 +1200
tests/krb5/raw_testcase.py: Add get_admin_creds()
This method allows obtaining credentials that can be used for
administrative tasks such as creating accounts.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5afae39da0ab408bb36dde3a7801634bd9cc24f6)
commit fa1a2eb7b9a7e36c223ced4dbb7208ecb19fa577
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Jun 15 15:38:28 2021 +1200
tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
This allows accounts created for permutation tests to be reused, rather
than having to be recreated for every test.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Stefan Metzmacher <metze at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5412bffb9b4fc13023e650bbc9436a79b60b6fa2)
commit d371e8688c34ea67f8e2375dd569dabad84bb4b5
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
selftest: run new as_req_tests against fl2008r2dc and fl2003dc
There are a lot of things we should improve in our KDC
in order to work like a Windows KDC.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d91665d33130aed11fa82d8d2796ab1627e04dc4)
commit 99acba0be9e24f9a877f7046f6d7af127d0d4d17
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
Example commands:
Windows 2012R2:
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
Windows 2008R2:
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
Samba 4.14:
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c)
commit ec49afa5a23a62fa8eaa88f036da31aa6ac097b7
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 11:07:45 2020 +0200
tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
This will allow us to write tests, which will all cross check almost
every aspect of the KDC response (including encrypted parts).
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6e2f2adc8e825634780077e24a9e437bdc68155a)
commit 1b36e3bd7e2c65f0a67168b7da658d7fb26532e0
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 16 17:13:35 2020 +0200
tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
This will allow building test_as_req_enc_timestamp()
It also introduces ways to specify keys in hex formated environment
variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065)
commit e6682e512067280d117cd5c72b51ce8de7c81438
Author: Stefan Metzmacher <metze at samba.org>
Date: Mon Apr 20 20:02:52 2020 +0200
tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
It's often useful to run tests over a lot of input parameter
permutations.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit e3905035847a5268c1a65366830cc739280ae437)
commit 38c4f77b9e4f86830497d0781dfbfd667d0f2fe8
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 16 10:43:54 2020 +0200
tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
This allows building the pre-authentication data that encodes
the request for the KDC (or more likely a request not to include)
the KRB5 PAC in the resulting ticket.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d)
commit 697edd2e1db15e5facafb7775d513117d1ce200a
Author: Stefan Metzmacher <metze at samba.org>
Date: Tue Apr 21 14:45:01 2020 +0200
tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
This allows us to reuse body in future and calculate checksums on it.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb)
commit 1ec0efe26ff7941897796e8bf983683f5e3e10e2
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 17:57:37 2020 +0200
tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 3abb3b41368666535a216a98c3e7d15a5d498f7e)
commit 159384d02fbe41ebd54c2d2a5ea45d0c82063adb
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 17:50:00 2020 +0200
tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 34e079ce9a232a765fb3a2b25441434df35df54c)
commit bf799b23de251510c1587394ae68c43d480c1232
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 13:49:52 2020 +0200
tests/krb5/raw_testcase.py: add assertElement*()
These helper functions make writing subsequent Kerberos test
clearer.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 61e1b179812e48797146584998afc5bd0168beae)
commit 5e69e2d7cd1106117293bdcc02b88fa6bf979baa
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 22:28:32 2020 +0200
tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
We should write tests as strict as possible in order to let them run
against Windows servers.
But at the same time we want to allow tests to be useful for Samba
too...
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit dff611976d6a067614e37add99edae214815a68b)
commit ce264474d2939f1bd4046f30aa84b4487f4a45f3
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 10:55:28 2020 +0200
tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
These helpful functions allow us to build the various credentials
that we will use in validating the KDC responses in this test.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit c3222870b92db7f867557c2896b7bf39915d469a)
commit a83ea43c7ba421197638e58f150cf681418b3004
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 11:10:11 2020 +0200
tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
Update and re-generate the ASN.1 to allow an improved testsuite.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162)
commit 9d32cb48194a3c2f04bada32a7bfc67bdd422d10
Author: Stefan Metzmacher <metze at samba.org>
Date: Wed Apr 15 16:50:55 2020 +0200
Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
This is a clearer name for the script
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fef08add9ec324fb0c3902e96c2a91c07646d499)
commit 019b77dbb85d006165f061f0035d41193447a3f1
Author: Stefan Metzmacher <metze at samba.org>
Date: Thu Apr 9 21:04:44 2020 +0200
auth/credentials: allow credentials.Credentials to act as base class
In tests it's useful to add more details.
Signed-off-by: Stefan Metzmacher <metze at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1f413b2b2977687884781ca2399dadf6611ab461)
commit 8737c731040a1e0a85c70bac71ac88539b1437bd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 10 15:06:06 2021 +1200
python: Make credentials cache test run against Windows
Windows, unlike Samba, requires the service principal name to be set
when requesting a ticket to that service.
Additionally, default_realm from the libdefaults section of krb5.conf
should be set so that the correct realm is used.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Autobuild-User(master): Jeremy Allison <jra at samba.org>
Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184
(cherry picked from commit 7791acb074b84ec7b571a81f15b56d33e2214ce9)
commit 3a586a81f589d4b2f92714ee4a060eb5dac4f1af
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 10 16:43:03 2021 +1200
python: Fix ticket timestamp conversion when local timezone is not UTC
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b9006f33343ba8bb82ef8ffe1fd90c780961b41e)
commit 9bf0f33ad1057bc9d1e61464b5343b08ebe19774
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 3 14:43:04 2021 +1200
python: Fix erroneous increments of reference counts
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 66695f0f94775c4db24fb625fe78ff44d964b5ad)
commit 73bba60d737482a4edf6a5cf9c5ce06958a1d5c3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 3 14:42:10 2021 +1200
python: Ensure reference counts are properly incremented
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 290c1dc0975867a71c02e911708323d1f38b6f96)
commit b32c193205473b585bfaf5d9e50e42e2a75eadcf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Apr 30 08:58:11 2021 +1200
python: Add SMB credentials cache test
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through SMB.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 78a0b57b51642df07deed8aeb6e39e608fafda60)
commit ff4d39737c57599a5858148696b7b81464565bd1
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Fri Apr 30 12:49:24 2021 +1200
pylibsmb: Add posix_whoami()
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
[abartlet at samba.org backport from commit
482559436f12a85adb3409433aac3ab06baa82b1 as the 4.13 backport
doesn't have ealier pylibsmb changes including
752a8f870de2bb087802a1287d7fb6c7624ac631
(s3:pylibsmb: remove unused SECINFO_DEFAULT_FLAGS)]
commit d75226b90925a35537d21a4f27c68031ed187056
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 3 16:24:42 2021 +1200
libsmb: Ensure that whoami parses all the data provided to it
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9b96ebea5c6966b096cf1100a0895a9c41f2aa1d)
commit 1208a4dce1e8542be4b5444509545c9ab28828a0
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 3 16:22:43 2021 +1200
libsmb: Check to see that whoami is not receiving more data than it requested
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9e414233c84d2f2fa4a9415be9ee975eca8b9bfd)
commit e80ad4c0f2917a0ec6ed47eb82c30262b65c13ec
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 3 16:16:51 2021 +1200
libsmb: Avoid undefined behaviour when parsing whoami state
If num_gids is such that the gids array would overflow the rdata buffer,
'p + 8' could produce a result pointing outside the buffer, and thus
result in undefined behaviour. To avoid this, we check num_gids against
the size of the buffer beforehand.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb)
commit 1a3cc9a4e2d888f07b13b6b12efbc971ee13ef2b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 3 15:55:01 2021 +1200
libsmb: Remove overflow check
Pointer overflow is undefined, so this check does not accomplish
anything.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit db5b34c7682e36630908356cf674fddd18d8fa1f)
commit 8e70f0c174a9c95c221ab148ab30a06e0afa4de5
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Mon May 3 15:48:43 2021 +1200
Revert "libsmb: Use sid_parse()"
This reverts commit afd5d34f5e1d13ba88448b3b94d353aa8361d1a9.
This code originally used ndr_pull_struct_blob() to pull one SID from a
buffer potentially containing multiple SIDs. When this was changed to
use sid_parse(), it was now attempting to parse the whole buffer as a
single SID with ndr_pull_struct_blob_all(), which would cause it to fail
if more than one SID was present.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2b487890d946df88abce67c3d07d74559f70f069)
commit c40a90d7c7afdfdba86e8941caa52fb2bb4f7ff9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Apr 29 21:04:25 2021 +1200
python: Add RPC credentials cache test
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through RPC.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 072451a033da07c0cdaa005dd1020ef1c7951e99)
commit bb9ff0e143ac3551a8b6a1c660bbec603f347c2f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Apr 29 20:58:11 2021 +1200
python: Add LDAP credentials cache test
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through LDAP.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 7663b5c37fa3413f7c67c018107322494e4a6fd9)
commit 848458d1704ef4cb632996a5949d00bf8fd3d9f3
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 11:06:33 2021 +1200
python: Add credentials cache test
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service using the normal
credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This
will allow us to validate the output of the MIT/Heimdal libraries in the
future.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit c15f26ec40860782b22e862f9bdf665745387718)
commit 02bfb9e2daffa319261089dba068893c203eaf94
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 11:02:47 2021 +1200
krb5: Add Python functions to create a credentials cache containing a service ticket
This is a FILE: format credentials cache readable by the MIT/Heimdal
Kerberos libraries. This allows us to glue the Python ASN1 Kerberos
system to the MIT/Heimdal one.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2d88a6ff3dbcf650b09ef9c8c37170ca6663b533)
commit 98727cd606ca5e63486908756c9aad327fcd43dd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 10:58:48 2021 +1200
librpc: Test parsing a Kerberos 5 credentials cache with ndrdump
This is the format used by the FILE: credentials cache type.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1f17b1edca9c1638ef404fadce3ca7a4d176de12)
commit 38d622f38ea8b3f3a3d6cf9db76c108b5ea082fb
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 10:57:00 2021 +1200
krb5ccache.idl: Add definition for a Kerberos credentials cache
Based on specifications found at
https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
This is primarily designed for parsing and storing a single Kerberos
ticket, due to the limitations of PIDL.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2)
commit a47b37c170fe67f61844aa1d3bfc4a15130ac7a8
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Apr 15 10:32:41 2021 +1200
Revert "s4-test: fixed ndrdump test for top level build"
This essentially reverts commit
b84c0a9ed6d556eb2d3797d606edcd03f9766606, but the datapath is now in the
source4 directory.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 6f144d49b5281a08bf7be550b949f4d91e8fe19b)
commit 1854fc55a30f2a7efd106e4d4cf1f2a77338251f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 11:07:22 2021 +1200
pygensec: Fix method documentation
This changes the docstrings to use the correct method names.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 50ade4cadc766a196316fd5c5a57f8c502f0ea22)
commit 522ebd8e7c977c6f5aa5791766d7f9044049c877
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 10:55:13 2021 +1200
auth:creds: Fix parameter in creds.set_named_ccache()
Use the passed-in value for 'obtained' rather than always using
CRED_SPECIFIED.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2d05268aa0904221c452fc650fcdfb680efc20bb)
commit 427185f8a9949920ca87807043167cb91ecafcb9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Apr 28 10:54:05 2021 +1200
auth:creds: Remove unused variable
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1ea2de561839ad948efab5112fbe4c1eae44d9ee)
commit 1748470cc2155719dae5b587791c6bd223a5ae79
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Feb 17 12:15:50 2021 +1300
tests python krb5: MS-KILE client principal look-up
Tests of [MS-KILE]: Kerberos Protocol Extensions
section 3.3.5.6.1 Client Principal Lookup
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Isaac Boukris <iboukris at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184
(cherry picked from commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2)
commit 9e0cf55529a85853be21a42f80db88cbf5652bc9
Author: Volker Lendecke <vl at samba.org>
Date: Fri Apr 16 17:22:12 2021 +0200
librpc: Add py_descriptor_richcmp() equality function
Only a python3 version. Do we still need the python2 flavor?
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Jeremy Allison <jra at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 439b7ccdc1b1c91c66c1a7c83e340fa044c26377)
commit 28dee15ee08489635424c3053bb5629889c6f1a3
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Dec 11 11:55:01 2020 +1300
tests python krb5: PEP8 cleanups
Fix all the PEP8 warnings in samba/tests/krb5. With the exception of
rfc4120_pyasn1.py, which is generated from rfc4120.asn1.
As these tests are new, it makes sense to ensure that they conform to
PEP8. And set an aspirational goal for the rest of our python code.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Mon Dec 21 21:29:28 UTC 2020 on sn-devel-184
(cherry picked from commit c00d537526ca881c540ff66e703ad9c96dd1face)
commit 03e4bbb8d855b54898a52ade9358114b1a7bab69
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Dec 10 16:27:17 2020 +1300
tests python krb5: use key usage constants
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 03676a4a5c55ab5f4958a86cbd4d7be0f0a8a294)
commit d9f914d0820bc9fb102ac8c9de2590e8ac3e64af
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Dec 10 16:26:06 2020 +1300
tests python krb5: Add key usage constants
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d8ed73b75ad67da99be392b2db18fe2e1ffed87f)
commit f38ba41584718d54c0ed2c4ba093856d32f386bf
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Nov 30 14:19:15 2020 +1300
tests python krb5: initial TGS tests
Initial tests on the KDC TGS
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1ed461a142f68f5de5e21b873ebddfcf5ae0ca1e)
commit 81923ea82324e1ff7b94ea7da2c65a56ec9ba091
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Mon Nov 30 14:16:28 2020 +1300
tests python krb5: add test base class
Add a base class for the KDC tests to reduce the amount of code
duplication in the tests.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 0f232ed42fb2671d025643cafb19891373562e4a)
commit c8f1511ea49e4005740b0f0ef085c123ec581832
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Thu Dec 10 10:15:28 2020 +1300
tests python krb5: Add Authorization data ad-type constants
Add constants for the Authorization Data Type values.
RFC 4120 7.5.4. Authorization Data Types
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d74c9dcf3aaa613abfac49288f427484468bf6e1)
commit bde787c8484114fa4861283935ba8e1a695661e2
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Nov 18 14:49:28 2020 +1300
tests python krb5: Extra canonicalization tests
Add tests that set the server name to the client name for the machine
account in the kerberos AS_REQ. This replicates the TEST_AS_REQ_SELF
test phase in source4/torture/krb5/kdc-canon-heimdal.c.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184
(cherry picked from commit 7f7e2b0e1e17321d800de787098bb2b2c8259ecd)
commit f719d74eb7ef06969ad60f23627779a50cc68b70
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 16:57:11 2020 +1300
tests python krb5: add arcfour salt tests
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption selected,
Heimdal does not.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184
(cherry picked from commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77)
commit f79c7c3217c26ca5c35e7d624603c1a626cb1a40
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 16:56:46 2020 +1300
tests python krb5: refactor compatability tests
Refactor to aid the adding of tests for the inclusion of a salt when
ARCFOUR_HMAC_MD5 encryption selected
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d492355f293e2da400318665035b056dfaba852c)
commit 82d2ce2a66b82b9d0d2102f458e7f8b9fd54cee0
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Fri Nov 6 09:07:04 2020 +1300
tests python krb5: Convert kdc-heimdal to python
Implement the tests in source4/torture/krb5/kdc-heimdal.c in python.
The following tests were not re-implemented as they are client side
tests for the "Orpheus Lyre" attack:
TORTURE_KRB5_TEST_CHANGE_SERVER_OUT
TORTURE_KRB5_TEST_CHANGE_SERVER_IN
TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit a00a1c9745033dae05eee17cfa4e2c5354a81e68)
commit ab09ca1b0e9ea3f56b17a9cd480b931f60acedd9
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 13:51:39 2020 +1300
tests python krb5: raw_testcase permit RC4 salts
MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes
the check that a salt is not returned. A test for the difference
between MIT and Heimdal will be added in the subsequent commits.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e)
commit 7858fd1799d7b2363ab3c481551974fb9a905f64
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 11:20:58 2020 +1300
tests python krb5: Refactor compatability test constants
Modify tests to use the constants defined in rfc4120_constants.py
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974)
commit 1543efaead3a7adcef28687ba9b1ba51882b5227
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 11:20:03 2020 +1300
tests python krb5: Refactor canonicalization test constants
Modify tests to use the constants defined in rfc4120_constants.py
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 97b830cbcac53fcf49bbcd272812d1ba019bac51)
commit 8610d03794eef7d81bb02631d1285cc1f4ebc3a6
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 10 11:19:02 2020 +1300
tests python krb5: Add constants module
Extract the constants used in the tests into a separate module.
To reduce code duplication
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7)
commit fb05f15519cb908da44f25f547444ac85369df0e
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Nov 4 13:58:24 2020 +1300
tests python krb5: Add python kerberos compatability tests
Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e)
commit a142057393fdc8f69de16658ae180e138f3c504f
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Wed Nov 4 13:54:46 2020 +1300
selftest: add heimdal kdc specific known fail
Add a heimdal kerberos specific known fail, will be needed by subsequent
commits.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 5cb5134377f099353e0f91c44cc11e45d548d40f)
commit d810539294b92cb5d19f553d895fa04073bd4736
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 13:50:37 2020 +1300
selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals
This is documented in MS-KILE.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
Autobuild-User(master): Gary Lockyer <gary at samba.org>
Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184
(cherry picked from commit f214a3ba5a3e9f129f10062392ae03edd62d8186)
commit ed2c276f76519ba1bade37778d860f8eb7cab1fd
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 11:27:06 2020 +1300
selftest: Add in encrypted-pa-data from RFC 6806
This comes from Windows 2019 which supports FAST.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit fc77ece0e2b5fd324809e17a9b208cc7854cee4b)
commit 08a296f901883fae5578ea13142786ce83a0b0ca
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 11:21:24 2020 +1300
selftest: Fix formatting of failure (traceback and options swapped in format string)
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit ab8c0a181bebe17a597af49790f6e7b17e13c29b)
commit 657dde3bdf23ec96f5686d5fc5e81349297278d8
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 13:47:30 2020 +1300
selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 2693f12fbe321e0f4932b1f74d7006dbac140e8e)
commit a07052104f34c6e9777797c9993aa5fc07ecd032
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 13:46:28 2020 +1300
samdb: Add samdb.domain_netbios_name()
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
[abartlet at samba.org: Backported from commit
d79218dbba3d0f26d6a0e22b3c91b0731bf641dd as this backport
to Samba 4.13 does not include 07ce48088824bba2054e029edfa6fbae972c1921
(samba-tool: Create unix user with modified template homedir)]
commit 0242419a01075e93d4c7cdcb636260694a6f6eab
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 11:12:13 2020 +1300
selftest: Make as_canonicalization_tests.py easier to run outside "make test"
This takes the realm from the LDAP base DN and so avoids one
easy mistake to make. So far the NT4 domain name is not
auto-detected, so much be read from the smb.conf.
By using .guess() the smb.conf is read for the unspecified
parts (eg workstation for an NTLM login to the LDAP server if
the target server is an IP address).
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d85e71f449037fa035fa2fae6b64caf695c53cb3)
commit d08faae8bd0da140772946e3dfe75e484438ef39
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 11:09:59 2020 +1300
selftest: Fix flipped machine and user constants
This naturally does not change the test, but reduces developer
confusion.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 579a3c641c72b65f6ba39141a55c765b517bd7f8)
commit d7ebc3b705519e3fabd464e0d81586111df8e97d
Author: Andrew Bartlett <abartlet at samba.org>
Date: Tue Nov 10 11:09:13 2020 +1300
selftest: Send enterprise principals tagged as such
This test passed against Samba but failed against Windows when
an enterprise principal (user at domain.com@REALM) was encoded as
NT_PRINCIPAL.
Signed-off-by: Andrew Bartlett <abartlet at samba.org>
Reviewed-by: Gary Lockyer <gary at catalyst.net.nz>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit d7f731ed3577b407370d8fe7a62b4c3ee2dd9c75)
commit ca83a606256d2270683afeb9eba3f6254df9480c
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Oct 27 09:32:21 2020 +1300
tests python krb5: Add python kerberos canonicalization tests
Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 005435dc4d7de9d442c7513edec8c782fe20fda3)
commit 8536b5f4397b568c5af334652a6db36f88e6d786
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Oct 27 09:31:24 2020 +1300
tests python krb5: Add canonicalize flag to ASN1
Add the canonicalize flag to KerberosFlags, so that it can be used in
python based canonicalization tests.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 41c8aa4b991aad306d731b08d068c480eb5c7fed)
commit 71f30ca29b4356abb908d09c25dddd8758533ddf
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Oct 27 09:29:56 2020 +1300
tests python krb5: Make PrincipalName_create a class method
Make PrincipalName_create a class method, so it can be used in helper
classes.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit b14dca7c1c063e069517ff01b33c63a000d398c3)
commit 44841d2b18bea264e126264c44744d4018031e8c
Author: Gary Lockyer <gary at catalyst.net.nz>
Date: Tue Nov 3 09:25:48 2020 +1300
selftest: add mit kdc specific known fail
Add a MIT kerberos specific known fail, will be needed by subsequent
commits.
Signed-off-by: Gary Lockyer <gary at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817
(cherry picked from commit 04248f5e868d38498bdc8f9705c9a60fcfe79c09)
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/pycredentials.c | 8 +-
lib/talloc/pytalloc.c | 4 +-
libgpo/pygpo.c | 2 +-
librpc/idl/krb5ccache.idl | 115 +
librpc/idl/wscript_build | 1 +
librpc/wscript_build | 8 +-
python/samba/netcmd/user.py | 10 +-
python/samba/samdb.py | 15 +
python/samba/tests/blackbox/ndrdump.py | 45 +-
.../samba/tests/krb5/as_canonicalization_tests.py | 434 ++++
python/samba/tests/krb5/as_req_tests.py | 218 ++
python/samba/tests/krb5/compatability_tests.py | 227 ++
python/samba/tests/krb5/fast_tests.py | 1691 +++++++++++++
python/samba/tests/krb5/kcrypto.py | 79 +-
python/samba/tests/krb5/kdc_base_test.py | 913 +++++++
python/samba/tests/krb5/kdc_tests.py | 228 ++
python/samba/tests/krb5/kdc_tgs_tests.py | 213 ++
.../krb5/ms_kile_client_principal_lookup_tests.py | 829 +++++++
.../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0
python/samba/tests/krb5/raw_testcase.py | 2511 +++++++++++++++++---
python/samba/tests/krb5/rfc4120.asn1 | 187 +-
python/samba/tests/krb5/rfc4120_constants.py | 171 ++
python/samba/tests/krb5/rfc4120_pyasn1.py | 241 +-
python/samba/tests/krb5/s4u_tests.py | 38 +-
python/samba/tests/krb5/simple_tests.py | 49 +-
python/samba/tests/krb5/test_ccache.py | 135 ++
python/samba/tests/krb5/test_ldap.py | 96 +
python/samba/tests/krb5/test_rpc.py | 79 +
python/samba/tests/krb5/test_smb.py | 110 +
python/samba/tests/krb5/xrealm_tests.py | 45 +-
python/samba/tests/samdb.py | 13 +-
python/samba/tests/usage.py | 13 +
selftest/knownfail | 6 +-
selftest/knownfail.d/kdc-enterprise | 63 +
selftest/knownfail_heimdal_kdc | 123 +
selftest/knownfail_mit_kdc | 322 +++
selftest/selftesthelpers.py | 58 +-
selftest/target/Samba4.pm | 2 +-
selftest/tests.py | 1 +
selftest/wscript | 5 +
source3/libsmb/clifsinfo.c | 44 +-
source3/libsmb/pylibsmb.c | 138 +-
source3/passdb/py_passdb.c | 4 -
source3/selftest/ktest-krb5_ccache-2.txt | 1574 ++++++++++++
source3/selftest/ktest-krb5_ccache-3.txt | 832 +++++++
source4/auth/gensec/gensec_gssapi.c | 4 +
source4/auth/gensec/pygensec.c | 71 +-
source4/heimdal/kdc/kerberos5.c | 4 +-
source4/heimdal/kdc/krb5tgs.c | 4 +
source4/librpc/ndr/py_security.c | 37 +
source4/librpc/wscript_build | 7 +
source4/ntvfs/posix/python/pyposix_eadb.c | 2 +-
source4/ntvfs/posix/python/pyxattr_native.c | 4 +-
source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +-
source4/selftest/tests.py | 57 +
source4/torture/krb5/kdc-heimdal.c | 104 +-
56 files changed, 11725 insertions(+), 471 deletions(-)
create mode 100644 librpc/idl/krb5ccache.idl
create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py
create mode 100755 python/samba/tests/krb5/as_req_tests.py
create mode 100755 python/samba/tests/krb5/compatability_tests.py
create mode 100755 python/samba/tests/krb5/fast_tests.py
create mode 100644 python/samba/tests/krb5/kdc_base_test.py
create mode 100755 python/samba/tests/krb5/kdc_tests.py
create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py
create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%)
create mode 100644 python/samba/tests/krb5/rfc4120_constants.py
create mode 100755 python/samba/tests/krb5/test_ccache.py
create mode 100755 python/samba/tests/krb5/test_ldap.py
create mode 100755 python/samba/tests/krb5/test_rpc.py
create mode 100755 python/samba/tests/krb5/test_smb.py
create mode 100644 selftest/knownfail.d/kdc-enterprise
create mode 100644 selftest/knownfail_heimdal_kdc
create mode 100644 selftest/knownfail_mit_kdc
create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt
create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt
Changeset truncated at 500 lines:
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index a5d0f9e051c..e583b83d9a4 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -603,8 +603,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused)
static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
{
char *newval;
- enum credentials_obtained obt = CRED_SPECIFIED;
- int _obt = obt;
struct cli_credentials *creds = PyCredentials_AsCliCredentials(self);
if (creds == NULL) {
PyErr_Format(PyExc_TypeError, "Credentials expected");
@@ -614,7 +612,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s", &newval)) {
return NULL;
}
- obt = _obt;
cli_credentials_set_forced_sasl_mech(creds, newval);
Py_RETURN_NONE;
@@ -766,6 +763,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx))
return NULL;
+ obt = _obt;
mem_ctx = talloc_new(NULL);
if (mem_ctx == NULL) {
@@ -781,7 +779,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args)
ret = cli_credentials_set_ccache(creds,
lp_ctx,
- newval, CRED_SPECIFIED,
+ newval, obt,
&error_string);
if (ret != 0) {
@@ -1223,7 +1221,7 @@ static struct PyModuleDef moduledef = {
PyTypeObject PyCredentials = {
.tp_name = "credentials.Credentials",
.tp_new = py_creds_new,
- .tp_flags = Py_TPFLAGS_DEFAULT,
+ .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE,
.tp_methods = py_creds_methods,
};
diff --git a/lib/talloc/pytalloc.c b/lib/talloc/pytalloc.c
index cc5a6a812ea..4d3826153b9 100644
--- a/lib/talloc/pytalloc.c
+++ b/lib/talloc/pytalloc.c
@@ -37,7 +37,7 @@ static PyObject *pytalloc_report_full(PyObject *self, PyObject *args)
} else {
talloc_report_full(pytalloc_get_mem_ctx(py_obj), stdout);
}
- return Py_None;
+ Py_RETURN_NONE;
}
/* enable null tracking */
@@ -45,7 +45,7 @@ static PyObject *pytalloc_enable_null_tracking(PyObject *self,
PyObject *Py_UNUSED(ignored))
{
talloc_enable_null_tracking();
- return Py_None;
+ Py_RETURN_NONE;
}
/* return the number of talloc blocks */
diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c
index 29c8b11886e..3452bc77d61 100644
--- a/libgpo/pygpo.c
+++ b/libgpo/pygpo.c
@@ -41,7 +41,7 @@ static PyObject* GPO_get_##ATTR(PyObject *self, void *closure) \
if (gpo_ptr->ATTR) \
return PyUnicode_FromString(gpo_ptr->ATTR); \
else \
- return Py_None; \
+ Py_RETURN_NONE; \
}
GPO_getter(ds_path)
GPO_getter(file_sys_path)
diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl
new file mode 100644
index 00000000000..1f0cfa752a9
--- /dev/null
+++ b/librpc/idl/krb5ccache.idl
@@ -0,0 +1,115 @@
+/*
+ krb5 credentials cache (version 3 or 4)
+ specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
+*/
+
+#include "idl_types.h"
+
+[
+ uuid("1702b695-99ca-4f32-93e4-1e1c4d5ddb53"),
+ version(0.0),
+ pointer_default(unique),
+ helpstring("KRB5 credentials cache")
+]
+interface krb5ccache
+{
+ typedef struct {
+ uint32 name_type;
+ uint32 component_count;
+ [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string realm;
+ [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string components[component_count];
+ } PRINCIPAL;
+
+ typedef struct {
+ uint16 enctype;
+ DATA_BLOB data;
+ } KEYBLOCK;
+
+ typedef struct {
+ uint16 addrtype;
+ DATA_BLOB data;
+ } ADDRESS;
+
+ typedef struct {
+ uint32 count;
+ ADDRESS data[count];
+ } ADDRESSES;
+
+ typedef struct {
+ uint16 ad_type;
+ DATA_BLOB data;
+ } AUTHDATUM;
+
+ typedef struct {
+ uint32 count;
+ AUTHDATUM data[count];
+ } AUTHDATA;
+
+ typedef struct {
+ PRINCIPAL client;
+ PRINCIPAL server;
+ KEYBLOCK keyblock;
+ uint32 authtime;
+ uint32 starttime;
+ uint32 endtime;
+ uint32 renew_till;
+ uint8 is_skey;
+ uint32 ticket_flags;
+ ADDRESSES addresses;
+ AUTHDATA authdata;
+ DATA_BLOB ticket;
+ DATA_BLOB second_ticket;
+ } CREDENTIAL;
+
+ typedef struct {
+ [value(0)] int32 kdc_sec_offset;
+ [value(0)] int32 kdc_usec_offset;
+ } DELTATIME_TAG;
+
+ typedef [nodiscriminant] union {
+ [case(1)] DELTATIME_TAG deltatime_tag;
+ } FIELD;
+
+ typedef struct {
+ [value(1)] uint16 tag;
+ [subcontext(2),switch_is(tag)] FIELD field;
+ } V4TAG;
+
+ typedef struct {
+ V4TAG tag;
+ /*
+ * We should allow for more than one tag to be properly parsed, but that
+ * would require manual parsing.
+ */
+ [flag(NDR_REMAINING)] DATA_BLOB further_tags;
+ } V4TAGS;
+
+ typedef struct {
+ [subcontext(2)] V4TAGS v4tags;
+ } V4HEADER;
+
+ typedef [nodiscriminant] union {
+ /*
+ * We don't attempt to support file format versions 1 and 2 as they
+ * assume native CPU byte order, which makes no sense in PIDL.
+ */
+ [case(3)] ;
+ [case(4)] V4HEADER v4header;
+ } OPTIONAL_HEADER;
+
+ /* Public structures. */
+
+ typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+ [value(5)] uint8 pvno;
+ [value(4)] uint8 version;
+ [switch_is(version)] OPTIONAL_HEADER optional_header;
+ PRINCIPAL principal;
+ CREDENTIAL cred;
+ [flag(NDR_REMAINING)] DATA_BLOB further_creds;
+ } CCACHE;
+
+ typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct {
+ CREDENTIAL cred;
+ [flag(NDR_REMAINING)] DATA_BLOB further_creds;
+ } MULTIPLE_CREDENTIALS;
+}
diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build
index 928f54abde0..0cbd7f8fdfc 100644
--- a/librpc/idl/wscript_build
+++ b/librpc/idl/wscript_build
@@ -147,6 +147,7 @@ bld.SAMBA_PIDL_LIST('PIDL',
drsblobs.idl
idmap.idl
krb5pac.idl
+ krb5ccache.idl
messaging.idl
misc.idl
nbt.idl
diff --git a/librpc/wscript_build b/librpc/wscript_build
index 27b180fa63d..8f31d59d3b5 100644
--- a/librpc/wscript_build
+++ b/librpc/wscript_build
@@ -374,6 +374,11 @@ bld.SAMBA_LIBRARY('ndr-krb5pac',
vnum='0.0.1'
)
+bld.SAMBA_SUBSYSTEM('NDR_KRB5CCACHE',
+ source='gen_ndr/ndr_krb5ccache.c',
+ deps='ndr NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util'
+ )
+
bld.SAMBA_LIBRARY('ndr-standard',
source='',
vnum='0.0.1',
@@ -616,7 +621,8 @@ bld.SAMBA_LIBRARY('ndr-samba',
source=[],
deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_NEGOEX NDR_SCHANNEL NDR_MGMT
NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM
- NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''',
+ NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV
+ NDR_KRB5CCACHE''',
private_library=True,
grouping_library=True
)
diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py
index 7d4464e2aa9..ad5d2fbd485 100644
--- a/python/samba/netcmd/user.py
+++ b/python/samba/netcmd/user.py
@@ -3001,14 +3001,8 @@ The users gecos field will be set to 'User4 test'
if unix_home is None:
# obtain nETBIOS Domain Name
- filter = "(&(objectClass=crossRef)(nETBIOSName=*))"
- searchdn = ("CN=Partitions,CN=Configuration," + domaindn)
- try:
- res = samdb.search(searchdn,
- scope=ldb.SCOPE_SUBTREE,
- expression=filter)
- unix_domain = res[0]["nETBIOSName"][0]
- except IndexError:
+ unix_domain = samdb.domain_netbios_name()
+ if unix_domain is None:
raise CommandError('Unable to find Unix domain')
unix_home = "/home/{0}/{1}".format(unix_domain, username)
diff --git a/python/samba/samdb.py b/python/samba/samdb.py
index d13c5e3b7a2..36d668c4586 100644
--- a/python/samba/samdb.py
+++ b/python/samba/samdb.py
@@ -928,6 +928,21 @@ accountExpires: %u
domain_dn = self.get_default_basedn()
return domain_dn.canonical_str().split('/')[0]
+ def domain_netbios_name(self):
+ """return the NetBIOS name of the domain root"""
+ domain_dn = self.get_default_basedn()
+ dns_name = self.domain_dns_name()
+ filter = "(&(objectClass=crossRef)(nETBIOSName=*)(ncName=%s)(dnsroot=%s))" % (domain_dn, dns_name)
+ partitions_dn = self.get_partitions_dn()
+ res = self.search(partitions_dn,
+ scope=ldb.SCOPE_ONELEVEL,
+ expression=filter)
+ try:
+ netbios_domain = res[0]["nETBIOSName"][0].decode()
+ except IndexError:
+ return None
+ return netbios_domain
+
def forest_dns_name(self):
"""return the DNS name of the forest root"""
forest_dn = self.get_root_basedn()
diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py
index a33229e4740..7833ec98119 100644
--- a/python/samba/tests/blackbox/ndrdump.py
+++ b/python/samba/tests/blackbox/ndrdump.py
@@ -25,13 +25,7 @@ import os
import re
from samba.tests import BlackboxTestCase, BlackboxProcessError
-for p in ["../../../../../source4/librpc/tests",
- "../../../../../librpc/tests"]:
- data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p))
- print(data_path_dir)
- if os.path.exists(data_path_dir):
- break
-
+data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../../source4/librpc/tests"))
class NdrDumpTests(BlackboxTestCase):
"""Blackbox tests for ndrdump."""
@@ -326,6 +320,43 @@ dump OK
# convert expected to bytes for python 3
self.assertEqual(actual, expected.encode('utf-8'))
+ def test_ndrdump_Krb5ccache(self):
+ expected = open(self.data_path("../../../source3/selftest/"
+ "ktest-krb5_ccache-2.txt")).read()
+ try:
+ # Specify -d1 to match the generated output file, because ndrdump
+ # only outputs some additional info if this parameter is specified,
+ # and the --configfile parameter gives us an empty smb.conf to avoid
+ # extraneous output.
+ actual = self.check_output(
+ "ndrdump krb5ccache CCACHE struct "
+ "--configfile /dev/null -d1 --validate " +
+ self.data_path("../../../source3/selftest/"
+ "ktest-krb5_ccache-2"))
+ except BlackboxProcessError as e:
+ self.fail(e)
+ # check_output will return bytes
+ # convert expected to bytes for python 3
+ self.assertEqual(actual, expected.encode('utf-8'))
+
+ expected = open(self.data_path("../../../source3/selftest/"
+ "ktest-krb5_ccache-3.txt")).read()
+ try:
+ # Specify -d1 to match the generated output file, because ndrdump
+ # only outputs some additional info if this parameter is specified,
+ # and the --configfile parameter gives us an empty smb.conf to avoid
+ # extraneous output.
+ actual = self.check_output(
+ "ndrdump krb5ccache CCACHE struct "
+ "--configfile /dev/null -d1 --validate " +
+ self.data_path("../../../source3/selftest/"
+ "ktest-krb5_ccache-3"))
+ except BlackboxProcessError as e:
+ self.fail(e)
+ # check_output will return bytes
+ # convert expected to bytes for python 3
+ self.assertEqual(actual, expected.encode('utf-8'))
+
# This is a good example of a union with an empty default
# and no buffers to parse.
def test_ndrdump_fuzzed_spoolss_EnumForms(self):
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
new file mode 100755
index 00000000000..29d8cf418f5
--- /dev/null
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -0,0 +1,434 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+#
+# Copyright (C) Catalyst IT Ltd. 2020
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+from enum import Enum, unique
+import pyasn1
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
+from samba.credentials import DONT_USE_KERBEROS
+from samba.dcerpc.misc import SEC_CHAN_WKSTA
+from samba.tests import DynamicTestCase
+from samba.tests.krb5.rfc4120_constants import (
+ AES256_CTS_HMAC_SHA1_96,
+ AES128_CTS_HMAC_SHA1_96,
+ ARCFOUR_HMAC_MD5,
+ KDC_ERR_PREAUTH_REQUIRED,
+ KRB_AS_REP,
+ KU_AS_REP_ENC_PART,
+ KRB_ERROR,
+ KU_PA_ENC_TIMESTAMP,
+ PADATA_ENC_TIMESTAMP,
+ NT_ENTERPRISE_PRINCIPAL,
+ NT_PRINCIPAL,
+ NT_SRV_INST,
+)
+
+global_asn1_print = False
+global_hexdump = False
+
+
+ at unique
+class TestOptions(Enum):
+ Canonicalize = 1
+ Enterprise = 2
+ UpperRealm = 4
+ UpperUserName = 8
+ NetbiosRealm = 16
+ UPN = 32
+ RemoveDollar = 64
+ AsReqSelf = 128
+ Last = 256
+
+ def is_set(self, x):
+ return self.value & x
+
+
+ at unique
+class CredentialsType(Enum):
+ User = 1
+ Machine = 2
+
+ def is_set(self, x):
+ return self.value & x
+
+
+class TestData:
+
+ def __init__(self, options, creds):
+ self.options = options
+ self.user_creds = creds
+ self.user_name = self._get_username(options, creds)
+ self.realm = self._get_realm(options, creds)
+
+ if TestOptions.Enterprise.is_set(options):
+ client_name_type = NT_ENTERPRISE_PRINCIPAL
+ else:
+ client_name_type = NT_PRINCIPAL
+
+ self.cname = KDCBaseTest.PrincipalName_create(
+ name_type=client_name_type, names=[self.user_name])
+ if TestOptions.AsReqSelf.is_set(options):
+ self.sname = self.cname
+ else:
+ self.sname = KDCBaseTest.PrincipalName_create(
+ name_type=NT_SRV_INST, names=["krbtgt", self.realm])
+ self.canonicalize = TestOptions.Canonicalize.is_set(options)
+
+ def _get_realm(self, options, creds):
+ realm = creds.get_realm()
+ if TestOptions.NetbiosRealm.is_set(options):
+ realm = creds.get_domain()
+ if TestOptions.UpperRealm.is_set(options):
+ realm = realm.upper()
+ else:
+ realm = realm.lower()
+ return realm
+
+ def _get_username(self, options, creds):
+ name = creds.get_username()
+ if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"):
+ name = name[:-1]
+ if TestOptions.Enterprise.is_set(options):
+ realm = creds.get_realm()
+ name = "{0}@{1}".format(name, realm)
+ if TestOptions.UpperUserName.is_set(options):
+ name = name.upper()
+ return name
+
+ def __repr__(self):
+ rep = "Test Data: "
+ rep += "options = '" + "{:08b}".format(self.options) + "'"
+ rep += "user name = '" + self.user_name + "'"
+ rep += ", realm = '" + self.realm + "'"
+ rep += ", cname = '" + str(self.cname) + "'"
+ rep += ", sname = '" + str(self.sname) + "'"
+ return rep
+
+
+MACHINE_NAME = "tstkrb5cnnmch"
+USER_NAME = "tstkrb5cnnusr"
+
+
+ at DynamicTestCase
+class KerberosASCanonicalizationTests(KDCBaseTest):
+
+ @classmethod
+ def setUpDynamicTestCases(cls):
+
+ def skip(ct, options):
+ ''' Filter out any mutually exclusive test options '''
+ if ct != CredentialsType.Machine and\
+ TestOptions.RemoveDollar.is_set(options):
--
Samba Shared Repository
More information about the samba-cvs
mailing list