The branch, master has been updated
       via  0f4eca775aa tests/krb5: Add tests for AS-REQ to self with FAST
       via  100be7eb8e7 tests/krb5: Correctly determine whether tickets are service tickets
       via  1eb91291b54 tests/krb5: Generate unique UPNs for enterprise tests
       via  3b23ae59ac4 s4:torture: Fix typo
       via  030afa6c01b s4:torture: Remove comments that are no longer relevant
       via  bba30095ca1 kdc: Pad UPN_DNS_INFO PAC buffer
       via  31f3e815799 Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"
       via  7dfcbc4e381 tests/krb5: Add tests for PAC buffer alignment
       via  abbeb5c2175 s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
       via  3a3f7feac59 s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()
       via  731d9c42d07 s4:mitkdc: Pass NULL to ks_get_pac() as the client_key
       via  e95fb04c5de s4:mitkdc: Add support for pac_attrs and requester_sid
       via  b46a942f95b s4:mitkdc: Reset errno to 0 for com_err messages
       via  c69bfa0939d s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()
       via  f00eb8485f4 s4:mitkdc: Initialize is_error with errno instead of EPERM(1)
      from  5b526f4533b tdb: Raw performance torture to beat tdb_increment_seqnum
https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------
commit 0f4eca775aa52cfe40a25ead90c560d76b286ad9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 14 19:16:15 2021 +1300

    tests/krb5: Add tests for AS-REQ to self with FAST

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Wed Dec 15 04:33:11 UTC 2021 on sn-devel-184

commit 100be7eb8e70ba270a8e92957a5e47466160a901
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 14 19:16:00 2021 +1300

    tests/krb5: Correctly determine whether tickets are service tickets

    Previously we expected tickets to contain a ticket checksum if the
    sname was not the krbtgt. However, the ticket checksum should not be
    present if we are performing an AS-REQ to our own account. Now we
    determine a ticket is a service ticket only if the request is also a
    TGS-REQ.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1eb91291b54b194d8312dac6dd605c793eabfd53
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 14 19:16:26 2021 +1300

    tests/krb5: Generate unique UPNs for enterprise tests

    This helps to avoid problems with account creation on Windows due to
    UPN uniqueness constraints.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3b23ae59ac4953d20ca4422b567a15227a17c545
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 9 13:18:54 2021 +1300

    s4:torture: Fix typo
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 030afa6c01bfc0bfd20a204a5cc7c9d33032a1e7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 9 13:18:45 2021 +1300

    s4:torture: Remove comments that are no longer relevant

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit bba30095ca14dd947cb32a4403e351b0523304dd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 10 14:59:22 2021 +1300

    kdc: Pad UPN_DNS_INFO PAC buffer

    Padding this buffer to a multiple of 8 bytes allows the PAC buffer
    padding to match Windows.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 31f3e815799a205f48bebae666deb327e1058674
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Dec 14 19:19:42 2021 +1300

    Revert "s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows"

    This alignment should be done on the Samba side instead.

    This reverts commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7dfcbc4e381080b3e3e1777134aecef5522d1f01
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 9 11:56:55 2021 +1300

    tests/krb5: Add tests for PAC buffer alignment

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit abbeb5c2175ad9574d75e852c101887d6e642cb4
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 13 08:31:49 2021 +0100

    s4:mitkdc: Call krb5_pac_init() in kdb_samba_db_sign_auth_data()
    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3a3f7feac59feba08438831cb02564e9b80cdc59
Author: Andreas Schneider <a...@samba.org>
Date:   Thu Oct 7 15:12:35 2021 +0200

    s4:mitkdc: Do not allocate the PAC buffer in samba_make_krb5_pac()

    This will be allocated by the KDC in MIT KRB5 1.20 and newer.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 731d9c42d0775d9b1a7475ad2efbe23c2439f6db
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 13 15:48:08 2021 +0100

    s4:mitkdc: Pass NULL to ks_get_pac() as the client_key

    This is unused with MIT KRB5 < 1.20 as this is probably not the right
    key.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e95fb04c5dec9f0487010fb59b6ebf99effe873f
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 13 08:33:05 2021 +0100

    s4:mitkdc: Add support for pac_attrs and requester_sid

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b46a942f95bb28bceb84a14d1125d7f69fdc3fe7
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 8 09:17:32 2021 +0100

    s4:mitkdc: Reset errno to 0 for com_err messages

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit c69bfa0939df3a8f15c917d7f9b8336fb0fef655
Author: Andreas Schneider <a...@samba.org>
Date:   Wed Dec 8 09:16:57 2021 +0100

    s4:mitkdc: Use talloc_get_type_abort() in ks_get_context()

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f00eb8485f429e100d09ae2d529a7b8a1f6a6d34
Author: Andreas Schneider <a...@cryptomilk.org>
Date:   Tue Oct 19 12:15:50 2021 +0200

    s4:mitkdc: Initialize is_error with errno instead of EPERM(1)
Signed-off-by: Andreas Schneider <a...@cryptomilk.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> ----------------------------------------------------------------------- Summary of changes: lib/util/data_blob.c | 21 ++++++ lib/util/data_blob.h | 7 ++ python/samba/tests/krb5/compatability_tests.py | 10 +-- python/samba/tests/krb5/fast_tests.py | 66 ++++++++++++++++-- python/samba/tests/krb5/kdc_base_test.py | 2 +- python/samba/tests/krb5/kdc_tgs_tests.py | 24 ++++--- python/samba/tests/krb5/pac_align_tests.py | 93 ++++++++++++++++++++++++++ python/samba/tests/krb5/raw_testcase.py | 18 ++--- python/samba/tests/krb5/rodc_tests.py | 4 +- python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 1 + selftest/knownfail_mit_kdc | 14 +--- source4/heimdal/lib/krb5/pac.c | 14 +--- source4/kdc/mit-kdb/kdb_samba_common.c | 13 +++- source4/kdc/mit-kdb/kdb_samba_policies.c | 22 +++++- source4/kdc/mit_samba.c | 18 +++-- source4/kdc/mit_samba.h | 1 + source4/kdc/pac-glue.c | 56 ++++++++++------ source4/kdc/pac-glue.h | 2 +- source4/kdc/wdc-samba4.c | 8 ++- source4/selftest/tests.py | 13 ++++ source4/torture/krb5/kdc-canon-heimdal.c | 6 -- source4/torture/krb5/kdc-heimdal.c | 2 +- 23 files changed, 325 insertions(+), 91 deletions(-) create mode 100755 python/samba/tests/krb5/pac_align_tests.py Changeset truncated at 500 lines: diff --git a/lib/util/data_blob.c b/lib/util/data_blob.c index e528eb093a0..77b077f7ef9 100644 --- a/lib/util/data_blob.c +++ b/lib/util/data_blob.c 
@@ -245,3 +245,24 @@ _PUBLIC_ bool data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, return true; } +/** + pad the length of a data blob to a multiple of + 'pad'. 'pad' must be a power of two. +**/ +_PUBLIC_ bool data_blob_pad(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, + size_t pad) +{ + size_t old_len = blob->length; + size_t new_len = (old_len + pad - 1) & ~(pad - 1); + + if (new_len < old_len) { + return false; + } + + if (!data_blob_realloc(mem_ctx, blob, new_len)) { + return false; + } + + memset(blob->data + old_len, 0, new_len - old_len); + return true; +} diff --git a/lib/util/data_blob.h b/lib/util/data_blob.h index 799e9531cbd..7a0dc3b0014 100644 --- a/lib/util/data_blob.h +++ b/lib/util/data_blob.h @@ -126,6 +126,13 @@ _PUBLIC_ bool data_blob_realloc(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, size_t len _PUBLIC_ bool data_blob_append(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, const void *p, size_t length); +/** + pad the length of a data blob to a multiple of + 'pad'. 'pad' must be a power of two. +**/ +_PUBLIC_ bool data_blob_pad(TALLOC_CTX *mem_ctx, DATA_BLOB *blob, + size_t pad); + extern const DATA_BLOB data_blob_null; #endif /* _SAMBA_DATABLOB_H_ */ diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index ed2dc565b6d..65e9e3788d5 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py 
@@ -132,13 +132,14 @@ class SimpleKerberosTests(KDCBaseTest): tgt = self.get_tgt(user_creds) # Ensure the PAC contains the expected checksums. - self.verify_ticket(tgt, key) + self.verify_ticket(tgt, key, service_ticket=False) # Get a service ticket from the DC. service_ticket = self.get_service_ticket(tgt, target_creds) # Ensure the PAC contains the expected checksums. - self.verify_ticket(service_ticket, key, expect_ticket_checksum=True) + self.verify_ticket(service_ticket, key, service_ticket=True, + expect_ticket_checksum=True) def test_mit_ticket_signature(self): # Ensure that a DC does not issue tickets signed with its krbtgt key. @@ -152,13 +153,14 @@ class SimpleKerberosTests(KDCBaseTest): tgt = self.get_tgt(user_creds) # Ensure the PAC contains the expected checksums. - self.verify_ticket(tgt, key) + self.verify_ticket(tgt, key, service_ticket=False) # Get a service ticket from the DC. service_ticket = self.get_service_ticket(tgt, target_creds) # Ensure the PAC does not contain the expected checksums. - self.verify_ticket(service_ticket, key, expect_ticket_checksum=False) + self.verify_ticket(service_ticket, key, service_ticket=True, + expect_ticket_checksum=False) def as_pre_auth_req(self, creds, etypes): user = creds.get_username() diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 54b74c067e8..6a6fdfa786e 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -95,6 +95,23 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_simple_as_req_self(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': False, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': False, + 'gen_padata_fn': self.generate_enc_timestamp_padata, + 'as_req_self': True + } + ], client_account=self.AccountType.COMPUTER) + def test_simple_tgs(self): self._run_test_sequence([ { 
@@ -479,6 +496,27 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_encrypted_challenge_as_req_self(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'as_req_self': True + }, + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_mach_tgt, + 'as_req_self': True + } + ], client_account=self.AccountType.COMPUTER) + def test_fast_encrypted_challenge_wrong_key(self): self._run_test_sequence([ { @@ -1256,14 +1294,15 @@ class FAST_Tests(KDCBaseTest): return fast_padata - def _run_test_sequence(self, test_sequence): + def _run_test_sequence(self, test_sequence, + client_account=KDCBaseTest.AccountType.USER): if self.strict_checking: self.check_kdc_fast_support() kdc_options_default = str(krb5_asn1.KDCOptions('forwardable,' 'canonicalize')) - client_creds = self.get_client_creds() + client_creds = self.get_cached_creds(account_type=client_account) target_creds = self.get_service_creds() krbtgt_creds = self.get_krbtgt_creds() @@ -1289,6 +1328,10 @@ class FAST_Tests(KDCBaseTest): target_creds) target_etypes = target_creds.tgs_supported_enctypes + client_decryption_key = self.TicketDecryptionKey_from_creds( + client_creds) + client_etypes = client_creds.tgs_supported_enctypes + fast_cookie = None preauth_etype_info2 = None 
@@ -1350,10 +1393,16 @@ class FAST_Tests(KDCBaseTest): cname = client_cname if rep_type == KRB_AS_REP else None crealm = client_realm + as_req_self = kdc_dict.pop('as_req_self', False) + if as_req_self: + self.assertEqual(KRB_AS_REP, rep_type) + if 'sname' in kdc_dict: sname = kdc_dict.pop('sname') else: - if rep_type == KRB_AS_REP: + if as_req_self: + sname = client_cname + elif rep_type == KRB_AS_REP: sname = krbtgt_sname else: # KRB_TGS_REP sname = target_sname @@ -1493,16 +1542,23 @@ class FAST_Tests(KDCBaseTest): strict_edata_checking = kdc_dict.pop('strict_edata_checking', True) if rep_type == KRB_AS_REP: + if as_req_self: + expected_supported_etypes = client_etypes + decryption_key = client_decryption_key + else: + expected_supported_etypes = krbtgt_etypes + decryption_key = krbtgt_decryption_key + kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, expected_anon=expected_anon, expected_srealm=expected_srealm, expected_sname=expected_sname, - expected_supported_etypes=krbtgt_etypes, + expected_supported_etypes=expected_supported_etypes, expected_flags=expected_flags, unexpected_flags=unexpected_flags, - ticket_decryption_key=krbtgt_decryption_key, + ticket_decryption_key=decryption_key, generate_fast_fn=generate_fast_fn, generate_fast_armor_fn=generate_fast_armor_fn, generate_fast_padata_fn=generate_fast_padata_fn, diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index aada0457461..d6cbaac60e0 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py 
@@ -1397,7 +1397,7 @@ class KDCBaseTest(RawKerberosTest): krbtgt_creds = self.get_krbtgt_creds() krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds) self.verify_ticket(service_ticket_creds, krbtgt_key, - expect_pac=expect_pac, + service_ticket=True, expect_pac=expect_pac, expect_ticket_checksum=self.tkt_sig_support) self.tkt_cache[cache_key] = service_ticket_creds diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 740dd43f34d..b418a087df8 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -345,9 +345,10 @@ class KdcTgsTests(KDCBaseTest): self.assertIsNone(pac) def test_request_enterprise_canon(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'tgs_enterprise0'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() @@ -376,9 +377,10 @@ class KdcTgsTests(KDCBaseTest): kdc_options=kdc_options) def test_request_enterprise_canon_case(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'tgs_enterprise1'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() @@ -407,9 +409,10 @@ class KdcTgsTests(KDCBaseTest): kdc_options=kdc_options) def test_request_enterprise_canon_mac(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'tgs_enterprise2'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() 
@@ -438,9 +441,10 @@ class KdcTgsTests(KDCBaseTest): kdc_options=kdc_options) def test_request_enterprise_canon_case_mac(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'tgs_enterprise3'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() @@ -469,9 +473,10 @@ class KdcTgsTests(KDCBaseTest): kdc_options=kdc_options) def test_request_enterprise_no_canon(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'tgs_enterprise4'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() @@ -494,9 +499,10 @@ class KdcTgsTests(KDCBaseTest): kdc_options=kdc_options) def test_request_enterprise_no_canon_case(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.USER, - opts={'upn': 'tgs_enterprise5'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() @@ -519,9 +525,10 @@ class KdcTgsTests(KDCBaseTest): kdc_options=kdc_options) def test_request_enterprise_no_canon_mac(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'tgs_enterprise6'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() @@ -544,9 +551,10 @@ class KdcTgsTests(KDCBaseTest): kdc_options=kdc_options) def test_request_enterprise_no_canon_case_mac(self): + upn = self.get_new_username() client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'upn': 'tgs_enterprise7'}) + opts={'upn': upn}) service_creds = self.get_service_creds() user_name = client_creds.get_username() 
diff --git a/python/samba/tests/krb5/pac_align_tests.py b/python/samba/tests/krb5/pac_align_tests.py new file mode 100755 index 00000000000..ff8b608dde1 --- /dev/null +++ b/python/samba/tests/krb5/pac_align_tests.py 
@@ -0,0 +1,93 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import sys +import os + +from samba.dcerpc import krb5pac +from samba.ndr import ndr_unpack +from samba.tests import DynamicTestCase +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, 'bin/python') +os.environ['PYTHONUNBUFFERED'] = '1' + +global_asn1_print = False +global_hexdump = False + + +@DynamicTestCase +class PacAlignTests(KDCBaseTest): + + base_name = 'krbpac' + + @classmethod + def setUpDynamicTestCases(cls): + for length in range(len(cls.base_name), 21): + cls.generate_dynamic_test('test_pac_align', + f'{length}_chars', + length) + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def _test_pac_align_with_args(self, length): + samdb = self.get_samdb() + + account_name = self.base_name + 'a' * (length - len(self.base_name)) + creds, _ = self.create_account(samdb, account_name) + + tgt = self.get_tgt(creds, expect_pac=True) + + pac_data = self.get_ticket_pac(tgt) + self.assertIsNotNone(pac_data) + + self.assertEqual(0, len(pac_data) & 7) + + pac = ndr_unpack(krb5pac.PAC_DATA_RAW, pac_data) + for pac_buffer in pac.buffers: + buffer_type = pac_buffer.type + buffer_size = pac_buffer.ndr_size + + with 
self.subTest(buffer_type=buffer_type): + if buffer_type == krb5pac.PAC_TYPE_LOGON_NAME: + self.assertEqual(length * 2 + 10, buffer_size) + elif buffer_type == krb5pac.PAC_TYPE_REQUESTER_SID: + self.assertEqual(28, buffer_size) + elif buffer_type in {krb5pac.PAC_TYPE_SRV_CHECKSUM, + krb5pac.PAC_TYPE_KDC_CHECKSUM, + krb5pac.PAC_TYPE_TICKET_CHECKSUM}: + self.assertEqual(0, buffer_size & 3, + f'buffer type was: {buffer_type}, ' + f'buffer size was: {buffer_size}') + else: + self.assertEqual(0, buffer_size & 7, + f'buffer type was: {buffer_type}, ' + f'buffer size was: {buffer_size}') + + rounded_len = (buffer_size + 7) & ~7 + self.assertEqual(rounded_len, len(pac_buffer.info.remaining)) + + +if __name__ == '__main__': + global_asn1_print = False + global_hexdump = False + import unittest + unittest.main() diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index cc004f04842..d11f628d7b6 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -2609,7 +2609,11 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(ticket_decryption_key) if ticket_decryption_key is not None: - self.verify_ticket(ticket_creds, krbtgt_keys, expect_pac=expect_pac, + service_ticket = (not self.is_tgs(expected_sname) + and rep_msg_type == KRB_TGS_REP) + self.verify_ticket(ticket_creds, krbtgt_keys, + service_ticket=service_ticket, + expect_pac=expect_pac, expect_ticket_checksum=expect_ticket_checksum or self.tkt_sig_support) @@ -2646,7 +2650,7 @@ class RawKerberosTest(TestCaseInTempDir): expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO) expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO) - if not self.is_tgs(expected_sname): + if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP: expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM) require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO, 
@@ -2655,7 +2659,7 @@ class RawKerberosTest(TestCaseInTempDir): if not self.tkt_sig_support: require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM) - expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP + expect_extra_pac_buffers = self.is_tgs(expected_sname) expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs'] @@ -3271,11 +3275,9 @@ class RawKerberosTest(TestCaseInTempDir): ticket_blob) self.assertEqual(expected_checksum, checksum) - def verify_ticket(self, ticket, krbtgt_keys, expect_pac=True, + def verify_ticket(self, ticket, krbtgt_keys, service_ticket, + expect_pac=True, expect_ticket_checksum=True): - # Check if the ticket is a TGT. - is_tgt = self.is_tgt(ticket) - # Decrypt the ticket. key = ticket.decryption_key @@ -3374,7 +3376,7 @@ class RawKerberosTest(TestCaseInTempDir): kdc_ctype, kdc_checksum) - if is_tgt: + if not service_ticket: self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums) else: ticket_checksum, ticket_ctype = checksums.get( diff --git a/python/samba/tests/krb5/rodc_tests.py b/python/samba/tests/krb5/rodc_tests.py index 0e252d90262..83ee35d650a 100755 --- a/python/samba/tests/krb5/rodc_tests.py +++ b/python/samba/tests/krb5/rodc_tests.py @@ -58,14 +58,14 @@ class RodcKerberosTests(KDCBaseTest): tgt = self.get_tgt(user_creds, to_rodc=True) # Ensure the PAC contains the expected checksums. - self.verify_ticket(tgt, rodc_key) + self.verify_ticket(tgt, rodc_key, service_ticket=False) # Get a service ticket from the RODC. service_ticket = self.get_service_ticket(tgt, target_creds, to_rodc=True) # Ensure the PAC contains the expected checksums. -- Samba Shared Repository
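Review bot: `data_blob_pad()` in lib/util/data_blob.c documents that `pad` must be a power of two but never checks it; for any other value `new_len = (old_len + pad - 1) & ~(pad - 1)` quietly rounds to a length that is not a multiple of `pad`, and `pad == 0` only fails by accident of the wraparound in `pad - 1`. Reject bad input up front, e.g. `if (pad == 0 || (pad & (pad - 1)) != 0) { return false; }`, before computing `new_len`. The `new_len < old_len` test is the guard for `old_len + pad - 1` overflowing `size_t`; a one-line comment saying so would stop it reading as dead code.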
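Review bot: the new file python/samba/tests/krb5/pac_align_tests.py carries a `Copyright (C) Stefan Metzmacher 2020` header although it is a new file in this changeset (commit 7dfcbc4e381, Joseph Sutton, December 2021); it looks like header boilerplate carried over from another test and should name the actual author and year. The magic numbers in `_test_pac_align_with_args` also want a comment: `length * 2 + 10` is the PAC_LOGON_NAME layout (8-byte logon time, 2-byte UTF-16 byte length, then the name), `28` is a SID with five sub-authorities, and the `range(len(cls.base_name), 21)` bound in `setUpDynamicTestCases` says nothing about why 20 characters is the upper limit being exercised. The two assignments `global_asn1_print = False` and `global_hexdump = False` under `if __name__ == '__main__':` repeat the module-level defaults and can go.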
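Review bot: in python/samba/tests/krb5/raw_testcase.py the new `verify_ticket(self, ticket, krbtgt_keys, service_ticket, expect_pac=True, ...)` signature inserts a required positional parameter in front of `expect_pac`, so any caller that still passes `expect_pac` positionally would have that value silently taken as `service_ticket` instead of failing. The callers updated in this changeset all pass `service_ticket=` by keyword; making it keyword-only (`krbtgt_keys, *, service_ticket, expect_pac=True`) turns a missed caller into a TypeError rather than a test that checks the wrong thing.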
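Review bot: `test_simple_as_req_self` and `test_fast_encrypted_challenge_as_req_self` in python/samba/tests/krb5/fast_tests.py both pass `client_account=self.AccountType.COMPUTER` without a comment saying why the AS-REQ-to-self case is exercised with a computer account rather than the default user account; the hunk also changes `_run_test_sequence` from `self.get_client_creds()` to `self.get_cached_creds(account_type=client_account)`, so a short docstring on the new `client_account` parameter would help the next person extending these sequences.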
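The commits above that pad PAC buffers to 8 bytes ("kdc: Pad UPN_DNS_INFO PAC buffer" and "tests/krb5: Add tests for PAC buffer alignment") are about the container layout that pac_align_tests.py asserts. The following Python is an added illustration, not Samba code: it builds a PACTYPE container with each buffer zero-padded to an 8-byte boundary using the same rounding as `data_blob_pad()`, then parses it back and rejects unaligned offsets. The buffer contents (account name, SID, zeroed HMAC-MD5 checksum fields) are constructed sample data, no signing is performed, and the structure follows the PACTYPE/PAC_INFO_BUFFER layout from MS-PAC.

```python
import struct

# PAC buffer types from MS-PAC (same values samba.dcerpc.krb5pac exposes)
PAC_TYPE_SRV_CHECKSUM = 6
PAC_TYPE_KDC_CHECKSUM = 7
PAC_TYPE_LOGON_NAME = 10
PAC_TYPE_REQUESTER_SID = 18

# Kerberos checksum type for HMAC-MD5 (RFC 4757); its signature is 16 bytes
CKSUMTYPE_HMAC_MD5 = -138


def pad_to(blob: bytes, pad: int) -> bytes:
    """Zero-pad blob to a multiple of pad, mirroring data_blob_pad()'s rounding,
    but refusing a pad that is not a non-zero power of two."""
    if pad == 0 or pad & (pad - 1):
        raise ValueError("pad must be a non-zero power of two")
    new_len = (len(blob) + pad - 1) & ~(pad - 1)
    return blob + b"\0" * (new_len - len(blob))


def logon_name_buffer(name: str, logon_time: int = 0) -> bytes:
    """PAC_LOGON_NAME: 8-byte FILETIME, 2-byte UTF-16 byte length, the name."""
    utf16 = name.encode("utf-16-le")
    return struct.pack("<QH", logon_time, len(utf16)) + utf16


def sid_buffer(sid: str) -> bytes:
    """Binary SID: revision, sub-authority count, 48-bit big-endian authority,
    then little-endian 32-bit sub-authorities (28 bytes for five of them)."""
    parts = sid.split("-")
    assert parts[0] == "S" and parts[1] == "1"
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", 1, len(subs)) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def checksum_buffer(cksumtype: int, signature: bytes) -> bytes:
    """PAC_SIGNATURE_DATA: 4-byte signed checksum type followed by the signature."""
    return struct.pack("<i", cksumtype) + signature


def build_pac(buffers):
    """Serialize [(type, payload), ...] as PACTYPE: cBuffers, Version, one
    PAC_INFO_BUFFER (ulType, cbBufferSize, Offset) per buffer, then the data.
    cbBufferSize records the unpadded size; the data itself is padded to 8."""
    offset = 8 + 16 * len(buffers)
    info = b""
    body = b""
    for btype, payload in buffers:
        info += struct.pack("<IIQ", btype, len(payload), offset)
        padded = pad_to(payload, 8)
        body += padded
        offset += len(padded)
    return struct.pack("<II", len(buffers), 0) + info + body


def parse_pac(data: bytes):
    """Walk the PACTYPE header, rejecting any buffer whose Offset is not
    8-byte aligned, and return (type, size, offset, payload) per buffer."""
    count, _version = struct.unpack_from("<II", data, 0)
    entries = []
    for i in range(count):
        btype, size, offset = struct.unpack_from("<IIQ", data, 8 + 16 * i)
        if offset % 8:
            raise ValueError(f"PAC buffer type {btype} at unaligned offset {offset}")
        entries.append((btype, size, offset, data[offset:offset + size]))
    return entries


def example_pac() -> bytes:
    """Constructed sample (not a real ticket): a 7-character logon name, a
    requester SID and two HMAC-MD5 checksum buffers with zeroed signatures."""
    return build_pac([
        (PAC_TYPE_LOGON_NAME, logon_name_buffer("krbpaca")),          # 24 bytes, no padding
        (PAC_TYPE_REQUESTER_SID, sid_buffer("S-1-5-21-1-2-3-1105")),   # 28 bytes -> 32
        (PAC_TYPE_SRV_CHECKSUM, checksum_buffer(CKSUMTYPE_HMAC_MD5, b"\0" * 16)),  # 20 -> 24
        (PAC_TYPE_KDC_CHECKSUM, checksum_buffer(CKSUMTYPE_HMAC_MD5, b"\0" * 16)),  # 20 -> 24
    ])


if __name__ == "__main__":
    pac = example_pac()
    for btype, size, offset, _ in parse_pac(pac):
        print(f"type {btype:2d}: size {size:3d} at offset {offset:3d}")
    print(f"total {len(pac)} bytes, 8-byte aligned: {len(pac) % 8 == 0}")
```

The parser keeps `cbBufferSize` as the logical size and derives the padded extent from the next offset, which is exactly the split pac_align_tests.py checks with `buffer_size` versus `len(pac_buffer.info.remaining)`.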