[SCM] Samba Shared Repository - branch master updated
Andrew Bartlett
abartlet at samba.org
Thu May 16 03:15:01 UTC 2024
The branch, master has been updated
via 01849ab1bca s4:kdc: Implement KDC plugin hardware authentication policy
via 0582cf6077c s4:kdc: Remove trailing whitespace
via 09bcd48f790 third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f)
via d36bfbf632e tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs
via f3ff4915adf s4:kdc: Initialize local variable just in case (CID 1596759)
via 3b90753b552 s4:kdc: Free target principal string to avoid memory leak (CID 1596760)
via 7e7bb259a60 s4:kdc: Initialize pointer variable just in case (CID 1596762)
via e1460c9e342 s4:dsdb: Make map containing default attribute values static
via 927c672faff s4:dsdb: Do not set lockoutTime for trust accounts
via 4c759c26752 s4:dsdb: Make use of userAccountControl helper function
via 1b8b8550aaa s4:dsdb: Add userAccountControl helper function
via 0e93456a66b s4:dsdb: Remove redundant user flags macro
via 32199b9bcfd s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change
via fbdeb4b0b47 lib:crypto: Add constant denoting maximum GKDI clock skew in minutes
via c167ac53016 s4:libnet: Remove unnecessary declarations
via 33ed55ce8f5 s4:libnet: Remove trailing whitespace
via 5c4f2623c52 tests/krb5: Add more tests for gMSAs
via 6f094180106 tests/krb5: Test viewing gMSA passwords after performing simple binds
via f9cbda9cf0e tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons
via 336a58473ad tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter
via ad0740751e8 tests/krb5: Test performing NTLMSSP logons at different times
via e5357c75a60 s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period
via 92d010af2d0 s4:dsdb: Let dsdb gMSA time influence pwdLastSet
via 9fac9b776e7 tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
via aa4347ff23e tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon()
via 41e71406a14 tests/krb5: Make use of gmsa_series_for_account() method
via 577aa790425 tests/krb5: Add quantized_time() method
via 65fe09007f8 tests/krb5: Read current time from correct SamDB
via fdaa2943697 python:tests: Pass ServerPasswordSet2() parameters in correct order
via cb357a011b0 python:tests: Remove unnecessary ‘pass’ statement
via e875193c1ca python:tests: Remove unused netlogon connection parameter
via 170dd47eae5 s4:libcli: Add more controls to our list of known controls
via 526652d162f s4:libcli: Fix code spelling
via e4045cd5b15 s4:setup: Update name of dsdb password change control
via f5cbe497897 s4:dsdb: Fix code spelling
via cbebffd56da s4:dsdb: Remove trailing whitespace
via 359b3b63213 lib:fuzzing: Fix undefined shift
via be076b30972 lib:fuzzing: Remove unused variable
via 7b02221c4f5 auth:credentials: Check for NT hash being NULL
from 2b495c44a2a smbd: Fix a typo in a few places
https://git.samba.org/?p=samba.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit 01849ab1bcaad9e96b388cad178182d6a77ac3cb
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon May 13 10:58:51 2024 +1200
s4:kdc: Implement KDC plugin hardware authentication policy
NOTE: This commit finally works again!
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet at samba.org>
Autobuild-Date(master): Thu May 16 03:14:47 UTC 2024 on atb-devel-224
commit 0582cf6077c3f6866f38e85440c8ed464b303bdd
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed May 15 16:28:12 2024 +1200
s4:kdc: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 09bcd48f79043e54fdce840f70e370b9a507d0fc
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Thu May 9 16:57:14 2024 +1200
third_party/heimdal: Import lorikeet-heimdal-202405090452 (commit 49c8e97b7221db53355258059ef385c856e1385f)
NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit d36bfbf632ed0d3c53c9ef24eac682cb91274ec8
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue May 14 13:05:31 2024 +1200
tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs
A lot of these tests are going to start failing, so skip them until
we’ve implemented the corresponding behaviour for the KDC.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f3ff4915adfd63f287147c73fd69050c5b7de580
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon May 6 12:20:44 2024 +1200
s4:kdc: Initialize local variable just in case (CID 1596759)
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 3b90753b552c52e3d085d58e9d97633d4a2210f5
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon May 6 12:19:18 2024 +1200
s4:kdc: Free target principal string to avoid memory leak (CID 1596760)
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7e7bb259a600e71d04afafa07ffef4a3bddf4883
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon May 6 12:17:20 2024 +1200
s4:kdc: Initialize pointer variable just in case (CID 1596762)
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e1460c9e34285861ea7d06457d0f854d4bb8fe5f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue Apr 30 17:51:18 2024 +1200
s4:dsdb: Make map containing default attribute values static
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 927c672fafff17cf7024e49e7a5e7a06dc4b1f29
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon Apr 29 17:04:11 2024 +1200
s4:dsdb: Do not set lockoutTime for trust accounts
This matches the behaviour of Windows.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 4c759c2675231bf5ef8e6ebe57c118ec36047bdb
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Thu May 9 13:53:00 2024 +1200
s4:dsdb: Make use of userAccountControl helper function
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 1b8b8550aaa909d27504ea80bd2b1e4f40092081
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed May 1 12:38:04 2024 +1200
s4:dsdb: Add userAccountControl helper function
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 0e93456a66bdf8f2f6e68669e94e9acac915c21d
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Thu May 9 13:19:35 2024 +1200
s4:dsdb: Remove redundant user flags macro
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 32199b9bcfddd6fbd4fc54ab8a6c5180adcf2024
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed Apr 24 15:49:27 2024 +1200
s4:auth: Accept previous gMSA password for NTLM authentication five minutes after a password change
gMSA password changes are usually triggered when the DC needs to fetch
the account’s keys and notices they are out of date.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fbdeb4b0b47db09dea56fec379f487ea709f994f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue Apr 16 16:05:55 2024 +1200
lib:crypto: Add constant denoting maximum GKDI clock skew in minutes
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit c167ac53016ba7ce0068bdae6a0b6a05b2dc6189
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed Apr 24 12:32:52 2024 +1200
s4:libnet: Remove unnecessary declarations
This declaration is a hold‐over from the Python 2 module initialization
pattern.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 33ed55ce8f58f5b833a0554fb719441a98f93a47
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed Apr 24 12:34:36 2024 +1200
s4:libnet: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 5c4f2623c52a65372ed3247e64152ba5ea5da845
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue Apr 30 16:34:53 2024 +1200
tests/krb5: Add more tests for gMSAs
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 6f0941801065943ba88614d190d5446d8e92df2f
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Fri Apr 26 14:53:03 2024 +1200
tests/krb5: Test viewing gMSA passwords after performing simple binds
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f9cbda9cf0e6e5dfe9403d2f26edda640e52e88a
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Fri Apr 26 12:50:51 2024 +1200
tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 336a58473adfa402af2c9dd9fba7de5cd468dc72
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue Apr 30 16:28:44 2024 +1200
tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter
We just want to test whether a gMSA can use netlogon.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit ad0740751e8e47a0dcc6e537739ecadf95e90a70
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Fri Apr 26 13:20:54 2024 +1200
tests/krb5: Test performing NTLMSSP logons at different times
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e5357c75a6090a5cd375bf063c8ceb0dd11dc9a9
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed May 1 14:58:31 2024 +1200
s4:auth: Let dsdb gMSA time influence NTLM previous password allowed period
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 92d010af2d074a371e7659a5d53f95ad6612ed1e
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed May 1 15:00:19 2024 +1200
s4:dsdb: Let dsdb gMSA time influence pwdLastSet
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 9fac9b776e7aeef9b918d0c0f02edc4df0e49ddd
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Fri Apr 26 13:08:23 2024 +1200
tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit aa4347ff23e358693920c9b0507eae1c60acd26b
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed Apr 24 17:22:45 2024 +1200
tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon()
View with ‘git show -b’.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 41e71406a1401c60ac163dee46505191075c9def
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed Apr 24 17:20:14 2024 +1200
tests/krb5: Make use of gmsa_series_for_account() method
This allows us to replace a call to
expected_current_gmsa_password_blob() with one to
expected_gmsa_password_blob(), a method which allows us to specify the
exact key we expect.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 577aa790425502b25b0e9a98f1f82070d53ce4c7
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed Apr 24 17:18:09 2024 +1200
tests/krb5: Add quantized_time() method
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 65fe09007f87322aaf35b610add2776b54005ec9
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Wed Apr 24 17:16:55 2024 +1200
tests/krb5: Read current time from correct SamDB
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit fdaa29436976c4aec94c239ee9d65eb6d8f920f5
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue Apr 30 14:36:07 2024 +1200
python:tests: Pass ServerPasswordSet2() parameters in correct order
‘account_name’ and ‘server_name’ are passed in the wrong order. While
Samba ignores the account name parameter and doesn’t have a problem with
it missing its trailing dollar, Windows checks it and requires the
trailing dollar to be present.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cb357a011b04f37cb6610a94ae5c4af30a56e423
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue Apr 30 14:35:13 2024 +1200
python:tests: Remove unnecessary ‘pass’ statement
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e875193c1ca7025d4929090dce731a074a9dd4e1
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue Apr 30 14:34:44 2024 +1200
python:tests: Remove unused netlogon connection parameter
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 170dd47eae5ece962262814d05bfcedb3426b433
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon Apr 29 17:03:39 2024 +1200
s4:libcli: Add more controls to our list of known controls
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 526652d162f929426bdefac57ca346dd1c9c5d95
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon Apr 29 17:48:01 2024 +1200
s4:libcli: Fix code spelling
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit e4045cd5b15f0c60b8fc7c49936888731ce60274
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon Apr 29 17:02:39 2024 +1200
s4:setup: Update name of dsdb password change control
Commit 0a907c2f45c34efcac784738c9d75303b9d04d2f renamed this control to
DSDB_CONTROL_PASSWORD_CHANGE_OLD_PW_CHECKED_OID.
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit f5cbe497897f8f7ceae6de1f6134b336a8d91186
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon Apr 29 17:02:06 2024 +1200
s4:dsdb: Fix code spelling
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit cbebffd56da42cd439293c638e3637917beae8bb
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Mon Apr 29 17:01:52 2024 +1200
s4:dsdb: Remove trailing whitespace
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 359b3b63213ccb4c9e77fd8afc0e7a2c78f41c32
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue May 14 16:42:31 2024 +1200
lib:fuzzing: Fix undefined shift
../../lib/fuzzing/fuzz_stable_sort_r_unstable.c:47:22: runtime error: left shift of negative value -34
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit be076b3097231930214e6628e455ed03a9767106
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue May 14 16:44:11 2024 +1200
lib:fuzzing: Remove unused variable
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
commit 7b02221c4f5571255d2d6124ba1ea5c8fcda6eb4
Author: Jo Sutton <josutton at catalyst.net.nz>
Date: Tue May 7 11:43:48 2024 +1200
auth:credentials: Check for NT hash being NULL
Signed-off-by: Jo Sutton <josutton at catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet at samba.org>
-----------------------------------------------------------------------
Summary of changes:
auth/credentials/pycredentials.c | 3 +
lib/crypto/gkdi.h | 1 +
lib/fuzzing/fuzz_stable_sort_r_unstable.c | 3 +-
python/samba/tests/krb5/gmsa_tests.py | 750 +++++++++++++++++++++++-
python/samba/tests/krb5/raw_testcase.py | 10 +-
python/samba/tests/py_credentials.py | 31 +-
selftest/knownfail.d/gmsa | 3 +
selftest/knownfail_mit_kdc | 6 -
selftest/knownfail_mit_kdc_1_20 | 68 ---
source4/auth/ntlm/auth_sam.c | 35 +-
source4/dsdb/common/util.c | 16 +-
source4/dsdb/samdb/ldb_modules/extended_dn_in.c | 42 +-
source4/dsdb/samdb/ldb_modules/operational.c | 15 +-
source4/dsdb/samdb/ldb_modules/password_hash.c | 10 +-
source4/kdc/kpasswd-service-heimdal.c | 6 +-
source4/kdc/wdc-samba4.c | 24 +-
source4/libcli/ldap/ldap_controls.c | 24 +-
source4/libnet/libnet_export_keytab.c | 2 +-
source4/libnet/libnet_export_keytab.h | 8 +-
source4/libnet/py_net_dckeytab.c | 3 -
source4/setup/schema_samba4.ldif | 2 +-
third_party/heimdal/kdc/kdc-plugin.c | 29 +-
third_party/heimdal/kdc/kdc-plugin.h | 13 +-
third_party/heimdal/kdc/kerberos5.c | 59 +-
24 files changed, 960 insertions(+), 203 deletions(-)
create mode 100644 selftest/knownfail.d/gmsa
Changeset truncated at 500 lines:
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c
index 0bcb894f920..8008bd0418d 100644
--- a/auth/credentials/pycredentials.c
+++ b/auth/credentials/pycredentials.c
@@ -544,6 +544,9 @@ static PyObject *py_creds_get_nt_hash(PyObject *self, PyObject *unused)
return NULL;
}
ntpw = cli_credentials_get_nt_hash(creds, creds);
+ if (ntpw == NULL) {
+ Py_RETURN_NONE;
+ }
ret = PyBytes_FromStringAndSize(discard_const_p(char, ntpw->hash), 16);
TALLOC_FREE(ntpw);
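Review bot: the new `if (ntpw == NULL) { Py_RETURN_NONE; }` before the `ntpw->hash` dereference changes the Python-visible contract of `get_nt_hash()` from "always 16 bytes" to "bytes or None", so the method's docstring and any caller that indexes or compares the result against bytes needs updating, and a test covering the None path (credentials with no password set) would lock the behaviour in. Also worth checking whether `cli_credentials_get_nt_hash()` returns NULL on allocation failure as well as when no password is set; if so, that case should raise (e.g. `PyErr_NoMemory()`) rather than be reported as a silent None.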
diff --git a/lib/crypto/gkdi.h b/lib/crypto/gkdi.h
index ea0f8b9357f..1c028999f3e 100644
--- a/lib/crypto/gkdi.h
+++ b/lib/crypto/gkdi.h
@@ -129,6 +129,7 @@ static const int gkdi_l1_key_iteration = 32;
static const int gkdi_l2_key_iteration = 32;
static const int64_t gkdi_key_cycle_duration = 360000000000; /* ten hours */
+static const int gkdi_max_clock_skew_mins = 5;
static const int64_t gkdi_max_clock_skew = 3000000000; /* five minutes */
#define GKDI_KEY_LEN 64
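Review bot: `gkdi_max_clock_skew_mins = 5` and the adjacent `gkdi_max_clock_skew = 3000000000` (100 ns units) now encode the same five-minute value twice and can drift apart. Prefer deriving one from the other, for example `static const int64_t gkdi_max_clock_skew = (int64_t)gkdi_max_clock_skew_mins * 60 * 10000000;`, or at minimum add a comment on the new constant saying it must match the line below. Note 5 * 60 * 10^7 does equal 3000000000, so the two are currently consistent.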
diff --git a/lib/fuzzing/fuzz_stable_sort_r_unstable.c b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
index cd4d7915ad3..45abc6a535c 100644
--- a/lib/fuzzing/fuzz_stable_sort_r_unstable.c
+++ b/lib/fuzzing/fuzz_stable_sort_r_unstable.c
@@ -44,7 +44,7 @@ static int cmp_int8(int8_t *_a, int8_t *_b, int8_t *ctx)
/* aim for sustained chaos. */
c += a;
c ^= b;
- c ^= (c >> 5) + (c << 3);
+ c ^= (c >> 5) + ((uint8_t)c << 3);
*ctx = (c + 99) | 1;
}
switch((c >> 1) & 7) {
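Review bot: the cast in `c ^= (c >> 5) + ((uint8_t)c << 3);` is the right fix for the sanitizer report: the `uint8_t` operand is promoted to a non-negative `int` in 0..255, so the left shift yields at most 2040 and is no longer undefined. The remaining `c >> 5` on a negative value is implementation-defined (arithmetic shift on the compilers Samba builds with) rather than undefined, so UBSan will stay quiet; a one-line comment saying the cast exists to avoid shifting a negative value would save the next reader from "simplifying" it away. The narrowing back into `c` on assignment is likewise implementation-defined and fine for a fuzzer mixing function.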
@@ -73,7 +73,6 @@ static int cmp_int8(int8_t *_a, int8_t *_b, int8_t *ctx)
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
{
- size_t i;
int8_t buf2[MAX_SIZE];
int8_t aux[MAX_SIZE];
int8_t context;
diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py
index eff5a69f155..7077c0c95a5 100755
--- a/python/samba/tests/krb5/gmsa_tests.py
+++ b/python/samba/tests/krb5/gmsa_tests.py
@@ -23,15 +23,23 @@ import os
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
-from typing import Iterable, NewType, Optional, Tuple, TypeVar
+from typing import Callable, Iterable, NewType, Optional, Tuple, TypeVar
import datetime
from itertools import chain
import ldb
-from samba import auth, dsdb, gensec, werror
-from samba.dcerpc import gkdi, gmsa, misc, netlogon, security
+from samba import (
+ auth,
+ dsdb,
+ generate_random_password,
+ gensec,
+ ntstatus,
+ NTSTATUSError,
+ werror,
+)
+from samba.dcerpc import gkdi, gmsa, misc, netlogon, security, srvsvc
from samba.ndr import ndr_pack, ndr_unpack
from samba.nt_time import (
nt_time_delta_from_timedelta,
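Review bot: of the newly imported names, `NTSTATUSError` and `ntstatus` are used in the `gensec_ntlmssp_logon` hunk below, but `Callable`, `generate_random_password` and `srvsvc` do not appear anywhere in the portion of the changeset shown here (it is truncated at 500 lines); please confirm each is used in the full diff so the module does not pick up unused imports.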
@@ -100,6 +108,12 @@ class GmsaSeries:
int(self.start_of_interval(n) + self.rollover_interval - two_minutes)
)
+ def outside_previous_password_valid_window(self, n: int) -> NtTime:
+ return NtTime(self.start_of_interval(n) + MAX_CLOCK_SKEW)
+
+ def within_previous_password_valid_window(self, n: int) -> NtTime:
+ return NtTime(self.outside_previous_password_valid_window(n) - 1)
+
class GmsaTests(GkdiBaseTest, KDCBaseTest):
def _as_req(
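Review bot: `outside_previous_password_valid_window(n)` returns exactly `start_of_interval(n) + MAX_CLOCK_SKEW` and `within_...` returns one tick less, which encodes the server-side window as half-open, `[start, start + skew)`. That boundary needs to match the comparison in the `auth_sam.c` change (not visible in the truncated changeset): if the server uses `<=` rather than `<`, both helpers are off by one tick and the "outside" test would wrongly pass. A short docstring on each helper stating the intended inclusivity, and that `MAX_CLOCK_SKEW` is in NT time units (100 ns), would make that contract explicit; `MAX_CLOCK_SKEW` is also not defined or imported in any visible hunk.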
@@ -300,6 +314,37 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
self.future_gkid(), gkdi_rollover_interval(managed_password_interval)
)
+ def gmsa_series_for_account(
+ self, samdb: SamDB, creds: KerberosCredentials, managed_password_interval: int
+ ) -> GmsaSeries:
+ gmsa_object = self.get_gmsa_object(samdb, creds.get_dn())
+ current_nt_time = self.current_nt_time(samdb)
+ gkid = Gkid.from_nt_time(
+ self.account_quantized_time(gmsa_object, current_nt_time)
+ )
+ return GmsaSeries(gkid, gkdi_rollover_interval(managed_password_interval))
+
+ def quantized_time(
+ self, key_start_time: NtTime, time: NtTime, gkdi_rollover_interval: NtTimeDelta
+ ) -> NtTime:
+ self.assertLessEqual(key_start_time, time)
+
+ time_since_key_start = NtTimeDelta(time - key_start_time)
+ quantized_time_since_key_start = NtTimeDelta(
+ time_since_key_start // gkdi_rollover_interval * gkdi_rollover_interval
+ )
+ return NtTime(key_start_time + quantized_time_since_key_start)
+
+ def account_quantized_time(self, gmsa_object: Gmsa, time: NtTime) -> NtTime:
+ pwd_id_blob = gmsa_object.get("msDS-ManagedPasswordId", idx=0)
+ self.assertIsNotNone(pwd_id_blob, "SAM should have initialized password ID")
+
+ pwd_id = ndr_unpack(gkdi.KeyEnvelope, pwd_id_blob)
+ key_start_time = Gkid.from_key_envelope(pwd_id).start_nt_time()
+
+ gkdi_rollover_interval = self.gmsa_rollover_interval(gmsa_object)
+ return self.quantized_time(key_start_time, time, gkdi_rollover_interval)
+
def expected_gmsa_password_blob(
self,
samdb: SamDB,
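Review bot: `quantized_time()` floors `time` to the most recent key start using `time_since_key_start // gkdi_rollover_interval`, which is correct, but the three new methods have no docstrings explaining the units (NT time, 100 ns ticks) or that the result is a floor. `account_quantized_time()` reads `msDS-ManagedPasswordId` and unpacks it as `gkdi.KeyEnvelope`; `gmsa_series_for_account()` in turn derives the series from that attribute rather than from the account's creation time, which is the right source but worth stating, since a caller passing a `managed_password_interval` that differs from the account's actual `msDS-ManagedPasswordInterval` would silently get an inconsistent series. An assertion tying the two together would catch that.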
@@ -360,11 +405,9 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
current_time = self.current_nt_time(samdb)
- time_since_key_start = NtTimeDelta(current_time - key_start_time)
- quantized_time_since_key_start = NtTimeDelta(
- time_since_key_start // gkdi_rollover_interval * gkdi_rollover_interval
+ new_key_start_time = self.quantized_time(
+ key_start_time, current_time, gkdi_rollover_interval
)
- new_key_start_time = NtTime(key_start_time + quantized_time_since_key_start)
new_key_expiration_time = NtTime(new_key_start_time + gkdi_rollover_interval)
account_sid = creds.get_sid()
@@ -508,8 +551,8 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
# Perform a gensec logon using NTLMSSP. As samdb is passed in as a
# parameter, it can have a time set on it with set_db_time().
def gensec_ntlmssp_logon(
- self, client_creds: Credentials, samdb: SamDB
- ) -> "auth.session_info":
+ self, client_creds: Credentials, samdb: SamDB, expect_success: bool = True
+ ) -> "Optional[auth.session_info]":
lp = self.get_lp()
lp.set("server role", "active directory domain controller")
@@ -544,9 +587,17 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
server_to_client
)
if not server_finished:
- server_finished, server_to_client = gensec_server.update(
- client_to_server
- )
+ try:
+ server_finished, server_to_client = gensec_server.update(
+ client_to_server
+ )
+ except NTSTATUSError as err:
+ self.assertFalse(expect_success, "got an unexpected error")
+
+ self.assertEqual(ntstatus.NT_STATUS_WRONG_PASSWORD, err.args[0])
+ return None
+
+ self.assertTrue(expect_success, "expected to get an error")
# Retrieve the SIDs from the security token.
return gensec_server.session_info()
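Review bot: the placement of `self.assertTrue(expect_success, "expected to get an error")` cannot be recovered from the flattened indentation here, and it matters: it must sit after the negotiate loop, not inside the `if not server_finished:` block, because the server's first `update()` (consuming NEGOTIATE and producing CHALLENGE) succeeds regardless of the password, and only the later AUTHENTICATE round can raise. If it is inside the block, every `expect_success=False` caller fails on the first round. Also, the `except` path pins the failure to `NT_STATUS_WRONG_PASSWORD`; that strictness is good, but a comment noting that other statuses (lockout, disabled account) are deliberately treated as test failures would make the intent clear.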
@@ -698,6 +749,47 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
self.gmsa_account(msa_membership=deny_world_sddl), expect_access=False
)
+ def test_retrieving_password_over_sealed_connection(self):
+ lp = self.get_lp()
+ samdb = SamDB(
+ f"ldap://{self.dc_host}",
+ credentials=self.get_admin_creds(),
+ session_info=auth.system_session(lp),
+ lp=lp,
+ )
+
+ self.check_managed_password_access(
+ self.gmsa_account(), samdb=samdb, expect_access=True
+ )
+
+ def test_retrieving_password_over_unsealed_connection(self):
+ # Requires --use-kerberos=required, or it automatically upgrades to an
+ # encrypted connection.
+
+ # Remove FEATURE_SEAL which gets added by insta_creds.
+ creds = self.insta_creds(template=self.get_admin_creds())
+ creds.set_gensec_features(creds.get_gensec_features() & ~gensec.FEATURE_SEAL)
+
+ lp = self.get_lp()
+
+ sasl_wrap = lp.get("client ldap sasl wrapping")
+ self.addCleanup(lp.set, "client ldap sasl wrapping", sasl_wrap)
+ lp.set("client ldap sasl wrapping", "sign")
+
+ # Create a second ldb connection without seal.
+ samdb = SamDB(
+ f"ldap://{self.dc_host}",
+ credentials=creds,
+ session_info=auth.system_session(lp),
+ lp=lp,
+ )
+
+ self.check_managed_password_access(
+ self.gmsa_account(),
+ samdb=samdb,
+ expected_werror=werror.WERR_DS_CONFIDENTIALITY_REQUIRED,
+ )
+
def test_retrieving_denied_password_over_unsealed_connection(self):
# Requires --use-kerberos=required, or it automatically upgrades to an
# encrypted connection.
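Review bot: `test_retrieving_password_over_unsealed_connection` depends on the environment flag named in the comment (`--use-kerberos=required`); without it the connection upgrades to an encrypted one and the `WERR_DS_CONFIDENTIALITY_REQUIRED` expectation fails for a reason unrelated to the server's confidentiality check. Consider asserting the precondition directly after connecting (for example, that the resulting gensec features still lack `gensec.FEATURE_SEAL`) so the failure mode is diagnosable. The `addCleanup(lp.set, "client ldap sasl wrapping", sasl_wrap)` restore is correct; the same three lines are repeated in the denied-password variant below and could be factored into a small helper that returns the unsealed `SamDB`.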
@@ -728,6 +820,39 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
expected_werror=werror.WERR_DS_CONFIDENTIALITY_REQUIRED,
)
+ def test_retrieving_password_after_encrypted_simple_bind(self):
+ """Test retrieving the managed password using a simple bind with encryption."""
+ admin_sid = self.get_samdb().get_admin_sid()
+
+ creds = self.insta_creds(template=self.get_admin_creds())
+ creds.set_bind_dn(admin_sid)
+ samdb = SamDB(
+ url=f"ldaps://{self.dc_host}", credentials=creds, lp=self.get_lp()
+ )
+
+ self.check_managed_password_access(
+ self.gmsa_account(), samdb=samdb, expect_access=True
+ )
+
+ def test_retrieving_password_after_unencrypted_simple_bind(self):
+ """Test retrieving the managed password using a simple bind without encryption."""
+ admin_sid = self.get_samdb().get_admin_sid()
+
+ creds = self.insta_creds(template=self.get_admin_creds())
+ creds.set_bind_dn(admin_sid)
+ try:
+ samdb = SamDB(
+ url=f"ldap://{self.dc_host}", credentials=creds, lp=self.get_lp()
+ )
+ except ldb.LdbError:
+ self.fail("failed to perform simple bind")
+
+ self.check_managed_password_access(
+ self.gmsa_account(),
+ samdb=samdb,
+ expected_werror=werror.WERR_DS_CONFIDENTIALITY_REQUIRED,
+ )
+
def future_gkid(self) -> Gkid:
"""Return (6333, 26, 5)—an arbitrary GKID far enough in the future that
it’s situated beyond any reasonable rollover period. But not so far in
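Review bot: in `test_retrieving_password_after_unencrypted_simple_bind`, the `try: ... except ldb.LdbError: self.fail(...)` around `SamDB(url=f"ldap://...")` only rewrites the failure message; the bind itself will be refused unless the test server permits plaintext simple binds (`ldap server require strong auth` set to allow them), so that precondition should be stated in a comment alongside the one about `--use-kerberos=required`. Both new tests call `creds.set_bind_dn(admin_sid)` with a SID rather than a DN; Samba accepts SID-form bind DNs, but a brief comment would stop a reader from reporting it as a bug. The encrypted-bind test (`ldaps://`) getting `expect_access=True` and the plaintext one getting `WERR_DS_CONFIDENTIALITY_REQUIRED` is the right pair of expectations for a confidential attribute.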
@@ -906,7 +1031,7 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
creds = self.gmsa_account(samdb=local_samdb, interval=password_interval)
dn = creds.get_dn()
- current_nt_time = self.current_nt_time(local_samdb)
+ current_nt_time = self.current_nt_time(samdb)
self.set_db_time(local_samdb, current_nt_time)
# Search the local database for the account’s keys.
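Review bot: reading the time from `samdb` instead of `local_samdb` is the right fix, since `local_samdb` is about to have its clock overridden by `set_db_time()` on the next line and reading it back would be circular. The identical two-line change appears again in the next hunk; the shared set-up (create account, read time from `samdb`, set it on `local_samdb`) is a candidate for a helper so the two tests cannot diverge again.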
@@ -983,7 +1108,7 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
creds = self.gmsa_account(samdb=local_samdb, interval=password_interval)
dn = creds.get_dn()
- current_nt_time = self.current_nt_time(local_samdb)
+ current_nt_time = self.current_nt_time(samdb)
self.set_db_time(local_samdb, current_nt_time)
# Search the local database for the account’s keys.
@@ -1001,8 +1126,14 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
self.assertEqual(creds.get_nt_hash(), previous_nt_hash)
# Calculate the password with which to authenticate.
- managed_pwd = self.expected_current_gmsa_password_blob(
- samdb, creds, future_key_is_acceptable=False
+ current_series = self.gmsa_series_for_account(
+ local_samdb, creds, password_interval
+ )
+ managed_pwd = self.expected_gmsa_password_blob(
+ local_samdb,
+ creds,
+ current_series.interval_gkid(0),
+ query_expiration_gkid=current_series.interval_gkid(1),
)
# Set the new password.
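Review bot: the replacement drops `future_key_is_acceptable=False` and now computes the blob from `local_samdb` with `current_series.interval_gkid(0)` as the current GKID but, unlike the new logon tests later in this hunk series, passes no `previous_gkid`. If the account here is created at the start of interval 0 that is correct (no previous password exists), but a one-line comment saying so would explain why this call differs from the others that pass `previous_gkid=current_series.interval_gkid(-1)`.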
@@ -1054,13 +1185,396 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
# Ensure that they match.
self.assertEqual(security.dom_sid(creds.get_sid()), token_sids[0])
+ def test_gmsa_can_perform_gensec_ntlmssp_logon_when_current_key_is_valid(self):
+ """Test that we can perform a gensec logon at a time when we are sure
+ the current gMSA password is valid."""
+
+ password_interval = 18
+
+ samdb = self.get_local_samdb()
+ series = self.gmsa_series(password_interval)
+ self.set_db_time(samdb, series.start_of_interval(0))
+
+ creds = self.gmsa_account(
+ samdb=samdb, interval=password_interval, kerberos_enabled=False
+ )
+
+ # Perform a gensec logon.
+ session = self.gensec_ntlmssp_logon(creds, samdb)
+
+ # Ensure that the first SID contained within the security token is the gMSA’s SID.
+ token = session.security_token
+ token_sids = token.sids
+ self.assertGreater(len(token_sids), 0)
+
+ # Ensure that they match.
+ self.assertEqual(security.dom_sid(creds.get_sid()), token_sids[0])
+
+ def test_gmsa_can_perform_gensec_ntlmssp_logon_when_current_key_is_expired(self):
+ """Test that we can perform a gensec logon using NTLMSSP at a time when
+ the current gMSA password has expired."""
+
+ password_interval = 40
+
+ samdb = self.get_local_samdb()
+ series = self.gmsa_series(password_interval)
+ self.set_db_time(samdb, series.start_of_interval(0))
+
+ creds = self.gmsa_account(
+ samdb=samdb, interval=password_interval, kerberos_enabled=False
+ )
+
+ # Set the time to the moment the original password has expired, and
+ # perform a gensec logon.
+ expired_time = series.start_of_interval(1)
+ self.set_db_time(samdb, expired_time)
+
+ # Calculate the password with which to authenticate.
+ current_series = self.gmsa_series_for_account(samdb, creds, password_interval)
+ managed_pwd = self.expected_gmsa_password_blob(
+ samdb,
+ creds,
+ current_series.interval_gkid(0),
+ previous_gkid=current_series.interval_gkid(-1),
+ query_expiration_gkid=current_series.interval_gkid(1),
+ )
+
+ # Set the new password.
+ self.assertIsNotNone(
+ managed_pwd.passwords.current, "current password must be present"
+ )
+ creds.set_utf16_password(managed_pwd.passwords.current)
+
+ # Perform a gensec logon.
+ session = self.gensec_ntlmssp_logon(creds, samdb)
+
+ # Ensure that the first SID contained within the security token is the gMSA’s SID.
+ token = session.security_token
+ token_sids = token.sids
+ self.assertGreater(len(token_sids), 0)
+
+ # Ensure that they match.
+ self.assertEqual(security.dom_sid(creds.get_sid()), token_sids[0])
+
+ def test_gmsa_can_perform_gensec_ntlmssp_logon_when_next_key_is_expired(self):
+ password_interval = 42
+
+ samdb = self.get_local_samdb()
+ series = self.gmsa_series(password_interval)
+ self.set_db_time(samdb, series.start_of_interval(0))
+
+ creds = self.gmsa_account(
+ samdb=samdb, interval=password_interval, kerberos_enabled=False
+ )
+
+ expired_time = series.start_of_interval(2)
+ self.set_db_time(samdb, expired_time)
+
+ # Calculate the password with which to authenticate.
+ current_series = self.gmsa_series_for_account(samdb, creds, password_interval)
+ managed_pwd = self.expected_gmsa_password_blob(
+ samdb,
+ creds,
+ current_series.interval_gkid(0),
+ previous_gkid=current_series.interval_gkid(-1),
+ query_expiration_gkid=current_series.interval_gkid(1),
+ )
+
+ # Set the new password.
+ self.assertIsNotNone(
+ managed_pwd.passwords.current, "current password must be present"
+ )
+ creds.set_utf16_password(managed_pwd.passwords.current)
+
+ # Perform a gensec logon.
+ session = self.gensec_ntlmssp_logon(creds, samdb)
+
+ # Ensure that the first SID contained within the security token is the gMSA’s SID.
+ token = session.security_token
+ token_sids = token.sids
+ self.assertGreater(len(token_sids), 0)
+
+ # Ensure that they match.
+ self.assertEqual(security.dom_sid(creds.get_sid()), token_sids[0])
+
+ def test_gmsa_can_perform_gensec_ntlmssp_logon_during_clock_skew_window_when_current_key_is_valid(
+ self,
+ ):
+ password_interval = 43
+
+ samdb = self.get_local_samdb()
+ series = self.gmsa_series(password_interval)
+ self.set_db_time(samdb, series.start_of_interval(0))
+
+ creds = self.gmsa_account(
+ samdb=samdb, interval=password_interval, kerberos_enabled=False
+ )
+
+ self.set_db_time(samdb, series.during_skew_window(0))
+
+ # Calculate the password with which to authenticate.
+ current_series = self.gmsa_series_for_account(samdb, creds, password_interval)
+ managed_pwd = self.expected_gmsa_password_blob(
+ samdb,
+ creds,
+ current_series.interval_gkid(0),
+ previous_gkid=current_series.interval_gkid(-1),
+ query_expiration_gkid=current_series.interval_gkid(1),
+ )
+
+ # Set the new password.
+ self.assertIsNotNone(
+ managed_pwd.passwords.current, "current password must be present"
+ )
+ creds.set_utf16_password(managed_pwd.passwords.current)
+
+ # Perform a gensec logon.
+ session = self.gensec_ntlmssp_logon(creds, samdb)
+
+ # Ensure that the first SID contained within the security token is the gMSA’s SID.
+ token = session.security_token
+ token_sids = token.sids
+ self.assertGreater(len(token_sids), 0)
+
+ # Ensure that they match.
+ self.assertEqual(security.dom_sid(creds.get_sid()), token_sids[0])
+
+ def test_gmsa_can_perform_gensec_ntlmssp_logon_during_clock_skew_window_when_current_key_is_expired(
+ self,
+ ):
+ password_interval = 44
+
+ samdb = self.get_local_samdb()
+ series = self.gmsa_series(password_interval)
+ self.set_db_time(samdb, series.start_of_interval(0))
+
+ creds = self.gmsa_account(
+ samdb=samdb, interval=password_interval, kerberos_enabled=False
+ )
+
+ self.set_db_time(samdb, series.during_skew_window(1))
+
+ # Calculate the password with which to authenticate.
+ current_series = self.gmsa_series_for_account(samdb, creds, password_interval)
+ managed_pwd = self.expected_gmsa_password_blob(
+ samdb,
+ creds,
+ current_series.interval_gkid(0),
+ previous_gkid=current_series.interval_gkid(-1),
+ query_expiration_gkid=current_series.interval_gkid(1),
+ )
+
+ # Set the new password.
+ self.assertIsNotNone(
+ managed_pwd.passwords.current, "current password must be present"
+ )
+ creds.set_utf16_password(managed_pwd.passwords.current)
+
+ # Perform a gensec logon.
+ session = self.gensec_ntlmssp_logon(creds, samdb)
+
+ # Ensure that the first SID contained within the security token is the gMSA’s SID.
+ token = session.security_token
+ token_sids = token.sids
+ self.assertGreater(len(token_sids), 0)
+
+ # Ensure that they match.
+ self.assertEqual(security.dom_sid(creds.get_sid()), token_sids[0])
+
+ def test_gmsa_can_perform_gensec_ntlmssp_logon_during_clock_skew_window_when_next_key_is_expired(
+ self,
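Review bot: the five `test_gmsa_can_perform_gensec_ntlmssp_logon_*` methods visible here share an almost identical ~25-line body (set the DB time, derive `current_series`, build the password blob with `interval_gkid(0)`, `previous_gkid=interval_gkid(-1)`, `query_expiration_gkid=interval_gkid(1)`, set the password, log on, check the first token SID). Factoring that into a helper taking the `password_interval` and the time-selection callable (`series.start_of_interval`, `series.during_skew_window`) would cut the duplication and make the intent of each test, which is only the chosen time, stand out; the `Callable` import added at the top of the file suggests this may already be the plan in the truncated remainder. `series.during_skew_window()` is not defined in any visible hunk, so presumably it is the existing method partially shown at the top of the `GmsaSeries` hunk.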
--
Samba Shared Repository