The branch, master has been updated
       via  3e2eb1b0236 s4:kdc: Add client claims blob if it is present
       via  2e8e93fdd19 s4:kdc: Refactor PAC handling
       via  fa901e7346d s4:kdc: Avoid copying data if not needed
       via  47ef49fd91f s4:kdc: Don't pass a NULL pointer into 
krb5_pac_add_buffer()
       via  ca8b8d1d4af s4:kdc: Fix typo
       via  dfaae871fd2 s4:kdc: Make some parameters const
       via  218db60ea92 s4:kdc: Comment parameter names
       via  6fd5afd0424 s4:kdc: Replace 'is_untrusted' with 'is_trusted'
       via  eb74be91bbd auth: Clear EXTRA_SIDS flag if no Extra SIDs are present
       via  19c871bf6e0 dsdb periodic: DNS: Add missing newlines to debug 
messages
       via  3c5296d9aea winbindd: Show warning message on tc connection errors 
too
       via  ed0b850e3dc wafsamba: Remove unused configure check
       via  0f244bd1145 selftest: Clean up socket when finished
       via  dfe759c1fd9 selftest: Don't use invalid escape sequences
       via  5c8fbeb61e6 tests/krb5: Test that denied attributes are still 
issued in claims
       via  fd64bae7b4e tests/krb5: Add functions to fetch the schemaIDGUID of 
an attribute or class
       via  1b5c57c3059 tests/krb5: Check that test parameters are not going 
unseen
       via  a85d26fd741 tests/krb5: Test that claims are generated even if 
PAC-OPTIONS are not set
       via  223ef8b7850 tests/krb5: Test that RODC-issued device groups are 
regenerated
       via  e1a573a6595 tests/krb5: Test that RODC-issued claims are regenerated
       via  9d759472920 tests/krb5: Add tests for RODC-issued armor tickets
       via  ee43e004e9e tests/krb5: Add tests for constrained delegation with 
RODC-issued tickets
       via  883d2642848 tests/krb5: Add remove_client_claims_tgt_from_rodc()
       via  7a5562f2824 tests/krb5: Let ticket_with_sids() create RODC-issued 
tickets
       via  04b6f769d16 tests/krb5: Add signed_by_rodc()
       via  a9f127e6e27 tests/krb5: Move issued_by_rodc() to base class
       via  3a6e2a283c3 tests/krb5: Fix additional_details account creation 
caching
       via  9a2f6cdc00d tests/krb5: Add simple resource-based constrained 
delegation test
       via  addfef3d582 tests/krb5: Only add AES enctype bits at domain 
functional level 2008 and above
       via  12a1fabd121 tests/krb5: Cache drsuapi connection
       via  f90a46765a0 tests/krb5: Generate full ticket signatures with 
trailing RODC id
       via  7e7c692adbc python:ndr: Use f-string to format exception message
      from  795bab56291 lib:ldb: Correctly cast pointers for 
assert_string_equal()

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3e2eb1b02366c380f1ca4d112f10e2663c1b2fef
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 09:04:51 2023 +1300

    s4:kdc: Add client claims blob if it is present
    
    Until we support claims we just return an empty blob,
    that matches what Windows is doing without defined claims.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Mar 20 01:25:07 UTC 2023 on atb-devel-224

commit 2e8e93fdd196f885b1811457e3a6d2d9c5c63f05
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 08:02:24 2023 +1300

    s4:kdc: Refactor PAC handling
    
    It's getting unwieldy adding new PAC buffer types when each one has to
    have its own handling. It also makes the possibility of mistakes more
    likely.
    
    Add a new container, 'struct pac_blobs', containing the types of PAC
    buffers in a given PAC, with an index for quick access to the types we
    support specifically. We can add new blobs (overriding existing ones) by
    calling pac_blobs_add_blob(), and override certain blobs that must be
    present with pac_blobs_replace_existing().
    
    This removes the need to have a complicated 'switch' statement with
    different logic for each PAC buffer type, or a dozen index variables.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fa901e7346d36ae64a7ceab5dcf76bc210a67c93
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 09:16:17 2023 +1300

    s4:kdc: Avoid copying data if not needed
    
    krb5_pac_add_buffer() makes its own copy of the data we pass in. We
    don't need to make yet another copy.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 47ef49fd91f050ce4a79a8471b3e66c808f48752
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 09:25:52 2023 +1300

    s4:kdc: Don't pass a NULL pointer into krb5_pac_add_buffer()
    
    Heimdal contains an assertion that the data pointer is not NULL. We need
    to pass in a pointer to some dummy data instead.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ca8b8d1d4af0a2445efef723eaa4160399e87162
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 16:47:15 2023 +1300

    s4:kdc: Fix typo
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dfaae871fd2da8e817601e5c6315b5259b594416
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Mar 17 08:07:52 2023 +1300

    s4:kdc: Make some parameters const
    
    As these parameters are not assigned to, make them const.
    
    Const specifiers for non-pointer types, such as in 'const
    krb5_principal', don't do anything in function declarations. Remove
    them.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 218db60ea9254b68a1011cc30248121ee10a8320
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 16:07:35 2023 +1300

    s4:kdc: Comment parameter names
    
    Make it clear what these parameters actually are.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6fd5afd0424404871694fa2b1c87b2e6f56de89b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 14:29:15 2023 +1300

    s4:kdc: Replace 'is_untrusted' with 'is_trusted'
    
    A double negative is just confusing and prone to error.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit eb74be91bbde618ed32910af0c768c554c72c184
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Feb 27 15:56:40 2023 +1300

    auth: Clear EXTRA_SIDS flag if no Extra SIDs are present
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 19c871bf6e0a0e52674aae3af1080d6295f9f138
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 7 10:38:27 2023 +1300

    dsdb periodic: DNS: Add missing newlines to debug messages
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3c5296d9aea38521e6df8834a856d510106300a8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 7 11:13:41 2023 +1300

    winbindd: Show warning message on tc connection errors too
    
    Some of these conditions could never be hit.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ed0b850e3dc13dba1f7291d8ed45e93fd1cb9c94
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 2 14:57:03 2022 +1300

    wafsamba: Remove unused configure check
    
    This check would trigger compiler warnings due to the extra argument
    passed to eprintf(). HAVE__VA_ARGS__MACRO isn't used anywhere, so we can
    remove the check.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 0f244bd1145f9cd72c930bcf91a8497ba1a26a09
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 7 16:40:37 2023 +1300

    selftest: Clean up socket when finished
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit dfe759c1fd911eb475ed46fe5d66f5cf4eb9055c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Mar 15 11:31:43 2023 +1300

    selftest: Don't use invalid escape sequences
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5c8fbeb61e6e5ce99a5b000bfe37a74ff456d449
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:25:24 2023 +1300

    tests/krb5: Test that denied attributes are still issued in claims
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fd64bae7b4ea788c3fe8b00d288431bc66dfe104
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:27:22 2023 +1300

    tests/krb5: Add functions to fetch the schemaIDGUID of an attribute or class
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1b5c57c305958fcef755dd22753bdd22b613a3ac
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:14:46 2023 +1300

    tests/krb5: Check that test parameters are not going unseen
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a85d26fd741add9d9f2ea20fdbfb271ab0ceadea
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:18:49 2023 +1300

    tests/krb5: Test that claims are generated even if PAC-OPTIONS are not set
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 223ef8b785068ab7bed1224b1b0ff73bc8f90df7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:30:39 2023 +1300

    tests/krb5: Test that RODC-issued device groups are regenerated
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e1a573a6595363e05a3baef5ffe625317aaef9de
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:30:56 2023 +1300

    tests/krb5: Test that RODC-issued claims are regenerated
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9d7594729207fc2a1139d2fa1a3f7a17c8df096f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:06:19 2023 +1300

    tests/krb5: Add tests for RODC-issued armor tickets
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ee43e004e9efd594e12acce16b1798d9a4e37eff
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:32:49 2023 +1300

    tests/krb5: Add tests for constrained delegation with RODC-issued tickets
    
    This works as long as both tickets are issued by the same RODC.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 883d26428486b7b041b327e6d28b551d856059c1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:24:42 2023 +1300

    tests/krb5: Add remove_client_claims_tgt_from_rodc()
    
    This method removes the PAC_CLIENT_CLAIMS_INFO buffer *and* makes it
    appear as if a ticket were issued by an RODC. Because that's more
    efficient than decrypting and modifying the ticket twice.
    
    View with 'git show -b'.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7a5562f2824f115dbdef777a7c268439f81eff9d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:29:37 2023 +1300

    tests/krb5: Let ticket_with_sids() create RODC-issued tickets
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 04b6f769d160d9d4e0e5bc7a961d473de2e0689b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:22:31 2023 +1300

    tests/krb5: Add signed_by_rodc()
    
    This can be used to modify a service ticket to appear as if it were
    signed by an RODC krbtgt.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a9f127e6e2762872140deec69149f3e91440600a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:23:40 2023 +1300

    tests/krb5: Move issued_by_rodc() to base class
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3a6e2a283c3985bbcb74b776d6ba597323813bbd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:13:21 2023 +1300

    tests/krb5: Fix additional_details account creation caching
    
    In Python, maps are not hashable and hence cannot be used as cache keys.
    To get around this, we were converting the account details map to a
    tuple of (key, value) pairs with the following expression:
    
    ((k, v) for k, v in details.items())
    
    However, this was actually creating a lazily-evaluated generator object.
    The hash of this object was based on its address in memory, not on its
    contents, which meant that account options with the same details could
    have different hash values if the generators occupied different memory
    addresses, or (less likely) that account options with different details
    could hash to the same value if the second generator happened to inhabit
    the same memory address as the first one. The result was that account
    caching didn't work as intended.
    
    Attempt to fix that by using a frozenset instead of a generator object,
    and making sure that all our values are tuples (and thus hashable).
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9a2f6cdc00d3e11498a11dd705807dc18deaac27
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 11:28:04 2023 +1300

    tests/krb5: Add simple resource-based constrained delegation test
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit addfef3d582102805a38d5ad67ad8b11dee1bf04
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Mar 16 12:15:46 2023 +1300

    tests/krb5: Only add AES enctype bits at domain functional level 2008 and 
above
    
    At lower levels we should not expect these bits to be present.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 12a1fabd121b2d54d94ed971c3af0c6c3b3d59c7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 7 15:28:21 2023 +1300

    tests/krb5: Cache drsuapi connection
    
    We call get_keys() a lot, and it's more efficient if we aren't creating
    a new connection for every new account we create.
    
    To allow us to maintain a single cached connection, remove the samdb
    parameter from get_keys() and get_secrets(). No-one was using it anyway.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f90a46765a008cfaa333159b25661ee83637a5dd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 14 11:53:45 2023 +1300

    tests/krb5: Generate full ticket signatures with trailing RODC id
    
    This matches the use of make_rodc_zeroed_checksum() in the preceeding
    loop, and means that RODC-signed service tickets no longer fail to
    decrypt.
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7e7c692adbce9f82828f0754a3fa79602b84337b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Mar 14 11:50:17 2023 +1300

    python:ndr: Use f-string to format exception message
    
    If 'object' happened to be a tuple, we would get one of the following
    errors:
    
    TypeError: not enough arguments for format string
    TypeError: not all arguments converted during string formatting
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 auth/auth_sam_reply.c                            |   1 +
 buildtools/wafsamba/wscript                      |   5 -
 librpc/idl/krb5pac.idl                           |   8 +
 python/samba/ndr.py                              |   2 +-
 python/samba/tests/krb5/claims_tests.py          | 530 +++++++++++++++--
 python/samba/tests/krb5/device_tests.py          |  76 ++-
 python/samba/tests/krb5/fast_tests.py            |  44 ++
 python/samba/tests/krb5/kdc_base_test.py         | 121 +++-
 python/samba/tests/krb5/kpasswd_tests.py         |  13 -
 python/samba/tests/krb5/nt_hash_tests.py         |   1 -
 python/samba/tests/krb5/protected_users_tests.py |   2 +-
 python/samba/tests/krb5/raw_testcase.py          |   2 +-
 python/samba/tests/krb5/s4u_tests.py             |  54 ++
 python/samba/tests/krb5/spn_tests.py             |   2 +-
 selftest/knownfail_heimdal_kdc                   |  16 +
 selftest/knownfail_mit_kdc                       |  17 +
 selftest/knownfail_mit_kdc_pre_1_20              |   2 +
 selftest/subunithelper.py                        |   2 +-
 selftest/target/dns_hub.py                       |   1 +
 source3/winbindd/winbindd_dual_srv.c             |  12 +-
 source4/dsdb/kcc/kcc_periodic.c                  |  10 +-
 source4/kdc/mit_samba.c                          |  26 +-
 source4/kdc/pac-glue.c                           | 712 ++++++++++++-----------
 source4/kdc/pac-glue.h                           |  26 +-
 source4/kdc/wdc-samba4.c                         |  14 +-
 25 files changed, 1210 insertions(+), 489 deletions(-)


Changeset truncated at 500 lines:

diff --git a/auth/auth_sam_reply.c b/auth/auth_sam_reply.c
index 2a35723e355..8e0089eb8d1 100644
--- a/auth/auth_sam_reply.c
+++ b/auth/auth_sam_reply.c
@@ -399,6 +399,7 @@ NTSTATUS auth_convert_user_info_dc_saminfo6(TALLOC_CTX 
*mem_ctx,
        if (sam6->sidcount) {
                sam6->base.user_flags |= NETLOGON_EXTRA_SIDS;
        } else {
+               sam6->base.user_flags &= ~NETLOGON_EXTRA_SIDS;
                TALLOC_FREE(sam6->sids);
        }
 
diff --git a/buildtools/wafsamba/wscript b/buildtools/wafsamba/wscript
index 93af81f1eca..9ee158b1f39 100644
--- a/buildtools/wafsamba/wscript
+++ b/buildtools/wafsamba/wscript
@@ -710,11 +710,6 @@ struct foo bar = { .y = 'X', .x = 1 };
                     define="HAVE_VA_COPY",
                     msg="Checking for va_copy")
 
-    conf.CHECK_CODE('''
-                    #define eprintf(...) fprintf(stderr, __VA_ARGS__)
-                    eprintf("bla", "bar")
-                    ''', define='HAVE__VA_ARGS__MACRO')
-
     conf.env.enable_fuzzing = False
 
     conf.env.enable_libfuzzer = Options.options.enable_libfuzzer
diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl
index 57c37656eb6..6655e2ff5b7 100644
--- a/librpc/idl/krb5pac.idl
+++ b/librpc/idl/krb5pac.idl
@@ -168,8 +168,16 @@ interface krb5pac
                PAC_TYPE_ATTRIBUTES_INFO = 17,
                PAC_TYPE_REQUESTER_SID = 18,
                PAC_TYPE_FULL_CHECKSUM = 19
+               /*
+                * Note! when adding new types, adjust the value of PAC_TYPE_END
+                * to equal one more than the highest supported type.
+                */
        } PAC_TYPE;
 
+       const uint32 PAC_TYPE_BEGIN = 1;
+       const uint32 PAC_TYPE_END = 20;
+       const uint32 PAC_TYPE_COUNT = PAC_TYPE_END - PAC_TYPE_BEGIN;
+
        typedef struct {
                [flag(NDR_REMAINING)] DATA_BLOB remaining;
        } DATA_BLOB_REM;
diff --git a/python/samba/ndr.py b/python/samba/ndr.py
index 35b2414e8ae..314e57b7f8e 100644
--- a/python/samba/ndr.py
+++ b/python/samba/ndr.py
@@ -52,7 +52,7 @@ def ndr_unpack(cls, data, allow_remaining=False):
 def ndr_print(object):
     ndr_print = getattr(object, "__ndr_print__", None)
     if ndr_print is None:
-        raise TypeError("%r is not a NDR object" % object)
+        raise TypeError(f"{object} is not a NDR object")
     return ndr_print()
 
 
diff --git a/python/samba/tests/krb5/claims_tests.py 
b/python/samba/tests/krb5/claims_tests.py
index 78c78476e0c..5cdd1f4a361 100755
--- a/python/samba/tests/krb5/claims_tests.py
+++ b/python/samba/tests/krb5/claims_tests.py
@@ -27,6 +27,7 @@ import re
 import ldb
 
 from samba.dcerpc import claims, krb5pac, security
+from samba.ndr import ndr_pack
 
 from samba.tests import DynamicTestCase, env_get_var_value
 from samba.tests.krb5 import kcrypto
@@ -47,16 +48,19 @@ global_asn1_print = False
 global_hexdump = False
 
 
-class UnorderedList(list):
+class UnorderedList(tuple):
     def __eq__(self, other):
         if not isinstance(other, UnorderedList):
             raise AssertionError('unexpected comparison attempt')
         return sorted(self) == sorted(other)
 
+    def __hash__(self):
+        return hash(tuple(sorted(self)))
+
 
 # Use this to assert that each element of a list belongs to a set() of
 # acceptable elements.
-class OneOf(list):
+class OneOf(tuple):
     def __eq__(self, other):
         if not isinstance(other, OneOf):
             raise AssertionError('unexpected comparison attempt')
@@ -129,6 +133,7 @@ class ClaimsTests(KDCBaseTest):
 
         details = {}
         mod_msg = ldb.Message()
+        security_desc = None
 
         for claim in all_claims:
             # Make a copy to avoid modifying the original.
@@ -173,6 +178,22 @@ class ClaimsTests(KDCBaseTest):
                                      'conflicting values set for attribute')
                 details[attribute] = transformed_values
 
+                readable = claim.pop('readable', True)
+                if not readable:
+                    if security_desc is None:
+                        security_desc = security.descriptor()
+
+                    # Deny all read property access to the attribute.
+                    ace = security.ace()
+                    ace.type = security.SEC_ACE_TYPE_ACCESS_DENIED_OBJECT
+                    ace.access_mask = security.SEC_ADS_READ_PROP
+                    ace.trustee = security.dom_sid(security.SID_WORLD)
+                    ace.object.flags |= security.SEC_ACE_OBJECT_TYPE_PRESENT
+                    ace.object.type = self.get_schema_id_guid_from_attribute(
+                        attribute)
+
+                    security_desc.dacl_add(ace)
+
                 if expected_values is None:
                     expected_values = values
 
@@ -199,31 +220,48 @@ class ClaimsTests(KDCBaseTest):
 
             self.create_claim(claim_id, **claim)
 
-        details = ((k, v) for k, v in details.items())
+        if security_desc is not None:
+            self.assertNotIn('nTSecurityDescriptor', details)
+            details['nTSecurityDescriptor'] = ndr_pack(security_desc)
 
         return details, mod_msg, expected_claims, unexpected_claims
 
-    def remove_client_claims(self, ticket):
-        def modify_pac_fn(pac):
-            pac_buffers = pac.buffers
-            for pac_buffer in pac_buffers:
-                if pac_buffer.type == krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO:
-                    pac.num_buffers -= 1
-                    pac_buffers.remove(pac_buffer)
-
-                    break
-            else:
-                self.fail('expected client claims in PAC')
+    def modify_pac_remove_client_claims(self, pac):
+        pac_buffers = pac.buffers
+        for pac_buffer in pac_buffers:
+            if pac_buffer.type == krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO:
+                pac.num_buffers -= 1
+                pac_buffers.remove(pac_buffer)
+
+                break
+        else:
+            self.fail('expected client claims in PAC')
 
-            pac.buffers = pac_buffers
+        pac.buffers = pac_buffers
 
-            return pac
+        return pac
 
+    def remove_client_claims(self, ticket):
         return self.modified_ticket(
             ticket,
-            modify_pac_fn=modify_pac_fn,
+            modify_pac_fn=self.modify_pac_remove_client_claims,
             checksum_keys=self.get_krbtgt_checksum_key())
 
+    def remove_client_claims_tgt_from_rodc(self, ticket):
+        rodc_krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
+        rodc_krbtgt_key = self.TicketDecryptionKey_from_creds(
+            rodc_krbtgt_creds)
+
+        checksum_keys = {
+            krb5pac.PAC_TYPE_KDC_CHECKSUM: rodc_krbtgt_key
+        }
+
+        return self.modified_ticket(
+            ticket,
+            new_ticket_key=rodc_krbtgt_key,
+            modify_pac_fn=self.modify_pac_remove_client_claims,
+            checksum_keys=checksum_keys)
+
     def test_tgs_claims(self):
         self.run_tgs_test(remove_claims=False, to_krbtgt=False)
 
@@ -242,6 +280,30 @@ class ClaimsTests(KDCBaseTest):
     def test_delegation_claims_remove_claims(self):
         self.run_delegation_test(remove_claims=True)
 
+    def test_rodc_issued_claims_modify(self):
+        self.run_rodc_tgs_test(remove_claims=False, delete_claim=False)
+
+    def test_rodc_issued_claims_delete(self):
+        self.run_rodc_tgs_test(remove_claims=False, delete_claim=True)
+
+    def test_rodc_issued_claims_remove_claims_modify(self):
+        self.run_rodc_tgs_test(remove_claims=True, delete_claim=False)
+
+    def test_rodc_issued_claims_remove_claims_delete(self):
+        self.run_rodc_tgs_test(remove_claims=True, delete_claim=True)
+
+    def test_rodc_issued_device_claims_modify(self):
+        self.run_device_rodc_tgs_test(remove_claims=False, delete_claim=False)
+
+    def test_rodc_issued_device_claims_delete(self):
+        self.run_device_rodc_tgs_test(remove_claims=False, delete_claim=True)
+
+    def test_rodc_issued_device_claims_remove_claims_modify(self):
+        self.run_device_rodc_tgs_test(remove_claims=True, delete_claim=False)
+
+    def test_rodc_issued_device_claims_remove_claims_delete(self):
+        self.run_device_rodc_tgs_test(remove_claims=True, delete_claim=True)
+
     # Create a user account with an applicable claim for the 'middleName'
     # attribute. After obtaining a TGT, from which we optionally remove the
     # claims, change the middleName attribute values for the account in the
@@ -270,7 +332,7 @@ class ClaimsTests(KDCBaseTest):
             claim_id: {
                 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
                 'type': claims.CLAIM_TYPE_STRING,
-                'values': ['foo'],
+                'values': ('foo',),
             },
         }
 
@@ -354,14 +416,14 @@ class ClaimsTests(KDCBaseTest):
             claim_id: {
                 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
                 'type': claims.CLAIM_TYPE_STRING,
-                'values': ['user_old'],
+                'values': ('user_old',),
             },
         }
         expected_claims_mach = {
             claim_id: {
                 'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
                 'type': claims.CLAIM_TYPE_STRING,
-                'values': ['mach_old'],
+                'values': ('mach_old',),
             },
         }
 
@@ -463,6 +525,234 @@ class ClaimsTests(KDCBaseTest):
                                          additional_tickets=additional_tickets)
         self.check_reply(rep, KRB_TGS_REP)
 
+    def run_rodc_tgs_test(self, remove_claims, delete_claim):
+        samdb = self.get_samdb()
+        # Create a user account permitted to replicate to the RODC.
+        user_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={
+                # Set the value of the claim attribute.
+                'additional_details': (('middleName', 'foo'),),
+                'allowed_replication_mock': True,
+                'revealed_to_mock_rodc': True,
+            },
+            use_cache=False)
+        user_dn = user_creds.get_dn()
+
+        # Create a claim that applies to the user.
+        claim_id = self.get_new_username()
+        self.create_claim(claim_id,
+                          enabled=True,
+                          attribute='middleName',
+                          single_valued=True,
+                          source_type='AD',
+                          for_classes=['user'],
+                          value_type=claims.CLAIM_TYPE_STRING)
+
+        expected_claims = {
+            claim_id: {
+                'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
+                'type': claims.CLAIM_TYPE_STRING,
+                'values': ('foo',),
+            },
+        }
+
+        # Get a TGT for the user.
+        tgt = self.get_tgt(user_creds, expect_pac=True,
+                           expect_client_claims=True,
+                           expected_client_claims=expected_claims)
+
+        # Modify the TGT to be issued by an RODC. Optionally remove the client
+        # claims.
+        if remove_claims:
+            tgt = self.remove_client_claims_tgt_from_rodc(tgt)
+        else:
+            tgt = self.issued_by_rodc(tgt)
+
+        # Modify or delete the value of the attribute used for the claim. 
Modify
+        # our test expectations accordingly.
+        msg = ldb.Message(user_dn)
+        if delete_claim:
+            msg['middleName'] = ldb.MessageElement([],
+                                                   ldb.FLAG_MOD_DELETE,
+                                                   'middleName')
+            expected_claims = None
+            unexpected_claims = {claim_id}
+        else:
+            msg['middleName'] = ldb.MessageElement('bar',
+                                                   ldb.FLAG_MOD_REPLACE,
+                                                   'middleName')
+            expected_claims = {
+                claim_id: {
+                    'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
+                    'type': claims.CLAIM_TYPE_STRING,
+                    'values': ('bar',),
+                },
+            }
+            unexpected_claims = None
+        samdb.modify(msg)
+
+        target_creds = self.get_service_creds()
+
+        # Get a service ticket for the user. The claim value should have
+        # changed, indicating that the client claims have been regenerated or
+        # removed, depending on whether the corresponding attribute is still
+        # present on the account.
+        self.get_service_ticket(
+            tgt, target_creds,
+            expect_pac=True,
+            # Expect the CLIENT_CLAIMS_INFO PAC buffer. It may be empty.
+            expect_client_claims=True,
+            expected_client_claims=expected_claims,
+            unexpected_client_claims=unexpected_claims)
+
+    def run_device_rodc_tgs_test(self, remove_claims, delete_claim):
+        samdb = self.get_samdb()
+
+        # Create the user account.
+        user_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER)
+        user_name = user_creds.get_username()
+
+        # Create a machine account permitted to replicate to the RODC.
+        mach_creds = self.get_cached_creds(
+            account_type=self.AccountType.COMPUTER,
+            opts={
+                # Set the value of the claim attribute.
+                'additional_details': (('middleName', 'foo'),),
+                'allowed_replication_mock': True,
+                'revealed_to_mock_rodc': True,
+            },
+            use_cache=False)
+        mach_dn = mach_creds.get_dn()
+
+        # Create a claim that applies to the computer.
+        claim_id = self.get_new_username()
+        self.create_claim(claim_id,
+                          enabled=True,
+                          attribute='middleName',
+                          single_valued=True,
+                          source_type='AD',
+                          for_classes=['computer'],
+                          value_type=claims.CLAIM_TYPE_STRING)
+
+        expected_claims = {
+            claim_id: {
+                'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
+                'type': claims.CLAIM_TYPE_STRING,
+                'values': ('foo',),
+            },
+        }
+
+        # Get a TGT for the user.
+        user_tgt = self.get_tgt(user_creds)
+
+        # Get a TGT for the computer.
+        mach_tgt = self.get_tgt(mach_creds, expect_pac=True,
+                                expect_client_claims=True,
+                                expected_client_claims=expected_claims)
+
+        # Modify the computer's TGT to be issued by an RODC. Optionally remove
+        # the client claims.
+        if remove_claims:
+            mach_tgt = self.remove_client_claims_tgt_from_rodc(mach_tgt)
+        else:
+            mach_tgt = self.issued_by_rodc(mach_tgt)
+
+        # Modify or delete the value of the attribute used for the claim. 
Modify
+        # our test expectations accordingly.
+        msg = ldb.Message(mach_dn)
+        if delete_claim:
+            msg['middleName'] = ldb.MessageElement([],
+                                                   ldb.FLAG_MOD_DELETE,
+                                                   'middleName')
+            expected_claims = None
+            unexpected_claims = {claim_id}
+        else:
+            msg['middleName'] = ldb.MessageElement('bar',
+                                                   ldb.FLAG_MOD_REPLACE,
+                                                   'middleName')
+            expected_claims = {
+                claim_id: {
+                    'source_type': claims.CLAIMS_SOURCE_TYPE_AD,
+                    'type': claims.CLAIM_TYPE_STRING,
+                    'values': ('bar',),
+                },
+            }
+            unexpected_claims = None
+        samdb.modify(msg)
+
+        subkey = self.RandomKey(user_tgt.session_key.etype)
+
+        armor_subkey = self.RandomKey(subkey.etype)
+        explicit_armor_key = self.generate_armor_key(armor_subkey,
+                                                     mach_tgt.session_key)
+        armor_key = kcrypto.cf2(explicit_armor_key.key,
+                                subkey.key,
+                                b'explicitarmor',
+                                b'tgsarmor')
+        armor_key = Krb5EncryptionKey(armor_key, None)
+
+        target_creds = self.get_service_creds()
+        target_name = target_creds.get_username()
+        if target_name[-1] == '$':
+            target_name = target_name[:-1]
+
+        sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+                                          names=['host', target_name])
+        srealm = target_creds.get_realm()
+
+        decryption_key = self.TicketDecryptionKey_from_creds(
+            target_creds)
+
+        target_supported_etypes = target_creds.tgs_supported_enctypes
+
+        etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+
+        kdc_options = '0'
+        pac_options = '1'  # claims support
+
+        # Perform a TGS-REQ for the user. The device claim value should have
+        # changed, indicating that the computer's client claims have been
+        # regenerated or removed, depending on whether the corresponding
+        # attribute is still present on the account.
+
+        kdc_exchange_dict = self.tgs_exchange_dict(
+            expected_crealm=user_tgt.crealm,
+            expected_cname=user_tgt.cname,
+            expected_srealm=srealm,
+            expected_sname=sname,
+            expected_account_name=user_name,
+            ticket_decryption_key=decryption_key,
+            generate_fast_fn=self.generate_simple_fast,
+            generate_fast_armor_fn=self.generate_ap_req,
+            check_rep_fn=self.generic_check_kdc_rep,
+            check_kdc_private_fn=self.generic_check_kdc_private,
+            tgt=user_tgt,
+            armor_key=armor_key,
+            armor_tgt=mach_tgt,
+            armor_subkey=armor_subkey,
+            pac_options=pac_options,
+            authenticator_subkey=subkey,
+            kdc_options=kdc_options,
+            expect_pac=True,
+            expected_supported_etypes=target_supported_etypes,
+            # Expect the DEVICE_CLAIMS_INFO PAC buffer. It may be empty.
+            expect_device_claims=True,
+            expected_device_claims=expected_claims,
+            unexpected_device_claims=unexpected_claims)
+
+        rep = self._generic_kdc_exchange(kdc_exchange_dict,
+                                         cname=None,
+                                         realm=srealm,
+                                         sname=sname,
+                                         etypes=etypes)
+        self.check_reply(rep, KRB_TGS_REP)
+
+    @staticmethod
+    def freeze(m):
+        return frozenset((k, v) for k, v in m.items())
+
     @classmethod
     def setUpDynamicTestCases(cls):
         FILTER = env_get_var_value('FILTER', allow_missing=True)
@@ -498,16 +788,25 @@ class ClaimsTests(KDCBaseTest):
             self.fail(f'Unknown class "{account_class}"')
 
         all_claims = case.pop('claims')
-        (details, _,
+        (details, mod_msg,
          expected_claims,
          unexpected_claims) = self.setup_claims(all_claims)
-        creds = self.get_cached_creds(account_type=account_type,
-                                      opts={
-                                          'additional_details': details,
-                                      })
+        self.assertFalse(mod_msg,
+                         'mid-test modifications not supported in this test')
+        creds = self.get_cached_creds(
+            account_type=account_type,
+            opts={


-- 
Samba Shared Repository


Reply via email to