[SCM] Samba Shared Repository - branch master updated

Stefan Metzmacher metze at samba.org
Mon Jun 26 12:12:01 UTC 2023


The branch, master has been updated
       via  7828c6535cd s4:kdc: Don’t overwrite error code
       via  192024e8403 s4:kdc: Add comment to clarify that we fetch the client claims
       via  fcea53584de s4:kdc: clear client and device claims from trusts
       via  7a4fa2c5643 s4:kdc: Make [client,device]_claims_blob const pointers
       via  ebc27cf32a6 s4:kdc: Remove unnecessary NULL check
       via  c69174c07c4 s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()
       via  1ffca866c15 s4:kdc: adjust formatting of samba_kdc_update_pac() documentation
       via  b42fbc78395 s4:kdc: Enforce authentication policy service restrictions when getting a PAC
       via  3240ac4ebef s4:kdc: Check authentication policy server restrictions
       via  9a9f4799192 s4:kdc: Check authentication policy device restrictions
       via  f3714a3e3a3 s4:kdc: Add comment stating that policies aren’t looked up for S4U clients
       via  8b1897f02ee tests/krb5: Test that client policies are not enforced with S4U
       via  8e32075188f tests/krb5: Fix RBCD comments
       via  456373ac19c tests/krb5: Don’t unnecessarily specify ‘id’
       via  620c842da01 s4:kdc: Remove unused ‘server’ parameter in pac_verify()
       via  67436de3e77 s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
       via  19f867bc54e s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
       via  8425ffc8f3b s4:kdc: Update Samba KDC plugin to match new Heimdal version
       via  95c02a9794b third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)
       via  1abc2543cd4 tests/krb5: Add test for authenticating with disabled account and wrong password
       via  9d7f1794937 tests/auth_log_pass_change: Fix flapping test
       via  539cd516004 netcmd: domain: Fix typo
      from  ecff09d75df Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7828c6535cd61ef9ff64417226fcd8ae9dad23e9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jun 26 17:09:22 2023 +1200

    s4:kdc: Don’t overwrite error code
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>
    
    Autobuild-User(master): Stefan Metzmacher <metze at samba.org>
    Autobuild-Date(master): Mon Jun 26 12:11:30 UTC 2023 on atb-devel-224

commit 192024e840333d99cf7028cb1abfcc9da5af335e
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 23 11:55:24 2023 +1200

    s4:kdc: Add comment to clarify that we fetch the client claims
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit fcea53584deadd41ecd5ce47402eee36168bbc24
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jun 22 09:08:53 2023 +0200

    s4:kdc: clear client and device claims from trusts
    
    As we don't support the Claims Transformation Algorithm [MS-CTA],
    we had better clear the claims, as they have no valid meaning in our domain.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 7a4fa2c5643d42bd8caba31e44df94812196fca4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jun 26 11:10:51 2023 +1200

    s4:kdc: Make [client,device]_claims_blob const pointers
    
    This is so that we can have them point to ‘null_data’ if we so choose.
    
    We can’t assign the result of data_blob_talloc() to a const pointer, so
    we go through an intermediary non-const pointer for the
    device_claims_blob case.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit ebc27cf32a61d543a1fa2c73ca49e28077904e43
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jun 26 11:11:19 2023 +1200

    s4:kdc: Remove unnecessary NULL check
    
    pac_blobs_add_blob() already checks whether the blob argument is NULL,
    and skips adding the blob if so.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit c69174c07c49589ed52a67781ed8862ffb47fea3
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Jun 22 09:18:51 2023 +0200

    s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()
    
    For now we only pass in the krbtgt that verified the client pac
    and optionally the krbtgt that verified the device pac.
    
    These can be different depending on the domain of the related
    principals.
    
    If we want to apply SID filtering in future we may also need
    to pass in the krbtgt that verified the delegated_proxy_pac,
    but that needs more research and is not required for the
    following changes.
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit 1ffca866c1574f340cd56fd8c90d41a528bc649a
Author: Stefan Metzmacher <metze at samba.org>
Date:   Fri Jun 23 11:20:59 2023 +1200

    s4:kdc: adjust formatting of samba_kdc_update_pac() documentation
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>

commit b42fbc78395870c3caa33aa1c9636a59fde9e867
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 16 15:08:00 2023 +1200

    s4:kdc: Enforce authentication policy service restrictions when getting a PAC
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 3240ac4ebef75c3e955259ad32054380996ae7cf
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 16 14:24:50 2023 +1200

    s4:kdc: Check authentication policy server restrictions
    
    For a constrained delegation request, we need to pass ‘delegated_proxy’
    (and the delegated proxy PAC, if one was provided) into
    samba_kdc_update_pac() so that we can verify that the delegating server
    is allowed to authenticate to the target server.
    
    The ‘const’ is entirely unnecessary in a function declaration, but we
    add it just to be consistent.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9a9f4799192db27562d4a53d7900d9393b72c20d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Fri Jun 16 15:05:48 2023 +1200

    s4:kdc: Check authentication policy device restrictions
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit f3714a3e3a3e15f93926b51968b3c8c96db1209a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 12:57:27 2023 +1200

    s4:kdc: Add comment stating that policies aren’t looked up for S4U clients
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8b1897f02eef9aabcbcc12aab1cf2547b4ac4e4f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 12:59:11 2023 +1200

    tests/krb5: Test that client policies are not enforced with S4U
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8e32075188f6ae1f01f664ca184b87cb048b6b1a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 12:56:45 2023 +1200

    tests/krb5: Fix RBCD comments
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 456373ac19c60b02110fc346d9d45bf4d63b691f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 12:39:26 2023 +1200

    tests/krb5: Don’t unnecessarily specify ‘id’
    
    In tests where we have multiple accounts of the same type, we use the
    ‘id’ parameter to ensure that these accounts are all different, as some
    restrictions are bypassed if an account authenticates to the selfsame
    account. However, this is unnecessary if we already specify (with
    ‘use_cache=False’) that the cache is not to be used.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 620c842da01c36dd89a7a5f5ed14b6b9f7e0e60d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 11:21:27 2023 +1200

    s4:kdc: Remove unused ‘server’ parameter in pac_verify()
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 67436de3e77af14695f5e6588e6f62d7f980271f
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 11:20:44 2023 +1200

    s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
    
    NOTE: This commit finally works again!
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 19f867bc54e81ffd1b639f1b3651608c0460074c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 11:15:50 2023 +1200

    s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
    
    Such errors were not logged in the past, either, but that was accidental
    — a result of failing too early for an authentication event to be set —
    rather than the auditing being deliberately designed that way.
    
    Now that we have added the KDC_AUTH_EVENT_CLIENT_FOUND event, we want to
    ensure that PREAUTH_REQUIRED errors continue to go unlogged.
    
    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 8425ffc8f3b87fb4fb88fdae24e3e3ced52643ab
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 11:14:50 2023 +1200

    s4:kdc: Update Samba KDC plugin to match new Heimdal version
    
    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 95c02a9794b624e89eccd73cb0a4401a7417040a
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 10:52:01 2023 +1200

    third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)
    
    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 1abc2543cd44f3b9c4b5da4537f69c48bc2b6e02
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Wed Jun 21 16:54:36 2023 +1200

    tests/krb5: Add test for authenticating with disabled account and wrong password
    
    This shows us that the client’s access is checked prior to passwords
    being checked.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 9d7f1794937a8626a016422188213e7088d0d86b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Tue Jun 20 10:11:50 2023 +1200

    tests/auth_log_pass_change: Fix flapping test
    
    It appears that discardMessages() is still not entirely reliable. Ensure
    that we filter out any messages from the Administrator’s authentication.
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

commit 539cd516004f3597f39885c5d2c39e2b3d9a0ab9
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date:   Mon Jun 19 12:55:40 2023 +1200

    netcmd: domain: Fix typo
    
    Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abartlet at samba.org>
    Reviewed-by: Stefan Metzmacher <metze at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/domain/models/auth_silo.py |   2 +-
 python/samba/tests/auth_log_pass_change.py     |  10 +-
 python/samba/tests/krb5/as_req_tests.py        |  47 ++++-
 python/samba/tests/krb5/authn_policy_tests.py  | 248 +++++++++++++++++++++++--
 python/samba/tests/krb5/kdc_base_test.py       |   7 +-
 selftest/knownfail_heimdal_kdc                 |  87 +--------
 selftest/knownfail_mit_kdc                     |  10 +
 source4/kdc/db-glue.c                          |   4 +
 source4/kdc/hdb-samba4.c                       |  22 +++
 source4/kdc/mit_samba.c                        |  14 +-
 source4/kdc/pac-glue.c                         | 139 +++++++++++---
 source4/kdc/pac-glue.h                         |   8 +-
 source4/kdc/wdc-samba4.c                       | 161 +++++++++++++---
 third_party/heimdal/kdc/fast.c                 |  20 +-
 third_party/heimdal/kdc/kdc-accessors.h        |  37 +++-
 third_party/heimdal/kdc/kdc-audit.h            |   1 +
 third_party/heimdal/kdc/kdc-plugin.c           |  52 ++++--
 third_party/heimdal/kdc/kdc-plugin.h           |   9 +-
 third_party/heimdal/kdc/kdc_locl.h             |   6 +-
 third_party/heimdal/kdc/kerberos5.c            |  35 ++--
 third_party/heimdal/kdc/krb5tgs.c              |  71 ++++---
 third_party/heimdal/kdc/libkdc-exports.def     |   6 +
 third_party/heimdal/kdc/mssfu.c                | 128 +++++++------
 third_party/heimdal/kdc/pkinit.c               |   2 +-
 third_party/heimdal/kdc/version-script.map     |   6 +
 third_party/heimdal/lib/base/dict.c            |   4 +-
 third_party/heimdal/lib/krb5/changepw.c        |   2 +-
 third_party/heimdal/lib/krb5/crypto.c          |   2 +-
 third_party/heimdal/lib/krb5/deprecated.c      |  37 ++--
 third_party/heimdal/lib/krb5/init_creds.c      |   2 +-
 30 files changed, 866 insertions(+), 313 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py
index e694e1874c6..e3228d5607b 100644
--- a/python/samba/netcmd/domain/models/auth_silo.py
+++ b/python/samba/netcmd/domain/models/auth_silo.py
@@ -75,7 +75,7 @@ class AuthenticationSilo(Model):
         self.refresh(ldb, fields=["members"])
 
     def remove_member(self, ldb, member):
-        """Remove a member to the Authentication Silo.
+        """Remove a member from the Authentication Silo.
 
         Rather than saving the silo object and writing the entire member
         list out again, just remove one member only.
diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py
index eef2d743684..bbc14a5a7e1 100644
--- a/python/samba/tests/auth_log_pass_change.py
+++ b/python/samba/tests/auth_log_pass_change.py
@@ -236,8 +236,14 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase):
     #
     def test_ldap_change_password_bad_user(self):
         def isLastExpectedMessage(msg):
-            # Accept any message we receive.
-            return True
+            msg_type = msg["type"]
+
+            # Accept any message we receive, except for those produced while
+            # the Administrator authenticates in setUp().
+            return (msg_type != "Authentication" or (
+                "Administrator" not in msg[msg_type]["clientAccount"])) and (
+                    msg_type != "Authorization" or (
+                        "Administrator" not in msg[msg_type]["account"]))
 
         new_password = samba.generate_random_password(32, 32)
         try:
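Review bot: the combined boolean in isLastExpectedMessage() is hard to read and hard-codes the "Administrator" name; an early-return form per message type (`if msg_type == "Authentication": return "Administrator" not in msg[msg_type]["clientAccount"]`, likewise for "Authorization" and "account", then `return True`) says the same thing more clearly, and taking the admin account name from the test environment rather than a literal would keep the filter correct if the test domain ever uses a renamed administrator. Note also that a substring check will drop messages for any account whose name merely contains "Administrator"; an exact comparison is safer if such accounts can appear in these tests.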
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index e8712b5bf8a..eb5e16e539e 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -22,11 +22,13 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
+from samba import ntstatus
 from samba.tests import DynamicTestCase
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
+    KDC_ERR_CLIENT_REVOKED,
     KDC_ERR_C_PRINCIPAL_UNKNOWN,
     KDC_ERR_S_PRINCIPAL_UNKNOWN,
     KDC_ERR_ETYPE_NOSUPP,
@@ -48,6 +50,8 @@ class AsReqBaseTest(KDCBaseTest):
                                   name_type=NT_PRINCIPAL, etypes=None,
                                   expected_error=None, expect_edata=None,
                                   expected_pa_error=None, expect_pa_edata=None,
+                                  expect_status=None,
+                                  expect_pa_status=None,
                                   kdc_options=None, till=None):
         user_name = client_creds.get_username()
         if client_account is None:
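Review bot: the new parameters are named `expect_status`/`expect_pa_status` but their values are forwarded as `expected_status` (see the later hunks), so the signature now mixes the `expect_*` and `expected_*` conventions already present in `expect_edata` and `expected_error`; if the helper is being touched anyway, picking one prefix for the new names (e.g. `expected_status`, `expected_pa_status`) would avoid widening the inconsistency. A short docstring for _run_as_req_enc_timestamp() describing which expectation applies to the initial exchange and which to the padata exchange would also help callers such as the new logonHours tests.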
@@ -101,9 +105,10 @@ class AsReqBaseTest(KDCBaseTest):
             expected_supported_etypes=krbtgt_supported_etypes,
             expected_account_name=user_name,
             pac_request=True,
-            expect_edata=expect_edata)
+            expect_edata=expect_edata,
+            expected_status=expect_status)
 
-        if expected_error is not None:
+        if rep['error-code'] != KDC_ERR_PREAUTH_REQUIRED:
             return None
 
         etype_info2 = kdc_exchange_dict['preauth_etype_info2']
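Review bot: replacing `if expected_error is not None` with `if rep['error-code'] != KDC_ERR_PREAUTH_REQUIRED` assumes `rep` is always a KRB-ERROR at this point; if the first, pre-authentication-free AS-REQ can ever succeed (an account without pre-authentication required, or a KDC that issues a ticket here), `rep['error-code']` raises KeyError instead of returning None. Consider checking the message type first (e.g. that `rep['msg-type']` is KRB_ERROR) or having the caller state that an error is expected, so a successful AS-REP at this stage fails with an assertion rather than a KeyError.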
@@ -148,6 +153,7 @@ class AsReqBaseTest(KDCBaseTest):
             expected_supported_etypes=krbtgt_supported_etypes,
             expected_account_name=user_name,
             expect_edata=expect_pa_edata,
+            expected_status=expect_pa_status,
             preauth_key=preauth_key,
             ticket_decryption_key=krbtgt_decryption_key,
             pac_request=True)
@@ -531,6 +537,43 @@ class AsReqKerberosTests(AsReqBaseTest):
             client_creds,
             till='99990913024805Z')
 
+    def test_logon_hours(self):
+        """Test making an AS-REQ with a logonHours attribute that disallows
+        logging in."""
+
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={'logon_hours': bytes(21)})
+
+        # Expect to get a CLIENT_REVOKED error.
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED),
+            expect_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS,
+            expected_pa_error=KDC_ERR_CLIENT_REVOKED,
+            expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
+
+    def test_logon_hours_wrong_password(self):
+        """Test making an AS-REQ with a wrong password and a logonHours
+        attribute that disallows logging in."""
+
+        # Use a non-cached account so that it is not locked out for other
+        # tests.
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={'logon_hours': bytes(21)},
+            use_cache=False)
+
+        client_creds.set_password('wrong password')
+
+        # Expect to get a CLIENT_REVOKED error.
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED),
+            expect_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS,
+            expected_pa_error=KDC_ERR_CLIENT_REVOKED,
+            expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
+
 
 if __name__ == "__main__":
     global_asn1_print = False
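Review bot: both new tests pass `expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED)` while the preceding comment says only "Expect to get a CLIENT_REVOKED error", which is accurate for the padata exchange but not for the first one; a comment explaining why either code is acceptable on the initial request (which KDC returns which, given the knownfail_mit_kdc additions in this changeset) would stop a future reader from "fixing" the tuple. The two tests also share all of their setup except `use_cache=False` and `set_password('wrong password')`, so a small helper taking the credentials would remove the duplication; and `bytes(21)` deserves a one-line comment that it is the 168-bit logonHours bitmap with every hour cleared.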
diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py
index 29bde221a89..5ffdba41e99 100755
--- a/python/samba/tests/krb5/authn_policy_tests.py
+++ b/python/samba/tests/krb5/authn_policy_tests.py
@@ -4444,7 +4444,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a computer account.
         client_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         client_dn = client_creds.get_dn()
         tgt = self.get_tgt(client_creds)
@@ -4479,7 +4478,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a computer account.
         client_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         client_dn = client_creds.get_dn()
         tgt = self.get_tgt(client_creds)
@@ -4680,7 +4678,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a target account.
         target_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         target_spn = target_creds.get_spn()
 
@@ -4777,6 +4774,53 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
                            policy=target_policy,
                            checked_creds=service_creds)
 
+    def test_authn_policy_s4u2self_not_allowed_from(self):
+        # Create a machine account with which to perform FAST.
+        mach_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER)
+        mach_tgt = self.get_tgt(mach_creds)
+
+        # Create an authentication policy that applies to a user and explicitly
+        # denies authentication with any device.
+        denied = f'O:SYD:(D;;CR;;;WD)'
+        policy = self.create_authn_policy(enforced=True,
+                                          user_allowed_from=denied)
+
+        # Create a user account with the assigned policy.
+        client_creds = self._get_creds(account_type=self.AccountType.USER,
+                                       assigned_policy=policy)
+        client_cname = self.PrincipalName_create(
+            name_type=NT_PRINCIPAL,
+            names=[client_creds.get_username()])
+        client_realm = client_creds.get_realm()
+
+        # Create a computer account.
+        target_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER)
+        target_tgt = self.get_tgt(target_creds)
+
+        def generate_s4u2self_padata(_kdc_exchange_dict,
+                                     _callback_dict,
+                                     req_body):
+            padata = self.PA_S4U2Self_create(
+                name=client_cname,
+                realm=client_realm,
+                tgt_session_key=target_tgt.session_key,
+                ctype=None)
+
+            return [padata], req_body
+
+        # Show that obtaining a service ticket with S4U2Self is allowed,
+        # despite the client’s policy.
+        self._tgs_req(target_tgt, 0, target_creds, target_creds,
+                      expected_cname=client_cname,
+                      generate_fast_padata_fn=generate_s4u2self_padata,
+                      armor_tgt=mach_tgt)
+
+        # The client’s policy does not apply for S4U2Self, and thus does not
+        # appear in the logs.
+        self.check_tgs_log(client_creds, target_creds, policy=None)
+
     def test_authn_policy_allowed_to_user_allow_constrained_delegation(self):
         samdb = self.get_samdb()
 
@@ -4803,7 +4847,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a target account.
         target_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         target_spn = target_creds.get_spn()
 
@@ -4889,7 +4932,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a target account.
         target_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         target_spn = target_creds.get_spn()
 
@@ -4949,6 +4991,186 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
             event=AuditEvent.KERBEROS_SERVER_RESTRICTION,
             reason=AuditReason.ACCESS_DENIED)
 
+    def test_authn_policy_constrained_delegation_not_allowed_from(self):
+        samdb = self.get_samdb()
+
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            use_cache=False)
+        client_sid = client_creds.get_sid()
+
+        client_username = client_creds.get_username()
+        client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+                                                 names=[client_username])
+
+        client_tkt_options = 'forwardable'
+        expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
+
+        client_tgt = self.get_tgt(client_creds,
+                                  kdc_options=client_tkt_options,
+                                  expected_flags=expected_flags)
+
+        # Create an authentication policy that applies to a user and explicitly
+        # denies authentication with any device.
+        denied = f'O:SYD:(D;;CR;;;WD)'
+        policy = self.create_authn_policy(enforced=True,
+                                          user_allowed_from=denied)
+
+        # Assign the policy to the client account.
+        self.add_attribute(samdb, str(client_creds.get_dn()),
+                           'msDS-AssignedAuthNPolicy', str(policy.dn))
+
+        # Create a machine account with which to perform FAST.
+        mach_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER)
+        mach_tgt = self.get_tgt(mach_creds)
+
+        # Create a target account.
+        target_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER,
+            use_cache=False)
+        target_spn = target_creds.get_spn()
+
+        service_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER,
+            opts={
+                'delegation_to_spn': target_spn,
+            })
+        service_tgt = self.get_tgt(service_creds)
+
+        client_service_tkt = self.get_service_ticket(
+            client_tgt,
+            service_creds,
+            kdc_options=client_tkt_options,
+            expected_flags=expected_flags)
+
+        kdc_options = str(krb5_asn1.KDCOptions('cname-in-addl-tkt'))
+
+        target_decryption_key = self.TicketDecryptionKey_from_creds(
+            target_creds)
+        target_etypes = target_creds.tgs_supported_enctypes
+
+        service_name = service_creds.get_username()
+        if service_name[-1] == '$':
+            service_name = service_name[:-1]
+        expected_transited_services = [
+            f'host/{service_name}@{service_creds.get_realm()}'
+        ]
+
+        # Don’t confuse the client’s TGS-REQ to the service, above, with the
+        # following constrained delegation request to the service.
+        self.discardMessages()
+
+        # Show that obtaining a service ticket with constrained delegation is
+        # allowed, despite the client’s policy.
+        self._tgs_req(service_tgt, 0, service_creds, target_creds,
+                      armor_tgt=mach_tgt,
+                      kdc_options=kdc_options,
+                      expected_cname=client_cname,
+                      expected_account_name=client_username,
+                      additional_ticket=client_service_tkt,
+                      decryption_key=target_decryption_key,
+                      expected_sid=client_sid,
+                      expected_supported_etypes=target_etypes,
+                      expected_proxy_target=target_spn,
+                      expected_transited_services=expected_transited_services)
+
+        self.check_tgs_log(client_creds, target_creds,
+                           policy=None,
+                           checked_creds=service_creds)
+
+    def test_authn_policy_rbcd_not_allowed_from(self):
+        samdb = self.get_samdb()
+        functional_level = self.get_domain_functional_level(samdb)
+
+        if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008:
+            self.skipTest('RBCD requires FL2008')
+
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            use_cache=False)
+        client_sid = client_creds.get_sid()
+
+        client_username = client_creds.get_username()
+        client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+                                                 names=[client_username])
+
+        client_tkt_options = 'forwardable'
+        expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
+
+        client_tgt = self.get_tgt(client_creds,
+                                  kdc_options=client_tkt_options,
+                                  expected_flags=expected_flags)
+
+        # Create an authentication policy that applies to a user and explicitly
+        # denies authentication with any device.
+        denied = f'O:SYD:(D;;CR;;;WD)'
+        policy = self.create_authn_policy(enforced=True,
+                                          user_allowed_from=denied)
+
+        # Assign the policy to the client account.
+        self.add_attribute(samdb, str(client_creds.get_dn()),
+                           'msDS-AssignedAuthNPolicy', str(policy.dn))
+
+        # Create a machine account with which to perform FAST.
+        mach_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER)
+        mach_tgt = self.get_tgt(mach_creds)
+
+        service_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER,
+            opts={'id': 1})
+        service_tgt = self.get_tgt(service_creds)
+
+        # Create a target account.
+        target_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER,
+            opts={
+                'delegation_from_dn': str(service_creds.get_dn()),
+            })
+
+        client_service_tkt = self.get_service_ticket(
+            client_tgt,
+            service_creds,
+            kdc_options=client_tkt_options,
+            expected_flags=expected_flags)
+
+        kdc_options = str(krb5_asn1.KDCOptions('cname-in-addl-tkt'))
+
+        target_decryption_key = self.TicketDecryptionKey_from_creds(
+            target_creds)
+        target_etypes = target_creds.tgs_supported_enctypes
+
+        service_name = service_creds.get_username()
+        if service_name[-1] == '$':
+            service_name = service_name[:-1]
+        expected_transited_services = [
+            f'host/{service_name}@{service_creds.get_realm()}'
+        ]
+
+        # Don’t confuse the client’s TGS-REQ to the service, above, with the
+        # following RBCD request to the service.
+        self.discardMessages()
+
+        # Show that obtaining a service ticket with RBCD is allowed, despite
+        # the client’s policy.
+        self._tgs_req(service_tgt, 0, service_creds, target_creds,
+                      armor_tgt=mach_tgt,
+                      kdc_options=kdc_options,
+                      pac_options='1001',  # supports claims, RBCD
+                      expected_cname=client_cname,
+                      expected_account_name=client_username,
+                      additional_ticket=client_service_tkt,
+                      decryption_key=target_decryption_key,
+                      expected_sid=client_sid,
+                      expected_supported_etypes=target_etypes,
+                      expected_proxy_target=target_creds.get_spn(),
+                      expected_transited_services=expected_transited_services)
+
+        self.check_tgs_log(client_creds, target_creds,
+                           policy=None,
+                           checked_creds=service_creds)
+
     def test_authn_policy_allowed_to_user_allow_constrained_delegation_wrong_sname(self):
         client_creds = self.get_cached_creds(
             account_type=self.AccountType.USER,
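Review bot: the line `denied = f'O:SYD:(D;;CR;;;WD)'` is an f-string with no replacement fields; drop the `f` prefix (`denied = 'O:SYD:(D;;CR;;;WD)'`) so linters do not flag it and a later edit cannot accidentally turn the SDDL braces into interpolation. Otherwise the test exercises the intended path: the client's enforced policy denies CR to Everyone, yet the RBCD request via `_tgs_req(service_tgt, 0, ...)` is expected to succeed, and `check_tgs_log` is called with `policy=None` and `checked_creds=service_creds`, which records that only the service's policy, not the client's, was evaluated for the S4U2Proxy request.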
@@ -5079,7 +5301,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         ]
 
         # Don’t confuse the client’s TGS-REQ to the service, above, with the
-        # following constrained delegation request to the service.
+        # following RBCD request to the service.
         self.discardMessages()
 
         # Show that obtaining a service ticket with RBCD is allowed.
@@ -5156,7 +5378,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
             target_creds)
 
         # Don’t confuse the client’s TGS-REQ to the service, above, with the
-        # following constrained delegation request to the service.
+        # following RBCD request to the service.
         self.discardMessages()
 
         # Show that obtaining a service ticket with RBCD is not allowed.
@@ -5223,7 +5445,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
             target_creds)
 
         # Don’t confuse the client’s TGS-REQ to the service, above, with the
-        # following constrained delegation request to the service.
+        # following RBCD request to the service.
         self.discardMessages()
 
         # Show that obtaining a service ticket with RBCD fails if the sname
@@ -5267,7 +5489,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a service account.
         service_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         service_dn_str = str(service_creds.get_dn())
         service_spn = service_creds.get_spn()
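Review bot: removing `opts={'id': 1}` is safe in this hunk because the same call passes `use_cache=False`; the `id` key only diversifies a cache entry, and with caching disabled a fresh service account is created regardless, so the key had no effect. Worth a one-line note in the commit message that `'id'` is only meaningful together with caching, since the same pattern is removed in several places.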
@@ -5356,7 +5577,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a service account.
         service_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         service_dn_str = str(service_creds.get_dn())
         service_spn = service_creds.get_spn()
@@ -5441,7 +5661,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a service account.
         service_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         service_dn_str = str(service_creds.get_dn())
         service_sid = service_creds.get_sid()
@@ -5567,7 +5786,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         ]
 
         # Don’t confuse the client’s TGS-REQ to the service, above, with the
-        # following constrained delegation request to the service.
+        # following RBCD request to the service.
         self.discardMessages()
 
         # Show that obtaining a service ticket to ourselves with RBCD is
@@ -5662,7 +5881,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         ]
 
         # Don’t confuse the client’s TGS-REQ to the service, above, with the
-        # following constrained delegation request to the service.
+        # following RBCD request to the service.
         self.discardMessages()
 
         # Show that obtaining a service ticket to ourselves with RBCD is
@@ -5710,7 +5929,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
         # Create a service account.
         service_creds = self.get_cached_creds(
             account_type=self.AccountType.COMPUTER,
-            opts={'id': 1},
             use_cache=False)
         service_dn_str = str(service_creds.get_dn())
         service_sid = service_creds.get_sid()
@@ -5741,7 +5959,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests):
             service_creds)
 
         # Don’t confuse the client’s TGS-REQ to the service, above, with the
-        # following constrained delegation request to the service.
+        # following RBCD request to the service.
         self.discardMessages()
 
         # Show that obtaining a service ticket to ourselves with RBCD
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 276fc089a6d..96ae43a0937 100644
--- a/python/samba/tests/krb5/kdc_base_test.py


-- 
Samba Shared Repository
