The branch, master has been updated
       via  5b331443d06 tests/krb5: Add classes for testing invalid checksums
       via  c0b81f0dd54 tests/krb5: Add method to determine if principal is 
krbtgt
       via  ea7b550a500 tests/krb5: Verify checksums of tickets obtained from 
the KDC
       via  1458cd9065d tests/krb5: Add get_rodc_krbtgt_creds() to 
RawKerberosTest
       via  394e8db261b tests/krb5: Simplify account creation
       via  f2f1f3a1e92 tests/krb5: Provide ticket enc-part key to tgs_req()
       via  f9284d8517e tests/krb5: Fix checking for presence of authorization 
data
       via  9d01043042f tests/krb5: Add method to get DC credentials
       via  38b4b334caf tests/krb5: Allow tgs_req() to check the returned 
ticket enc-part
       via  054ec1a8cc4 tests/krb5: Set key version number for all accounts 
created with create_account()
       via  14cd933a9d6 tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
       via  b6eaf2cf44f tests/krb5: Get supported enctypes for credentials from 
database
       via  432eba9e098 tests/krb5: Add methods to convert between enctypes and 
bitfields
       via  7cedd383bcc tests/krb5: Make get_default_enctypes() return a set of 
enctype constants
       via  4c67a53cdca tests/krb5: Simplify adding authdata to ticket by using 
modified_ticket()
       via  1fcde7cb6ce tests/krb5: Add method for modifying a ticket and 
creating PAC checksums
       via  12b5e72a35d tests/krb5: Add method to verify ticket PAC checksums
      from  702ebb3d8c8 registry: skip root check when running with uid-wrapper 
enabled

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 5b331443d0698256ee7fcc040a1ab8137efe925d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 15:10:35 2021 +1200

    tests/krb5: Add classes for testing invalid checksums
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    
    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184

commit c0b81f0dd54d0d71b5d0f5a870b505e82d0e85b8
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 15:06:18 2021 +1200

    tests/krb5: Add method to determine if principal is krbtgt
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ea7b550a500d9e458498d37688b67dafd3d9509d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 14:10:07 2021 +1200

    tests/krb5: Verify checksums of tickets obtained from the KDC
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1458cd9065de34c42bd5ec63feb2f66c25103982
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 13:54:47 2021 +1200

    tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 394e8db261b10d130c5e5730989bf68f9bf4f85f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 14:05:58 2021 +1200

    tests/krb5: Simplify account creation
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f2f1f3a1e9269f0e7b93006bba2368a6ffbecc7c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Sep 22 11:41:45 2021 +1200

    tests/krb5: Provide ticket enc-part key to tgs_req()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f9284d8517edd9ffd96f0c24166a16366f97de8f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 14:08:16 2021 +1200

    tests/krb5: Fix checking for presence of authorization data
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9d01043042f1caac98a23cf4d9aa9a02a31a9239
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 13:58:09 2021 +1200

    tests/krb5: Add method to get DC credentials
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 38b4b334caf1b32f1479db3ada48b2028946f5e6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 13:59:24 2021 +1200

    tests/krb5: Allow tgs_req() to check the returned ticket enc-part
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 054ec1a8cc4ae42918c7c06ef9c66c8a81242655
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Sep 20 13:54:39 2021 +1200

    tests/krb5: Set key version number for all accounts created with 
create_account()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 14cd933a9d6af08deb680c9f688b166138d45ed9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 17:11:28 2021 +1200

    tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b6eaf2cf44fb66d8f302d4cab050827a67de3ea4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 17:10:49 2021 +1200

    tests/krb5: Get supported enctypes for credentials from database
    
    Look up the account's msDS-SupportedEncryptionTypes attribute to get the
    encryption types that it supports. Move the fallback to RC4 to when the
    ticket decryption key is obtained.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 432eba9e09849e74f4c0f2d7826d45cbd2b7ce42
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 21:01:46 2021 +1200

    tests/krb5: Add methods to convert between enctypes and bitfields
    
    These methods are useful for converting a collection of encryption types
    into msDS-SupportedEncryptionTypes bit flags, and vice versa.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7cedd383bcc1b5652ea65817b464d6e0485c7b8b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 17:01:12 2021 +1200

    tests/krb5: Make get_default_enctypes() return a set of enctype constants
    
    This is often more convenient than a bitfield.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 4c67a53cdca206a118e82b356db0faf0ddc011ab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Sep 21 13:33:16 2021 +1200

    tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1fcde7cb6ce50e0a08097841e92476f320560664
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Sep 17 15:26:12 2021 +1200

    tests/krb5: Add method for modifying a ticket and creating PAC checksums
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 12b5e72a35d632516980f6c051a5d83f913079e7
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Sep 17 14:56:51 2021 +1200

    tests/krb5: Add method to verify ticket PAC checksums
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
    
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/as_req_tests.py            |   4 +-
 python/samba/tests/krb5/fast_tests.py              |  53 +--
 python/samba/tests/krb5/kdc_base_test.py           | 141 ++++--
 python/samba/tests/krb5/kdc_tgs_tests.py           |   6 +-
 .../krb5/ms_kile_client_principal_lookup_tests.py  |  46 +-
 python/samba/tests/krb5/raw_testcase.py            | 508 ++++++++++++++++++++-
 6 files changed, 633 insertions(+), 125 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/as_req_tests.py 
b/python/samba/tests/krb5/as_req_tests.py
index 35f88a0c920..8d9b90fee69 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -60,7 +60,7 @@ class AsReqKerberosTests(KDCBaseTest):
                                initial_kdc_options=None):
         client_creds = self.get_client_creds()
         client_account = client_creds.get_username()
-        client_as_etypes = client_creds.get_as_krb5_etypes()
+        client_as_etypes = self.get_default_enctypes()
         krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
         krbtgt_account = krbtgt_creds.get_username()
         realm = krbtgt_creds.get_realm()
@@ -114,7 +114,7 @@ class AsReqKerberosTests(KDCBaseTest):
     def test_as_req_enc_timestamp(self):
         client_creds = self.get_client_creds()
         client_account = client_creds.get_username()
-        client_as_etypes = client_creds.get_as_krb5_etypes()
+        client_as_etypes = self.get_default_enctypes()
         client_kvno = client_creds.get_kvno()
         krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
         krbtgt_account = krbtgt_creds.get_username()
diff --git a/python/samba/tests/krb5/fast_tests.py 
b/python/samba/tests/krb5/fast_tests.py
index 44853365d1e..5f396542d18 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -25,10 +25,7 @@ import collections
 import ldb
 
 from samba.dcerpc import security
-from samba.tests.krb5.raw_testcase import (
-    KerberosTicketCreds,
-    Krb5EncryptionKey
-)
+from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 from samba.tests.krb5.rfc4120_constants import (
     AD_FX_FAST_ARMOR,
@@ -45,7 +42,6 @@ from samba.tests.krb5.rfc4120_constants import (
     KDC_ERR_UNKNOWN_CRITICAL_FAST_OPTIONS,
     KRB_AS_REP,
     KRB_TGS_REP,
-    KU_TICKET,
     NT_PRINCIPAL,
     NT_SRV_INST,
     PADATA_FX_COOKIE,
@@ -1173,6 +1169,7 @@ class FAST_Tests(KDCBaseTest):
             name_type=NT_SRV_INST, names=[krbtgt_username, krbtgt_realm])
         krbtgt_decryption_key = self.TicketDecryptionKey_from_creds(
             krbtgt_creds)
+        krbtgt_etypes = krbtgt_creds.tgs_supported_enctypes
 
         target_username = target_creds.get_username()[:-1]
         target_realm = target_creds.get_realm()
@@ -1181,6 +1178,7 @@ class FAST_Tests(KDCBaseTest):
             name_type=NT_SRV_INST, names=[target_service, target_username])
         target_decryption_key = self.TicketDecryptionKey_from_creds(
             target_creds)
+        target_etypes = target_creds.tgs_supported_enctypes
 
         fast_cookie = None
         preauth_etype_info2 = None
@@ -1369,6 +1367,7 @@ class FAST_Tests(KDCBaseTest):
                     expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
+                    expected_supported_etypes=krbtgt_etypes,
                     expected_flags=expected_flags,
                     unexpected_flags=unexpected_flags,
                     ticket_decryption_key=krbtgt_decryption_key,
@@ -1402,6 +1401,7 @@ class FAST_Tests(KDCBaseTest):
                     expected_anon=expected_anon,
                     expected_srealm=expected_srealm,
                     expected_sname=expected_sname,
+                    expected_supported_etypes=target_etypes,
                     expected_flags=expected_flags,
                     unexpected_flags=unexpected_flags,
                     ticket_decryption_key=target_decryption_key,
@@ -1471,44 +1471,19 @@ class FAST_Tests(KDCBaseTest):
     def gen_tgt_fast_armor_auth_data(self):
         user_tgt = self.get_user_tgt()
 
-        ticket_decryption_key = user_tgt.decryption_key
+        auth_data = self.generate_fast_armor_auth_data()
+
+        def modify_fn(enc_part):
+            enc_part['authorization-data'].append(auth_data)
 
-        tgt_encpart = self.getElementValue(user_tgt.ticket, 'enc-part')
-        self.assertElementEqual(tgt_encpart, 'etype',
-                                ticket_decryption_key.etype)
-        self.assertElementKVNO(tgt_encpart, 'kvno',
-                               ticket_decryption_key.kvno)
-        tgt_cipher = self.getElementValue(tgt_encpart, 'cipher')
-        tgt_decpart = ticket_decryption_key.decrypt(KU_TICKET, tgt_cipher)
-        tgt_private = self.der_decode(tgt_decpart,
-                                      asn1Spec=krb5_asn1.EncTicketPart())
+            return enc_part
 
-        auth_data = self.generate_fast_armor_auth_data()
-        tgt_private['authorization-data'].append(auth_data)
-
-        # Re-encrypt the user TGT.
-        tgt_private_new = self.der_encode(
-            tgt_private,
-            asn1Spec=krb5_asn1.EncTicketPart())
-        tgt_encpart = self.EncryptedData_create(ticket_decryption_key,
-                                                KU_TICKET,
-                                                tgt_private_new)
-        user_ticket = user_tgt.ticket.copy()
-        user_ticket['enc-part'] = tgt_encpart
-
-        user_tgt = KerberosTicketCreds(
-            user_ticket,
-            session_key=user_tgt.session_key,
-            crealm=user_tgt.crealm,
-            cname=user_tgt.cname,
-            srealm=user_tgt.srealm,
-            sname=user_tgt.sname,
-            decryption_key=user_tgt.decryption_key,
-            ticket_private=tgt_private,
-            encpart_private=user_tgt.encpart_private)
+        checksum_keys = self.get_krbtgt_checksum_key()
 
         # Use our modifed TGT to replace the one in the request.
-        return user_tgt
+        return self.modified_ticket(user_tgt,
+                                    modify_fn=modify_fn,
+                                    checksum_keys=checksum_keys)
 
     def create_fast_cookie(self, cookie):
         self.assertIsNotNone(cookie)
diff --git a/python/samba/tests/krb5/kdc_base_test.py 
b/python/samba/tests/krb5/kdc_base_test.py
index 59175c7bb2f..b71ae66bf54 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -222,11 +222,11 @@ class KDCBaseTest(RawKerberosTest):
         functional_level = self.get_domain_functional_level(samdb)
 
         # RC4 should always be supported
-        default_enctypes = security.KERB_ENCTYPE_RC4_HMAC_MD5
+        default_enctypes = {kcrypto.Enctype.RC4}
         if functional_level >= DS_DOMAIN_FUNCTION_2008:
             # AES is only supported at functional level 2008 or higher
-            default_enctypes |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-            default_enctypes |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+            default_enctypes.add(kcrypto.Enctype.AES256)
+            default_enctypes.add(kcrypto.Enctype.AES128)
 
         return default_enctypes
 
@@ -289,6 +289,14 @@ class KDCBaseTest(RawKerberosTest):
         # Save the account name so it can be deleted in tearDownClass
         self.accounts.add(dn)
 
+        self.creds_set_enctypes(creds)
+
+        res = samdb.search(base=dn,
+                           scope=ldb.SCOPE_BASE,
+                           attrs=['msDS-KeyVersionNumber'])
+        kvno = int(res[0]['msDS-KeyVersionNumber'][0])
+        creds.set_kvno(kvno)
+
         return (creds, dn)
 
     def create_rodc(self, ctx):
@@ -513,12 +521,7 @@ class KDCBaseTest(RawKerberosTest):
 
         default_enctypes = self.get_default_enctypes()
 
-        if default_enctypes & security.KERB_ENCTYPE_RC4_HMAC_MD5:
-            self.assertIn(kcrypto.Enctype.RC4, keys)
-        if default_enctypes & security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96:
-            self.assertIn(kcrypto.Enctype.AES256, keys)
-        if default_enctypes & security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96:
-            self.assertIn(kcrypto.Enctype.AES128, keys)
+        self.assertCountEqual(default_enctypes, keys)
 
         return keys
 
@@ -527,13 +530,28 @@ class KDCBaseTest(RawKerberosTest):
             for enctype, key in keys.items():
                 creds.set_forced_key(enctype, key)
 
-        supported_enctypes = 0
-        if kcrypto.Enctype.AES256 in keys:
-            supported_enctypes |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-        if kcrypto.Enctype.AES128 in keys:
-            supported_enctypes |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-        if kcrypto.Enctype.RC4 in keys:
-            supported_enctypes |= security.KERB_ENCTYPE_RC4_HMAC_MD5
+    def creds_set_enctypes(self, creds):
+        samdb = self.get_samdb()
+
+        res = samdb.search(creds.get_dn(),
+                           scope=ldb.SCOPE_BASE,
+                           attrs=['msDS-SupportedEncryptionTypes'])
+        supported_enctypes = res[0].get('msDS-SupportedEncryptionTypes', idx=0)
+
+        if supported_enctypes is None:
+            supported_enctypes = 0
+
+        creds.set_as_supported_enctypes(supported_enctypes)
+        creds.set_tgs_supported_enctypes(supported_enctypes)
+        creds.set_ap_supported_enctypes(supported_enctypes)
+
+    def creds_set_default_enctypes(self, creds, fast_support=False):
+        default_enctypes = self.get_default_enctypes()
+        supported_enctypes = KerberosCredentials.etypes_to_bits(
+            default_enctypes)
+
+        if fast_support:
+            supported_enctypes |= KerberosCredentials.fast_supported_bits
 
         creds.set_as_supported_enctypes(supported_enctypes)
         creds.set_tgs_supported_enctypes(supported_enctypes)
@@ -638,10 +656,8 @@ class KDCBaseTest(RawKerberosTest):
 
         enctypes = supported_enctypes
         if fast_support:
-            fast_bits = (security.KERB_ENCTYPE_FAST_SUPPORTED |
-                         security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED |
-                         security.KERB_ENCTYPE_CLAIMS_SUPPORTED)
-            enctypes = (enctypes or 0) | fast_bits
+            enctypes = enctypes or 0
+            enctypes |= KerberosCredentials.fast_supported_bits
 
         if enctypes is not None:
             details['msDS-SupportedEncryptionTypes'] = str(enctypes)
@@ -660,23 +676,9 @@ class KDCBaseTest(RawKerberosTest):
                                         additional_details=details,
                                         account_control=user_account_control)
 
-        res = samdb.search(base=dn,
-                           scope=ldb.SCOPE_BASE,
-                           attrs=['msDS-KeyVersionNumber'])
-        kvno = int(res[0]['msDS-KeyVersionNumber'][0])
-        creds.set_kvno(kvno)
-
         keys = self.get_keys(samdb, dn)
         self.creds_set_keys(creds, keys)
 
-        if machine_account:
-            if supported_enctypes is not None:
-                tgs_enctypes = supported_enctypes
-            else:
-                tgs_enctypes = security.KERB_ENCTYPE_RC4_HMAC_MD5
-
-            creds.set_tgs_supported_enctypes(tgs_enctypes)
-
         # Handle secret replication to the RODC.
 
         if allowed_replication or revealed_to_rodc:
@@ -821,6 +823,11 @@ class KDCBaseTest(RawKerberosTest):
             keys = self.get_keys(samdb, krbtgt_dn)
             self.creds_set_keys(creds, keys)
 
+            # The RODC krbtgt account should support the default enctypes,
+            # although it might not have the msDS-SupportedEncryptionTypes
+            # attribute.
+            self.creds_set_default_enctypes(creds)
+
             return creds
 
         c = self._get_krb5_creds(prefix='RODC_KRBTGT',
@@ -865,6 +872,8 @@ class KDCBaseTest(RawKerberosTest):
             keys = self.get_keys(samdb, dn)
             self.creds_set_keys(creds, keys)
 
+            self.creds_set_enctypes(creds)
+
             return creds
 
         c = self._get_krb5_creds(prefix='MOCK_RODC_KRBTGT',
@@ -905,6 +914,12 @@ class KDCBaseTest(RawKerberosTest):
             keys = self.get_keys(samdb, dn)
             self.creds_set_keys(creds, keys)
 
+            # The krbtgt account should support the default enctypes, although
+            # it might not (on Samba) have the msDS-SupportedEncryptionTypes
+            # attribute.
+            self.creds_set_default_enctypes(creds,
+                                            fast_support=self.kdc_fast_support)
+
             return creds
 
         c = self._get_krb5_creds(prefix='KRBTGT',
@@ -915,6 +930,48 @@ class KDCBaseTest(RawKerberosTest):
                                  fallback_creds_fn=download_krbtgt_creds)
         return c
 
+    def get_dc_creds(self,
+                     require_keys=True,
+                     require_strongest_key=False):
+        if require_strongest_key:
+            self.assertTrue(require_keys)
+
+        def download_dc_creds():
+            samdb = self.get_samdb()
+
+            dc_rid = 1000
+            dc_sid = '%s-%d' % (samdb.get_domain_sid(), dc_rid)
+
+            res = samdb.search(base='<SID=%s>' % dc_sid,
+                               scope=ldb.SCOPE_BASE,
+                               attrs=['sAMAccountName',
+                                      'msDS-KeyVersionNumber'])
+            dn = res[0].dn
+            username = str(res[0]['sAMAccountName'])
+
+            creds = KerberosCredentials()
+            creds.set_domain(self.env_get_var('DOMAIN', 'DC'))
+            creds.set_realm(self.env_get_var('REALM', 'DC'))
+            creds.set_username(username)
+
+            kvno = int(res[0]['msDS-KeyVersionNumber'][0])
+            creds.set_kvno(kvno)
+            creds.set_dn(dn)
+
+            keys = self.get_keys(samdb, dn)
+            self.creds_set_keys(creds, keys)
+
+            self.creds_set_enctypes(creds)
+
+            return creds
+
+        c = self._get_krb5_creds(prefix='DC',
+                                 allow_missing_password=True,
+                                 allow_missing_keys=not require_keys,
+                                 require_strongest_key=require_strongest_key,
+                                 fallback_creds_fn=download_dc_creds)
+        return c
+
     def as_req(self, cname, sname, realm, etypes, padata=None, kdc_options=0):
         '''Send a Kerberos AS_REQ, returns the undecoded response
         '''
@@ -1069,7 +1126,7 @@ class KDCBaseTest(RawKerberosTest):
 
     def tgs_req(self, cname, sname, realm, ticket, key, etypes,
                 expected_error_mode=0, padata=None, kdc_options=0,
-                to_rodc=False):
+                to_rodc=False, service_creds=None, expect_pac=True):
         '''Send a TGS-REQ, returns the response and the decrypted and
            decoded enc-part
         '''
@@ -1083,6 +1140,12 @@ class KDCBaseTest(RawKerberosTest):
                                   crealm=realm,
                                   cname=cname)
 
+        if service_creds is not None:
+            decryption_key = self.TicketDecryptionKey_from_creds(
+                service_creds)
+        else:
+            decryption_key = None
+
         if not expected_error_mode:
             check_error_fn = None
             check_rep_fn = self.generic_check_kdc_rep
@@ -1105,10 +1168,12 @@ class KDCBaseTest(RawKerberosTest):
             check_error_fn=check_error_fn,
             check_rep_fn=check_rep_fn,
             check_kdc_private_fn=self.generic_check_kdc_private,
+            ticket_decryption_key=decryption_key,
             generate_padata_fn=generate_padata if padata is not None else None,
             tgt=tgt,
             authenticator_subkey=subkey,
             kdc_options=str(kdc_options),
+            expect_pac=expect_pac,
             to_rodc=to_rodc)
 
         rep = self._generic_kdc_exchange(kdc_exchange_dict,
@@ -1150,7 +1215,8 @@ class KDCBaseTest(RawKerberosTest):
                                           names=[service, target_name])
 
         rep, enc_part = self.tgs_req(cname, sname, realm, ticket, key, etype,
-                                     to_rodc=to_rodc)
+                                     to_rodc=to_rodc,
+                                     service_creds=target_creds)
 
         service_ticket = rep['ticket']
 
@@ -1252,6 +1318,8 @@ class KDCBaseTest(RawKerberosTest):
         expected_sname = self.PrincipalName_create(
             name_type=NT_SRV_INST, names=['krbtgt', realm.upper()])
 
+        expected_etypes = krbtgt_creds.tgs_supported_enctypes
+
         rep, kdc_exchange_dict = self._test_as_exchange(
             cname=cname,
             realm=realm,
@@ -1264,6 +1332,7 @@ class KDCBaseTest(RawKerberosTest):
             expected_srealm=expected_realm,
             expected_sname=expected_sname,
             expected_salt=salt,
+            expected_supported_etypes=expected_etypes,
             etypes=etype,
             padata=padata,
             kdc_options=kdc_options,
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py 
b/python/samba/tests/krb5/kdc_tgs_tests.py
index dad9e6b88df..0904233b01f 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -132,7 +132,8 @@ class KdcTgsTests(KDCBaseTest):
             names=["ldap", samdb.host_dns_name()])
 
         (rep, _) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            service_creds=self.get_dc_creds())
 
         self.check_tgs_reply(rep)
 
@@ -175,7 +176,8 @@ class KdcTgsTests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            service_creds=mc)
         self.check_tgs_reply(rep)
 
         # Check the contents of the service ticket
diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py 
b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
index 99c842701ea..501bc4892f4 100755
--- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
+++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py
@@ -126,7 +126,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            service_creds=mc)
         self.check_tgs_reply(rep)
 
         # Check the contents of the pac, and the ticket
@@ -185,7 +186,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, mc.get_realm(), ticket, key, etype)
+            cname, sname, mc.get_realm(), ticket, key, etype,
+            service_creds=mc)
         self.check_tgs_reply(rep)
 
         # Check the contents of the pac, and the ticket
@@ -247,7 +249,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            service_creds=mc)
         self.check_tgs_reply(rep)
 
         # Check the contents of the service ticket
@@ -279,15 +282,11 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
         samdb = self.get_samdb()
         user_name = "mskileusr"
         alt_name = "mskilealtsec"
-        (uc, dn) = self.create_account(samdb, user_name)
+        (uc, dn) = self.create_account(samdb, user_name,
+                                       account_control=UF_DONT_REQUIRE_PREAUTH)
         realm = uc.get_realm().lower()
         alt_sec = "Kerberos:%s@%s" % (alt_name, realm)
         self.add_attribute(samdb, dn, "altSecurityIdentities", alt_sec)
-        self.modify_attribute(
-            samdb,
-            dn,
-            "userAccountControl",
-            str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH))
 
         mach_name = "mskilemac"
         (mc, _) = self.create_account(samdb, mach_name, machine_account=True)
@@ -321,7 +320,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            service_creds=mc, expect_pac=False)
         self.check_tgs_reply(rep)
 
         # Check the contents of the service ticket
@@ -389,7 +389,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,
+            service_creds=mc)
         self.check_tgs_reply(rep)
 
         # Check the contents of the pac, and the ticket
@@ -491,7 +492,8 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest):
             names=[mc.get_username()])
 
         (rep, enc_part) = self.tgs_req(
-            cname, sname, uc.get_realm(), ticket, key, etype)
+            cname, sname, uc.get_realm(), ticket, key, etype,


-- 
Samba Shared Repository

Reply via email to