The branch, master has been updated
       via  4c291514a9e s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation
       via  d209cdf4f0c s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are specified
       via  37594035547 s4:kdc: Use HDB flag constants instead of SDB ones
       via  4e83dfb6764 s4:kdc: Always regard device info when the client performs RBCD
       via  fc7f64baa35 s4:dsdb: Remove reference to non‐existent code
       via  053292a7e8d tests/krb5: Delete connection variable
       via  7ea71c4882e tests/krb5: Make ‘services’ parameter required
       via  ea10d01bfd6 tests/krb5: Remove unreachable exception handlers
       via  e48eb621cd9 tests/krb5: Fix RC4‐only Protected Users tests
       via  f1babf2f3db tests/krb5: Remove unnecessary f‐strings
       via  137499aef60 tests/krb5: Remove unused imports
       via  d363c7bf55a tests/krb5: Fix DES3CBC random_to_key()
       via  a0d32a39804 tests/krb5: Make ‘keybytes’ a bytes object rather than a list
       via  69db1b58882 tests/krb5: Don’t expect edata if no error is expected
       via  ee43eed6354 tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used
       via  991e8f5a7f5 tests/krb5: Use None for the default values of parameters
       via  2ddd8ca3c72 tests/krb5: Move assignments closer to where the variables are used
       via  7f860d1cba4 tests/krb5: Remove incorrect functional level check
       via  11835ed5bbb tests/krb5: Update method names to be consistent with other tests
       via  88d5ae3218d tests/krb5: Have _modify_tgt() accept only keyword arguments
       via  59f7052295a tests/krb5: Correctly pass arguments to _modify_tgt()
       via  a365f04d0f3 tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code
       via  fc475b2e209 tests/krb5: Add ‘expect_edata’ parameter to _user2user()
       via  fcdc0101225 tests/krb5: Fix comment
       via  879e7a3c3e8 tests/krb5: Remove marker
       via  29176807bc2 s4:torture: Check return values of gnutls functions (CID 1547212)
       via  07ec3457dc2 s4:torture: Fix leaks
       via  cf30ddb56d2 s4:torture: Check return values of talloc functions
      from  52fd0d79ab0 smbd: put back code to fill in user and group SID

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 4c291514a9e144c84d774120001775005838e80d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 20:24:04 2023 +1300

    s4:kdc: Permit RODC‐issued evidence tickets for constrained delegation

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Oct 19 22:39:19 UTC 2023 on atb-devel-224

commit d209cdf4f0c8ab948f59ef4cbe824a6fa9bef4ad
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 20:18:28 2023 +1300

    s4:kdc: Add flag to indicate the upper sixteen bits of the kvno are specified

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 375940355477e5d564b633d81777a3eba0f162e5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 20:18:12 2023 +1300

    s4:kdc: Use HDB flag constants instead of SDB ones

    These flags are passed to us by Heimdal, and so they are HDB flags, not
    SDB flags.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4e83dfb6764325bcb420407929399ff4c2b46656
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 14:24:46 2023 +1300

    s4:kdc: Always regard device info when the client performs RBCD

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fc7f64baa35689b860d208702416f85bb212a3be
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 11:18:50 2023 +1300

    s4:dsdb: Remove reference to non‐existent code

    Commit 498542be0bbf4f26558573c1f87b77b8e3509371 removed the code in
    question.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 053292a7e8d2568a06cb6590815039e241d66c52
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 16:07:30 2023 +1300

    tests/krb5: Delete connection variable

    This avoids a ‘variable set but unused’ warning.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7ea71c4882e97c33e1714f8be461aedb57b82aae
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 16:06:51 2023 +1300

    tests/krb5: Make ‘services’ parameter required

    We use it unconditionally without a check for None.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ea10d01bfd699b623536ca6fdd8e9b5d5db8d06f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 16:05:17 2023 +1300

    tests/krb5: Remove unreachable exception handlers

    ‘IOError’ is a subclass of ‘error’, which has already been handled.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e48eb621cd92cc3d97b77126512295d5bf14ed49
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 16:03:45 2023 +1300

    tests/krb5: Fix RC4‐only Protected Users tests

    We forgot to actually use the ‘supported_enctypes’ parameter.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f1babf2f3db950e1c7ebbe8886642115a7045a3e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 16:02:36 2023 +1300

    tests/krb5: Remove unnecessary f‐strings

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 137499aef60bec415e3ef058d8effcc2d211d7e1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 16:02:00 2023 +1300

    tests/krb5: Remove unused imports

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit d363c7bf55a2b913e8a4d2730910467df6694dc1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 15:59:56 2023 +1300

    tests/krb5: Fix DES3CBC random_to_key()

    Because ‘keybytes’ is an immutable bytes object, ‘keybytes[7] = …’ has
    no hope of working.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a0d32a39804dbf96a155951199e612afcdbda334
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 17:08:01 2023 +1300

    tests/krb5: Make ‘keybytes’ a bytes object rather than a list

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 69db1b58882d42b4f159404a994054439b973fc1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 15:08:47 2023 +1300

    tests/krb5: Don’t expect edata if no error is expected

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ee43eed6354fcff3cf38e612a9e4dea5c97ad1b5
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 14:18:47 2023 +1300

    tests/krb5: Add parameter to _tgs() specifying whether FAST is to be used

    View with ‘git show -b’.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 991e8f5a7f5a55347a12a1f9c0eff79583bbca7e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 14:17:59 2023 +1300

    tests/krb5: Use None for the default values of parameters

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 2ddd8ca3c72f0313452d6e89a2ccf1332b38f8ef
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 14:15:27 2023 +1300

    tests/krb5: Move assignments closer to where the variables are used

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7f860d1cba41a2e1ac4a82914a2471c652a135f3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 14:06:42 2023 +1300

    tests/krb5: Remove incorrect functional level check

    RBCD has no relevance to a method called _tgs().

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 11835ed5bbb80b760e61c8dd8aace614152a4737
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 14:05:16 2023 +1300

    tests/krb5: Update method names to be consistent with other tests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 88d5ae3218dfb0961b9503472dd14e9585d87773
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 13:53:59 2023 +1300

    tests/krb5: Have _modify_tgt() accept only keyword arguments

    to prevent further accidents.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 59f7052295a340e9816946ac35a7d4a6afbfdb78
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 13:52:55 2023 +1300

    tests/krb5: Correctly pass arguments to _modify_tgt()

    We were passing the new realm as the ‘renewable’ parameter!

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit a365f04d0f388530cc2b772297a93b2fd54002bc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 19:06:31 2023 +1300

    tests/krb5: Add KDC_ERR_SERVER_NOMATCH error code

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fc475b2e209bdb568e5fc3b972e84416ada304ae
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Oct 18 16:51:24 2023 +1300

    tests/krb5: Add ‘expect_edata’ parameter to _user2user()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit fcdc0101225aebc1dfbc8954184e9cb75ae9de0b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 11:59:40 2023 +1300

    tests/krb5: Fix comment

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 879e7a3c3e810db1880967e4121fc487cac4d1ac
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 17 11:25:43 2023 +1300

    tests/krb5: Remove marker

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 29176807bc2e40df558f5ba9d19b4a2acf9f5416
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 16 18:25:36 2023 +1300

    s4:torture: Check return values of gnutls functions (CID 1547212)

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 07ec3457dc202fe7bd4e678783e621522d7dbe18
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 16 19:10:56 2023 +1300

    s4:torture: Fix leaks

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit cf30ddb56d25cb7980faf7196d63ca352f156dcc
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Oct 16 19:09:54 2023 +1300

    s4:torture: Check return values of talloc functions

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/conditional_ace_tests.py   | 82 ++++++++++++----------
 python/samba/tests/krb5/kcrypto.py                 |  6 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           | 16 ++++-
 python/samba/tests/krb5/kpasswd_tests.py           |  2 +-
 python/samba/tests/krb5/lockout_tests.py           |  4 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  2 +-
 python/samba/tests/krb5/protected_users_tests.py   |  2 +
 python/samba/tests/krb5/raw_testcase.py            |  9 ---
 python/samba/tests/krb5/rfc4120_constants.py       |  1 +
 python/samba/tests/krb5/s4u_tests.py               |  2 +-
 python/samba/tests/krb5/test_min_domain_uid.py     |  2 +-
 selftest/knownfail_heimdal_kdc                     |  6 --
 selftest/knownfail_mit_kdc                         |  4 +-
 source4/dsdb/samdb/ldb_modules/dirsync.c           |  4 +-
 source4/kdc/db-glue.c                              |  5 +-
 source4/kdc/hdb-samba4.c                           |  2 +-
 source4/kdc/sdb.h                                  |  3 +-
 source4/kdc/wdc-samba4.c                           | 12 +---
 source4/torture/rpc/backupkey.c                    | 61 +++++++++++++---
 19 files changed, 130 insertions(+), 95 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index 62f2e7a647a..c478dfe00a8 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -758,7 +758,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): expected_error=0) def test_allowed_from_claim_equals_claim(self): - # Create a couple of claims. + # Create a couple of claim types. claim0_id = self.get_new_username() self.create_claim(claim0_id, 
@@ -1074,8 +1074,6 @@ class ConditionalAceTests(ConditionalAceBaseTests): (('foo', 'bar'), 'Contains', '{{1, 2, 3}}', None), ] - ########################################################################################## - def _test_cmp_with_args(self, lhs, op, rhs, outcome, rhs_is_literal=False): # Construct a conditional ACE expression that evaluates to True if the # two claim values are equal. @@ -2111,7 +2109,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): self._rbcd(target_policy=f'Device_Member_of SID({security.SID_CLAIMS_VALID})', device_sids=device_sids) - def test_rbcd_device_without_compounded_auth(self): + def test_rbcd_device_without_compounded_authentication(self): device_sids = { (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), @@ -2131,7 +2129,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): reason=AuditReason.ACCESS_DENIED, edata=self.expect_padata_outer) - def test_rbcd_device_with_compounded_auth(self): + def test_rbcd_device_with_compounded_authentication(self): device_sids = { (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), @@ -2154,8 +2152,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): def test_rbcd_service_from_rodc(self): self._rbcd('Member_of SID({service_sid})', - service_from_rodc=True, - edata=self.expect_padata_outer) + service_from_rodc=True) def test_rbcd_device_and_service_from_rodc(self): self._rbcd('Member_of SID({service_sid})', @@ -2165,8 +2162,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): def test_rbcd_client_from_rodc(self): self._rbcd('Member_of SID({service_sid})', - client_from_rodc=True, - edata=self.expect_padata_outer) + client_from_rodc=True) def test_rbcd_client_and_device_from_rodc(self): self._rbcd('Member_of SID({service_sid})', 
@@ -2177,8 +2173,7 @@ class ConditionalAceTests(ConditionalAceBaseTests): def test_rbcd_client_and_service_from_rodc(self): self._rbcd('Member_of SID({service_sid})', client_from_rodc=True, - service_from_rodc=True, - edata=self.expect_padata_outer) + service_from_rodc=True) def test_rbcd_all_from_rodc(self): self._rbcd('Member_of SID({service_sid})', @@ -2726,8 +2721,9 @@ class ConditionalAceTests(ConditionalAceBaseTests): reason=AuditReason.NONE, status=None, edata=False, - client_from_rodc=False, - device_from_rodc=False, + use_fast=True, + client_from_rodc=None, + device_from_rodc=None, client_sids=None, client_claims=None, device_sids=None, @@ -2743,13 +2739,17 @@ class ConditionalAceTests(ConditionalAceBaseTests): except TypeError: self.assertIsNot(code, CRASHES_WINDOWS) - samdb = self.get_samdb() - functional_level = self.get_domain_functional_level(samdb) + if not use_fast: + self.assertIsNone(device_from_rodc) + self.assertIsNone(device_sids) + self.assertIsNone(device_claims) + self.assertIsNone(expected_device_groups) - if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008: - self.skipTest('RBCD requires FL2008') + if client_from_rodc is None: + client_from_rodc = False - domain_sid_str = samdb.get_domain_sid() + if device_from_rodc is None: + device_from_rodc = False client_creds = self.get_cached_creds( account_type=self.AccountType.USER, 
@@ -2792,26 +2792,29 @@ class ConditionalAceTests(ConditionalAceBaseTests): new_ticket_key=rodc_krbtgt_key if client_from_rodc else None, checksum_keys=rodc_checksum_key if client_from_rodc else checksum_key) - # Create a machine account with which to perform FAST. - mach_creds = self.get_cached_creds( - account_type=self.AccountType.COMPUTER, - opts={ - 'allowed_replication_mock': device_from_rodc, - 'revealed_to_mock_rodc': device_from_rodc, - }) - mach_tgt = self.get_tgt(mach_creds) - device_modify_pac_fn = [] - if device_sids is not None: - device_modify_pac_fn.append(partial(self.set_pac_sids, - new_sids=device_sids)) - if device_claims is not None: - device_modify_pac_fn.append(partial(self.set_pac_claims, - client_claims=device_claims)) - mach_tgt = self.modified_ticket( - mach_tgt, - modify_pac_fn=device_modify_pac_fn, - new_ticket_key=rodc_krbtgt_key if device_from_rodc else None, - checksum_keys=rodc_checksum_key if device_from_rodc else checksum_key) + if use_fast: + # Create a machine account with which to perform FAST. + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={ + 'allowed_replication_mock': device_from_rodc, + 'revealed_to_mock_rodc': device_from_rodc, + }) + mach_tgt = self.get_tgt(mach_creds) + device_modify_pac_fn = [] + if device_sids is not None: + device_modify_pac_fn.append(partial(self.set_pac_sids, + new_sids=device_sids)) + if device_claims is not None: + device_modify_pac_fn.append(partial(self.set_pac_claims, + client_claims=device_claims)) + mach_tgt = self.modified_ticket( + mach_tgt, + modify_pac_fn=device_modify_pac_fn, + new_ticket_key=rodc_krbtgt_key if device_from_rodc else None, + checksum_keys=rodc_checksum_key if device_from_rodc else checksum_key) + else: + mach_tgt = None if target_policy is None: policy = None 
@@ -2831,6 +2834,9 @@ class ConditionalAceTests(ConditionalAceBaseTests): target_creds) target_etypes = target_creds.tgs_supported_enctypes + samdb = self.get_samdb() + domain_sid_str = samdb.get_domain_sid() + expected_groups = self.map_sids(expected_groups, None, domain_sid_str) expected_device_groups = self.map_sids(expected_device_groups, None, domain_sid_str) diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index 79df0b58a3e..c0a09908ea9 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -279,11 +279,11 @@ class _DES3CBC(_SimplifiedEnctype): b &= ~1 return b if bin(b & ~1).count('1') % 2 else b | 1 assert len(seed) == 7 - firstbytes = [parity(b & ~1) for b in seed] + firstbytes = bytes(parity(b & ~1) for b in seed) lastbyte = parity(sum((seed[i] & 1) << i + 1 for i in range(7))) - keybytes = bytes([b for b in firstbytes + [lastbyte]]) + keybytes = firstbytes + bytes([lastbyte]) if _is_weak_des_key(keybytes): - keybytes[7] = bytes([keybytes[7] ^ 0xF0]) + keybytes = firstbytes + bytes([lastbyte ^ 0xF0]) return keybytes if len(seed) != 21: diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index f6d8921635a..28654042f78 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -48,6 +48,7 @@ from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_S_PRINCIPAL_UNKNOWN, + KDC_ERR_SERVER_NOMATCH, KDC_ERR_TKT_EXPIRED, KDC_ERR_TGT_REVOKED, KRB_ERR_TKT_NYV, @@ -1954,7 +1955,7 @@ class KdcTgsTests(KdcTgsBaseTests): tgt = self._get_tgt(creds) realm = creds.get_realm().encode('utf-8') - tgt = self._modify_tgt(tgt, realm) + tgt = self._modify_tgt(tgt, crealm=realm) self._user2user(tgt, creds, expected_error=0) 
@@ -1963,10 +1964,16 @@ class KdcTgsTests(KdcTgsBaseTests): creds = self._get_creds() tgt = self._get_tgt(creds) - tgt = self._modify_tgt(tgt, b'OTHER.REALM') + tgt = self._modify_tgt(tgt, crealm=b'OTHER.REALM') self._user2user(tgt, creds, - expected_error=0) + expected_error=( + KDC_ERR_POLICY, # Windows + KDC_ERR_C_PRINCIPAL_UNKNOWN, # Heimdal + KDC_ERR_SERVER_NOMATCH, # MIT + ), + expect_edata=True, + expected_status=ntstatus.NT_STATUS_NO_MATCH) def test_user2user_tgt_correct_cname(self): creds = self._get_creds() @@ -2929,6 +2936,7 @@ class KdcTgsTests(KdcTgsBaseTests): def _modify_tgt(self, tgt, + *, renewable=False, invalid=False, from_rodc=False, @@ -3235,6 +3243,7 @@ class KdcTgsTests(KdcTgsBaseTests): def _user2user(self, tgt, tgt_creds, expected_error, *, sname=None, srealm=None, user_tgt=None, user_creds=None, + expect_edata=False, expect_pac=True, expected_status=None): if user_tgt is None: user_creds = self._get_mach_creds() @@ -3250,6 +3259,7 @@ class KdcTgsTests(KdcTgsBaseTests): additional_ticket=tgt, sname=sname, srealm=srealm, + expect_edata=expect_edata, expect_pac=expect_pac, expected_status=expected_status) diff --git a/python/samba/tests/krb5/kpasswd_tests.py b/python/samba/tests/krb5/kpasswd_tests.py index 961feeac243..befe56c5bf5 100755 --- a/python/samba/tests/krb5/kpasswd_tests.py +++ b/python/samba/tests/krb5/kpasswd_tests.py @@ -26,7 +26,7 @@ os.environ['PYTHONUNBUFFERED'] = '1' from functools import partial from samba import generate_random_password -from samba.dcerpc import krb5pac, security +from samba.dcerpc import krb5pac from samba.sd_utils import SDUtils from samba.tests.krb5.kdc_base_test import KDCBaseTest diff --git a/python/samba/tests/krb5/lockout_tests.py b/python/samba/tests/krb5/lockout_tests.py index 3fe098a662d..d91eb1df79d 100755 --- a/python/samba/tests/krb5/lockout_tests.py +++ b/python/samba/tests/krb5/lockout_tests.py 
@@ -812,8 +812,8 @@ class LockoutTests(KDCBaseTest): # modification, so that the account is also added to the # auxiliary bad password database. - old_utf16pw = f'"Secret007"'.encode('utf-16le') # invalid pwd - new_utf16pw = f'"Secret008"'.encode('utf-16le') + old_utf16pw = '"Secret007"'.encode('utf-16le') # invalid pwd + new_utf16pw = '"Secret008"'.encode('utf-16le') msg = ldb.Message(user_dn) msg['0'] = ldb.MessageElement(old_utf16pw, diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py index 3fda7d66cf0..9b541a6285e 100755 --- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -23,7 +23,7 @@ import os sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" -from samba.dsdb import UF_NORMAL_ACCOUNT, UF_DONT_REQUIRE_PREAUTH +from samba.dsdb import UF_DONT_REQUIRE_PREAUTH from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, diff --git a/python/samba/tests/krb5/protected_users_tests.py b/python/samba/tests/krb5/protected_users_tests.py index 27356cbd589..b592b4a893f 100755 --- a/python/samba/tests/krb5/protected_users_tests.py +++ b/python/samba/tests/krb5/protected_users_tests.py @@ -93,6 +93,8 @@ class ProtectedUsersTests(KDCBaseTest): if members: opts['member_of'] = members + if supported_enctypes is not None: + opts['supported_enctypes'] = supported_enctypes return self.get_cached_creds(account_type=account_type, opts=opts, diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 2681356f3cf..f433fa4bd4e 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py 
@@ -836,9 +836,6 @@ class RawKerberosTest(TestCase): except socket.error: self.s.close() raise - except IOError: - self.s.close() - raise def connect(self, host, port=None): self.assertNotConnected() @@ -1142,9 +1139,6 @@ class RawKerberosTest(TestCase): except socket.error as e: self._disconnect("send_msg: %s" % e) raise - except IOError as e: - self._disconnect("send_msg: %s" % e) - raise def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None): rep_pdu = None @@ -1163,9 +1157,6 @@ class RawKerberosTest(TestCase): except socket.error as e: self._disconnect("recv_raw: %s" % e) raise - except IOError as e: - self._disconnect("recv_raw: %s" % e) - raise return rep_pdu def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None): diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 583ffbaf6af..dff6017b710 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -101,6 +101,7 @@ KDC_ERR_CLIENT_REVOKED = 18 KDC_ERR_TGT_REVOKED = 20 KDC_ERR_PREAUTH_FAILED = 24 KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_SERVER_NOMATCH = 26 KDC_ERR_BAD_INTEGRITY = 31 KDC_ERR_TKT_EXPIRED = 32 KRB_ERR_TKT_NYV = 33 diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index d91c06c418f..b03a246e4be 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -1778,7 +1778,7 @@ class S4UKerberosTests(KDCBaseTest): checksum_keys=checksum_keys, include_checksums=include_checksums) - def add_delegation_info(self, ticket, services=None): + def add_delegation_info(self, ticket, *, services): def modify_pac_fn(pac): pac_buffers = pac.buffers self.assertNotIn(krb5pac.PAC_TYPE_CONSTRAINED_DELEGATION, diff --git a/python/samba/tests/krb5/test_min_domain_uid.py b/python/samba/tests/krb5/test_min_domain_uid.py index 7c7942c6cbe..c0b415d2a9e 100755 --- a/python/samba/tests/krb5/test_min_domain_uid.py 
+++ b/python/samba/tests/krb5/test_min_domain_uid.py @@ -91,7 +91,7 @@ class SmbMinDomainUid(KDCBaseTest): conn = libsmb.Conn(self.mach_name, self.share, lp=s3_lp, creds=creds) # Disconnect - conn = None + del conn with open(self.global_inject, 'w') as f: f.truncate() diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 842309bafe8..986c2e9cc24 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
@@ -125,12 +125,6 @@ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_and_one_uint_2_0_1___zero_and_one_uint_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_int_1_0___zero_int_\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_pac_claim_cmp__1_zero_uint_2_0___zero_uint_\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_and_device_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_client_from_rodc\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_both_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_claims_valid_client_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_tgs_with_service_asserted_identity_both_from_rodc\(ad_dc\) diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index c89feb1dbb1..5f5a4fa45ec 100644 --- a/selftest/knownfail_mit_kdc 
+++ b/selftest/knownfail_mit_kdc @@ -3963,7 +3963,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_aa_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_claims_valid\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_auth\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_compounded_authentication\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_with_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_service_from_rodc\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_with_aa_asserted_identity\(ad_dc\) 
@@ -4040,7 +4040,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_without_aa_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_without_aa_asserted_identity_not_memberof\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_without_claims_valid\(ad_dc\) -^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_without_compounded_auth\(ad_dc\) +^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_without_compounded_authentication\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_device_without_service_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_without_aa_asserted_identity\(ad_dc\) ^samba.tests.krb5.conditional_ace_tests.samba.tests.krb5.conditional_ace_tests.ConditionalAceTests.test_rbcd_without_claims_valid\(ad_dc\) diff --git a/source4/dsdb/samdb/ldb_modules/dirsync.c b/source4/dsdb/samdb/ldb_modules/dirsync.c index ac16e96f169..9901a993c05 100644 --- a/source4/dsdb/samdb/ldb_modules/dirsync.c +++ b/source4/dsdb/samdb/ldb_modules/dirsync.c @@ -202,9 +202,7 @@ static int dirsync_filter_entry(struct ldb_request *req, guidfound = true; } /* - * We expect to find the GUID in the object, - * if it turns out not to be the case sometimes - * we will uncomment the code below + * We expect to find the GUID in the object */ SMB_ASSERT(guidfound == true); return ldb_module_send_entry(dsc->req, msg, controls); 
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index cf606d3e6dd..90be0434c36 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -2466,7 +2466,7 @@ static krb5_error_code samba_kdc_fetch_krbtgt(krb5_context context, /* w2k8r2 sometimes gives us a kvno of 255 for inter-domain trust tickets. We don't yet know what this means, but we do seem to need to treat it as unspecified */ - if (flags & SDB_F_KVNO_SPECIFIED) { + if (flags & (SDB_F_KVNO_SPECIFIED|SDB_F_RODC_NUMBER_SPECIFIED)) { krbtgt_number = SAMBA_KVNO_GET_KRBTGT(kvno); if (kdc_db_ctx->rodc) { if (krbtgt_number != kdc_db_ctx->my_krbtgt_number) { @@ -3413,7 +3413,8 @@ krb5_error_code samba_kdc_check_s4u2proxy_rbcd( struct security_token *security_token = NULL; uint32_t session_info_flags = AUTH_SESSION_INFO_DEFAULT_GROUPS | - AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + AUTH_SESSION_INFO_SIMPLE_PRIVILEGES | + AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION; /* * Testing shows that although Windows grants SEC_ADS_GENERIC_ALL access * in security descriptors it creates for RBCD, its KDC only requires diff --git a/source4/kdc/hdb-samba4.c b/source4/kdc/hdb-samba4.c index 7d80358c889..92e9e609196 100644 --- a/source4/kdc/hdb-samba4.c +++ b/source4/kdc/hdb-samba4.c @@ -215,7 +215,7 @@ static krb5_error_code hdb_samba4_kpasswd_fetch_kvno(krb5_context context, HDB * flags &= ~HDB_F_KVNO_SPECIFIED; /* Don't bother looking up a client or krbtgt. */ - flags &= ~(SDB_F_GET_CLIENT|SDB_F_GET_KRBTGT); + flags &= ~(HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT); ret = hdb_samba4_fetch_kvno(context, db, kpasswd_principal, diff --git a/source4/kdc/sdb.h b/source4/kdc/sdb.h index cc04039ac6d..820648a0698 100644 --- a/source4/kdc/sdb.h +++ b/source4/kdc/sdb.h 
@@ -134,8 +134,9 @@ struct sdb_entry { SDB_F_ARMOR_PRINCIPAL| \ SDB_F_USER2USER_PRINCIPAL) -/* This is not supported by HDB */ +/* These are not supported by HDB */ #define SDB_F_FORCE_CANON 16384 /* force canonicalization */ +#define SDB_F_RODC_NUMBER_SPECIFIED 32768 /* we want a particular RODC number */ void sdb_key_free(struct sdb_key *key); void sdb_keys_free(struct sdb_keys *keys); diff --git a/source4/kdc/wdc-samba4.c b/source4/kdc/wdc-samba4.c index 1daf6d63f51..dc2fffad2e4 100644 --- a/source4/kdc/wdc-samba4.c +++ b/source4/kdc/wdc-samba4.c @@ -642,14 +642,6 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r, if (pac_kdc_signature_rodc_id != header_ticket_rodc_id) { struct sdb_entry signing_krbtgt_sdb; - /* - * If we didn't sign the ticket, then return an - * error. - */ - if (pac_kdc_signature_rodc_id != 0) { - return KRB5KRB_AP_ERR_MODIFIED; - } - /* * Fetch our key from the database. To support * key rollover, we're going to need to try @@ -659,8 +651,8 @@ static krb5_error_code samba_wdc_verify_pac(void *priv, astgs_request_t r, ret = samba_kdc_fetch(context, -- Samba Shared Repository
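Review bot: in the conditional_ace_tests.py `_rbcd()` hunks (@@ -2726 and @@ -2743), the new `if not use_fast:` block uses `self.assertIsNone(device_from_rodc)` while the default for `device_from_rodc` changed from `False` to `None` and is only mapped back to `False` further down; any caller that passes `device_from_rodc=False` explicitly together with `use_fast=False` will now fail that assertion even though it asks for nothing FAST-related. Suggest `self.assertFalse(device_from_rodc)` there, or a docstring line saying the device arguments must be left out when FAST is off.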
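Review bot: in the kcrypto.py `_DES3CBC` hunk (@@ -279), the weak-key branch `keybytes = firstbytes + bytes([lastbyte ^ 0xF0])` is the first version of this code that can actually execute, since the old `keybytes[7] = ...` would have raised on the immutable bytes object; please add a test that feeds `random_to_key()` a seed whose derived key trips `_is_weak_des_key()`, so the branch is exercised and the odd-parity property of the adjusted last byte (flipping four bits keeps parity) is pinned down rather than assumed.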
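Review bot: in the kdc_tgs_tests.py hunk at @@ -1963, the change from `expected_error=0` to the tuple `(KDC_ERR_POLICY, KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_SERVER_NOMATCH)` follows from the `_modify_tgt()` argument fix: because the realm used to be passed as `renewable`, the crealm of the TGT was never actually changed to `OTHER.REALM`, so the old success expectation was checking an unmodified ticket. The commit message for "Correctly pass arguments to _modify_tgt()" should say that this test previously passed for the wrong reason, and the per-KDC comments (`# Windows`, `# Heimdal`, `# MIT`) are worth keeping since the three implementations disagree on the error code.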
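Review bot: in the test_min_domain_uid.py hunk (@@ -91), replacing `conn = None` with `del conn` keeps the `# Disconnect` comment, but both forms only drop a reference and rely on the `libsmb.Conn` object being finalised to close the connection; if the binding offers an explicit close, call it here, otherwise reword the comment to say the disconnect happens when the object is freed, so a later reader does not assume a synchronous teardown before `self.global_inject` is truncated.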
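Review bot: in the knownfail_mit_kdc hunk at @@ -3963, the context lines still list `test_rbcd_service_from_rodc` and `test_rbcd_device_from_rodc` as known failures, while the conditional_ace_tests.py hunks drop `edata=self.expect_padata_outer` from the `*_from_rodc` RBCD tests (so they now expect success) and the knownfail_heimdal_kdc hunk removes `test_rbcd_client_from_rodc` and `test_rbcd_client_and_device_from_rodc`. That means the "Permit RODC‐issued evidence tickets" change takes effect only on the Heimdal KDC build; the commit message should state that the MIT KDC still rejects these tickets so nobody reads the knownfail diff as a regression.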
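Review bot: in the db-glue.c hunk at @@ -2466, `if (flags & (SDB_F_KVNO_SPECIFIED|SDB_F_RODC_NUMBER_SPECIFIED))` now takes the krbtgt-number path when either bit is set, but the comment directly above still only explains the w2k8r2 kvno-255 case; extend it to say that an RODC number can now be requested independently of the kvno. Also confirm that `hdb_samba4_kpasswd_fetch_kvno()`, which clears `HDB_F_KVNO_SPECIFIED` before the fetch, does not also need to clear the new SDB bit, otherwise a kpasswd lookup could still be steered to a specific RODC krbtgt.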
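Review bot: in the db-glue.c hunk at @@ -3413, adding `AUTH_SESSION_INFO_FORCE_COMPOUNDED_AUTHENTICATION` to `session_info_flags` in `samba_kdc_check_s4u2proxy_rbcd()` changes the token the RBCD access check is evaluated against (per the commit subject, device information is now always regarded), which is a policy-relevant change with no explanatory comment in the code; add one stating that the RBCD security descriptor is evaluated as though compound authentication took place, and point at `test_rbcd_device_with_compounded_authentication` / `test_rbcd_device_without_compounded_authentication` in conditional_ace_tests.py as the tests that pin this behaviour.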
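Review bot: in the hdb-samba4.c hunk at @@ -215, the fix from `SDB_F_GET_CLIENT|SDB_F_GET_KRBTGT` to `HDB_F_GET_CLIENT|HDB_F_GET_KRBTGT` shows the old code was masking bits from the wrong flag namespace on a value Heimdal hands over as HDB flags. The companion sdb.h hunk (@@ -134) adds another SDB-only bit, `SDB_F_RODC_NUMBER_SPECIFIED 32768`, under the comment "These are not supported by HDB"; please check that no `HDB_F_*` constant occupies the same bit value at the point where HDB flags are translated into SDB flags, or a mix-up like the one fixed here can recur in the other direction, and expand that comment to say what a caller must do when it needs the flag on the HDB side.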
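Review bot: in the wdc-samba4.c hunk at @@ -642, the deleted block `if (pac_kdc_signature_rodc_id != 0) { return KRB5KRB_AP_ERR_MODIFIED; }` was the guard in `samba_wdc_verify_pac()` that rejected a PAC whose KDC signature claims an RODC id different from the header ticket's RODC id; with it gone, execution falls through to the "Fetch our key from the database" path, and the changeset is cut off at 500 lines before the verification that follows is visible. Before merging, confirm that the code after the fetch still verifies the KDC signature against that specific RODC krbtgt key and checks that the RODC was permitted for the client in question (the tests model this with the `allowed_replication_mock` and `revealed_to_mock_rodc` options), and give commit 4c291514a9e a body that spells out this trust boundary, since its message currently has only a subject line.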