The branch, master has been updated
       via  01378a52a1c tests/krb5: Create testing accounts in appropriate containers
       via  c3b74629027 tests/krb5: Check for presence of 'key-expiration' element
       via  d3106a8d352 tests/krb5: Check 'caddr' element
       via  9cba5f9a1b0 tests/krb5: Check for presence of 'renew-till' element
       via  0afb548a0a3 tests/krb5: Allow Kerberos requests to be sent to DC or RODC
       via  1974b872fb5 tests/krb5: Make time assertion less strict
       via  85ddfc1afcf tests/krb5: Allow specifying ticket flags expected to be set or reset
       via  571265257f3 tests/krb5: Remove magic constants
       via  7556a4dfa64 tests/krb5: Don't create PAC request or options manually in fast_tests
       via  bc21ba25920 tests/krb5: Don't create PAC request manually in as_req_tests
       via  c0db1ba54d2 tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
       via  1f23b16ef3a tests/krb5: Move padata generation methods to base class
       via  9973b51e48a tests/krb5: Keep track of account DN in credentials object
       via  9aa90085744 tests/krb5: Allow specifying additional User Account Control flags for account
       via  7aae0e9b100 tests/krb5: Allow specifying an OU to create accounts in
       via  bf55786fcd9 tests/krb5: Replace expected_cname_private with expected_anon parameter
       via  3fd73b65a3d tests/krb5: Use more compact dict lookup
       via  08086c43987 tests/krb5: Add KDCOptions flag for constrained delegation
       via  448b661bf88 tests/krb5: Use signed integers to represent key version numbers in ASN.1
       via  9924dd97618 tests/krb5: Add methods to obtain the length of checksum types
       via  c6badf818e9 tests/krb5: Calculate expected salt if not given explicitly
       via  0092b4a3ed5 security.idl: Add well-known SIDs for FAST
       via  ff2f38fae79 krb5pac.idl: Add ticket checksum PAC buffer type
      from  95d8cdf0c36 tsocket: set errno on some failures of tsocket_address_inet_from_strings

https://git.samba.org/?p=samba.git;a=shortlog;h=master

- Log -----------------------------------------------------------------

commit 01378a52a1cf0b6855492673455013d5719be45b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Sep 3 09:18:32 2021 +1200

    tests/krb5: Create testing accounts in appropriate containers

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184

commit c3b746290278f7b5c1dea676e3fa28b9f15bcf94
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 19:47:27 2021 +1200

    tests/krb5: Check for presence of 'key-expiration' element

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit d3106a8d35225e826d548d3bea0d42edc3998c38
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 19:45:57 2021 +1200

    tests/krb5: Check 'caddr' element

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 9cba5f9a1b098e49315e2e3d4c0b626884c04a64
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 19:43:41 2021 +1200

    tests/krb5: Check for presence of 'renew-till' element

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 0afb548a0a3221730c4a81d51bc31e99ec90e334
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 19:34:20 2021 +1200

    tests/krb5: Allow Kerberos requests to be sent to DC or RODC

    If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
    refer to the hostnames of the DC and RODC respectively, and this commit
    allows either one of them to be used as the KDC for Kerberos exchanges.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 1974b872fb5a7da052305d01e2f1efc8d0637078
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 19:15:17 2021 +1200

    tests/krb5: Make time assertion less strict

    This assertion could fail if there was a time difference between the KDC
    and the client.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 85ddfc1afcf21797dab15431a5f375444c4d316e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 19:13:11 2021 +1200

    tests/krb5: Allow specifying ticket flags expected to be set or reset

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 571265257f335ba7f6f1b46daa0d657b8a8dff2b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 17:46:02 2021 +1200

    tests/krb5: Remove magic constants

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 7556a4dfa64650939aef14a2fc4d10b9ed3d29f7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 2 14:38:33 2021 +1200

    tests/krb5: Don't create PAC request or options manually in fast_tests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit bc21ba2592093c765751ed3e8083dcd3512997f8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 2 14:37:27 2021 +1200

    tests/krb5: Don't create PAC request manually in as_req_tests

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit c0db1ba54d238d4b2da8895215d8314b068ce09c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 2 14:36:42 2021 +1200

    tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 1f23b16ef3a900a1bda01bf2a5a3a3847e2e79d1
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Sep 2 14:27:00 2021 +1200

    tests/krb5: Move padata generation methods to base class

    This allows them to be used directly from RawKerberosTest.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 9973b51e48a5d5f3e33c6e0da46e6231a42bd77a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 16:35:58 2021 +1200

    tests/krb5: Keep track of account DN in credentials object

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 9aa900857441ea7e1c2d6c60bfa1ddeb142bf3e3
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 16:34:46 2021 +1200

    tests/krb5: Allow specifying additional User Account Control flags for account

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 7aae0e9b100b8cb7d1da78b8cb9a4a5c20acffbd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 16:34:02 2021 +1200

    tests/krb5: Allow specifying an OU to create accounts in

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit bf55786fcd9a96daa9002661d6f5d9b3502ed8a7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 16:31:56 2021 +1200

    tests/krb5: Replace expected_cname_private with expected_anon parameter

    This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
    the cname, and makes the reply checking logic easier to follow. This
    also removes the need to fetch the client credentials in the test
    methods.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 3fd73b65a3db405db5a0a82cca6c808763d4f437
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 16:21:55 2021 +1200

    tests/krb5: Use more compact dict lookup

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 08086c43987abecc588ebd32ec846ff7e27a83b6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 16:05:39 2021 +1200

    tests/krb5: Add KDCOptions flag for constrained delegation

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 448b661bf8815a05f534926d8ee8d6f57d123c2c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 15:57:26 2021 +1200

    tests/krb5: Use signed integers to represent key version numbers in ASN.1

    As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
    signed 32-bit integers to represent key version numbers. This makes a
    difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
    32767, where the kvno should be encoded in four bytes rather than five.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 9924dd976183ea62b08f116f8b8bacc698bb9b95
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 15:50:26 2021 +1200

    tests/krb5: Add methods to obtain the length of checksum types

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit c6badf818e9db44461979a931c74fc5ab6e80132
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 15:46:42 2021 +1200

    tests/krb5: Calculate expected salt if not given explicitly

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Isaac Boukris <ibouk...@samba.org>

commit 0092b4a3ed58b2c256d4dd9117cce927a3edde12
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 1 15:40:59 2021 +1200

    security.idl: Add well-known SIDs for FAST
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> commit ff2f38fae79220e16765e17671972f9a55eb7cce Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Sep 1 15:39:19 2021 +1200 krb5pac.idl: Add ticket checksum PAC buffer type Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> ----------------------------------------------------------------------- Summary of changes: librpc/idl/krb5pac.idl | 4 +- librpc/idl/security.idl | 3 + python/samba/tests/krb5/as_req_tests.py | 39 ++---- python/samba/tests/krb5/fast_tests.py | 82 ++++-------- python/samba/tests/krb5/kcrypto.py | 26 ++++ python/samba/tests/krb5/kdc_base_test.py | 25 +++- python/samba/tests/krb5/raw_testcase.py | 204 +++++++++++++++++++++++------- python/samba/tests/krb5/rfc4120.asn1 | 3 +- python/samba/tests/krb5/rfc4120_pyasn1.py | 3 +- 9 files changed, 255 insertions(+), 134 deletions(-) Changeset truncated at 500 lines: diff --git a/librpc/idl/krb5pac.idl b/librpc/idl/krb5pac.idl index fb360c1257f..3239d7656b6 100644 --- a/librpc/idl/krb5pac.idl +++ b/librpc/idl/krb5pac.idl @@ -112,7 +112,8 @@ interface krb5pac PAC_TYPE_KDC_CHECKSUM = 7, PAC_TYPE_LOGON_NAME = 10, PAC_TYPE_CONSTRAINED_DELEGATION = 11, - PAC_TYPE_UPN_DNS_INFO = 12 + PAC_TYPE_UPN_DNS_INFO = 12, + PAC_TYPE_TICKET_CHECKSUM = 16 } PAC_TYPE; typedef struct { @@ -128,6 +129,7 @@ interface krb5pac [case(PAC_TYPE_CONSTRAINED_DELEGATION)][subcontext(0xFFFFFC01)] PAC_CONSTRAINED_DELEGATION_CTR constrained_delegation; [case(PAC_TYPE_UPN_DNS_INFO)] PAC_UPN_DNS_INFO upn_dns_info; + [case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum; /* when new PAC info types are added they are supposed to be done in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for 
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl index 06bf7449a70..3df96dedbdd 100644 --- a/librpc/idl/security.idl +++ b/librpc/idl/security.idl @@ -295,6 +295,9 @@ interface security const string SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY = "S-1-18-1"; const string SID_SERVICE_ASSERTED_IDENTITY = "S-1-18-2"; + const string SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496"; + const string SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497"; + /* * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx */ diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 82ff3f4845c..35f88a0c920 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -56,7 +56,7 @@ class AsReqKerberosTests(KDCBaseTest): def _test_as_req_nopreauth(self, initial_etypes, - initial_padata=None, + pac=None, initial_kdc_options=None): client_creds = self.get_client_creds() client_account = client_creds.get_username() @@ -74,7 +74,7 @@ class AsReqKerberosTests(KDCBaseTest): expected_cname = cname expected_srealm = realm expected_sname = sname - expected_salt = client_creds.get_forced_salt() + expected_salt = client_creds.get_salt() if any(etype in client_as_etypes and etype in initial_etypes for etype in (kcrypto.Enctype.AES256, 
@@ -84,27 +84,19 @@ class AsReqKerberosTests(KDCBaseTest): else: expected_error_mode = KDC_ERR_ETYPE_NOSUPP - def _generate_padata_copy(_kdc_exchange_dict, - _callback_dict, - req_body): - return initial_padata, req_body - - generate_padata_fn = (_generate_padata_copy - if initial_padata is not None - else None) - kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, expected_srealm=expected_srealm, expected_sname=expected_sname, - generate_padata_fn=generate_padata_fn, + generate_padata_fn=None, check_error_fn=self.generic_check_kdc_error, check_rep_fn=None, expected_error_mode=expected_error_mode, client_as_etypes=client_as_etypes, expected_salt=expected_salt, - kdc_options=str(initial_kdc_options)) + kdc_options=str(initial_kdc_options), + pac_request=pac) self._generic_kdc_exchange(kdc_exchange_dict, cname=cname, @@ -114,13 +106,8 @@ class AsReqKerberosTests(KDCBaseTest): def _test_as_req_no_preauth_with_args(self, etype_idx, pac): name, etypes = self.etype_test_permutation_by_idx(etype_idx) - if pac is None: - padata = None - else: - pa_pac = self.KERB_PA_PAC_REQUEST_create(pac) - padata = [pa_pac] self._test_as_req_nopreauth( - initial_padata=padata, + pac=pac, initial_etypes=etypes, initial_kdc_options=krb5_asn1.KDCOptions('forwardable')) @@ -142,12 +129,10 @@ class AsReqKerberosTests(KDCBaseTest): expected_cname = cname expected_srealm = realm expected_sname = sname - expected_salt = client_creds.get_forced_salt() + expected_salt = client_creds.get_salt() till = self.get_KerberosTime(offset=36000) - pa_pac = self.KERB_PA_PAC_REQUEST_create(True) - initial_padata = [pa_pac] initial_etypes = client_as_etypes initial_kdc_options = krb5_asn1.KDCOptions('forwardable') initial_error_mode = KDC_ERR_PREAUTH_REQUIRED 
@@ -164,8 +149,9 @@ class AsReqKerberosTests(KDCBaseTest): expected_sname, expected_salt, initial_etypes, - initial_padata, - initial_kdc_options) + None, + initial_kdc_options, + pac_request=True) etype_info2 = kdc_exchange_dict['preauth_etype_info2'] self.assertIsNotNone(etype_info2) @@ -183,7 +169,7 @@ class AsReqKerberosTests(KDCBaseTest): pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) - preauth_padata = [pa_ts, pa_pac] + preauth_padata = [pa_ts] preauth_etypes = client_as_etypes preauth_kdc_options = krb5_asn1.KDCOptions('forwardable') preauth_error_mode = 0 # AS-REP @@ -207,7 +193,8 @@ class AsReqKerberosTests(KDCBaseTest): preauth_padata, preauth_kdc_options, preauth_key=preauth_key, - ticket_decryption_key=krbtgt_decryption_key) + ticket_decryption_key=krbtgt_decryption_key, + pac_request=True) self.assertIsNotNone(as_rep) if __name__ == "__main__": diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 392d19f59b3..6f3738257b5 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -49,10 +49,8 @@ from samba.tests.krb5.rfc4120_constants import ( KU_TICKET, NT_PRINCIPAL, NT_SRV_INST, - NT_WELLKNOWN, PADATA_FX_COOKIE, PADATA_FX_FAST, - PADATA_PAC_OPTIONS ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.kcrypto as kcrypto @@ -1028,14 +1026,6 @@ class FAST_Tests(KDCBaseTest): ]) def test_fast_hide_client_names(self): - user_creds = self.get_client_creds() - user_name = user_creds.get_username() - user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, - names=[user_name]) - - expected_cname = self.PrincipalName_create( - name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS']) - self._run_test_sequence([ { 'rep_type': KRB_AS_REP, 
@@ -1044,7 +1034,7 @@ class FAST_Tests(KDCBaseTest): 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt, 'fast_options': '01', # hide client names - 'expected_cname': expected_cname + 'expected_anon': True }, { 'rep_type': KRB_AS_REP, @@ -1054,20 +1044,11 @@ class FAST_Tests(KDCBaseTest): 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, 'gen_armor_tgt_fn': self.get_mach_tgt, 'fast_options': '01', # hide client names - 'expected_cname': expected_cname, - 'expected_cname_private': user_cname + 'expected_anon': True } ]) def test_fast_tgs_hide_client_names(self): - user_creds = self.get_client_creds() - user_name = user_creds.get_username() - user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, - names=[user_name]) - - expected_cname = self.PrincipalName_create( - name_type=NT_WELLKNOWN, names=['WELLKNOWN', 'ANONYMOUS']) - self._run_test_sequence([ { 'rep_type': KRB_TGS_REP, @@ -1076,8 +1057,7 @@ class FAST_Tests(KDCBaseTest): 'gen_tgt_fn': self.get_user_tgt, 'fast_armor': None, 'fast_options': '01', # hide client names - 'expected_cname': expected_cname, - 'expected_cname_private': user_cname + 'expected_anon': True } ]) @@ -1156,8 +1136,6 @@ class FAST_Tests(KDCBaseTest): 'canonicalize,' 'renewable-ok')) - pac_request = self.get_pa_pac_request() - client_creds = self.get_client_creds() target_creds = self.get_service_creds() krbtgt_creds = self.get_krbtgt_creds() @@ -1259,8 +1237,8 @@ class FAST_Tests(KDCBaseTest): srealm = target_realm expected_cname = kdc_dict.pop('expected_cname', client_cname) - expected_cname_private = kdc_dict.pop('expected_cname_private', - None) + expected_anon = kdc_dict.pop('expected_anon', + False) expected_crealm = kdc_dict.pop('expected_crealm', client_realm) expected_sname = kdc_dict.pop('expected_sname', sname) expected_srealm = kdc_dict.pop('expected_srealm', srealm) 
@@ -1313,7 +1291,7 @@ class FAST_Tests(KDCBaseTest): _callback_dict, req_body, padata): - return padata, req_body + return list(padata), req_body def _check_padata_preauth_key(_kdc_exchange_dict, _callback_dict, @@ -1323,15 +1301,9 @@ class FAST_Tests(KDCBaseTest): return preauth_key, as_rep_usage pac_options = kdc_dict.pop('pac_options', '1') # claims support - pac_options = self.get_pa_pac_options(pac_options) kdc_options = kdc_dict.pop('kdc_options', kdc_options_default) - if rep_type == KRB_AS_REP: - padata = [pac_request, pac_options] - else: - padata = [pac_options] - gen_padata_fn = kdc_dict.pop('gen_padata_fn', None) if gen_padata_fn is not None: self.assertEqual(KRB_AS_REP, rep_type) @@ -1341,10 +1313,10 @@ class FAST_Tests(KDCBaseTest): client_creds, preauth_etype_info2[0], client_creds.get_kvno()) - gen_padata = gen_padata_fn(preauth_key, armor_key) - padata.insert(0, gen_padata) + padata = [gen_padata_fn(preauth_key, armor_key)] else: preauth_key = None + padata = [] if rep_type == KRB_AS_REP: check_padata_fn = _check_padata_preauth_key @@ -1380,13 +1352,22 @@ class FAST_Tests(KDCBaseTest): inner_req = kdc_dict.pop('inner_req', None) outer_req = kdc_dict.pop('outer_req', None) + expected_flags = kdc_dict.pop('expected_flags', None) + if expected_flags is not None: + expected_flags = krb5_asn1.KDCOptions(expected_flags) + unexpected_flags = kdc_dict.pop('unexpected_flags', None) + if unexpected_flags is not None: + unexpected_flags = krb5_asn1.KDCOptions(unexpected_flags) + if rep_type == KRB_AS_REP: kdc_exchange_dict = self.as_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, - expected_cname_private=expected_cname_private, + expected_anon=expected_anon, expected_srealm=expected_srealm, expected_sname=expected_sname, + expected_flags=expected_flags, + unexpected_flags=unexpected_flags, ticket_decryption_key=krbtgt_decryption_key, generate_fast_fn=generate_fast_fn, generate_fast_armor_fn=generate_fast_armor_fn, 
@@ -1408,14 +1389,18 @@ class FAST_Tests(KDCBaseTest): armor_subkey=armor_subkey, kdc_options=kdc_options, inner_req=inner_req, - outer_req=outer_req) + outer_req=outer_req, + pac_request=True, + pac_options=pac_options) else: # KRB_TGS_REP kdc_exchange_dict = self.tgs_exchange_dict( expected_crealm=expected_crealm, expected_cname=expected_cname, - expected_cname_private=expected_cname_private, + expected_anon=expected_anon, expected_srealm=expected_srealm, expected_sname=expected_sname, + expected_flags=expected_flags, + unexpected_flags=unexpected_flags, ticket_decryption_key=target_decryption_key, generate_fast_fn=generate_fast_fn, generate_fast_armor_fn=generate_fast_armor_fn, @@ -1437,7 +1422,9 @@ class FAST_Tests(KDCBaseTest): body_checksum_type=None, kdc_options=kdc_options, inner_req=inner_req, - outer_req=outer_req) + outer_req=outer_req, + pac_request=None, + pac_options=pac_options) repeat = kdc_dict.pop('repeat', 1) for _ in range(repeat): @@ -1528,25 +1515,12 @@ class FAST_Tests(KDCBaseTest): return self.PA_DATA_create(PADATA_FX_COOKIE, cookie) - def get_pa_pac_request(self, request_pac=True): - pac_request = self.KERB_PA_PAC_REQUEST_create(request_pac) - - return pac_request - - def get_pa_pac_options(self, options): - pac_options = self.PA_PAC_OPTIONS_create(options) - pac_options = self.der_encode(pac_options, - asn1Spec=krb5_asn1.PA_PAC_OPTIONS()) - pac_options = self.PA_DATA_create(PADATA_PAC_OPTIONS, pac_options) - - return pac_options - def check_kdc_fast_support(self): # Check that the KDC supports FAST samdb = self.get_samdb() - krbtgt_rid = 502 + krbtgt_rid = security.DOMAIN_RID_KRBTGT krbtgt_sid = '%s-%d' % (samdb.get_domain_sid(), krbtgt_rid) res = samdb.search(base='<SID=%s>' % krbtgt_sid, diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index ce7b00bda4c..4a4a12a66d4 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py 
@@ -478,6 +478,7 @@ class _ChecksumProfile(object): # define: # * checksum # * verify (if verification is not just checksum-and-compare) + # * checksum_len @classmethod def verify(cls, key, keyusage, text, cksum): expected = cls.checksum(key, keyusage, text) @@ -504,6 +505,10 @@ class _SimplifiedChecksum(_ChecksumProfile): raise ValueError('Wrong key type for checksum') super(_SimplifiedChecksum, cls).verify(key, keyusage, text, cksum) + @classmethod + def checksum_len(cls): + return cls.macsize + class _SHA1AES128(_SimplifiedChecksum): macsize = 12 @@ -533,6 +538,10 @@ class _HMACMD5(_ChecksumProfile): raise ValueError('Wrong key type for checksum') super(_HMACMD5, cls).verify(key, keyusage, text, cksum) + @classmethod + def checksum_len(cls): + return hashes.MD5.digest_size + class _MD5(_ChecksumProfile): @classmethod @@ -540,6 +549,10 @@ class _MD5(_ChecksumProfile): # This is unkeyed! return SIMPLE_HASH(text, hashes.MD5) + @classmethod + def checksum_len(cls): + return hashes.MD5.digest_size + class _SHA1(_ChecksumProfile): @classmethod @@ -547,6 +560,10 @@ class _SHA1(_ChecksumProfile): # This is unkeyed! return SIMPLE_HASH(text, hashes.SHA1) + @classmethod + def checksum_len(cls): + return hashes.SHA1.digest_size + class _CRC32(_ChecksumProfile): @classmethod @@ -555,6 +572,10 @@ class _CRC32(_ChecksumProfile): cksum = (~crc32(text, 0xffffffff)) & 0xffffffff return pack('<I', cksum) + @classmethod + def checksum_len(cls): + return 4 + _enctype_table = { Enctype.DES3: _DES3CBC, @@ -643,6 +664,11 @@ def verify_checksum(cksumtype, key, keyusage, text, cksum): c.verify(key, keyusage, text, cksum) +def checksum_len(cksumtype): + c = _get_checksum_profile(cksumtype) + return c.checksum_len() + + def prfplus(key, pepper, ln): # Produce ln bytes of output using the RFC 6113 PRF+ function. out = b'' diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index f5c1eba9151..49a3227c26e 100644 
--- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -34,6 +34,8 @@ from samba.drs_utils import drsuapi_connect from samba.dsdb import ( DS_DOMAIN_FUNCTION_2000, DS_DOMAIN_FUNCTION_2008, + DS_GUID_COMPUTERS_CONTAINER, + DS_GUID_USERS_CONTAINER, UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT ) @@ -116,7 +118,7 @@ class KDCBaseTest(RawKerberosTest): lp = self.get_lp() session = system_session() - type(self)._ldb = SamDB(url="ldap://%s" % self.host, + type(self)._ldb = SamDB(url="ldap://%s" % self.dc_host, session_info=session, credentials=creds, lp=lp) @@ -151,12 +153,19 @@ class KDCBaseTest(RawKerberosTest): return default_enctypes def create_account(self, ldb, name, machine_account=False, - spn=None, upn=None, additional_details=None): + spn=None, upn=None, additional_details=None, + ou=None, account_control=0): '''Create an account for testing. The dn of the created account is added to self.accounts, which is used by tearDownClass to clean up the created accounts. ''' - dn = "cn=%s,%s" % (name, ldb.domain_dn()) + if ou is None: + guid = (DS_GUID_COMPUTERS_CONTAINER if machine_account + else DS_GUID_USERS_CONTAINER) + + ou = ldb.get_wellknown_dn(ldb.get_default_basedn(), guid) + + dn = "CN=%s,%s" % (name, ou) # remove the account if it exists, this will happen if a previous test # run failed @@ -164,11 +173,11 @@ class KDCBaseTest(RawKerberosTest): if machine_account: object_class = "computer" account_name = "%s$" % name - account_control = str(UF_WORKSTATION_TRUST_ACCOUNT) + account_control |= UF_WORKSTATION_TRUST_ACCOUNT else: object_class = "user" account_name = name - account_control = str(UF_NORMAL_ACCOUNT) + account_control |= UF_NORMAL_ACCOUNT password = generate_random_password(32, 32) utf16pw = ('"%s"' % password).encode('utf-16-le') @@ -177,7 +186,7 @@ class KDCBaseTest(RawKerberosTest): "dn": dn, -- Samba Shared Repository
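Review bot: In the krb5pac.idl hunk, PAC_TYPE_TICKET_CHECKSUM = 16 leaves an unexplained gap after PAC_TYPE_UPN_DNS_INFO = 12; a one-line comment naming the specification table this value is taken from (the commit subject only says "ticket checksum PAC buffer type") would stop a later contributor from filling 13 to 15 without checking, and the new union arm `[case(PAC_TYPE_TICKET_CHECKSUM)] PAC_SIGNATURE_DATA ticket_checksum;` deserves a similar note since it reuses the checksum structure shared with the existing KDC checksum buffer.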
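Review bot: In the security.idl hunk, the new constants SID_COMPOUNDED_AUTHENTICATION = "S-1-5-21-0-0-0-496" and SID_CLAIMS_VALID = "S-1-5-21-0-0-0-497" carry no comment, while the neighbouring entries are introduced by a reference URL; add a comment saying where these SIDs are specified and how they relate to FAST, because the commit subject calls them "well-known SIDs for FAST" but the names describe compound authentication and claims.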
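Review bot: In the as_req_tests.py hunks, `generate_padata_fn=None` is now passed explicitly to as_exchange_dict in _test_as_req_nopreauth, and a bare positional `None,` replaces `initial_padata` in the preauth test; both read as leftovers of the removed padata plumbing. Drop the explicit None if the parameter already defaults to it, and pass the positional None by keyword so the argument's meaning survives the next signature change. The move from client_creds.get_forced_salt() to client_creds.get_salt() matches the "Calculate expected salt if not given explicitly" commit, but nothing in the hunk says what get_salt() returns when no salt was forced; a short comment at the call site would help.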
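Review bot: In the fast_tests.py hunks, `krbtgt_rid = security.DOMAIN_RID_KRBTGT` in check_kdc_fast_support relies on a `security` name being in scope, but none of the visible hunks add that import (the only import hunk removes NT_WELLKNOWN and PADATA_PAC_OPTIONS); please confirm it is imported, otherwise the method raises NameError at runtime. The change to `return list(padata), req_body` is right, since it stops the callback from handing the caller a shared mutable list, but a comment saying the copy is deliberate would keep someone from "simplifying" it back.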
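Review bot: In the kcrypto.py hunks, the _ChecksumProfile comment now lists checksum_len among the methods a profile must define, but the base class does not declare it, so a profile that forgets it fails only when checksum_len(cksumtype) is called, with an AttributeError rather than a clear message. Add a classmethod on _ChecksumProfile that raises NotImplementedError, and consider a test that calls checksum_len for every registered checksum type. The _CRC32 version returns a literal 4 where the others return digest_size or macsize; tying it to the pack('<I', cksum) just above, for example `return struct.calcsize('<I')` or a comment, would keep it from looking like the kind of magic number this series removes elsewhere.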
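Review bot: In the kdc_base_test.py hunks, create_account now keeps account_control as an integer (`account_control |= UF_WORKSTATION_TRUST_ACCOUNT`) where the old code built `str(UF_WORKSTATION_TRUST_ACCOUNT)`; the hunk is cut off at `"dn": dn,` before the attribute dict is filled in, so please confirm the userAccountControl value is converted to str there, otherwise the ldb add receives an int. The default container lookup via ldb.get_wellknown_dn(ldb.get_default_basedn(), guid) is a good replacement for placing every test account directly under domain_dn(), and the SamDB url change from self.host to self.dc_host fits the "DC or RODC" commit, since account creation has to go to the writable DC even when the Kerberos exchange targets the RODC.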
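The kvno encoding point made in the "Use signed integers to represent key version numbers in ASN.1" commit message, as an added example that is not Samba code: it builds the DER INTEGER content octets of an RODC-style kvno under the unsigned and the signed 32-bit interpretation and shows where the four-versus-five-byte difference comes from. It assumes the MS-KILE layout with the RODC's msDS-SecondaryKrbTgtNumber in the upper 16 bits and the key version in the lower 16 bits; the function names are mine and the decoder accepts both forms.

```python
# Added example (not Samba code): how the DER INTEGER encoding of a kvno
# changes when the 32-bit pattern is interpreted as a signed int32 instead
# of an unsigned number.
# Assumption: MS-KILE layout, RODC number in the upper 16 bits of the kvno
# and the key version in the lower 16 bits.


def rodc_kvno(rodc_number: int, key_version: int) -> int:
    """Pack an RODC number and a key version into one 32-bit kvno pattern."""
    if not 0 <= rodc_number <= 0xFFFF or not 0 <= key_version <= 0xFFFF:
        raise ValueError("RODC number and key version must fit in 16 bits")
    return (rodc_number << 16) | key_version


def der_integer_content(value: int) -> bytes:
    """Content octets of a DER INTEGER: minimal big-endian two's complement."""
    if value >= 0:
        length = value.bit_length() // 8 + 1   # room for a clear sign bit
    else:
        length = (~value).bit_length() // 8 + 1
    return value.to_bytes(length, "big", signed=True)


def encode_kvno(kvno: int, signed: bool) -> bytes:
    """Encode a 32-bit kvno pattern as DER INTEGER content octets.

    signed=True reinterprets the pattern as an int32, which is what the
    commit message says MS-KILE 3.1.5.8 calls for; signed=False treats it
    as a non-negative number, which forces a leading 0x00 once bit 31 is
    set (RODC number above 32767) and so costs a fifth content octet.
    """
    kvno &= 0xFFFFFFFF
    if signed and kvno & 0x80000000:
        kvno -= 1 << 32
    return der_integer_content(kvno)


def decode_kvno(content: bytes) -> tuple:
    """Recover (rodc_number, key_version) from DER INTEGER content octets.

    Decoding as signed and masking back to 32 bits accepts both the 4-byte
    int32 form and the 5-byte unsigned form, so a receiver written this
    way interoperates with either encoder.
    """
    value = int.from_bytes(content, "big", signed=True) & 0xFFFFFFFF
    return value >> 16, value & 0xFFFF


def content_length_delta(rodc_number: int, key_version: int) -> int:
    """Extra content octets the unsigned interpretation costs over signed."""
    kvno = rodc_kvno(rodc_number, key_version)
    return (len(encode_kvno(kvno, signed=False))
            - len(encode_kvno(kvno, signed=True)))


if __name__ == "__main__":
    # Constructed sample: RODC numbers on either side of the 32767 boundary.
    for rodc in (32767, 32768):
        kvno = rodc_kvno(rodc, 2)
        print(rodc, "unsigned:", encode_kvno(kvno, signed=False).hex(),
              "signed:", encode_kvno(kvno, signed=True).hex())
```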