[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu Nov 2 20:14:01 UTC 2023
The branch, master has been updated
via 3ef68efca29 tests/krb5: Fix comments
via 62373eeef06 tests/krb5: Test RODC‐issued TGTs that already contain device info/claims
via 86fb7d17ff7 tests/krb5: Don’t reuse SID S-1-2-3-4
via 224408f9592 tests/krb5: Test target authentication policies when the TGT already contains device info/claims
via 622ac53f222 tests/krb5: Add tests for PACs containing extraneous buffers
via 69d588a8702 tests/krb5: Pass a list of PAC modification functions
via 6e999eab1c3 tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims
via 014c939bdd7 tests/krb5: Add support to test framework for existing device info or claims buffers
via e468a7d6271 tests/krb5: Always expect client claims
via 7048f380eb2 tests/krb5: Ensure that device SIDs and claims are present only if we expect them to be
via 51a4443b044 tests/krb5: No longer pass two‐component form of TGS principal
via 6033b1c00dc tests/krb5: Remove unused import
via b0a09a69cc8 selftest/flapping: Mark smb2.multichannel.bugs.bug_15346(nt4_dc) flapping
via 687b1b99314 tests: Convert the regression test for bug15505 to python
via 9dd5e12cfa4 tests: Make clean_file() handle directories
via b5392b552ed tests: Allow to specify share names in smb2symlink tests
from 1372ef0ef46 s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID 1499404)
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 3ef68efca292651a7b83166767452a6986175924
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 09:33:10 2023 +1300
tests/krb5: Fix comments
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu Nov 2 20:13:50 UTC 2023 on atb-devel-224
commit 62373eeef069a7631093f237b4ca95c3992fb346
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 2 14:32:58 2023 +1300
tests/krb5: Test RODC‐issued TGTs that already contain device info/claims
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 86fb7d17ff7683c66ce74e16b3be927b97ea5e5d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 2 14:32:00 2023 +1300
tests/krb5: Don’t reuse SID S-1-2-3-4
We’re already using it in ‘client_sids’ to work around a bug in Windows.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 224408f9592442a503c6b33454b9dcefec64331d
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 16:59:21 2023 +1300
tests/krb5: Test target authentication policies when the TGT already contains device info/claims
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 622ac53f2229c005a7f35779298af8405549c0d4
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 2 15:29:32 2023 +1300
tests/krb5: Add tests for PACs containing extraneous buffers
Test that the KDC removes these buffers from RODC‐issued PACs.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 69d588a8702fa5b973e33bf7cea1d01fcf112b1c
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Thu Nov 2 15:27:24 2023 +1300
tests/krb5: Pass a list of PAC modification functions
This is simpler than chaining functions together.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6e999eab1c3ffd79730f9003f7f284b51a840a15
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 13:55:14 2023 +1300
tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 014c939bdd7f49c484ec36f0ec9159aa7012edcd
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 10:16:57 2023 +1300
tests/krb5: Add support to test framework for existing device info or claims buffers
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e468a7d62716ff28e84f753fe187828e94f2c50b
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 13:39:28 2023 +1300
tests/krb5: Always expect client claims
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7048f380eb28e9d411fae27fba45b66a08de0a54
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 13:38:24 2023 +1300
tests/krb5: Ensure that device SIDs and claims are present only if we expect them to be
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 51a4443b04490d412b018f3ef303f77cb7304d10
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 13:07:54 2023 +1300
tests/krb5: No longer pass two‐component form of TGS principal
Samba now handles one‐component TGS principals more correctly.
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6033b1c00dc080a8f0445bae6a8c4ccd54934237
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Wed Nov 1 12:05:50 2023 +1300
tests/krb5: Remove unused import
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b0a09a69cc8f44077363fe6ecbab8e237e769b13
Author: Joseph Sutton <josephsutton at catalyst.net.nz>
Date: Tue Oct 31 07:29:57 2023 +1300
selftest/flapping: Mark smb2.multichannel.bugs.bug_15346(nt4_dc) flapping
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15498
Signed-off-by: Joseph Sutton <josephsutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 687b1b993149de0785ad1134366a7917b2d1f57a
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 1 15:39:12 2023 +0100
tests: Convert the regression test for bug15505 to python
The shell version is flapping, but I can't really figure out
why. Maybe this version is not flapping, and it also shows the failure
if you revert 952d6c2cf48.
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9dd5e12cfa46fe5e9c3653f2e85d0a7f9c59e74c
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 1 15:38:55 2023 +0100
tests: Make clean_file() handle directories
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit b5392b552ed6b995196a91118bad11239eee25f7
Author: Volker Lendecke <vl at samba.org>
Date: Wed Nov 1 14:22:09 2023 +0100
tests: Allow to specify share names in smb2symlink tests
Signed-off-by: Volker Lendecke <vl at samba.org>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
python/samba/tests/krb5/conditional_ace_tests.py | 408 +++++++++++++++++++----
python/samba/tests/krb5/device_tests.py | 2 +-
python/samba/tests/krb5/kdc_base_test.py | 23 ++
python/samba/tests/krb5/kdc_tgs_tests.py | 62 +++-
python/samba/tests/krb5/raw_testcase.py | 8 +
python/samba/tests/krb5/s4u_tests.py | 2 +-
python/samba/tests/smb2symlink.py | 53 ++-
selftest/flapping.d/smb2-multichannel | 3 +
selftest/knownfail_heimdal_kdc | 34 ++
selftest/knownfail_mit_kdc | 46 +++
source3/script/tests/test_smbclient_s3.sh | 39 ---
11 files changed, 557 insertions(+), 123 deletions(-)
create mode 100644 selftest/flapping.d/smb2-multichannel
Changeset truncated at 500 lines:
diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py
index b04a0bbaa3f..de26a920ae0 100755
--- a/python/samba/tests/krb5/conditional_ace_tests.py
+++ b/python/samba/tests/krb5/conditional_ace_tests.py
@@ -45,7 +45,6 @@ from samba.tests.krb5.raw_testcase import RawKerberosTest
from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_BADOPTION,
KDC_ERR_GENERIC,
- KDC_ERR_MODIFIED,
KDC_ERR_POLICY,
NT_PRINCIPAL,
)
@@ -3420,16 +3419,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
client_creds = self._get_creds(account_type=self.AccountType.USER,
assigned_policy=client_policy)
- # FIXME: we need to pass this parameter only because Samba doesn’t
- # handle ‘krbtgt at REALM’ principals correctly (see
- # https://bugzilla.samba.org/show_bug.cgi?id=15482).
- krbtgt_sname = self.get_krbtgt_sname()
-
# Show that authentication succeeds.
self._armored_as_req(client_creds,
self.get_krbtgt_creds(),
- mach_tgt,
- target_sname=krbtgt_sname)
+ mach_tgt)
self.check_as_log(client_creds,
armor_creds=mach_creds,
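Review bot: the removed FIXME tied `target_sname=krbtgt_sname` to bug 15482 (one-component `krbtgt@REALM` principals), and the commit message for 51a4443b044 only says Samba now handles one-component TGS principals "more correctly". Since the whole point of these `_armored_as_req` calls is to exercise the krbtgt target, it would help to state in the commit message or a short comment that the default target name is now the one-component form, so the test keeps covering the principal shape the FIXME was working around rather than quietly reverting to the two-component form. If bug 15482 is resolved, referencing the fixing commit (or closing the bug) from this change would let the next reader stop here.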
@@ -3808,16 +3801,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
client_creds = self._get_creds(account_type=self.AccountType.USER,
assigned_policy=client_policy)
- # FIXME: we need to pass this parameter only because Samba doesn’t
- # handle ‘krbtgt at REALM’ principals correctly (see
- # https://bugzilla.samba.org/show_bug.cgi?id=15482).
- krbtgt_sname = self.get_krbtgt_sname()
-
# Show that authentication succeeds.
self._armored_as_req(client_creds,
self.get_krbtgt_creds(),
- mach_tgt,
- target_sname=krbtgt_sname)
+ mach_tgt)
self.check_as_log(client_creds,
armor_creds=mach_creds,
@@ -3934,17 +3921,11 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
krbtgt_creds = self.get_krbtgt_creds()
- # FIXME: we need to pass this parameter only because Samba doesn’t
- # handle ‘krbtgt at REALM’ principals correctly (see
- # https://bugzilla.samba.org/show_bug.cgi?id=15482).
- krbtgt_sname = self.get_krbtgt_sname()
-
# Test whether authentication succeeds or fails.
self._armored_as_req(
client_creds,
krbtgt_creds,
mach_tgt,
- target_sname=krbtgt_sname,
expected_error=0 if expect_in_group else KDC_ERR_POLICY)
policy_success_args = {}
@@ -3976,7 +3957,6 @@ class DeviceRestrictionTests(ConditionalAceBaseTests):
client_creds,
krbtgt_creds,
mach_tgt,
- target_sname=krbtgt_sname,
expected_error=KDC_ERR_POLICY if expect_in_group else 0)
self.check_as_log(client_creds,
@@ -4275,13 +4255,236 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
def test_pac_device_info(self):
self._run_pac_device_info_test()
+ def test_pac_device_info_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy)
+
+ def test_pac_device_info_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True)
+
+ def test_pac_device_info_existing_device_info(self):
+ self._run_pac_device_info_test(existing_device_info=True)
+
+ def test_pac_device_info_existing_device_info_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ existing_device_info=True)
+
+ def test_pac_device_info_existing_device_info_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_existing_device_claims(self):
+ self._run_pac_device_info_test(existing_device_claims=True)
+
+ def test_pac_device_info_existing_device_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ existing_device_claims=True)
+
+ def test_pac_device_info_existing_device_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ existing_device_claims=True)
+
+ def test_pac_device_info_existing_device_info_and_claims(self):
+ self._run_pac_device_info_test(existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_existing_device_info_and_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_existing_device_info_and_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ existing_device_claims=True,
+ existing_device_info=True)
+
def test_pac_device_info_no_compound_id_support(self):
self._run_pac_device_info_test(compound_id_support=False)
+ def test_pac_device_info_no_compound_id_support_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ compound_id_support=False)
+
+ def test_pac_device_info_no_compound_id_support_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ compound_id_support=False)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_info(self):
+ self._run_pac_device_info_test(compound_id_support=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_info_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ compound_id_support=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_info_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ compound_id_support=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_claims(self):
+ self._run_pac_device_info_test(compound_id_support=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ compound_id_support=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ compound_id_support=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_info_and_claims(self):
+ self._run_pac_device_info_test(compound_id_support=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ compound_id_support=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ compound_id_support=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info(self):
+ self._run_pac_device_info_test(device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims(self):
+ self._run_pac_device_info_test(device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims(self):
+ self._run_pac_device_info_test(device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ device_claims_valid=False,
+ compound_id_support=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
def test_pac_device_info_no_claims_valid(self):
self._run_pac_device_info_test(device_claims_valid=False)
- def _run_pac_device_info_test(self, compound_id_support=True, device_claims_valid=True):
+ def test_pac_device_info_no_claims_valid_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ device_claims_valid=False)
+
+ def test_pac_device_info_no_claims_valid_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ device_claims_valid=False)
+
+ def test_pac_device_info_no_claims_valid_existing_device_info(self):
+ self._run_pac_device_info_test(device_claims_valid=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_info_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ device_claims_valid=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_info_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ device_claims_valid=False,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_claims(self):
+ self._run_pac_device_info_test(device_claims_valid=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ device_claims_valid=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ device_claims_valid=False,
+ existing_device_claims=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_info_and_claims(self):
+ self._run_pac_device_info_test(device_claims_valid=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_info_and_claims_target_policy(self):
+ target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}')
+ self._run_pac_device_info_test(target_policy=target_policy,
+ device_claims_valid=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def test_pac_device_info_no_claims_valid_existing_device_info_and_claims_rodc_issued(self):
+ self._run_pac_device_info_test(rodc_issued=True,
+ device_claims_valid=False,
+ existing_device_claims=True,
+ existing_device_info=True)
+
+ def _run_pac_device_info_test(self, *,
+ target_policy=None,
+ rodc_issued=False,
+ compound_id_support=True,
+ device_claims_valid=True,
+ existing_device_claims=False,
+ existing_device_info=False):
"""Test the groups of the client and the device after performing a
FAST‐armored TGS‐REQ.
"""
@@ -4295,13 +4498,16 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
]),
]
- expected_client_claims = {
- client_claim_id: {
- 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
- 'type': claims.CLAIM_TYPE_STRING,
- 'values': (client_claim_value,),
- },
- }
+ if not rodc_issued:
+ expected_client_claims = {
+ client_claim_id: {
+ 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
+ 'type': claims.CLAIM_TYPE_STRING,
+ 'values': (client_claim_value,),
+ },
+ }
+ else:
+ expected_client_claims = None
device_claim_id = 'the name of the device’s client claim'
device_claim_value = 'the value of the device’s client claim'
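Review bot: `expected_client_claims = None` in the `rodc_issued` branch needs a comment saying what `None` means downstream. Given the companion commits "Always expect client claims" and "Ensure that device SIDs and claims are present only if we expect them to be", the intent is presumably that a TGT issued under the RODC krbtgt carries no client claims buffer at all and the test asserts its absence, which is a different expectation from an empty claim set (`{}`) and from "not checked". A one-line comment such as `# RODC-issued TGTs carry no client claims; None asserts the buffer is absent.` would pin that down.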
@@ -4312,7 +4518,26 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
]),
]
- if compound_id_support:
+ existing_claim_id = 'the name of an existing device claim'
+ existing_claim_value = 'the value of an existing device claim'
+
+ existing_claims = [
+ (claims.CLAIMS_SOURCE_TYPE_CERTIFICATE, [
+ (existing_claim_id, claims.CLAIM_TYPE_STRING, [existing_claim_value]),
+ ]),
+ ]
+
+ if rodc_issued:
+ expected_device_claims = None
+ elif existing_device_info and existing_device_claims:
+ expected_device_claims = {
+ existing_claim_id: {
+ 'source_type': claims.CLAIMS_SOURCE_TYPE_CERTIFICATE,
+ 'type': claims.CLAIM_TYPE_STRING,
+ 'values': (existing_claim_value,),
+ },
+ }
+ elif compound_id_support and not existing_device_info and not existing_device_claims:
expected_device_claims = {
device_claim_id: {
'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
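Review bot: the branch ordering leaves the expectation for a lone existing device-claims buffer implicit. `elif existing_device_info and existing_device_claims:` keeps the pre-existing CERTIFICATE-sourced claim only when both buffers are present, while `existing_device_claims` without `existing_device_info` falls past the `compound_id_support and not existing_device_info and not existing_device_claims` branch to whatever the (truncated) `else` sets. Add a comment stating what the KDC is expected to do with a device-claims buffer that has no matching device-info buffer (kept, regenerated, or dropped), so the reader does not have to reconstruct it from the chain. It would also help to say why `existing_claims` uses `CLAIMS_SOURCE_TYPE_CERTIFICATE` while `device_claims` uses `CLAIMS_SOURCE_TYPE_AD`; presumably so the assertions can tell a retained pre-existing buffer apart from one the KDC rebuilt, and that is worth a sentence.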
@@ -4338,16 +4563,26 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs),
}
+ device_sid_0 = 'S-1-3-4-5'
+ device_sid_1 = 'S-1-4-5-6'
+
+ policy_sids = {
+ 'device_0': device_sid_0,
+ 'device_1': device_sid_1,
+ }
+
device_sids = {
(security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
- ('S-1-2-3-4', SidType.EXTRA_SID, self.resource_attrs),
- ('S-1-3-4-5', SidType.EXTRA_SID, self.resource_attrs),
+ (device_sid_0, SidType.EXTRA_SID, self.resource_attrs),
+ (device_sid_1, SidType.EXTRA_SID, self.resource_attrs),
}
if device_claims_valid:
device_sids.add((security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs))
+ checksum_key = self.get_krbtgt_checksum_key()
+
# Modify the machine account’s TGT to contain only the SID of the
# machine account’s primary group.
mach_tgt = self.modified_ticket(
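Review bot: the comment `# Modify the machine account’s TGT to contain only the SID of the machine account’s primary group.` is stale for the code under it: `device_sids` also carries `device_sid_0` and `device_sid_1` as extra SIDs and, when `device_claims_valid`, `SID_CLAIMS_VALID`. Since this hunk already renames those SIDs and introduces `policy_sids`, update the comment to describe the set actually written into the PAC. Hoisting `checksum_key = self.get_krbtgt_checksum_key()` so it is fetched once is fine.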
@@ -4357,42 +4592,109 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests):
new_sids=device_sids),
partial(self.set_pac_claims, client_claims=device_claims),
],
- checksum_keys=self.get_krbtgt_checksum_key())
+ checksum_keys=checksum_key)
# Create a user account.
- client_creds = self._get_creds(account_type=self.AccountType.USER)
+ client_creds = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ opts={
+ 'allowed_replication_mock': rodc_issued,
+ 'revealed_to_mock_rodc': rodc_issued,
+ })
client_tgt = self.get_tgt(client_creds)
+ client_modify_pac_fns = [
+ partial(self.set_pac_sids,
+ new_sids=client_sids),
+ partial(self.set_pac_claims, client_claims=client_claims),
+ ]
+
+ if existing_device_claims:
+ client_modify_pac_fns.append(
+ partial(self.set_pac_claims, device_claims=existing_claims))
+ if existing_device_info:
+ # These are different from the SIDs in the device’s TGT.
+ existing_sid_0 = 'S-1-7-8-9'
+ existing_sid_1 = 'S-1-9-8-7'
+
+ policy_sids.update({
+ 'existing_0': existing_sid_0,
+ 'existing_1': existing_sid_1,
+ })
+
+ existing_sids = {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (existing_sid_0, SidType.EXTRA_SID, self.resource_attrs),
+ (existing_sid_1, SidType.EXTRA_SID, self.resource_attrs),
+ }
+
+ client_modify_pac_fns.append(partial(
+ self.set_pac_device_sids, new_sids=existing_sids, user_rid=mach_creds.get_rid()))
+
+ if rodc_issued:
+ rodc_krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
+ rodc_krbtgt_key = self.TicketDecryptionKey_from_creds(rodc_krbtgt_creds)
+ rodc_checksum_key = {
+ krb5pac.PAC_TYPE_KDC_CHECKSUM: rodc_krbtgt_key,
+ }
+
# Modify the client’s TGT to contain only the SID of the client’s
# primary group.
client_tgt = self.modified_ticket(
client_tgt,
- modify_pac_fn=[
- partial(self.set_pac_sids,
- new_sids=client_sids),
- partial(self.set_pac_claims, client_claims=client_claims),
- ],
- checksum_keys=self.get_krbtgt_checksum_key())
+ modify_pac_fn=client_modify_pac_fns,
+ new_ticket_key=rodc_krbtgt_key if rodc_issued else None,
+ checksum_keys=rodc_checksum_key if rodc_issued else checksum_key)
- # Indicate that Compound Identity is supported.
- target_creds, _ = self.get_target(to_krbtgt=False, compound_id=compound_id_support)
+ if target_policy is None:
+ policy = None
+ assigned_policy = None
+ else:
+ policy = self.create_authn_policy(
+ enforced=True,
+ computer_allowed_to=target_policy.format_map(policy_sids))
+ assigned_policy = str(policy.dn)
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_RC4_HMAC_MD5
+ | security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ # Indicate that Compound Identity is supported.
+ 'compound_id_support': compound_id_support,
+ 'assigned_policy': assigned_policy,
+ })
expected_sids = {
(security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
(security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
- ('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs),
# The client’s groups are not to include the Asserted Identity and
# Claims Valid SIDs.
}
+ if rodc_issued:
+ expected_sids.add((security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs))
+ else:
+ expected_sids.add(('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs))
- if compound_id_support:
+ if rodc_issued:
+ expected_device_sids = None
+ elif existing_device_info:
+ expected_device_sids = {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs),
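Review bot: the comment `# The client’s groups are not to include the Asserted Identity and Claims Valid SIDs.` inside `expected_sids` now contradicts the `if rodc_issued:` branch immediately below it, which adds `security.SID_CLAIMS_VALID` to `expected_sids`; either qualify the comment (Claims Valid is expected only for the RODC-issued case, with a word on why) or move it into the `else` branch. Two smaller points: `rodc_krbtgt_key` and `rodc_checksum_key` are bound only inside `if rodc_issued:` and then used in `new_ticket_key=rodc_krbtgt_key if rodc_issued else None` and `checksum_keys=rodc_checksum_key if rodc_issued else checksum_key`. That is correct at runtime because the conditional expression never evaluates the unbound name, but linters flag it as possibly undefined, so initialise both to `None` before the `if`. And the comment `# Modify the client’s TGT to contain only the SID of the client’s primary group.` no longer describes `client_modify_pac_fns`, which may also append device claims and a device-info buffer when `existing_device_claims` or `existing_device_info` is set.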
--
Samba Shared Repository