The branch, master has been updated
       via  ec95b3042bf tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
       via  a562882b151 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
       via  419e4061ced tests/krb5: Cache obtained tickets
       via  6193f7433b1 tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
       via  59c1043be25 tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
       via  035a8f19855 tests/krb5: Allow get_tgt() to specify expected and unexpected flags
       via  4ecfa82e71b tests/krb5: Allow get_tgt() to specify different kdc-options
       via  2d69805b1e3 tests/krb5: Allow get_tgt() to get tickets from the RODC
       via  5d3a135c232 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
       via  7645dfa5bed tests/krb5: Set DN of created accounts to ldb.Dn type
       via  c226029655c tests/krb5: Don't manually create PAC request and options in fast_tests
       via  3504e99dc5b tests/krb5: Use PAC buffer type constants from krb5pac.idl
       via  a5e62d681d8 tests/krb5: Allow as_req() to specify different kdc-options
       via  6403a09d94a tests/krb5: Allow tgs_req() to send requests to the RODC
       via  1a3426da544 tests/krb5: Allow tgs_req() to specify different kdc-options
       via  1f0654b8fac tests/krb5: Allow tgs_req() to send additional padata
       via  2a4d53dc12a tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
       via  0061fa2c2a2 tests/krb5: Check correct flags element
       via  a281ae09bcf tests/krb5: Add helper method for modifying PACs
       via  b81f6f3d714 autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)
       via  21a77173590 python/join: Check for correct msDS-KrbTgtLink attribute
       via  cde38d36b98 python: Don't leak file handles
      from  9a24d8e491f lib:cmdline: fix a comment

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit ec95b3042bf2649c0600cafb12818c27242b5098
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 17:20:22 2021 +1200

    tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures

    Signatures created by an RODC have an RODCIdentifier appended to them
    identifying the RODC's krbtgt account.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184

commit a562882b15125902c5d89f094b8c9b1150f5d010
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 16:54:57 2021 +1200

    tests/krb5: Add methods for creating zeroed checksums and verifying checksums

    Creating a zeroed checksum is needed for signing a PAC.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 419e4061ced466ec7e5e23f815823b540ef4751c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 11:51:20 2021 +1200

    tests/krb5: Cache obtained tickets

    Now tickets obtained with get_tgt() and get_service_ticket() make use of
    a cache so they can be reused, unless the 'fresh' parameter is specified
    as true.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6193f7433b15579aa32b26a146287923c9d3844d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 11:51:05 2021 +1200

    tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds

    The encpart is already contained in ticket_creds, so it no longer needs
    to be returned as a separate value.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 59c1043be25b92db75ab5676601cb15426ef37a3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 13:24:46 2021 +1200

    tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 035a8f198555ad1eedf8e2e6c565fbbbe4fbe7ce
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 13:14:45 2021 +1200

    tests/krb5: Allow get_tgt() to specify expected and unexpected flags

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4ecfa82e71b0dd5b71aa97973033c5c72257a0c3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 13:14:06 2021 +1200

    tests/krb5: Allow get_tgt() to specify different kdc-options

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2d69805b1e3a8022f1418605e5f29ae0bbaa4a06
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 12:41:46 2021 +1200

    tests/krb5: Allow get_tgt() to get tickets from the RODC

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5d3a135c2326edc9ca8f56bea24d2f52320f4fd6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 12:38:38 2021 +1200

    tests/krb5: Allow get_service_ticket() to get tickets from the RODC

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7645dfa5bedee7ef3f7debbf0fa7600bd1c4bd79
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 12:19:28 2021 +1200

    tests/krb5: Set DN of created accounts to ldb.Dn type

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c226029655ca361560d93298a6729a021f2f6b75
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 12:13:51 2021 +1200

    tests/krb5: Don't manually create PAC request and options in fast_tests

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3504e99dc5bcc206ca2964012b7fdca541555416
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 12:06:51 2021 +1200

    tests/krb5: Use PAC buffer type constants from krb5pac.idl

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a5e62d681d81a422bac7bd89dc27ef2314d77457
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 11:52:46 2021 +1200

    tests/krb5: Allow as_req() to specify different kdc-options

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6403a09d94ab54f89d6e50601ae6b19ab7e6aae7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 11:25:01 2021 +1200

    tests/krb5: Allow tgs_req() to send requests to the RODC

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1a3426da54463c3e454c1b76c3df4e96882e6aa9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 11:18:12 2021 +1200

    tests/krb5: Allow tgs_req() to specify different kdc-options

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1f0654b8facf3b9b2288d2569a573ff3a5ca4a82
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 11:16:27 2021 +1200

    tests/krb5: Allow tgs_req() to send additional padata

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2a4d53dc12aa785f696e53ae3376f67375ce455f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 11:13:09 2021 +1200

    tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0061fa2c2a26d990ed2e47441bca8797fc9be356
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 16 11:22:28 2021 +1200

    tests/krb5: Check correct flags element

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a281ae09bcf35277c830c4112567c72233fd66b8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 15 20:56:28 2021 +1200

    tests/krb5: Add helper method for modifying PACs

    This method can remove or replace a PAC in an authorization-data
    container, while additionally returning the original PAC.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b81f6f3d71487085bb355392ce7f8eff2db5bb4d
Author: Andrew Bartlett <abart...@samba.org>
Date:   Fri Sep 17 16:43:00 2021 +1200

    autobuild: allow AUTOBUILD_FAIL_IMMEDIATELY=0 (say from a gitlab variable)

    This allows making a push to do a full test ignoring errors without
    needing "HACK!!!" commits on top.

    Use like this:

    git push -o ci.variable='AUTOBUILD_FAIL_IMMEDIATELY=0'

    RN: Samba CI runs can now continue past the first error if
    AUTOBUILD_FAIL_IMMEDIATELY=0 is set

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14841

    Signed-off-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Michael Adam <ob...@samba.org>
    Reviewed-by: Noel Power <npo...@samba.org>

commit 21a7717359082feaddfdf42788648c3d7574c28e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Sep 10 14:02:22 2021 +1200

    python/join: Check for correct msDS-KrbTgtLink attribute

    Previously, the wrong case was used when checking for this attribute,
    which meant krbtgt accounts were not being cleaned up.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Noel Power <npo...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cde38d36b98f1d40e7b58cd4c4b4bedfab76c390
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 15:42:28 2021 +1200

    python: Don't leak file handles
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Noel Power <npo...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: python/samba/__init__.py | 12 +- python/samba/join.py | 7 +- python/samba/ms_schema.py | 6 +- python/samba/schema.py | 9 +- python/samba/tests/krb5/fast_tests.py | 138 +--------------- python/samba/tests/krb5/kdc_base_test.py | 276 +++++++++++++++++++++++++------ python/samba/tests/krb5/kdc_tgs_tests.py | 3 +- python/samba/tests/krb5/raw_testcase.py | 115 +++++++++++-- script/autobuild.py | 9 +- source4/selftest/tests.py | 18 +- 10 files changed, 370 insertions(+), 223 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/__init__.py b/python/samba/__init__.py index 449e4826ffb..0e6a33322f8 100644 --- a/python/samba/__init__.py +++ b/python/samba/__init__.py @@ -217,7 +217,8 @@ class Ldb(_Ldb): :param ldif_path: Path to LDIF file. """ - self.add_ldif(open(ldif_path, 'r').read()) + with open(ldif_path, 'r') as ldif_file: + self.add_ldif(ldif_file.read()) def add_ldif(self, ldif, controls=None): """Add data based on a LDIF string. @@ -279,10 +280,11 @@ def read_and_sub_file(file_name, subst_vars): :param file_name: File to be read (typically from setup directory) param subst_vars: Optional variables to subsitute in the file. """ - data = open(file_name, 'r', encoding="utf-8").read() - if subst_vars is not None: - data = substitute_var(data, subst_vars) - check_all_substituted(data) + with open(file_name, 'r', encoding="utf-8") as data_file: + data = data_file.read() + if subst_vars is not None: + data = substitute_var(data, subst_vars) + check_all_substituted(data) return data diff --git a/python/samba/join.py b/python/samba/join.py index b557eac03eb..4399367c817 100644 --- a/python/samba/join.py +++ b/python/samba/join.py 
@@ -256,8 +256,9 @@ class DCJoinContext(object): ctx.del_noerror(res[0].dn, recursive=True) - if "msDS-Krbtgtlink" in res[0]: - ctx.new_krbtgt_dn = res[0]["msDS-Krbtgtlink"][0] + krbtgt_dn = res[0].get('msDS-KrbTgtLink', idx=0) + if krbtgt_dn is not None: + ctx.new_krbtgt_dn = krbtgt_dn ctx.del_noerror(ctx.new_krbtgt_dn) res = ctx.samdb.search(base=ctx.samdb.get_default_basedn(), @@ -336,7 +337,7 @@ class DCJoinContext(object): attrs=["msDS-krbTgtLink", "userAccountControl", "serverReferenceBL", "rIDSetReferences"]) if len(res) == 0: raise Exception("Could not find domain member account '%s' to promote to a DC, use 'samba-tool domain join' instead'" % ctx.samname) - if "msDS-krbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]: + if "msDS-KrbTgtLink" in res[0] or "serverReferenceBL" in res[0] or "rIDSetReferences" in res[0]: raise Exception("Account '%s' appears to be an active DC, use 'samba-tool domain join' if you must re-create this account" % ctx.samname) if (int(res[0]["userAccountControl"][0]) & (samba.dsdb.UF_WORKSTATION_TRUST_ACCOUNT | samba.dsdb.UF_SERVER_TRUST_ACCOUNT) == 0): diff --git a/python/samba/ms_schema.py b/python/samba/ms_schema.py index b9ca3c61b72..2250fb55e3b 100644 --- a/python/samba/ms_schema.py +++ b/python/samba/ms_schema.py @@ -294,9 +294,9 @@ def __parse_schema_file(filename, objectClass): out = [] from io import open - f = open(filename, "r", encoding='latin-1') - for entry in __read_raw_entries(f): - out.append(__write_ldif_one(__transform_entry(entry, objectClass))) + with open(filename, "r", encoding='latin-1') as f: + for entry in __read_raw_entries(f): + out.append(__write_ldif_one(__transform_entry(entry, objectClass))) return "\n\n".join(out) diff --git a/python/samba/schema.py b/python/samba/schema.py index 54fc9fc3125..a3adc162fa3 100644 --- a/python/samba/schema.py +++ b/python/samba/schema.py 
@@ -110,8 +110,13 @@ class Schema(object): setup_path('ad-schema/%s' % Schema.base_schemas[base_schema][0]), setup_path('ad-schema/%s' % Schema.base_schemas[base_schema][1])) + def read_file(file): + with open(file, 'rb') as data_file: + return data_file.read() + if files is not None: - self.schema_data = "".join(get_string(open(file, 'rb').read()) for file in files) + self.schema_data = "".join(get_string(read_file(file)) + for file in files) self.schema_data = substitute_var(self.schema_data, {"SCHEMADN": schemadn}) @@ -130,7 +135,7 @@ class Schema(object): if override_prefixmap is not None: self.prefixmap_data = override_prefixmap else: - self.prefixmap_data = open(setup_path("prefixMap.txt"), 'rb').read() + self.prefixmap_data = read_file(setup_path("prefixMap.txt")) if additional_prefixmap is not None: self.prefixmap_data += "".join("%s\n" % map for map in additional_prefixmap) diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index ae696e88c78..44853365d1e 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -67,11 +67,9 @@ class FAST_Tests(KDCBaseTest): super().setUpClass() cls.user_tgt = None - cls.user_enc_part = None cls.user_service_ticket = None cls.mach_tgt = None - cls.mach_enc_part = None cls.mach_service_ticket = None def setUp(self): 
@@ -1540,149 +1538,17 @@ class FAST_Tests(KDCBaseTest): self.assertTrue( security.KERB_ENCTYPE_CLAIMS_SUPPORTED & krbtgt_etypes) - def get_service_ticket(self, tgt, target_creds, service='host'): - etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - - key = tgt.session_key - ticket = tgt.ticket - - cname = tgt.cname - realm = tgt.crealm - - target_name = target_creds.get_username()[:-1] - sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, - names=[service, target_name]) - - rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype) - - service_ticket = rep['ticket'] - - ticket_etype = service_ticket['enc-part']['etype'] - target_key = self.TicketDecryptionKey_from_creds(target_creds, - etype=ticket_etype) - - session_key = self.EncryptionKey_import(enc_part['key']) - - service_ticket_creds = KerberosTicketCreds(service_ticket, - session_key, - crealm=realm, - cname=cname, - srealm=realm, - sname=sname, - decryption_key=target_key) - - return service_ticket_creds - - def get_tgt(self, creds): - user_name = creds.get_username() - realm = creds.get_realm() - - salt = creds.get_salt() - - etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) - cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, - names=[user_name]) - sname = self.PrincipalName_create(name_type=NT_SRV_INST, - names=['krbtgt', realm]) - - till = self.get_KerberosTime(offset=36000) - - krbtgt_creds = self.get_krbtgt_creds() - ticket_decryption_key = ( - self.TicketDecryptionKey_from_creds(krbtgt_creds)) - - kdc_options = str(krb5_asn1.KDCOptions('forwardable,' - 'renewable,' - 'canonicalize,' - 'renewable-ok')) - - pac_request = self.get_pa_pac_request() - pac_options = self.get_pa_pac_options('1') # supports claims - - padata = [pac_request, pac_options] - - rep, kdc_exchange_dict = self._test_as_exchange( - cname=cname, - realm=realm, - sname=sname, - till=till, - client_as_etypes=etype, - expected_error_mode=KDC_ERR_PREAUTH_REQUIRED, - expected_crealm=realm, - 
expected_cname=cname, - expected_srealm=realm, - expected_sname=sname, - expected_salt=salt, - etypes=etype, - padata=padata, - kdc_options=kdc_options, - preauth_key=None, - ticket_decryption_key=ticket_decryption_key) - self.check_pre_authentication(rep) - - etype_info2 = kdc_exchange_dict['preauth_etype_info2'] - - preauth_key = self.PasswordKey_from_etype_info2(creds, - etype_info2[0], - creds.get_kvno()) - - ts_enc_padata = self.get_enc_timestamp_pa_data(creds, rep) - - padata = [ts_enc_padata, pac_request, pac_options] - - expected_realm = realm.upper() - - expected_sname = self.PrincipalName_create( - name_type=NT_SRV_INST, names=['krbtgt', realm.upper()]) - - rep, kdc_exchange_dict = self._test_as_exchange( - cname=cname, - realm=realm, - sname=sname, - till=till, - client_as_etypes=etype, - expected_error_mode=0, - expected_crealm=expected_realm, - expected_cname=cname, - expected_srealm=expected_realm, - expected_sname=expected_sname, - expected_salt=salt, - etypes=etype, - padata=padata, - kdc_options=kdc_options, - preauth_key=preauth_key, - ticket_decryption_key=ticket_decryption_key) - self.check_as_reply(rep) - - tgt = rep['ticket'] - - enc_part = self.get_as_rep_enc_data(preauth_key, rep) - session_key = self.EncryptionKey_import(enc_part['key']) - - ticket_creds = KerberosTicketCreds( - tgt, - session_key, - crealm=realm, - cname=cname, - srealm=realm, - sname=sname, - decryption_key=ticket_decryption_key) - - return ticket_creds, enc_part - def get_mach_tgt(self): if self.mach_tgt is None: mach_creds = self.get_mach_creds() - type(self).mach_tgt, type(self).mach_enc_part = ( - self.get_tgt(mach_creds)) + type(self).mach_tgt = self.get_tgt(mach_creds) return self.mach_tgt def get_user_tgt(self): if self.user_tgt is None: user_creds = self.get_client_creds() - type(self).user_tgt, type(self).user_enc_part = ( - self.get_tgt(user_creds)) + type(self).user_tgt = self.get_tgt(user_creds) return self.user_tgt 
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 0e138352b06..59175c7bb2f 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -52,7 +52,11 @@ from samba.samdb import SamDB, dsdb_Dn from samba.tests import delete_force import samba.tests.krb5.kcrypto as kcrypto -from samba.tests.krb5.raw_testcase import KerberosCredentials, RawKerberosTest +from samba.tests.krb5.raw_testcase import ( + KerberosCredentials, + KerberosTicketCreds, + RawKerberosTest +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( AD_IF_RELEVANT, @@ -66,10 +70,10 @@ from samba.tests.krb5.rfc4120_constants import ( KU_AS_REP_ENC_PART, KU_ENC_CHALLENGE_CLIENT, KU_PA_ENC_TIMESTAMP, - KU_TGS_REP_ENC_PART_SUB_KEY, KU_TICKET, NT_PRINCIPAL, NT_SRV_HST, + NT_SRV_INST, PADATA_ENCRYPTED_CHALLENGE, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO2, @@ -106,6 +110,7 @@ class KDCBaseTest(RawKerberosTest): cls.accounts = set() cls.account_cache = {} + cls.tkt_cache = {} cls._rodc_ctx = None @@ -225,7 +230,7 @@ class KDCBaseTest(RawKerberosTest): return default_enctypes - def create_account(self, ldb, name, machine_account=False, + def create_account(self, samdb, name, machine_account=False, spn=None, upn=None, additional_details=None, ou=None, account_control=0): '''Create an account for testing. @@ -236,13 +241,13 @@ class KDCBaseTest(RawKerberosTest): guid = (DS_GUID_COMPUTERS_CONTAINER if machine_account else DS_GUID_USERS_CONTAINER) - ou = ldb.get_wellknown_dn(ldb.get_default_basedn(), guid) + ou = samdb.get_wellknown_dn(samdb.get_default_basedn(), guid) dn = "CN=%s,%s" % (name, ou) # remove the account if it exists, this will happen if a previous test # run failed - delete_force(ldb, dn) + delete_force(samdb, dn) if machine_account: object_class = "computer" account_name = "%s$" % name 
@@ -267,19 +272,19 @@ class KDCBaseTest(RawKerberosTest): details["userPrincipalName"] = upn if additional_details is not None: details.update(additional_details) - ldb.add(details) + samdb.add(details) creds = KerberosCredentials() creds.guess(self.get_lp()) - creds.set_realm(ldb.domain_dns_name().upper()) - creds.set_domain(ldb.domain_netbios_name().upper()) + creds.set_realm(samdb.domain_dns_name().upper()) + creds.set_domain(samdb.domain_netbios_name().upper()) creds.set_password(password) creds.set_username(account_name) if machine_account: creds.set_workstation(name) else: creds.set_workstation('') - creds.set_dn(dn) + creds.set_dn(ldb.Dn(samdb, dn)) # # Save the account name so it can be deleted in tearDownClass self.accounts.add(dn) @@ -910,12 +915,11 @@ class KDCBaseTest(RawKerberosTest): fallback_creds_fn=download_krbtgt_creds) return c - def as_req(self, cname, sname, realm, etypes, padata=None): + def as_req(self, cname, sname, realm, etypes, padata=None, kdc_options=0): '''Send a Kerberos AS_REQ, returns the undecoded response ''' till = self.get_KerberosTime(offset=36000) - kdc_options = 0 req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), 
@@ -1063,61 +1067,223 @@ class KDCBaseTest(RawKerberosTest): else: self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) - def tgs_req(self, cname, sname, realm, ticket, key, etypes): + def tgs_req(self, cname, sname, realm, ticket, key, etypes, + expected_error_mode=0, padata=None, kdc_options=0, + to_rodc=False): '''Send a TGS-REQ, returns the response and the decrypted and decoded enc-part ''' - kdc_options = "0" - till = self.get_KerberosTime(offset=36000) - padata = [] - subkey = self.RandomKey(key.etype) (ctime, cusec) = self.get_KerberosTimeWithUsec() - req = self.TGS_REQ_create(padata=padata, - cusec=cusec, - ctime=ctime, - ticket=ticket, - kdc_options=str(kdc_options), - cname=cname, - realm=realm, - sname=sname, - from_time=None, - till_time=till, - renew_time=None, - nonce=0x7ffffffe, - etypes=etypes, - addresses=None, - EncAuthorizationData=None, - EncAuthorizationData_key=None, - additional_tickets=None, - ticket_session_key=key, - authenticator_subkey=subkey) - rep = self.send_recv_transaction(req) - self.assertIsNotNone(rep) + tgt = KerberosTicketCreds(ticket, + key, + crealm=realm, + cname=cname) - msg_type = rep['msg-type'] - enc_part = None - if msg_type == KRB_TGS_REP: - enc_part = subkey.decrypt( - KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part = self.der_decode( - enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) - return (rep, enc_part) + if not expected_error_mode: + check_error_fn = None + check_rep_fn = self.generic_check_kdc_rep + else: + check_error_fn = self.generic_check_kdc_error + check_rep_fn = None + + def generate_padata(_kdc_exchange_dict, + _callback_dict, + req_body): + + return padata, req_body + + kdc_exchange_dict = self.tgs_exchange_dict( + expected_crealm=realm, + expected_cname=cname, + expected_srealm=realm, + expected_sname=sname, + expected_error_mode=expected_error_mode, + check_error_fn=check_error_fn, + check_rep_fn=check_rep_fn, + check_kdc_private_fn=self.generic_check_kdc_private, + 
generate_padata_fn=generate_padata if padata is not None else None, + tgt=tgt, + authenticator_subkey=subkey, + kdc_options=str(kdc_options), + to_rodc=to_rodc) + + rep = self._generic_kdc_exchange(kdc_exchange_dict, + cname=None, + realm=realm, + sname=sname, + etypes=etypes) + + if expected_error_mode: + enc_part = None + else: + ticket_creds = kdc_exchange_dict['rep_ticket_creds'] + enc_part = ticket_creds.encpart_private + + return rep, enc_part + + def get_service_ticket(self, tgt, target_creds, service='host', + to_rodc=False, fresh=False): + user_name = tgt.cname['name-string'][0] + target_name = target_creds.get_username() + cache_key = (user_name, target_name, service, to_rodc) + + if not fresh: + ticket = self.tkt_cache.get(cache_key) + + if ticket is not None: + return ticket + + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + key = tgt.session_key + ticket = tgt.ticket + + cname = tgt.cname + realm = tgt.crealm + + target_name = target_creds.get_username()[:-1] + sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[service, target_name]) + + rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype, + to_rodc=to_rodc) + + service_ticket = rep['ticket'] + + ticket_etype = service_ticket['enc-part']['etype'] + target_key = self.TicketDecryptionKey_from_creds(target_creds, + etype=ticket_etype) + + session_key = self.EncryptionKey_import(enc_part['key']) + + service_ticket_creds = KerberosTicketCreds(service_ticket, -- Samba Shared Repository
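Review bot: in the `read_and_sub_file` hunk of python/samba/__init__.py, `substitute_var()` and `check_all_substituted()` were moved under the `with open(...)` block, so the file handle stays open for the whole substitution step rather than just the read; keep only `data = data_file.read()` inside the `with` and leave the two following statements at their previous indentation, which also shrinks the diff to the two lines that actually change. While in that function, the context lines of its docstring still read `param subst_vars: Optional variables to subsitute in the file.` (missing leading colon, typo in "substitute") and could be fixed in the same hunk.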
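Review bot: in the second python/samba/join.py hunk, the membership test is corrected to `"msDS-KrbTgtLink" in res[0]`, but the `attrs=["msDS-krbTgtLink", ...]` context line just above it still requests the attribute in the old lower-case spelling; the fix only works because the server returns the attribute under its schema casing regardless of how it was requested, so align the casing in `attrs` as well rather than leave the next reader to reason that out. In the first hunk, `res[0].get('msDS-KrbTgtLink', idx=0)` yields the same raw element value the old `res[0]["msDS-Krbtgtlink"][0]` did, so `del_noerror()` is unaffected; a one-line comment that the lookup is case-sensitive (the reason the old check silently skipped krbtgt cleanup, per the commit message) would stop this regressing.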
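Review bot: in python/samba/ms_schema.py the context line `from io import open` inside `__parse_schema_file` is a Python 2 compatibility shim; the new `with open(filename, "r", encoding='latin-1') as f:` works with the builtin `open` on Python 3, so the import can be dropped in the same hunk rather than kept alive by a change that no longer needs it.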
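Review bot: in python/samba/schema.py, `read_file` is defined as a nested function inside the method, and the second hunk (`self.prefixmap_data = read_file(setup_path("prefixMap.txt"))`) only resolves because both hunks sit in the same method body; a module-level helper would make that dependency explicit and could also serve `ms_schema.py` and `__init__.py`, which perform the same open/read/close pattern elsewhere in this patch. The `'rb'` mode is kept from the old code, so `read_file()` returns bytes and the `get_string()` wrapper in the generator expression is still required for `schema_data`; that is worth a comment, since `prefixmap_data` is used as bytes directly.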
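Review bot: in python/samba/tests/krb5/fast_tests.py, `get_mach_tgt()` and `get_user_tgt()` still memoise on `type(self).mach_tgt` / `type(self).user_tgt`, although the `get_tgt()` they now delegate to caches in `cls.tkt_cache` (added to kdc_base_test.py in this series; the commit message says cached tickets are reused unless `fresh` is true). Two caches for the same ticket can disagree as soon as a test requests `fresh=True`, so consider dropping the class attributes and calling `self.get_tgt(creds)` directly.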
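Review bot: in the `create_account()` hunks of kdc_base_test.py, renaming the parameter from `ldb` to `samdb` is what lets `creds.set_dn(ldb.Dn(samdb, dn))` refer to the `ldb` module instead of the argument, but no `import ldb` appears in the visible import hunk (only `from samba.samdb import SamDB, dsdb_Dn` and the new `KerberosTicketCreds` import); confirm the module is imported at the top of the file, because a missing import would only surface as a NameError at the first `create_account()` call. `self.accounts.add(dn)` still stores the plain string while the credentials now carry an `ldb.Dn`; that is fine for `delete_force()` but deserves a comment so nobody "fixes" one side later.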
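Review bot: the `tgs_req()` docstring in kdc_base_test.py still says it "returns the response and the decrypted and decoded enc-part", but the refactored body now returns `enc_part = None` whenever `expected_error_mode` is non-zero, and `get_service_ticket()` indexes `enc_part['key']` unconditionally; document the `None` case and have callers that pass an error mode not dereference it. Two smaller points in the same hunk: `generate_padata_fn=generate_padata if padata is not None else None` means a caller passing `padata=[]` installs a generator that returns an empty list while the old code always sent `padata = []`, and `cname=None` is passed to `_generic_kdc_exchange()` with the client identity carried in `tgt`; both are intentional as far as I can tell, and a short comment on each would save the next reader the same check.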
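Review bot: in the new `get_service_ticket()` in kdc_base_test.py, the cache key `(user_name, target_name, service, to_rodc)` is derived from the first `name-string` component of `tgt.cname` and the target account only, not from the TGT actually passed in, so two callers holding different TGTs for the same principal (one obtained from the RODC via the new `to_rodc` option of `get_tgt()`, one from the main DC, or TGTs requested with different `kdc_options`) will receive the same cached service ticket unless they pass `fresh=True`; keying on the TGT itself (for example its encoded ticket) would avoid cross-talk between tests. `target_name` is also bound twice, first to `target_creds.get_username()` for the key and then to `get_username()[:-1]` for the sname; distinct names would make it clear which form is cached.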
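As an added illustration of the two commits on RODC PAC signatures and zeroed checksums at the top of this log, the Python below is example code written for this page, not code from the Samba tree or from Joseph Sutton's patches. It models the MS-PAC PAC_SIGNATURE_DATA layout (SignatureType, Signature, and the trailing RODCIdentifier that signatures made with an RODC krbtgt key carry), builds a minimal PACTYPE blob, and performs the two-step signing in which the server checksum is computed over the PAC with both Signature fields zeroed and the KDC checksum is then computed over the server signature bytes. The checksum is the rc4-hmac one from RFC 4757 with key usage 17 (KERB_NON_KERB_CKSUM_SALT). The keys, the logon-info bytes and the RODC identifier 0x1234 are constructed sample values, and the logon-info buffer is a placeholder rather than a real KERB_VALIDATION_INFO.

```python
# Added example (not Samba code): MS-PAC PAC_SIGNATURE_DATA with the optional
# RODCIdentifier, and PAC signing via zeroed checksums (RFC 4757 rc4-hmac).
import hashlib
import hmac
import struct

PAC_TYPE_LOGON_INFO, PAC_TYPE_SRV_CHECKSUM, PAC_TYPE_KDC_CHECKSUM = 1, 6, 7
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76  # MS-PAC signature type for rc4-hmac keys
SIG_LEN = 16                         # HMAC-MD5 signature length
KU_NON_KERB_CKSUM_SALT = 17          # key usage used for PAC signatures
SERVER_KEY = bytes(range(16))        # constructed sample service key
KDC_KEY = bytes(range(16, 32))       # constructed sample (RODC) krbtgt key


def rc4_hmac_checksum(key, usage, data):
    """RFC 4757 sect. 4: Ksign = HMAC-MD5(K, "signaturekey\\0");
    CHKSUM = HMAC-MD5(Ksign, MD5(usage_le32 || data))."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def encode_signature_data(sig_type, signature, rodc_id=None):
    """PAC_SIGNATURE_DATA: ULONG SignatureType, Signature bytes, then a USHORT
    RODCIdentifier present only when an RODC krbtgt key made the signature."""
    buf = struct.pack("<I", sig_type) + signature
    return buf + struct.pack("<H", rodc_id) if rodc_id is not None else buf


def decode_signature_data(buf, sig_len=SIG_LEN):
    """Return (SignatureType, Signature, RODCIdentifier or None)."""
    (sig_type,) = struct.unpack_from("<I", buf, 0)
    rest = buf[4 + sig_len:]
    rodc_id = struct.unpack("<H", rest)[0] if len(rest) == 2 else None
    return sig_type, bytes(buf[4:4 + sig_len]), rodc_id


def build_pac(buffers):
    """Minimal PACTYPE: cBuffers, Version=0, PAC_INFO_BUFFER[] of (ulType,
    cbBufferSize, Offset), then the buffers 8-byte aligned.
    Returns (blob, {ulType: (offset, size)})."""
    header_len = 8 + 16 * len(buffers)
    offset = (header_len + 7) & ~7
    infos, data, index = b"", b"", {}
    for buf_type, payload in buffers:
        infos += struct.pack("<IIQ", buf_type, len(payload), offset)
        index[buf_type] = (offset, len(payload))
        padded = payload + bytes(-len(payload) % 8)
        data += padded
        offset += len(padded)
    pad = bytes(((header_len + 7) & ~7) - header_len)
    return struct.pack("<II", len(buffers), 0) + infos + pad + data, index


def with_signatures(pac, index, srv_sig, kdc_sig):
    """Copy of the PAC with the two Signature fields replaced; SignatureType
    and RODCIdentifier stay in place. All-zero inputs give the 'zeroed
    checksum' form that the server signature is computed over."""
    out = bytearray(pac)
    for buf_type, sig in ((PAC_TYPE_SRV_CHECKSUM, srv_sig),
                          (PAC_TYPE_KDC_CHECKSUM, kdc_sig)):
        off = index[buf_type][0] + 4
        out[off:off + SIG_LEN] = sig
    return bytes(out)


def sign_pac(pac, index, server_key, kdc_key):
    """Server checksum over the zeroed PAC, then KDC checksum over the server
    signature bytes only (MS-PAC 2.8.2)."""
    zeroed = with_signatures(pac, index, bytes(SIG_LEN), bytes(SIG_LEN))
    srv_sig = rc4_hmac_checksum(server_key, KU_NON_KERB_CKSUM_SALT, zeroed)
    kdc_sig = rc4_hmac_checksum(kdc_key, KU_NON_KERB_CKSUM_SALT, srv_sig)
    return with_signatures(zeroed, index, srv_sig, kdc_sig)


def verify_pac(pac, index, server_key, kdc_key):
    """Recompute both checksums the way sign_pac() did; constant-time compare."""
    sigs = [decode_signature_data(pac[off:off + size])[1]
            for off, size in (index[PAC_TYPE_SRV_CHECKSUM],
                              index[PAC_TYPE_KDC_CHECKSUM])]
    zeroed = with_signatures(pac, index, bytes(SIG_LEN), bytes(SIG_LEN))
    srv_ok = hmac.compare_digest(
        sigs[0], rc4_hmac_checksum(server_key, KU_NON_KERB_CKSUM_SALT, zeroed))
    kdc_ok = hmac.compare_digest(
        sigs[1], rc4_hmac_checksum(kdc_key, KU_NON_KERB_CKSUM_SALT, sigs[0]))
    return srv_ok and kdc_ok


def demo(rodc_id=0x1234):
    """Sign a constructed PAC whose KDC checksum carries an RODCIdentifier,
    as a ticket issued by an RODC would. Returns (signed_pac, index)."""
    empty = bytes(SIG_LEN)
    pac, index = build_pac([
        (PAC_TYPE_LOGON_INFO, b"constructed logon-info placeholder"),
        (PAC_TYPE_SRV_CHECKSUM,
         encode_signature_data(KERB_CHECKSUM_HMAC_MD5, empty)),
        (PAC_TYPE_KDC_CHECKSUM,
         encode_signature_data(KERB_CHECKSUM_HMAC_MD5, empty, rodc_id)),
    ])
    return sign_pac(pac, index, SERVER_KEY, KDC_KEY), index
```

Because the RODCIdentifier sits outside the Signature field, it is part of the bytes the server checksum covers, so the same PAC signed for a different RODC yields a different server signature and a verifier that trusts the wrong krbtgt key (or ignores the identifier) fails the check; `verify_pac()` also refuses any edit to the logon-info buffer, which is the property a KDC test suite needs when it strips, replaces or re-signs a PAC with helpers like the ones these commits add.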