The branch, master has been updated
       via  38c5bad4a85 kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs
       via  9bd26804852 heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket
       via  ee4aa21c487 selftest: Properly check extra PAC buffers with Heimdal
       via  1f4f3018c50 heimdal:kdc: Always generate a PAC for S4U2Self
       via  192d6edfe91 tests/krb5: Add a test for S4U2Self with no authorization data required
       via  4b60e951649 kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets
       via  90025b6a4d2 kdc: Don't include extra PAC buffers in service tickets
       via  e61983c7f2c Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"
       via  73a48063469 tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
       via  690a00a40c0 kdc: Always add the PAC if the header TGT is from an RODC
       via  b6a25f5f016 kdc: Match Windows error code for mismatching sname
       via  bac5f750594 tests/krb5: Add test for S4U2Self with wrong sname
       via  d5d22bf84a7 kdc: Adjust SID mismatch error code to match Windows
       via  f7a2fef8f49 heimdal:kdc: Adjust no-PAC error code to match Windows
       via  9cfb88ba048 s4:torture: Fix typo
       via  11fb9476ad3 heimdal:kdc: Fix error message for user-to-user
       via  749349efab9 tests/krb5: Add comments for tests that fail against Windows
       via  ca80c47406e tests/krb5: Add tests for validation with requester SID PAC buffer
       via  ebc9137cee9 tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
       via  ec823c2a83c tests/krb5: Add TGS-REQ tests with FAST
       via  778029c1dc4 tests/krb5: Add tests for TGS requests with a non-TGT
       via  7574ba9f580 tests/krb5: Add tests for invalid TGTs
       via  28d501875a9 tests/krb5: Remove unnecessary expect_pac arguments
       via  d95705172bc tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
       via  e930274aa43 tests/krb5: Split out methods to create renewable or invalid tickets
       via  a560c2e9ad8 tests/krb5: Allow PasswordKey_create() to use s2kparams
       via  167bd207048 tests/krb5: Run test_rpc against member server
       via  f0b222e3ecf tests/krb5: Deduplicate AS-REQ tests
       via  57b1b76154d tests/krb5: Remove unused variable
       via  ad4d6fb01fd selftest: Check received LDB error code when STRICT_CHECKING=0
      from  cbf312f02bc s3:winbind: Fix possible NULL pointer dereference
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 38c5bad4a853b19fe9a51fb059e150b153c4632a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:41:54 2021 +1300

    kdc: Require that PAC_REQUESTER_SID buffer is present for TGTs

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Nov 30 03:33:26 UTC 2021 on sn-devel-184

commit 9bd26804852d957f81cb311e5142f9190f9afa65
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 19:38:35 2021 +1300

    heimdal:kdc: Do not generate extra PAC buffers for S4U2Self service ticket

    Normally samba_wdc_get_pac() is used to generate the PAC for a TGT, but
    when generating a service ticket for S4U2Self, we want to avoid adding
    the additional PAC_ATTRIBUTES_INFO and PAC_REQUESTER_SID buffers.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ee4aa21c487fa80082a548b2e4f115a791e30340
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 09:29:42 2021 +1300

    selftest: Properly check extra PAC buffers with Heimdal

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1f4f3018c5001b289b91959a72d00575c8fc0ac1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 17:30:50 2021 +1300

    heimdal:kdc: Always generate a PAC for S4U2Self

    If we decided not to put a PAC into the ticket, mspac would be NULL
    here, and the resulting ticket would not contain a PAC. This could
    happen if there was a request to omit the PAC or the service did not
    require authorization data. Ensure that we always generate a PAC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 192d6edfe912105ec344dc554f872a24c03540a3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 12:46:40 2021 +1300

    tests/krb5: Add a test for S4U2Self with no authorization data required

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4b60e9516497c2e7f1545fe50887d0336b9893f2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 10:53:49 2021 +1300

    kdc: Remove PAC_TYPE_ATTRIBUTES_INFO from RODC-issued tickets

    Windows ignores PAC_TYPE_ATTRIBUTES_INFO and always issues a PAC when
    presented with an RODC-issued TGT. By removing this PAC buffer from
    RODC-issued tickets, we ensure that an RODC-issued ticket will still
    result in a PAC if it is first renewed or validated by the main DC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 90025b6a4d250a15c0f988a9a9150ecfb63069ef
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:42:22 2021 +1300

    kdc: Don't include extra PAC buffers in service tickets

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e61983c7f2c4daade83b237efb990d0c0645b3a3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 13:24:57 2021 +1300

    Revert "CVE-2020-25719 s4/torture: Expect additional PAC buffers"

    This reverts commit fa4c9bcefdeed0a7106aab84df20b02435febc1f.

    We should not be generating these additional PAC buffers for service
    tickets, only for TGTs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 73a48063469205099f02efdf3b8f0f1040dc7a3d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 10:32:44 2021 +1300

    tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 690a00a40c0a3f77da6e4dca42b630f2793a98b8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 20:15:41 2021 +1300

    kdc: Always add the PAC if the header TGT is from an RODC

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b6a25f5f016aef39c3b1d7be8b3ecfe021c03c83
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 23 20:00:07 2021 +1300

    kdc: Match Windows error code for mismatching sname

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit bac5f75059450898937be891e863826e1350b62c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 10:05:17 2021 +1300

    tests/krb5: Add test for S4U2Self with wrong sname

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d5d22bf84a71492342287e54b555c9f024e7e71c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:41:45 2021 +1300

    kdc: Adjust SID mismatch error code to match Windows

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f7a2fef8f49a86f63c3dc2f6a2d7d979fb53238a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 20:41:34 2021 +1300

    heimdal:kdc: Adjust no-PAC error code to match Windows

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9cfb88ba04818b5e9cec3c96422e8e4a3080d490
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 18 16:22:34 2021 +1300

    s4:torture: Fix typo

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 11fb9476ad3c09415d12b3cdf7934c293cbefcb2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 18 13:14:51 2021 +1300

    heimdal:kdc: Fix error message for user-to-user

    We were checking the wrong variable to see whether a PAC was found or
    not.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 749349efab9b401d33a4fc286473a924364a41c9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 15:32:32 2021 +1300

    tests/krb5: Add comments for tests that fail against Windows

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ca80c47406e0f2b6fac2c55229306e21ccef9745
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 13:10:52 2021 +1300

    tests/krb5: Add tests for validation with requester SID PAC buffer

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:37:08 2021 +1300

    tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2

    We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies
    that these checks are currently not enforced, which avoids a lot of
    test failures.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ec823c2a83c639f1d7c422153a53d366750e5f2a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:09:18 2021 +1300

    tests/krb5: Add TGS-REQ tests with FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:10:45 2021 +1300

    tests/krb5: Add tests for TGS requests with a non-TGT

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7574ba9f580fca552b80532a49d00e657fbdf4fd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 30 09:26:40 2021 +1300

    tests/krb5: Add tests for invalid TGTs

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 28d501875a98fa2817262eb8ec68bf91528428c2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 12:04:36 2021 +1300

    tests/krb5: Remove unnecessary expect_pac arguments

    The value of expect_pac is not considered if we are expecting an error.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d95705172bcf6fe24817800a4c0009e9cc8be595
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:52:31 2021 +1300

    tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e930274aa43810d6485c3c8a7c82958ecb409630
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:40:35 2021 +1300

    tests/krb5: Split out methods to create renewable or invalid tickets

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a560c2e9ad8abb824d1805c86c656943745f81eb
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:37:35 2021 +1300

    tests/krb5: Allow PasswordKey_create() to use s2kparams

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 16:02:00 2021 +1300

    tests/krb5: Run test_rpc against member server

    We were instead always running against the DC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:34:11 2021 +1300

    tests/krb5: Deduplicate AS-REQ tests

    salt_tests was running the tests defined in the base class as well as
    its own tests.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:53:18 2021 +1300

    tests/krb5: Remove unused variable

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ad4d6fb01fd8083e68f07c427af8932574810cdc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 24 11:30:38 2021 +1300

    selftest: Check received LDB error code when STRICT_CHECKING=0

    We were instead only checking the expected error.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/alias_tests.py             |   7 +-
 python/samba/tests/krb5/as_req_tests.py            | 163 ++---
 python/samba/tests/krb5/kdc_tgs_tests.py           | 739 +++++++++++++++++----
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  39 +-
 python/samba/tests/krb5/raw_testcase.py            |  50 +-
 python/samba/tests/krb5/rfc4120_constants.py       |   1 +
 python/samba/tests/krb5/s4u_tests.py               | 123 +++-
 python/samba/tests/krb5/salt_tests.py              |   4 +-
 python/samba/tests/krb5/test_rpc.py                |  17 +-
 selftest/knownfail_heimdal_kdc                     |  17 +-
 selftest/knownfail_mit_kdc                         |  41 +-
 source4/dsdb/tests/python/priv_attrs.py            |   2 +-
 source4/heimdal/kdc/kerberos5.c                    |   2 +-
 source4/heimdal/kdc/krb5tgs.c                      |  18 +-
 source4/heimdal/kdc/windc.c                        |   5 +-
 source4/heimdal/kdc/windc_plugin.h                 |   2 +
 source4/kdc/db-glue.c                              |   2 +-
 source4/kdc/pac-glue.c                             |   6 +-
 source4/kdc/wdc-samba4.c                           |  48 +-
 source4/selftest/tests.py                          |  58 +-
 source4/torture/krb5/kdc-canon-heimdal.c           |   2 +-
 source4/torture/rpc/remote_pac.c                   |  24 +-
 22 files changed, 986 insertions(+), 384 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/alias_tests.py b/python/samba/tests/krb5/alias_tests.py index 60213845a44..1f63775c189 100755 --- a/python/samba/tests/krb5/alias_tests.py +++ b/python/samba/tests/krb5/alias_tests.py @@ -28,7 +28,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5, - KDC_ERR_CLIENT_NAME_MISMATCH, + KDC_ERR_TGT_REVOKED, NT_PRINCIPAL, ) @@ -168,7 +168,7 @@ class AliasTests(KDCBaseTest): ctype=None) return [padata], req_body - expected_error_mode = KDC_ERR_CLIENT_NAME_MISMATCH + expected_error_mode = KDC_ERR_TGT_REVOKED # Make a request using S4U2Self. The request should fail. kdc_exchange_dict = self.tgs_exchange_dict( 
@@ -184,7 +184,8 @@ class AliasTests(KDCBaseTest): tgt=tgt, authenticator_subkey=authenticator_subkey, kdc_options='0', - expect_pac=True) + expect_pac=True, + expect_edata=False) rep = self._generic_kdc_exchange(kdc_exchange_dict, cname=None, diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 08081928363..315720f85d6 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py 
@@ -38,87 +38,8 @@ from samba.tests.krb5.rfc4120_constants import ( global_asn1_print = False global_hexdump = False -@DynamicTestCase -class AsReqKerberosTests(KDCBaseTest): - - @classmethod - def setUpDynamicTestCases(cls): - for (name, idx) in cls.etype_test_permutation_name_idx(): - for pac in [None, True, False]: - tname = "%s_pac_%s" % (name, pac) - targs = (idx, pac) - cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) - - def setUp(self): - super(AsReqKerberosTests, self).setUp() - self.do_asn1_print = global_asn1_print - self.do_hexdump = global_hexdump - - def _test_as_req_nopreauth(self, - initial_etypes, - pac=None, - initial_kdc_options=None): - client_creds = self.get_client_creds() - client_account = client_creds.get_username() - client_as_etypes = self.get_default_enctypes() - krbtgt_creds = self.get_krbtgt_creds(require_keys=False) - krbtgt_account = krbtgt_creds.get_username() - realm = krbtgt_creds.get_realm() - - cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, - names=[client_account]) - sname = self.PrincipalName_create(name_type=NT_SRV_INST, - names=[krbtgt_account, realm]) - - expected_crealm = realm - expected_cname = cname - expected_srealm = realm - expected_sname = sname - expected_salt = client_creds.get_salt() - - if any(etype in client_as_etypes and etype in initial_etypes - for etype in (kcrypto.Enctype.AES256, - kcrypto.Enctype.AES128, - kcrypto.Enctype.RC4)): - expected_error_mode = KDC_ERR_PREAUTH_REQUIRED - else: - expected_error_mode = KDC_ERR_ETYPE_NOSUPP - - kdc_exchange_dict = self.as_exchange_dict( - expected_crealm=expected_crealm, - expected_cname=expected_cname, - expected_srealm=expected_srealm, - expected_sname=expected_sname, - generate_padata_fn=None, - check_error_fn=self.generic_check_kdc_error, - check_rep_fn=None, - expected_error_mode=expected_error_mode, - client_as_etypes=client_as_etypes, - expected_salt=expected_salt, - kdc_options=str(initial_kdc_options), - pac_request=pac) - - 
self._generic_kdc_exchange(kdc_exchange_dict, - cname=cname, - realm=realm, - sname=sname, - etypes=initial_etypes) - - def _test_as_req_no_preauth_with_args(self, etype_idx, pac): - name, etypes = self.etype_test_permutation_by_idx(etype_idx) - self._test_as_req_nopreauth( - pac=pac, - initial_etypes=etypes, - initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) - - def test_as_req_enc_timestamp(self): - client_creds = self.get_client_creds() - self._run_as_req_enc_timestamp(client_creds) - - def test_as_req_enc_timestamp_mac(self): - client_creds = self.get_mach_creds() - self._run_as_req_enc_timestamp(client_creds) +class AsReqBaseTest(KDCBaseTest): def _run_as_req_enc_timestamp(self, client_creds): client_account = client_creds.get_username() client_as_etypes = self.get_default_enctypes() 
@@ -207,6 +128,88 @@ class AsReqKerberosTests(KDCBaseTest): return etype_info2 +@DynamicTestCase +class AsReqKerberosTests(AsReqBaseTest): + + @classmethod + def setUpDynamicTestCases(cls): + for (name, idx) in cls.etype_test_permutation_name_idx(): + for pac in [None, True, False]: + tname = "%s_pac_%s" % (name, pac) + targs = (idx, pac) + cls.generate_dynamic_test("test_as_req_no_preauth", tname, *targs) + + def setUp(self): + super(AsReqKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def _test_as_req_nopreauth(self, + initial_etypes, + pac=None, + initial_kdc_options=None): + client_creds = self.get_client_creds() + client_account = client_creds.get_username() + client_as_etypes = self.get_default_enctypes() + krbtgt_creds = self.get_krbtgt_creds(require_keys=False) + krbtgt_account = krbtgt_creds.get_username() + realm = krbtgt_creds.get_realm() + + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_account]) + sname = self.PrincipalName_create(name_type=NT_SRV_INST, + names=[krbtgt_account, realm]) + + expected_crealm = realm + expected_cname = cname + expected_srealm = realm + expected_sname = sname + expected_salt = client_creds.get_salt() + + if any(etype in client_as_etypes and etype in initial_etypes + for etype in (kcrypto.Enctype.AES256, + kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4)): + expected_error_mode = KDC_ERR_PREAUTH_REQUIRED + else: + expected_error_mode = KDC_ERR_ETYPE_NOSUPP + + kdc_exchange_dict = self.as_exchange_dict( + expected_crealm=expected_crealm, + expected_cname=expected_cname, + expected_srealm=expected_srealm, + expected_sname=expected_sname, + generate_padata_fn=None, + check_error_fn=self.generic_check_kdc_error, + check_rep_fn=None, + expected_error_mode=expected_error_mode, + client_as_etypes=client_as_etypes, + expected_salt=expected_salt, + kdc_options=str(initial_kdc_options), + pac_request=pac) + + 
self._generic_kdc_exchange(kdc_exchange_dict, + cname=cname, + realm=realm, + sname=sname, + etypes=initial_etypes) + + def _test_as_req_no_preauth_with_args(self, etype_idx, pac): + name, etypes = self.etype_test_permutation_by_idx(etype_idx) + self._test_as_req_nopreauth( + pac=pac, + initial_etypes=etypes, + initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) + + def test_as_req_enc_timestamp(self): + client_creds = self.get_client_creds() + self._run_as_req_enc_timestamp(client_creds) + + def test_as_req_enc_timestamp_mac(self): + client_creds = self.get_mach_creds() + self._run_as_req_enc_timestamp(client_creds) + + if __name__ == "__main__": global_asn1_print = False global_hexdump = False diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index abac5a47a56..2923d53772a 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -23,7 +23,7 @@ import os import ldb -from samba import dsdb, ntstatus +from samba import dsdb from samba.dcerpc import krb5pac, security @@ -32,20 +32,21 @@ os.environ["PYTHONUNBUFFERED"] = "1" import samba.tests.krb5.kcrypto as kcrypto from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.raw_testcase import Krb5EncryptionKey from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5, KRB_ERROR, KRB_TGS_REP, KDC_ERR_BADMATCH, - KDC_ERR_BADOPTION, - KDC_ERR_CLIENT_NAME_MISMATCH, KDC_ERR_GENERIC, KDC_ERR_MODIFIED, + KDC_ERR_NOT_US, KDC_ERR_POLICY, KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_TGT_REVOKED, + KRB_ERR_TKT_NYV, KDC_ERR_WRONG_REALM, NT_PRINCIPAL, NT_SRV_INST, @@ -262,7 +263,7 @@ class KdcTgsTests(KDCBaseTest): authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) if expect_error: - expected_error_mode = KDC_ERR_BADOPTION + expected_error_mode = KDC_ERR_TGT_REVOKED check_error_fn = self.generic_check_kdc_error check_rep_fn = None else: 
@@ -288,7 +289,8 @@ class KdcTgsTests(KDCBaseTest): authenticator_subkey=authenticator_subkey, kdc_options=kdc_options, pac_request=pac_request, - expect_pac=expect_pac) + expect_pac=expect_pac, + expect_edata=False) rep = self._generic_kdc_exchange(kdc_exchange_dict, cname=cname, @@ -413,7 +415,7 @@ class KdcTgsTests(KDCBaseTest): self.assertIsNone(pac) self._make_tgs_request(client_creds, service_creds, tgt, - expect_pac=False, expect_error=True) + expect_error=True) def test_remove_pac_client_no_auth_data_required(self): client_creds = self.get_cached_creds( @@ -428,7 +430,7 @@ class KdcTgsTests(KDCBaseTest): self.assertIsNone(pac) self._make_tgs_request(client_creds, service_creds, tgt, - expect_pac=False, expect_error=True) + expect_error=True) def test_remove_pac(self): client_creds = self.get_client_creds() @@ -441,7 +443,7 @@ class KdcTgsTests(KDCBaseTest): self.assertIsNone(pac) self._make_tgs_request(client_creds, service_creds, tgt, - expect_pac=False, expect_error=True) + expect_error=True) def test_upn_dns_info_ex_user(self): client_creds = self.get_client_creds() @@ -495,12 +497,18 @@ class KdcTgsTests(KDCBaseTest): def test_renew_req(self): creds = self._get_creds() tgt = self._get_tgt(creds, renewable=True) - self._renew_tgt(tgt, expected_error=0) + self._renew_tgt(tgt, expected_error=0, + expect_pac_attrs=True, + expect_pac_attrs_pac_request=True, + expect_requester_sid=True) def test_validate_req(self): creds = self._get_creds() tgt = self._get_tgt(creds, invalid=True) - self._validate_tgt(tgt, expected_error=0) + self._validate_tgt(tgt, expected_error=0, + expect_pac_attrs=True, + expect_pac_attrs_pac_request=True, + expect_requester_sid=True) def test_s4u2self_req(self): creds = self._get_creds() 
@@ -512,12 +520,37 @@ class KdcTgsTests(KDCBaseTest): tgt = self._get_tgt(creds) self._user2user(tgt, creds, expected_error=0) + def test_fast_req(self): + creds = self._get_creds() + tgt = self._get_tgt(creds) + self._fast(tgt, creds, expected_error=0) + + def test_tgs_req_invalid(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, invalid=True) + self._run_tgs(tgt, expected_error=KRB_ERR_TKT_NYV) + + def test_s4u2self_req_invalid(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, invalid=True) + self._s4u2self(tgt, creds, expected_error=KRB_ERR_TKT_NYV) + + def test_user2user_req_invalid(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, invalid=True) + self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV) + + def test_fast_req_invalid(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, invalid=True) + self._fast(tgt, creds, expected_error=KRB_ERR_TKT_NYV, + expected_sname=self.get_krbtgt_sname()) + def test_tgs_req_no_requester_sid(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_requester_sid=True) - self._run_tgs(tgt, expected_error=0, expect_pac=True, - expect_requester_sid=False) # Note: not expected + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_req_no_pac_attrs(self): creds = self._get_creds() @@ -531,11 +564,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True) - samdb = self.get_samdb() - sid = self.get_objectSid(samdb, creds.get_dn()) - - self._run_tgs(tgt, expected_error=0, expect_pac=True, - expect_requester_sid=True, expected_sid=sid) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_req_from_rodc_no_pac_attrs(self): creds = self._get_creds(replication_allowed=True, 
@@ -548,101 +577,119 @@ class KdcTgsTests(KDCBaseTest): def test_tgs_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True) - self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, renewable=True, remove_pac=True) - self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, invalid=True, remove_pac=True) - self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True) self._s4u2self(tgt, creds, - expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION), - expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER, - expect_edata=True) + expected_error=KDC_ERR_TGT_REVOKED, + expect_edata=False) def test_user2user_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True) - self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION) + self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) + + def test_fast_no_pac(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, remove_pac=True) + self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, + expected_sname=self.get_krbtgt_sname()) # Test making a request with authdata and without a PAC. 
def test_tgs_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) - self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, renewable=True, remove_pac=True, allow_empty_authdata=True) - self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, invalid=True, remove_pac=True, allow_empty_authdata=True) - self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) self._s4u2self(tgt, creds, - expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION), - expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER, - expect_edata=True) + expected_error=KDC_ERR_TGT_REVOKED, + expect_edata=False) def test_user2user_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) - self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION) + self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) + + def test_fast_authdata_no_pac(self): + creds = self._get_creds() + tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) + self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED, + expected_sname=self.get_krbtgt_sname()) # Test changing the SID in the PAC to that of another account. 
def test_tgs_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid) - self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid) - self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid) self._s4u2self(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) def test_user2user_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid) self._user2user(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) + + def test_fast_sid_mismatch_existing(self): + creds = self._get_creds() + existing_rid = self._get_existing_rid() + tgt = self._get_tgt(creds, new_rid=existing_rid) + self._fast(tgt, creds, + expected_error=KDC_ERR_TGT_REVOKED, + expected_sname=self.get_krbtgt_sname()) -- Samba Shared Repository
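Review bot: the alias_tests.py hunks change the expected S4U2Self failure from KDC_ERR_CLIENT_NAME_MISMATCH to KDC_ERR_TGT_REVOKED and add `expect_edata=False`, but the only nearby comment still reads `# Make a request using S4U2Self. The request should fail.` and says nothing about why a name/SID mismatch is now reported as a revoked TGT or why no e-data is expected. Suggest extending that comment to state that this is the Windows behaviour being matched (the commit subjects in this push cite PacRequestorEnforcement=2), so the weaker e-data check reads as intentional rather than as a lost assertion.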
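Review bot: in as_req_tests.py the new `class AsReqBaseTest(KDCBaseTest):` has no docstring, yet its whole reason to exist is the one given in the log for f0b222e3ecf (salt_tests was running the base class's tests as well as its own). Suggest a short class docstring saying that AsReqBaseTest holds shared helpers such as `_run_as_req_enc_timestamp` and must not grow `test_*` methods, otherwise every subclass would run them again. The moved AsReqKerberosTests body is otherwise identical to the removed one, which is what a pure move should look like.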
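Review bot: in kdc_tgs_tests.py the no-PAC, no-requester-SID and SID-mismatch cases all move from distinct expectations (KDC_ERR_BADOPTION, KDC_ERR_CLIENT_NAME_MISMATCH, and for S4U2Self `(KDC_ERR_GENERIC, KDC_ERR_BADOPTION)` with `expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER`) to the single KDC_ERR_TGT_REVOKED with `expect_edata=False`, so the suite can no longer tell one rejection path from another by error code alone. That is the Windows-compatible behaviour the push is after, but a one-line comment at the `expected_error_mode = KDC_ERR_TGT_REVOKED` assignment in `_make_tgs_request` saying that TGT_REVOKED is the deliberate catch-all for PAC-integrity failures would stop a future change from being mistaken for a regression. Two smaller points in the import hunk: `Krb5EncryptionKey` is newly imported from raw_testcase but is not used in any visible hunk (fine if it is used in the truncated part, otherwise drop it), and `KRB_ERR_TKT_NYV` is inserted between KDC_ERR_TGT_REVOKED and KDC_ERR_WRONG_REALM, out of the list's otherwise alphabetical order.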
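Review bot: the new `_fast(...)` tests (test_fast_req_invalid, test_fast_no_pac, test_fast_authdata_no_pac, test_fast_sid_mismatch_existing) pass `expected_sname=self.get_krbtgt_sname()` while the matching `_run_tgs`, `_s4u2self` and `_user2user` tests do not, and nothing in the hunk explains why the FAST error is expected with the krbtgt sname. A comment on the first such test would make the asymmetry clearly intentional. Likewise test_tgs_req_no_requester_sid drops the `# Note: not expected` comment along with the old expectation; since this is the test for the headline change in this push (38c5bad4a85, requiring the PAC_REQUESTER_SID buffer for TGTs), it deserves a comment stating that a TGT missing that buffer is now rejected with KDC_ERR_TGT_REVOKED.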