The branch, master has been updated
       via  b3ee034b4d4 s4:kdc: prefer newer enctypes for preauth responses
       via  bf71fa038e9 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
       via  ab221c1b3e2 tests/krb5: Use admin creds for SamDB rather than user creds
       via  fc857ea60e2 tests/krb5/as_canonicalization_tests.py: Refactor account creation
       via  3e621dcb696 tests/krb5: Deduplicate 'host' attribute initialisation
       via  381223117e0 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
       via  d4c38678e0c tests/krb5/as_req_tests.py: Check the client kvno
       via  d5e350a4a49 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
       via  0fd71ed3c37 tests/krb5/as_req_tests.py: Automatically obtain credentials
       via  fd45bea7a88 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
       via  ec5c2b040b6 tests/krb5/raw_testcase.py: Simplify conditionals
       via  e1601f2b56f tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
       via  22a90aea82b tests/krb5/raw_testcase.py: Cache obtained credentials
       via  6a77c2b9331 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
       via  948bbc9cecb tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
       via  1f2ddd3c97e tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
       via  7d4a0ed21be tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
       via  210e544016a tests/krb5/kdc_base_test.py: Create loadparm only when needed
       via  364f1ce8d82 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
       via  4f5566be483 tests/krb5/kdc_base_test.py: Create database connection only when needed
       via  5afae39da0a tests/krb5/raw_testcase.py: Add get_admin_creds()
       via  5412bffb9b4 tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
       via  d91665d3313 selftest: run new as_req_tests against fl2008r2dc and fl2003dc
       via  01d86954d21 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
       via  6e2f2adc8e8 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
       via  69ce2a6408f tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
       via  e3905035847 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
       via  ee2ac2b8cca tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
       via  b03fcfeb6c0 tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
       via  3abb3b41368 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
       via  34e079ce9a2 tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
       via  61e1b179812 tests/krb5/raw_testcase.py: add assertElement*()
       via  dff611976d6 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
       via  c3222870b92 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
       via  d4492a8aaaf tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
       via  fef08add9ec Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
       via  1f413b2b297 auth/credentials: allow credentials.Credentials to act as base class
      from  0e3ddc27ed6 vfs_default: use fsp_get_io_fd() for copy_file_range()
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit b3ee034b4d457607ef25a5b01da64e1eaf5906dd
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Apr 10 23:10:28 2020 +0200

    s4:kdc: prefer newer enctypes for preauth responses

    This matches Windows KDCs, which was demonstrated by the
    krb5.as_req_tests tests.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Thu Jul 1 18:37:14 UTC 2021 on sn-devel-184

commit bf71fa038e9b97f770e06e88226e885d67342d47
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jun 21 14:14:48 2021 +1200

    s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against

    This enables us to more easily switch to a different algorithm to find
    the strongest key in _kdc_find_etype().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ab221c1b3e24696aa0eed6aa970f310447657069
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 16 12:52:11 2021 +1200

    tests/krb5: Use admin creds for SamDB rather than user creds

    This makes the purpose of each set of credentials more consistent, and
    makes some tests more convenient to run standalone as they no longer
    require user credentials.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fc857ea60e2a66d20d4174cb121e0a6949f8a0c1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 16 11:49:05 2021 +1200

    tests/krb5/as_canonicalization_tests.py: Refactor account creation

    Making this test a subclass of KDCBaseTest allows us to make use of its
    methods for obtaining credentials and creating accounts, which helps to
    eliminate some duplicated code.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3e621dcb6966f75034bb948a2705358d43454202
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 16 11:01:50 2021 +1200

    tests/krb5: Deduplicate 'host' attribute initialisation

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 381223117e0bae4c348d538bffaa8227b18ef3d1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 13:25:34 2021 +1200

    tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value

    This is clearer than using the constant zero, which could be mistaken
    for a valid kvno value.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d4c38678e0cc782965edfe40a0423fafb7d5a5ff
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 13:24:22 2021 +1200

    tests/krb5/as_req_tests.py: Check the client kvno

    Ensure we have the correct kvno for the client, rather than an
    'unknown' value.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d5e350a4a490fecf570f1c248c9dde1466796166
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test

    Example commands:

    Windows 2012R2:

    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py

    Windows 2008R2:

    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

    Samba:

    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py

    SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0fd71ed3c37c8cf326f9f676b7fddda3d2d24072
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 16 14:51:22 2021 +1200

    tests/krb5/as_req_tests.py: Automatically obtain credentials

    The credentials for the client and krbtgt accounts are now fetched
    automatically rather than using environment variables, and the client
    account is now automatically created.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fd45bea7a88837cbe4f99adf3a6b3f69ce32f34c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 16:07:16 2021 +1200

    tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials

    Now if the client credentials are not supplied in the environment, we
    can fall back to creating a new user account. Similarly, if the krbtgt
    credentials are not supplied, we can fetch the credentials of the
    existing krbtgt account.

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ec5c2b040b63d06a17bcd7bd133c2d68d07df587
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 15:55:17 2021 +1200

    tests/krb5/raw_testcase.py: Simplify conditionals

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit e1601f2b56f09a944c5cfb119502fdcf49a03c99
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 17:12:39 2021 +1200

    tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function

    This allows us to use other methods of obtaining credentials if getting
    them from the environment fails.

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 22a90aea82ba6ef86bde835f2369daa6e23ed2fd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 17:10:44 2021 +1200

    tests/krb5/raw_testcase.py: Cache obtained credentials

    If credentials are used more than once, we can now use the credentials
    that we already obtained and so avoid fetching them again.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 6a77c2b93315503008627ce786388f281bd6bb87
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 16:55:02 2021 +1200

    tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds

    This allows us to require encryption keys in the case that a password
    would not be required, such as for the krbtgt account.

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 948bbc9cecbfc1b33a338891d26a4a706864b9c6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 15:59:11 2021 +1200

    tests/krb5/raw_testcase.py: Make env_get_var() a standalone method

    This allows it to be used elsewhere in the tests.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1f2ddd3c97e3ff243c8bd0c17299f27b761f5e7f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 13:15:10 2021 +1200

    tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS

    This requires admin credentials, and removes the need to pass these
    keys as environment variables.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 7d4a0ed21be49d13c2b815582f2d04f0c058bf3a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 15:12:38 2021 +1200

    tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types

    This is done based on the domain functional level, which corresponds to
    the logic Samba uses to decide whether or not to generate a
    Primary:Kerberos-Newer-Keys element for the supplementalCredentials
    attribute.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 210e544016a3a4de1cdb76ce28a2148811ff07eb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 16 11:40:41 2021 +1200

    tests/krb5/kdc_base_test.py: Create loadparm only when needed

    Now the .conf file is only loaded on its first use, which means that
    SMB_CONF_PATH need not be defined for tests that don't make use of it.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 364f1ce8d8221cb8926635fc864db782cee61cf9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 16 11:31:26 2021 +1200

    tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute

    Credentials for tests are now obtained using the get_user_creds()
    method.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 4f5566be4839838e0e3e501a030bcf6e85ff5159
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 16 11:04:00 2021 +1200

    tests/krb5/kdc_base_test.py: Create database connection only when needed

    Now the database connection is only created on its first use, which
    means database credentials are no longer required for tests that don't
    make use of it.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5afae39da0ab408bb36dde3a7801634bd9cc24f6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 13:14:33 2021 +1200

    tests/krb5/raw_testcase.py: Add get_admin_creds()

    This method allows obtaining credentials that can be used for
    administrative tasks such as creating accounts.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 5412bffb9b4fc13023e650bbc9436a79b60b6fa2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 15 15:38:28 2021 +1200

    tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called

    This allows accounts created for permutation tests to be reused, rather
    than having to be recreated for every test.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit d91665d33130aed11fa82d8d2796ab1627e04dc4
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    selftest: run new as_req_tests against fl2008r2dc and fl2003dc

    There are a lot of things we should improve in our KDC in order to
    work like a Windows KDC.
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol

    Example commands:

    Windows 2012R2:

    SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

    SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

    Windows 2008R2:

    SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

    SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

    Samba 4.14:

    SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

    SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6e2f2adc8e825634780077e24a9e437bdc68155a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 21 11:07:45 2020 +0200

    tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure

    This will allow us to write tests, which will all cross-check almost
    every aspect of the KDC response (including encrypted parts).

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 69ce2a6408f78d41eb865b89726021ad7643b065
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 16 17:13:35 2020 +0200

    tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()

    This will allow building test_as_req_enc_timestamp().

    It also introduces ways to specify keys in hex-formatted environment
    variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e3905035847a5268c1a65366830cc739280ae437
Author: Stefan Metzmacher <me...@samba.org>
Date:   Mon Apr 20 20:02:52 2020 +0200

    tests/krb5/raw_testcase.py: add methods to iterate over etype permutations

    It's often useful to run tests over a lot of input parameter
    permutations.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 16 10:43:54 2020 +0200

    tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()

    This allows building the pre-authentication data that encodes the
    request for the KDC (or more likely a request not to include) the
    KRB5 PAC in the resulting ticket.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Tue Apr 21 14:45:01 2020 +0200

    tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()

    This allows us to reuse the body in future and calculate checksums
    on it.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3abb3b41368666535a216a98c3e7d15a5d498f7e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 15 17:57:37 2020 +0200

    tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values

    By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
    we allow the BitString_NamedValues_prettyPrint() routine to show more
    named values.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 34e079ce9a232a765fb3a2b25441434df35df54c
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 15 17:50:00 2020 +0200

    tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values

    By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
    we allow the BitString_NamedValues_prettyPrint() routine to show more
    named values.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 61e1b179812e48797146584998afc5bd0168beae
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 15 13:49:52 2020 +0200

    tests/krb5/raw_testcase.py: add assertElement*()

    These helper functions make writing subsequent Kerberos tests clearer.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dff611976d6a067614e37add99edae214815a68b
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 9 22:28:32 2020 +0200

    tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future

    We should write tests as strict as possible in order to let them run
    against Windows servers. But at the same time we want to allow tests
    to be useful for Samba too...

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c3222870b92db7f867557c2896b7bf39915d469a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 9 10:55:28 2020 +0200

    tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()

    These helpful functions allow us to build the various credentials that
    we will use in validating the KDC responses in this test.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 9 11:10:11 2020 +0200

    tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing

    Update and re-generate the ASN.1 to allow an improved testsuite.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fef08add9ec324fb0c3902e96c2a91c07646d499
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Apr 15 16:50:55 2020 +0200

    Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}

    This is a clearer name for the script.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1f413b2b2977687884781ca2399dadf6611ab461
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Apr 9 21:04:44 2020 +0200

    auth/credentials: allow credentials.Credentials to act as base class

    In tests it's useful to add more details.
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: auth/credentials/pycredentials.c | 2 +- .../samba/tests/krb5/as_canonicalization_tests.py | 136 +-- python/samba/tests/krb5/as_req_tests.py | 207 ++++ python/samba/tests/krb5/kdc_base_test.py | 329 +++++- python/samba/tests/krb5/kdc_tgs_tests.py | 17 +- .../krb5/ms_kile_client_principal_lookup_tests.py | 88 +- .../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0 python/samba/tests/krb5/raw_testcase.py | 1181 ++++++++++++++++++-- python/samba/tests/krb5/rfc4120.asn1 | 70 +- python/samba/tests/krb5/rfc4120_constants.py | 11 + python/samba/tests/krb5/rfc4120_pyasn1.py | 134 ++- python/samba/tests/krb5/simple_tests.py | 6 +- python/samba/tests/krb5/test_ccache.py | 19 +- python/samba/tests/krb5/test_ldap.py | 14 +- python/samba/tests/krb5/test_rpc.py | 8 +- python/samba/tests/krb5/test_smb.py | 14 +- python/samba/tests/usage.py | 1 + selftest/knownfail | 6 +- selftest/knownfail_mit_kdc | 358 +++++- selftest/target/Samba4.pm | 2 +- source4/kdc/kdc-heimdal.c | 2 +- source4/selftest/tests.py | 49 +- source4/torture/krb5/kdc-heimdal.c | 104 +- 23 files changed, 2414 insertions(+), 344 deletions(-) create mode 100755 python/samba/tests/krb5/as_req_tests.py rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%) Changeset truncated at 500 lines: diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 798cdb41a00..08b78e9dfce 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -1437,7 +1437,7 @@ static struct PyModuleDef moduledef = { PyTypeObject PyCredentials = { .tp_name = "credentials.Credentials", .tp_new = py_creds_new, - .tp_flags = Py_TPFLAGS_DEFAULT, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, .tp_methods = py_creds_methods, }; 
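Review bot: in the auth/credentials/pycredentials.c hunk, adding Py_TPFLAGS_BASETYPE is only half of what makes credentials.Credentials usable as a base class; the hunk keeps `.tp_new = py_creds_new`, and that constructor has to allocate through the `type` argument it receives (the subtype), not a hard-coded &PyCredentials, or `class MyCreds(credentials.Credentials)` will hand back plain base-class objects and any attributes or overrides the test subclass adds (the stated purpose, "add more details") will not take effect. py_creds_new is outside this hunk, so please confirm it honours `type`, and it would help to say in the commit message that Python subclasses are now supported and what they may safely override.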
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 43f532dc483..abb3f96a1e6 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -25,20 +25,11 @@ import pyasn1 sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" -from samba.tests.krb5.raw_testcase import RawKerberosTest +from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 -import samba -from samba.auth import system_session -from samba.credentials import ( - Credentials, - DONT_USE_KERBEROS) +from samba.credentials import DONT_USE_KERBEROS from samba.dcerpc.misc import SEC_CHAN_WKSTA -from samba.dsdb import ( - UF_WORKSTATION_TRUST_ACCOUNT, - UF_PASSWD_NOTREQD, - UF_NORMAL_ACCOUNT) -from samba.samdb import SamDB -from samba.tests import delete_force, DynamicTestCase +from samba.tests import DynamicTestCase from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96, @@ -96,12 +87,12 @@ class TestData: else: client_name_type = NT_PRINCIPAL - self.cname = RawKerberosTest.PrincipalName_create( + self.cname = KDCBaseTest.PrincipalName_create( name_type=client_name_type, names=[self.user_name]) if TestOptions.AsReqSelf.is_set(options): self.sname = self.cname else: - self.sname = RawKerberosTest.PrincipalName_create( + self.sname = KDCBaseTest.PrincipalName_create( name_type=NT_SRV_INST, names=["krbtgt", self.realm]) self.canonicalize = TestOptions.Canonicalize.is_set(options) @@ -141,7 +132,7 @@ USER_NAME = "tstkrb5cnnusr" @DynamicTestCase -class KerberosASCanonicalizationTests(RawKerberosTest): +class KerberosASCanonicalizationTests(KDCBaseTest): @classmethod def setUpDynamicTestCases(cls): 
@@ -170,114 +161,37 @@ class KerberosASCanonicalizationTests(RawKerberosTest): name = build_test_name(ct, x) cls.generate_dynamic_test("test", name, x, ct) - @classmethod - def setUpClass(cls): - cls.lp = cls.get_loadparm(cls) - cls.username = os.environ["USERNAME"] - cls.password = os.environ["PASSWORD"] - cls.host = os.environ["SERVER"] - - c = Credentials() - c.set_username(cls.username) - c.set_password(cls.password) - try: - realm = os.environ["REALM"] - c.set_realm(realm) - except KeyError: - pass - try: - domain = os.environ["DOMAIN"] - c.set_domain(domain) - except KeyError: - pass + def user_account_creds(self): + if self.user_creds is None: + samdb = self.get_samdb() + self.user_creds, _ = self.create_account(samdb, USER_NAME) - c.guess() + return self.user_creds - cls.credentials = c + def machine_account_creds(self): + if self.machine_creds is None: + samdb = self.get_samdb() + self.machine_creds, _ = self.create_account(samdb, + MACHINE_NAME, + machine_account=True) + self.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) + self.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) - cls.session = system_session() - cls.ldb = SamDB(url="ldap://%s" % cls.host, - session_info=cls.session, - credentials=cls.credentials, - lp=cls.lp) - cls.create_machine_account() - cls.create_user_account() - - @classmethod - def tearDownClass(cls): - super(KerberosASCanonicalizationTests, cls).tearDownClass() - delete_force(cls.ldb, cls.machine_dn) - delete_force(cls.ldb, cls.user_dn) + return self.machine_creds def setUp(self): - super(KerberosASCanonicalizationTests, self).setUp() + super().setUp() self.do_asn1_print = global_asn1_print self.do_hexdump = global_hexdump - # - # Create a test user account - @classmethod - def create_user_account(cls): - cls.user_pass = samba.generate_random_password(32, 32) - cls.user_name = USER_NAME - cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn()) - - # remove the account if it exists, this will happen if a previous 
test - # run failed - delete_force(cls.ldb, cls.user_dn) - - utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le') - cls.ldb.add({ - "dn": cls.user_dn, - "objectclass": "user", - "sAMAccountName": "%s" % cls.user_name, - "userAccountControl": str(UF_NORMAL_ACCOUNT), - "unicodePwd": utf16pw}) - - cls.user_creds = Credentials() - cls.user_creds.guess(cls.lp) - cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper()) - cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper()) - cls.user_creds.set_password(cls.user_pass) - cls.user_creds.set_username(cls.user_name) - cls.user_creds.set_workstation(cls.machine_name) - - # - # Create the machine account - @classmethod - def create_machine_account(cls): - cls.machine_pass = samba.generate_random_password(32, 32) - cls.machine_name = MACHINE_NAME - cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn()) - - # remove the account if it exists, this will happen if a previous test - # run failed - delete_force(cls.ldb, cls.machine_dn) - - utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le') - cls.ldb.add({ - "dn": cls.machine_dn, - "objectclass": "computer", - "sAMAccountName": "%s$" % cls.machine_name, - "userAccountControl": - str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), - "unicodePwd": utf16pw}) - - cls.machine_creds = Credentials() - cls.machine_creds.guess(cls.lp) - cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper()) - cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper()) - cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) - cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) - cls.machine_creds.set_password(cls.machine_pass) - cls.machine_creds.set_username(cls.machine_name + "$") - cls.machine_creds.set_workstation(cls.machine_name) + self.user_creds = None + self.machine_creds = None def _test_with_args(self, x, ct): if ct == CredentialsType.User: - creds = self.user_creds + creds = self.user_account_creds() elif ct == CredentialsType.Machine: 
- creds = self.machine_creds + creds = self.machine_account_creds() else: raise Exception("Unexpected credential type") data = TestData(x, creds) diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py new file mode 100755 index 00000000000..10e7b603609 --- /dev/null +++ b/python/samba/tests/krb5/as_req_tests.py 
@@ -0,0 +1,207 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests import DynamicTestCase +from samba.tests.krb5.kdc_base_test import KDCBaseTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_PREAUTH_REQUIRED, + KU_PA_ENC_TIMESTAMP, + NT_PRINCIPAL, + NT_SRV_INST, + PADATA_ENC_TIMESTAMP +) + +global_asn1_print = False +global_hexdump = False + +@DynamicTestCase +class AsReqKerberosTests(KDCBaseTest): + + @classmethod + def setUpDynamicTestCases(cls): + for (name, idx) in cls.etype_test_permutation_name_idx(): + for pac in [None, True, False]: + tname = "%s_pac_%s" % (name, pac) + targs = (idx, pac) + cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) + return + + def setUp(self): + super(AsReqKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def _test_as_req_nopreauth(self, + initial_etypes, + initial_padata=None, + initial_kdc_options=None): + client_creds = self.get_client_creds() + client_account = client_creds.get_username() + client_as_etypes = client_creds.get_as_krb5_etypes() + krbtgt_creds = 
self.get_krbtgt_creds(require_keys=False) + krbtgt_account = krbtgt_creds.get_username() + realm = krbtgt_creds.get_realm() + + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_account]) + sname = self.PrincipalName_create(name_type=NT_SRV_INST, + names=[krbtgt_account, realm]) + + expected_error_mode = KDC_ERR_PREAUTH_REQUIRED + expected_crealm = realm + expected_cname = cname + expected_srealm = realm + expected_sname = sname + expected_salt = client_creds.get_forced_salt() + + def _generate_padata_copy(_kdc_exchange_dict, + _callback_dict, + req_body): + return initial_padata, req_body + + kdc_exchange_dict = self.as_exchange_dict( + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + generate_padata_fn=_generate_padata_copy, + check_error_fn=self.generic_check_as_error, + check_rep_fn=self.generic_check_kdc_rep, + expected_error_mode=expected_error_mode, + client_as_etypes=client_as_etypes, + expected_salt=expected_salt) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + kdc_options=str(initial_kdc_options), + cname=cname, + realm=realm, + sname=sname, + etypes=initial_etypes) + + return kdc_exchange_dict['preauth_etype_info2'] + + def _test_as_req_no_preauth_with_args(self, etype_idx, pac): + name, etypes = self.etype_test_permutation_by_idx(etype_idx) + if pac is None: + padata = None + else: + pa_pac = self.KERB_PA_PAC_REQUEST_create(pac) + padata = [pa_pac] + return self._test_as_req_nopreauth( + initial_padata=padata, + initial_etypes=etypes, + initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) + + def test_as_req_enc_timestamp(self): + client_creds = self.get_client_creds() + client_account = client_creds.get_username() + client_as_etypes = client_creds.get_as_krb5_etypes() + client_kvno = client_creds.get_kvno() + krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True) + krbtgt_account = krbtgt_creds.get_username() + realm = 
krbtgt_creds.get_realm() + + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_account]) + sname = self.PrincipalName_create(name_type=NT_SRV_INST, + names=[krbtgt_account, realm]) + + expected_crealm = realm + expected_cname = cname + expected_srealm = realm + expected_sname = sname + expected_salt = client_creds.get_forced_salt() + + till = self.get_KerberosTime(offset=36000) + + pa_pac = self.KERB_PA_PAC_REQUEST_create(True) + initial_padata = [pa_pac] + initial_etypes = client_as_etypes + initial_kdc_options = krb5_asn1.KDCOptions('forwardable') + initial_error_mode = KDC_ERR_PREAUTH_REQUIRED + + etype_info2 = self._test_as_exchange(cname, + realm, + sname, + till, + client_as_etypes, + initial_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + initial_etypes, + initial_padata, + initial_kdc_options) + self.assertIsNotNone(etype_info2) + + preauth_key = self.PasswordKey_from_etype_info2(client_creds, + etype_info2[0], + kvno=client_kvno) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = KU_PA_ENC_TIMESTAMP + pa_ts = self.EncryptedData_create(preauth_key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) + + preauth_padata = [pa_ts, pa_pac] + preauth_etypes = client_as_etypes + preauth_kdc_options = krb5_asn1.KDCOptions('forwardable') + preauth_error_mode = 0 # AS-REP + + krbtgt_decryption_key = ( + self.TicketDecryptionKey_from_creds(krbtgt_creds)) + + as_rep = self._test_as_exchange(cname, + realm, + sname, + till, + client_as_etypes, + preauth_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + preauth_etypes, + preauth_padata, + preauth_kdc_options, + preauth_key=preauth_key, + 
ticket_decryption_key=krbtgt_decryption_key) + self.assertIsNotNone(as_rep) + return + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() + diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index e345f739e1c..0f5238a3de9 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -20,6 +20,8 @@ import sys import os from datetime import datetime, timezone import tempfile +import binascii +import struct sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" @@ -29,13 +31,21 @@ from ldb import SCOPE_BASE from samba import generate_random_password from samba.auth import system_session from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS -from samba.dcerpc import krb5pac, krb5ccache -from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT +from samba.dcerpc import drsblobs, drsuapi, misc, krb5pac, krb5ccache, security +from samba.drs_utils import drsuapi_connect +from samba.dsdb import ( + DS_DOMAIN_FUNCTION_2000, + DS_DOMAIN_FUNCTION_2008, + UF_WORKSTATION_TRUST_ACCOUNT, + UF_NORMAL_ACCOUNT +) from samba.ndr import ndr_pack, ndr_unpack +from samba import net from samba.samdb import SamDB from samba.tests import delete_force -from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.kcrypto as kcrypto +from samba.tests.krb5.raw_testcase import KerberosCredentials, RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( AD_IF_RELEVANT, 
@@ -66,60 +76,88 @@ class KDCBaseTest(RawKerberosTest): @classmethod def setUpClass(cls): - cls.lp = cls.get_loadparm(cls) - cls.username = os.environ["USERNAME"] - cls.password = os.environ["PASSWORD"] - cls.host = os.environ["SERVER"] - - c = Credentials() - c.set_username(cls.username) - c.set_password(cls.password) - try: - realm = os.environ["REALM"] - c.set_realm(realm) - except KeyError: - pass - try: - domain = os.environ["DOMAIN"] - c.set_domain(domain) - except KeyError: - pass + super().setUpClass() + cls._lp = None - c.guess() + cls._ldb = None - cls.credentials = c + cls._functional_level = None - cls.session = system_session() - cls.ldb = SamDB(url="ldap://%s" % cls.host, - session_info=cls.session, - credentials=cls.credentials, - lp=cls.lp) - # fetch the dnsHostName from the RootDse - res = cls.ldb.search( - base="", expression="", scope=SCOPE_BASE, attrs=["dnsHostName"]) - cls.dns_host_name = str(res[0]['dnsHostName']) + # A set containing DNs of accounts created as part of testing. + cls.accounts = set() + + @classmethod + def tearDownClass(cls): + # Clean up any accounts created by create_account. This is + # done in tearDownClass() rather than tearDown(), so that + # accounts need only be created once for permutation tests. + if cls._ldb is not None: + for dn in cls.accounts: -- Samba Shared Repository
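Review bot: In the `_test_with_args` hunk, the class-level setup that is removed configured behaviour the new helpers must carry over, and nothing in the hunk lets a reviewer confirm it: `set_secure_channel_type(SEC_CHAN_WKSTA)` and `set_kerberos_state(DONT_USE_KERBEROS)` on the machine credentials, and `set_workstation(cls.machine_name)` on both credential objects, are dropped, while `_test_with_args` now calls `self.user_account_creds()` and `self.machine_account_creds()`, which are defined elsewhere. Please confirm those helpers still set the secure channel type and kerberos state, since a machine account without them authenticates differently from what these tests were exercising. Minor: `self.user_creds = None` and `self.machine_creds = None` are assigned but no longer read anywhere in the hunk; if nothing else uses them, drop the dead attributes.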
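Review bot: In the new `as_req_tests.py`, `_test_as_req_nopreauth` passes its default `initial_kdc_options=None` straight through as `kdc_options=str(initial_kdc_options)`, which produces the string `'None'` rather than an empty option set; the only caller in this file always supplies `krb5_asn1.KDCOptions('forwardable')`, so either remove the default or handle `None` before calling `str()`. In the same method `rep = self._generic_kdc_exchange(...)` is assigned and never used (the method returns `kdc_exchange_dict['preauth_etype_info2']`). In `test_as_req_enc_timestamp` the preauth key is derived from `etype_info2[0]` without asserting that this entry's etype is one of `client_as_etypes`; an explicit assertion there would make a KDC that lists an unsupported etype first fail with a clear message instead of a key-derivation error. Style: the trailing bare `return` in `setUpDynamicTestCases` and `test_as_req_enc_timestamp` can go, and `preauth_error_mode = 0  # AS-REP` would read better as a named constant alongside `KDC_ERR_PREAUTH_REQUIRED`.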
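Review bot: In the `@@ -20,6 +20,8 @@` hunk of `kdc_base_test.py`, `binascii` and `struct` are added but nothing in the visible part of the patch uses them; if they are needed by the key-handling code further down, fine, otherwise they are unused imports that the linter will flag.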
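Review bot: In the `@@ -29,13 +31,21 @@` hunk, importing `drsuapi`, `drsblobs` and `drsuapi_connect` into the test base means account keys will be fetched over DRS replication, which only works for credentials that hold the replication (DS-Replication-Get-Changes and -All) rights on the domain; please document that requirement in the class docstring or in the method that uses these imports, because running the suite with plain user credentials will now fail in a non-obvious place. Style: a trailing comma after `UF_NORMAL_ACCOUNT` in the parenthesised `from samba.dsdb import (...)` list keeps future additions to one-line diffs.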
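Review bot: In the `@@ -66,60 +76,88 @@` hunk, `cls.credentials`, `cls.session`, `cls.ldb` and `cls.dns_host_name` disappear as class attributes, and their replacements (`cls._lp`, `cls._ldb`, `cls._functional_level`, all initialised to `None`) are private by convention, so any subclass or sibling test that still reads the old names will break; a short note in the class docstring naming the accessor methods that replace them would help reviewers of dependent tests. The `super().setUpClass()` call is new and is the right fix for the base class previously being skipped. The `tearDownClass` comment refers to `create_account`, which is not in this hunk; please make sure that helper is the only place that adds to `cls.accounts`, since the guard `if cls._ldb is not None` assumes no account can exist without the connection having been created.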