The branch, v4-13-test has been updated via b7d16fdc653 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname via 7a2a6e0bcb0 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field via 1e27b45f49c tests/krb5: Allow expected_error_mode to be a container type via 57800189c5f tests/krb5: Allow specifying parameters specific to the inner FAST request body via b5e11c10966 tests/krb5: Add tests for omitting sname in request via cabc5b114dc tests/krb5: Check PADATA-PW-SALT element in e-data via 8a8872f7070 tests/krb5: Check e-data element for TGS-REP errors without FAST via bd76f6d47e7 tests/krb5: Remove harmful and a-typical return in as_req testcase via d3a611377bd CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request via a67cda7159f CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ via 95de6d138ad tests/krb5: Make cname checking less strict via 497b461238b tests/krb5: Make e-data checking less strict via 17c7bc10695 selftest: Remove knownfail for no_etypes FAST tests via 27e964233a5 tests/krb5: Add FAST tests via 576e5ca2e9c initial FAST tests via e7e79028093 tests/krb5: Check PADATA-FX-ERROR in reply via 1fd611e9e7f tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors via 83073237a95 tests/krb5: Check PADATA-PAC-OPTIONS in reply via 48199d18cc9 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies via 8fa99e31658 tests/krb5: Make check_rep_padata() also work for checking TGS replies via e1c4d715a61 tests/krb5: Check PADATA-FX-COOKIE in reply via 2391eabfcf2 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply via 40da4ffbf18 tests/krb5: Adjust reply padata checking depending on whether FAST was sent via 0febff53f38 tests/krb5: Check reply FAST padata if request included FAST via ee892faca94 tests/krb5: Check sname is krbtgt for FAST generic error via 2356b4d9b75 tests/krb5: Add get_krbtgt_sname() method via be4977249bc tests/krb5: Remove unused variables via fef9198aafc tests/krb5: 
Don't expect RC4 in ETYPE-INFO2 for a non-error reply via 087cf5f9504 tests/krb5: Add check_rep_padata() method to check padata in reply via efe112dfa56 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata via bef5024da8c tests/krb5: Include authdata in kdc_exchange_dict via 8eaa8e10383 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict via 8a3b41f0483 tests/krb5: Check encrypted-pa-data via 701e5c98399 tests/krb5: Add methods to determine whether elements were included in the request via 64b5183a776 tests/krb5: Add functions to get dicts of request padata via cedfc67ede4 tests/krb5: Check FAST response via 5d39d4b36e8 tests/krb5: Add method to verify ticket checksum for FAST via b551c801193 tests/krb5: Add method to check PA-FX-FAST-REPLY via de8fbf93111 tests/krb5: Allow specifying parameters specific to the outer request body via 3be408a3a83 tests/krb5: Add FAST armor generation to _generic_kdc_exchange() via 52eb693ac31 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ via 25b6681c3cd tests/krb5: Include authenticator_subkey in AS-REQ exchange dict via a57e79c5fce tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error() via 6264ed42420 tests/krb5: Add methods to calculate keys for FAST via b7562c873e8 tests/krb5: Add method to generate FAST encrypted challenge padata via 0e33a06673b tests/krb5: Add more methods to create ASN1 objects for FAST via dbeafd158a4 tests/krb5: Add more ASN1 definitions for FAST via 1ce82cbc9d6 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange() via 04a6c902ede tests/krb5: Ensure generated padata is not None via a9e421c4bfa tests/krb5: Add generate_ap_req() method via d9f406518ca tests/krb5: Check nonce in EncKDCRepPart via d81a88a78f4 tests/krb5: Make checking less strict via ee9b0a028c2 tests/krb5: Check version number of obtained ticket via 1e451d724b0 tests/krb5: Assert that more variables are not None via db6495a2377 tests/krb5: Ensure 
in assertElementPresent() that container elements are not empty via 81408702949 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn via cc1f6fcddbc tests/krb5: Include kdc_options in kdc_exchange_dict via d82d3a20d32 tests/krb5: Always specify expected error code via 235873ff334 tests/krb5: Add check_reply() method to check for AS or TGS reply via dcd9320cd9c tests/krb5: Add method to calculate account salt via afcf48e752c tests/krb5: Add more methods for obtaining machine and service credentials via caca311af0a tests/krb5: Allow specifying additional details when creating an account via 34faed8971c tests/krb5: Use encryption with admin credentials via 5cada922527 tests/krb5: Add get_EpochFromKerberosTime() via 2e42112ef96 tests/krb5: Make _test_as_exchange() return value more consistent via ce7b1d71142 tests/krb5: Add method to return dict containing padata elements via 11001fca4d2 tests/krb5: Add get_enc_timestamp_pa_data_from_key() via ca5b9aff8f9 tests/krb5: Refactor get_pa_data() via 70dd144a05f tests/krb5: Allow cf2 to automatically use the enctype of the first key via 2ae49840a4f tests/krb5: Use credentials kvno when creating password key via e2d952cfa02 tests/krb5: Check Kerberos protocol version number via e79061f0626 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC via 2f12714196c tests/krb5: Fix encpart_decryption_key with MIT KDC via a4e70d45d3b tests/krb5: Fix callback_dict parameter via 254bd5ad6ed tests/krb5: Fix including enc-authorization-data via d4c3e11e247 tests/krb5: Remove magic constants via cd3b4785b9a tests/krb5: Simplify Python syntax via 80757c65b24 tests/krb5: Use more compact dict lookup via c3ffa232c03 tests/krb5: Remove unneeded statements via 70f6cf7afce tests/krb5: formatting via fa26a95dda1 tests/krb5: Fix method name typo via c76cf2bc054 tests/krb5: Fix comment typo via 7b16ffcb46f tests/krb5: Fix ms_kile_client_principal_lookup_test errors via 11cf6255573 pygensec: Don't modify Python 
bytes objects via 52898d56abb pygensec: Fix memory leaks via 3e013f04e19 selftest: add option to pass args to tests to planpythontestsuite() via a5a26564a87 selftest: Add support for setting ENV variables in plantestsuite() via f5e4fc453b1 selftest: Add support for setting ENV variables in plansmbtorture4testsuite() via e6de4d851c0 selftest: Re-format long lines in selftesthelpers.py via 63be60227a8 selftest: add space after --list in output of selftesthelpers.py via e1a4921d5e3 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against via 07610622027 tests/krb5: Use admin creds for SamDB rather than user creds via 09d0e89265c tests/krb5/as_canonicalization_tests.py: Refactor account creation via 5a0af3e510e tests/krb5: Deduplicate 'host' attribute initialisation via c76c9f15a78 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value via 75f534c0ac5 tests/krb5/as_req_tests.py: Check the client kvno via 02f3bd6a821 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test via 9db32a6a456 tests/krb5/as_req_tests.py: Automatically obtain credentials via 56b5ceb0c64 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials via ea9083dfd63 tests/krb5/raw_testcase.py: Simplify conditionals via d88603f8b5c tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function via 23496bb7cf3 tests/krb5/raw_testcase.py: Cache obtained credentials via 7bd0c7f557b tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds via 5b209e40ec2 tests/krb5/raw_testcase.py: Make env_get_var() a standalone method via 44018e6131c tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS via 1c0c89ac3bf tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types via 768f1d71b93 tests/krb5/kdc_base_test.py: Create loadparm only when needed via 113fa4ecfd1 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute via 807773d382b 
tests/krb5/kdc_base_test.py: Create database connection only when needed via 051487c6ab9 tests/krb5/raw_testcase.py: Add get_admin_creds() via fa1a2eb7b9a tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called via d371e8688c3 selftest: run new as_req_tests against fl2008r2dc and fl2003dc via 99acba0be9e tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol via ec49afa5a23 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure via 1b36e3bd7e2 tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds() via e6682e51206 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations via 38c4f77b9e4 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create() via 697edd2e1db tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create() via 1ec0efe26ff tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values via 159384d02fb tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values via bf799b23de2 tests/krb5/raw_testcase.py: add assertElement*() via 5e69e2d7cd1 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future via ce264474d29 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds() via a83ea43c7ba tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing via 9d32cb48194 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} via 019b77dbb85 auth/credentials: allow credentials.Credentials to act as base class via 8737c731040 python: Make credentials cache test run against Windows via 3a586a81f58 python: Fix ticket timestamp conversion when local timezone is not UTC via 9bf0f33ad10 python: Fix erroneous increments of reference counts via 73bba60d737 python: Ensure reference counts are properly incremented via b32c1932054 python: Add SMB credentials cache test via ff4d39737c5 pylibsmb: Add posix_whoami() via d75226b9092 libsmb: Ensure that whoami 
parses all the data provided to it via 1208a4dce1e libsmb: Check to see that whoami is not receiving more data than it requested via e80ad4c0f29 libsmb: Avoid undefined behaviour when parsing whoami state via 1a3cc9a4e2d libsmb: Remove overflow check via 8e70f0c174a Revert "libsmb: Use sid_parse()" via c40a90d7c7a python: Add RPC credentials cache test via bb9ff0e143a python: Add LDAP credentials cache test via 848458d1704 python: Add credentials cache test via 02bfb9e2daf krb5: Add Python functions to create a credentials cache containing a service ticket via 98727cd606c librpc: Test parsing a Kerberos 5 credentials cache with ndrdump via 38d622f38ea krb5ccache.idl: Add definition for a Kerberos credentials cache via a47b37c170f Revert "s4-test: fixed ndrdump test for top level build" via 1854fc55a30 pygensec: Fix method documentation via 522ebd8e7c9 auth:creds: Fix parameter in creds.set_named_ccache() via 427185f8a99 auth:creds: Remove unused variable via 1748470cc21 tests python krb5: MS-KILE client principal look-up via 9e0cf55529a librpc: Add py_descriptor_richcmp() equality function via 28dee15ee08 tests python krb5: PEP8 cleanups via 03e4bbb8d85 tests python krb5: use key usage constants via d9f914d0820 tests python krb5: Add key usage constants via f38ba415847 tests python krb5: initial TGS tests via 81923ea8232 tests python krb5: add test base class via c8f1511ea49 tests python krb5: Add Authorization data ad-type constants via bde787c8484 tests python krb5: Extra canonicalization tests via f719d74eb7e tests python krb5: add arcfour salt tests via f79c7c3217c tests python krb5: refactor compatability tests via 82d2ce2a66b tests python krb5: Convert kdc-heimdal to python via ab09ca1b0e9 tests python krb5: raw_testcase permit RC4 salts via 7858fd1799d tests python krb5: Refactor compatability test constants via 1543efaead3 tests python krb5: Refactor canonicalization test constants via 8610d03794e tests python krb5: Add constants module via fb05f15519c 
tests python krb5: Add python kerberos compatability tests via a142057393f selftest: add heimdal kdc specific known fail via d810539294b selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals via ed2c276f765 selftest: Add in encrypted-pa-data from RFC 6806 via 08a296f9018 selftest: Fix formatting of failure (traceback and options swapped in format string) via 657dde3bdf2 selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name via a07052104f3 samdb: Add samdb.domain_netbios_name() via 0242419a010 selftest: Make as_canonicalization_tests.py easier to run outside "make test" via d08faae8bd0 selftest: Fix flipped machine and user constants via d7ebc3b7055 selftest: Send enterprise principals tagged as such via ca83a606256 tests python krb5: Add python kerberos canonicalization tests via 8536b5f4397 tests python krb5: Add canonicalize flag to ASN1 via 71f30ca29b4 tests python krb5: Make PrincipalName_create a class method via 44841d2b18b selftest: add mit kdc specific known fail from cea68cbf537 ctdb-daemon: Don't mark a node as unhealthy when connecting to it
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-13-test - Log ----------------------------------------------------------------- commit b7d16fdc65397114bcc9199bbd4092f54d11e565 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Aug 31 22:38:01 2021 +1200 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname This allows our code to still pass with the error code that MIT and Heimdal have chosen BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> Autobuild-User(master): Andreas Schneider <a...@cryptomilk.org> Autobuild-Date(master): Thu Sep 2 14:28:31 UTC 2021 on sn-devel-184 [abart...@samba.org: Backported from 10baaf08523200e47451aa1862430977b0365b59 to Samba 4.14 due to conflicts in knownfail as the test which crashes older MIT KDC versions is omitted] Autobuild-User(v4-13-test): Jule Anger <jan...@samba.org> Autobuild-Date(v4-13-test): Thu Sep 16 08:54:13 UTC 2021 on sn-devel-184 commit 7a2a6e0bcb0f9508322e940360b95eae52572cb2 Author: Luke Howard <lu...@padl.com> Date: Tue Aug 31 17:38:16 2021 +1200 kdc: KRB5KDC_ERR_{C,S}_PRINCIPAL_UNKNOWN if missing field If missing cname or sname in AS-REQ, return KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN and KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN. This matches MIT behaviour. [abart...@samba.org Backported from Heimdal commit 892a1ffcaad98157e945c540b81f65edb14d29bd and knownfail added. Further adapted knownfail for 4.14 due to conflicts as the patch that adds a test which crashes old MIT versions is omitted] BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> commit 1e27b45f49c1a6d610ec498e48b4ed4f6e85c772 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Aug 31 19:42:33 2021 +1200 tests/krb5: Allow expected_error_mode to be a container type This allows a range of possible error codes to be checked against, for cases when the particular error code returned is not so important. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit ebd673e976aea5dd481a75f180fd526995c4fda0) commit 57800189c5f4a92058ff293f8583805ebcf9928d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:26:45 2021 +1200 tests/krb5: Allow specifying parameters specific to the inner FAST request body BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit c6d7e19ecfb264c6f79df5a20e830e4ea6fdb340) commit b5e11c10966dcbb9ca4e751c6c378e2f9ed6e358 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:02:04 2021 +1200 tests/krb5: Add tests for omitting sname in request BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit bbbb13caf7bd2440c80f4f4775725b7863d16a5b) commit cabc5b114dc094e36b4c052ed524757990ec6321 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:00:37 2021 +1200 tests/krb5: Check PADATA-PW-SALT element in e-data BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 1e4d757394a0bbda587d5ff91801f88539b712b1) commit 8a8872f7070a6f2c89e2ba38d89df0e27bca9f71 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:00:21 2021 +1200 tests/krb5: Check e-data element for TGS-REP errors without FAST BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit e373c6461a88c44303ea8cdbebc2d78dd15dec4a) commit bd76f6d47e756692243a77e7628324e333c566a0 Author: Andrew Bartlett <abart...@samba.org> Date: Wed Sep 1 10:43:06 2021 +1200 tests/krb5: Remove harmful and a-typical return in as_req testcase A test in a TestCase class should not return a value; the test is determined by the assertions raised. Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2] to not always be filled, so we need to remove this redundant code. This also fixes a *lot* of tests against the MIT KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit b8e2515552ffa158fab1e86a39004de4cc419da5) commit a67cda7159f3c7e9c381a13705011dd9c93742ae Author: Luke Howard <lu...@padl.com> Date: Fri Aug 27 11:42:48 2021 +1000 CVE-2021-3671 HEIMDAL kdc: validate sname in TGS-REQ In tgs_build_reply(), validate the server name in the TGS-REQ is present before dereferencing. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abart...@samba.org backported from Heimdal commit 04171147948d0a3636bc6374181926f0fb2ec83a via reference to an earlier patch by Joseph Sutton] RN: An unauthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ Reviewed-by: Andreas Schneider <a...@samba.org> (cherry picked from commit 0cb4b939f192376bf5e33637863a91a20f74c5a5) commit 95de6d138adcd6f3fb5d098f5e13636910a3e0f7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Sep 1 14:43:53 2021 +1200 tests/krb5: Make cname checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abart...@samba.org backported from commit 36798f5b651a02b74b6844c024101f7a026f1f68 as Samba 4.14 is tested on MIT 1.16 and so the knownfails need to match this version] commit 497b461238bf69eb5ff92c4b849b8f56bbcbac5e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Aug 27 13:35:59 2021 +1200 tests/krb5: Make e-data checking less strict Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC, instead failing when obtaining a TGT for the user or machine. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> [abart...@samba.org Backported from commit 79dda329f2a8382f1e46b50f4b9692e78d687826 as knownfail needed splitting into only failing in the Heimdal case, likely because b3ee034b4d457607ef25a5b01da64e1eaf5906dd (s4:kdc: prefer newer enctypes for preauth responses) is not included in the 4.14 backport. ] commit 17c7bc10695d7b2ca1a06e02786dc08c26252fd6 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Sep 7 17:23:32 2021 +1200 selftest: Remove knownfail for no_etypes FAST tests These test pass because b3ee034b4d457607ef25a5b01da64e1eaf5906dd (s4:kdc: prefer newer enctypes for preauth responses) is not included in the 4.13 backport. 
Signed-off-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 commit 27e964233a55665de302e25e54e93109bdcfb1ac Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 29 10:58:44 2021 +1200 tests/krb5: Add FAST tests Example command: SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \ KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \ ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \ PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184 (cherry picked from commit 984a0db00c3f2e38b568a75eb1944f4d7bb7f854) commit 576e5ca2e9cb04c3264962d0e8a256d3e3ec3306 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Thu Jun 10 09:56:58 2021 +1200 initial FAST tests Currently incomplete, and tested only against MIT Kerberos. [abart...@samba.org Originally "WIP inital FAST tests" Samba's general policy that we don't push WIP patches, we polish into a 'perfect' patch stream. However, I think there are good reasons to keep this patch distinct in this particular case. Gary is being modest in titling this WIP (now removed from the title to avoid confusion). They are not WIP in the normal sense of partially or untested code or random unfinished thoughts. The primary issue is that at that point where Gary had to finish up he had trouble getting FAST support enabled on Windows, so couldn't test against our standard reference. They are instead good, working initial tests written against the RFC and tested against Samba's AD DC in the mode backed by MIT Kerberos. This preserves clear authorship for the two distinct bodies of work, as in the next patch Joseph was able to extend and improve the tests significantly. ] Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b7b62957bdce9929fabd3812b9378bdbd6c12966) commit e7e79028093778d9dd028d8d408af2c75f21f211 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:49:58 2021 +1200 tests/krb5: Check PADATA-FX-ERROR in reply 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit aa2c221f4e1bfc3403de857e62eaeaee1577560c) commit 1fd611e9e7fbce83ea4f7ed6c7d8f4f1a04b3543 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 29 11:50:16 2021 +1200 tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 66e1eb58bedf036ad25a868993d44480c4e0e055) commit 83073237a95f2e8e3288394362cb02bb1d3869b6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:50:20 2021 +1200 tests/krb5: Check PADATA-PAC-OPTIONS in reply Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0c857f67a3a4a27aa4b799c9a61a1a1b59932c07) commit 48199d18cc9141cf626af99d317836ceacad51f6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 16:29:39 2021 +1200 tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 29070e74baa18d94642efcd36930b9bab216e10c) commit 8fa99e31658860bac6a03f83a5f588f29b26fd96 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jul 28 20:49:25 2021 +1200 tests/krb5: Make check_rep_padata() also work for checking TGS replies 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ab4e7028a6ac01eab9531c8a26507a912df54278) commit e1c4d715a61e06ce996961f0723867e9faead8cb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:49:12 2021 +1200 tests/krb5: Check PADATA-FX-COOKIE in reply Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 95b54078c2f82179283dfc397c4ec1f36d5edfe7) commit 2391eabfcf29c682686ab2fc03ec1d648930ce0c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:36:56 2021 +1200 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2f7919db395c24f6890ffe4ee46a5e34df95fccd) commit 40da4ffbf18a53b2be308d6be6309943a6c2d3d9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 16:42:26 2021 +1200 tests/krb5: Adjust reply padata checking depending on whether FAST was sent Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 44a44109db96eab08a3da3683c34446bc13b295b) commit 0febff53f3867d7905dbe8e01f2ecd9f701cec2b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 16:31:39 2021 +1200 tests/krb5: Check reply FAST padata if request included FAST 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 056fb71832e7aa16132c58ff393ab8b752ef6a93) commit ee892faca94611ec287b6240dddbfbfd83128888 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 16:25:39 2021 +1200 tests/krb5: Check sname is krbtgt for FAST generic error Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7a27b75621908a4a6449efaecb54eb20fa45aca0) commit 2356b4d9b7543ef06b20d6867d5dd1137b72650b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 11:15:00 2021 +1200 tests/krb5: Add get_krbtgt_sname() method Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dbe98005d5873440063b91e56679937149535be7) commit be4977249bc4b971d0d4257f85a5a0a6954dc6f4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 16:26:06 2021 +1200 tests/krb5: Remove unused variables Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5edbabeb26e110648d4588c90843e4715ec1ac5c) commit fef9198aafc718fcf0b739591a9c5da3e300ab77 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 16:35:32 2021 +1200 tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 705e45e37f4752e283a80626be10c38b29232359) commit 087cf5f9504eeb46e0a3c5ce4d8a7d91615861dc Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 16:21:14 2021 +1200 tests/krb5: Add check_rep_padata() method to check padata in reply Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 79b9aac65b7dbdc58275368eae9feb7d87bf6dab) commit efe112dfa56772091eb3e9334f083a550668d711 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 15:20:09 2021 +1200 tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1389ba346df81c9ea1e1143c4e819212939f6aeb) commit bef5024da8ceb658c00ade1310a13f737a94bcdf Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:18:29 2021 +1200 tests/krb5: Include authdata in kdc_exchange_dict Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ea1ed63e8819926db1cf15974009601c7d37e944) commit 8eaa8e10383acc1395ff27ed0107341d581dc3cc Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:05:59 2021 +1200 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict This is useful for testing the 'hide client names' FAST option. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2ee87dbf08e66e1dc812430026bfe214f9f5503d) commit 8a3b41f048396b83674bbd173ba94de65b6600b3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:34:49 2021 +1200 tests/krb5: Check encrypted-pa-data Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0c029e780cf16a49c674593e8329eaf3b87aec69) commit 701e5c98399bb7b4ac7072e0da73dfde7d209d74 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 15:21:01 2021 +1200 tests/krb5: Add methods to determine whether elements were included in the request Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 99e3b909edf27c751b959a3d0b672ddd2b7140e2) commit 64b5183a7764f25cd45126de331cfa51fa3bb0e9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 15:20:44 2021 +1200 tests/krb5: Add functions to get dicts of request padata Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dc7dac95ec509d90d8372005cd7b13fabd8e64c6) commit cedfc67ede46bc87a75db0514f3dbcbe29fac30e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:42:57 2021 +1200 tests/krb5: Check FAST response 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d878bd6404d26c8be45bb2016ec206ed79d4ef6e) commit 5d39d4b36e88a12e69a78b934ba611a2ae3c7e67 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:10:13 2021 +1200 tests/krb5: Add method to verify ticket checksum for FAST Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4ca05402b36ba13a987b07b2402906764d3cd49b) commit b551c801193d13698baca765a741c74b38ce78fd Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:04:37 2021 +1200 tests/krb5: Add method to check PA-FX-FAST-REPLY Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b62488113f6053755f9be9faa9b757e7193074fa) commit de8fbf93111284cc6bd62262421b69bfee604eb8 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:01:36 2021 +1200 tests/krb5: Allow specifying parameters specific to the outer request body This is useful for testing FAST. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 16ce1a1d304b87ed5b390fb87a4542c7c9a484fb) commit 3be408a3a839a5956e808fd939095c04b9413cc9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 29 10:33:24 2021 +1200 tests/krb5: Add FAST armor generation to _generic_kdc_exchange() 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0df385fc49cc2693c195209936a29e31216df16d) commit 52eb693ac31dcf66b637bdf07061de2cb5c3bb5b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 29 10:33:10 2021 +1200 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5c2cd71ae704b853a886c8af5e3cf50b53af7f9e) commit 25b6681c3cd5c0eeb1a29913dd319ab00cf3ba51 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 29 10:19:46 2021 +1200 tests/krb5: Include authenticator_subkey in AS-REQ exchange dict This is needed for FAST. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d554b6dc0f4e14d154e487dc2a842321aa746155) commit a57e79c5fcee8e2ecb5d60c05ed84dc116acb4c4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jul 28 20:49:12 2021 +1200 tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error() This method will also be useful in checking TGS-REP error replies. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 74f332c6f9e31b933837cefee69b219054970713) commit 6264ed424206bf728de193f1177c845283580ab4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 12:49:05 2021 +1200 tests/krb5: Add methods to calculate keys for FAST Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 080894067469d60e2c71961c2d1c1990ba15b917) commit b7562c873e8091b210ca7d70cde68fda45c714dc Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 12:47:18 2021 +1200 tests/krb5: Add method to generate FAST encrypted challenge padata Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit aafc86896969d02ff1daecdf2668bfa642860082) commit 0e33a06673b7d09a2dec878505776d82a2f09ecf Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 10:23:26 2021 +1200 tests/krb5: Add more methods to create ASN1 objects for FAST Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 69a66c0d2a7ed415c8d8acdb8da0f2f3d1abf60d) commit dbeafd158a46c48dd1cb0e88b6550e170129f4d2 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 10:21:07 2021 +1200 tests/krb5: Add more ASN1 definitions for FAST 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ec702900295100ae4e48ba57242eee6670bf30d6) commit 1ce82cbc9d65edcf0e665da8a400a2dd1b10a125 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 13:59:36 2021 +1200 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange() Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 025737deb5325d25b2ae4c57583c24ae1d0eca33) commit 04a6c902edeb0a7a030b8850e454f87403d9e83d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 11:06:35 2021 +1200 tests/krb5: Ensure generated padata is not None Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b6f96dd6395a30e15fa906959cbe665757aaba8d) commit a9e421c4bfafc94b1472fb270f701da6db5b27c1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jul 28 19:27:02 2021 +1200 tests/krb5: Add generate_ap_req() method This method will be useful to generate an AP-REQ for use as FAST armor. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4824dd4e9f40abcbd4134b79e2b2b8fb960f47e7) commit d9f406518ca82afa8f748a59326d5fba7e3dd394 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 12:52:42 2021 +1200 tests/krb5: Check nonce in EncKDCRepPart 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4951a105b0448854115a7ecc3d867be6f34b0dcf) commit d81a88a78f4c82edf6d3ebf1d8452df67fcbb750 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 11:39:37 2021 +1200 tests/krb5: Make checking less strict Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6df0e406f1f823bf4d65cd478eb6f2424b69adcc) [abart...@samba.org Adapted to add knownfail because in this Samba 4.14 backport we do not include b3ee034b4d457607ef25a5b01da64e1eaf5906dd (s4:kdc: prefer newer enctypes for preauth responses)] commit ee9b0a028c2e712e9dee6767eb7826cfa3af1da6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 11:34:19 2021 +1200 tests/krb5: Check version number of obtained ticket Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 98dc19e8c817fc66e253e544874a45b17b8bfa7b) commit 1e451d724b0c0cba4c495c1a9fd6385c4ac021b9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:39:42 2021 +1200 tests/krb5: Assert that more variables are not None 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3d1066e923815782036bd11524fda110a2528951) commit db6495a2377c3bfb08f6173e881d3cd5a1ff973e Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 10:37:48 2021 +1200 tests/krb5: Ensure in assertElementPresent() that container elements are not empty Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ba3c92f77b20e1e0d298cd92399dc69535739c27) commit 814087029499d50d98e567b81384b9b6f7128088 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 11:06:15 2021 +1200 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn This means that there can no longer be surprises where a test receives a reply when it was expecting an error, or vice versa. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 78818655505b3183251940e86270cd40bae73206) commit cc1f6fcddbc58d587797db27f24a04d8c6f50553 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 10:35:40 2021 +1200 tests/krb5: Include kdc_options in kdc_exchange_dict Make kdc_options an element of kdc_exchange_dict instead of a parameter to _generic_kdc_exchange(). This allows testing code to adjust the reply checking based on the options that were specified in the request. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 8fe9589da2d8fe6f5c47770c618ebabe028f6a95) commit d82d3a20d320a9921ef6cbc31cd945b011875281 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 10:32:52 2021 +1200 tests/krb5: Always specify expected error code Now the expected error code is always determined by the test code itself rather than by generic_check_as_error(). Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 21c64fda8f98d451e028ea483dbe351b1280390c) commit 235873ff334c6362f2392ac896b6fe9e03b8df1b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 26 17:19:04 2021 +1200 tests/krb5: Add check_reply() method to check for AS or TGS reply Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 28fb50f511f3f693709aa9b41c001d6a5f9c3329) commit dcd9320cd9cbce87c25715d0de862d2ac81f2fbb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 22 16:22:09 2021 +1200 tests/krb5: Add method to calculate account salt 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit f5689bb8fab82d5fcbdbd3c63b86e7618834aac5) commit afcf48e752c07180717fc1184f8cfc65cc0657ad Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 10:19:57 2021 +1200 tests/krb5: Add more methods for obtaining machine and service credentials Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 50d743bafc7aa9f7b4688bae652a501001e9fdbb) commit caca311af0a851417453b856e9858fd3bb39357c Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 11:25:55 2021 +1200 tests/krb5: Allow specifying additional details when creating an account Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4790b6b04ae145a2ebb418dd734487a6ba28a30c) commit 34faed8971ca1ef537733d5878f7ebe162d3aa35 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Aug 3 15:58:19 2021 +1200 tests/krb5: Use encryption with admin credentials This ensures that account creation using admin credentials succeeds. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ce379edf2e135b105b18d35e24d732389de94291) commit 5cada92252775e26ca056a43629dca14193f1489 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 22 16:27:17 2021 +1200 tests/krb5: Add get_EpochFromKerberosTime() 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit bab7503e3043002b1422b00f40cd03a0a29538aa) commit 2e42112ef964878c03ceff1727d69fed28438195 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:27:47 2021 +1200 tests/krb5: Make _test_as_exchange() return value more consistent Always return the reply and the kdc_exchange_dict so that the caller has more potentially useful information. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fe8912e4a85c5fd614ad3079b041c0e1975958e3) commit ce7b1d711428c01d26d9666a480bd50b87441a41 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 12:51:54 2021 +1200 tests/krb5: Add method to return dict containing padata elements This makes checking multiple padata elements easier. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit cb332d83008aa97a60eaca9e008054f641d514d6) commit 11001fca4d279de3ef5c74cd7ac86b75a45d8903 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 26 17:18:38 2021 +1200 tests/krb5: Add get_enc_timestamp_pa_data_from_key() This makes it easier to create encrypted timestamp padata when the key has already been obtained. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit f5a906f74f9665a894db3c13722022f732180620) commit ca5b9aff8f94e465378b4385fae9d008c2ac32d5 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 10:16:01 2021 +1200 tests/krb5: Refactor get_pa_data() The function now returns a single padata object rather than a list, making it easier to combine multiple padata elements into a request. The new name 'get_enc_timestamp_pa_data' also makes it clearer as to what the method generates. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2c80f7f851a7a4ffbcde2c42b2c383b683b67731) commit 70dd144a05fb13cf6cab82629e2a4f41910f1c5a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 10:24:52 2021 +1200 tests/krb5: Allow cf2 to automatically use the enctype of the first key RFC6113 states: "Unless otherwise specified, the resulting enctype of KRB-FX-CF2 is the enctype of k1." This change means the enctype no longer has to be specified manually. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a5e5f8fdfe8b6952592d7d682af893c79080826f) commit 2ae49840a4f38cd3a47018111dbe2996e6deec6a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 11:28:37 2021 +1200 tests/krb5: Use credentials kvno when creating password key 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 17d5a267298ccd7272e86fd24c2c608511cf46b7) commit e2d952cfa02a6d24f5e2cba0c5f04005cf83b1f1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 15:07:59 2021 +1200 tests/krb5: Check Kerberos protocol version number Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d6a242e20004217a0ce02dc4ef620a121e5944da) commit e79061f0626f9dd88e74f43ff09b4e1c955007d1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jul 28 17:00:09 2021 +1200 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 8194b2a2611c6b1db2d29ec22c70e14decd1784b) commit 2f12714196c32f3051e1d8a2819484d4cb9c80b1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 14:06:29 2021 +1200 tests/krb5: Fix encpart_decryption_key with MIT KDC 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a0c6538a97126671f9c7bcf3b581f3d98cbc7fd1) commit a4e70d45d3be5d85b24fbdab07be4a2b68bc7552 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 11:12:34 2021 +1200 tests/krb5: Fix callback_dict parameter Items contained in a default-created callback_dict should not be carried over between unrelated calls to {as,tgs}_as_exchange_dict(). Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit bad5f4ee5fdf64ca9d775233fec24975e0b510bf) commit 254bd5ad6ed30df41a2178a58ff74eacb7491a97 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 26 17:14:08 2021 +1200 tests/krb5: Fix including enc-authorization-data Remove the EncAuthorizationData parameters from AS_REQ_create(), since it should only be present in the TGS-REQ form. Also, fix a call to EncryptedData_create() to supply the key usage when creating enc-authorization-data. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 67ff72395cec2e5170c0ebae8db416a1f226df72) commit d4c3e11e247a1e83182fe0689113b3c4294e63b3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 27 13:49:27 2021 +1200 tests/krb5: Remove magic constants 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a2b183c179e74634438c85a4b35518836ba59e47) commit cd3b4785b9ab608ec73ada85e92980ad8ec536ae Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Aug 3 15:03:00 2021 +1200 tests/krb5: Simplify Python syntax Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 41c3e410344280d691e5a21fa5240ef52e71bd2d) commit 80757c65b243dd87dae2b7a155d0fec6e26aa2a7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Aug 2 17:10:32 2021 +1200 tests/krb5: Use more compact dict lookup Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 38b3a361819c716adb773fb3b4507c28d7d26c0d) commit c3ffa232c03e60770a85aa6b119785218dca5826 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Aug 2 17:01:39 2021 +1200 tests/krb5: Remove unneeded statements A return statement is redundant as the last statement in a method, as methods will otherwise return None. Also, code blocks consisting of a single 'pass' statement can be safely omitted. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1320ac0f91a9b0fc8156840ec498059ee10b5a2d) commit 70f6cf7afcecebc8a862f09754723bedc4ef5941 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Aug 2 17:00:09 2021 +1200 tests/krb5: formatting 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit df6623363a7ec1a13af48a09e1d29fa8784e825c) commit fa26a95dda13e9b5acb4d88ed4c2063f425351c7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 6 10:17:52 2021 +1200 tests/krb5: Fix method name typo Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7013a8edd1f628b8659f0836f3b37ccf13156ae2) commit c76cf2bc054ea3a183a72eab559adf7d20fa82d6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Jul 22 16:26:17 2021 +1200 tests/krb5: Fix comment typo Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9eb4c4b7b1c2e8d124456e6a57262dc9c02d67d4) commit 7b16ffcb46f6b2d7f390c9bb4d93d031dd3f397d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 26 17:15:23 2021 +1200 tests/krb5: Fix ms_kile_client_principal_lookup_test errors 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4797ced89095155c01e44727cf8b66ee4fb39710) commit 11cf625557351bd2bc73d8d858d2817f5fe680b6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jul 20 10:48:41 2021 +1200 pygensec: Don't modify Python bytes objects gensec_update() and gensec_unwrap() can both modify their input buffers (for example, during the in-place RRC operation on GSSAPI tokens). However, buffers obtained from Python bytes objects must not be modified in any way. Create a copy of the input buffer so the original isn't modified. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6818d204897d0b7946dcfbedf79cd53fb9b3f159) commit 52898d56abb0ec7ce29d9a03d0220fe887eeae1f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jul 19 17:29:39 2021 +1200 pygensec: Fix memory leaks Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 814df05f8c10e9d82e6082d42ece1df569db4385) commit 3e013f04e190576272a513597eb14171b6c40a1b Author: Björn Baumbach <b...@sernet.de> Date: Fri Jul 24 12:18:11 2020 +0200 selftest: add option to pass args to tests to planpythontestsuite() The logic is basically a copy from planoldpythontestsuite(). Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Björn Baumbach <b...@sernet.de> 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3e9f0e97255de1b4235c4dca6912635386328746) commit a5a26564a87ea04e1d4abcf44af6e94465fb83f5 Author: Andreas Schneider <a...@samba.org> Date: Tue Jul 27 13:45:03 2021 +0200 selftest: Add support for setting ENV variables in plantestsuite() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 48289b6964d28e153fec885aceca02c6a9b436ef) commit f5e4fc453b1056d933219344eb582a07746bea93 Author: Andreas Schneider <a...@samba.org> Date: Tue Jul 27 13:25:59 2021 +0200 selftest: Add support for setting ENV variables in plansmbtorture4testsuite() Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3db299e586fd9464b6e1b145f29b10c8ae325d3a) commit e6de4d851c006838d99b3b77cfe250f1b6821d99 Author: Andreas Schneider <a...@samba.org> Date: Tue Jul 27 08:50:54 2021 +0200 selftest: Re-format long lines in selftesthelpers.py Signed-off-by: Andreas Schneider <a...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 18976a9568b23759060377d09304e9d7badb143a) commit 63be60227a86c10d866a78148a1bed339c2d407b Author: Andrew Bartlett <abart...@samba.org> Date: Tue Sep 7 09:08:58 2021 +1200 selftest: add space after --list in output of selftesthelpers.py Selected and backported from: commit b113a3bbcd03ab6a62883fbca85ee8749e038887 Author: Volker Lendecke <v...@samba.org> Date: Mon Apr 19 16:04:00 2021 +0200 torture: Show sddl_decode() failure for "GWFX" access mask 
Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (This allows subsequent patches to be cherry-picked cleanly) Signed-off-by: Andrew Bartlett <abart...@samba.org> commit e1a4921d5e3589b565810b9d1af98f30e521b746 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon Jun 21 14:14:48 2021 +1200 s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against This enables us to more easily switch to a different algorithm to find the strongest key in _kdc_find_etype(). Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit bf71fa038e9b97f770e06e88226e885d67342d47) commit 07610622027d22e242e430be49da90a564d5666b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 16 12:52:11 2021 +1200 tests/krb5: Use admin creds for SamDB rather than user creds This makes the purpose of each set of credentials more consistent, and makes some tests more convenient to run standalone as they no longer require user credentials. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ab221c1b3e24696aa0eed6aa970f310447657069) commit 09d0e89265c3d780fcea6afe369f09d800628932 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 16 11:49:05 2021 +1200 tests/krb5/as_canonicalization_tests.py: Refactor account creation Making this test a subclass of KDCBaseTest allows us to make use of its methods for obtaining credentials and creating accounts, which helps to eliminate some duplicated code. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fc857ea60e2a66d20d4174cb121e0a6949f8a0c1) commit 5a0af3e510e296755cfc1e28a86695045416705a Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 16 11:01:50 2021 +1200 tests/krb5: Deduplicate 'host' attribute initialisation Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3e621dcb6966f75034bb948a2705358d43454202) commit c76c9f15a780ac05e92827ad42c78e49de14bfb7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 13:25:34 2021 +1200 tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value This is clearer than using the constant zero, which could be mistaken for a valid kvno value. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 381223117e0bae4c348d538bffaa8227b18ef3d1) commit 75f534c0ac5b21cb10e1975490c1153672e78bf7 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 13:24:22 2021 +1200 tests/krb5/as_req_tests.py: Check the client kvno Ensure we have the correct kvno for the client, rather than an 'unknown' value. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d4c38678e0cc782965edfe40a0423fafb7d5a5ff) commit 02f3bd6a821b85e140f272d745cdb6d7eb8b3c0c Author: Stefan Metzmacher <me...@samba.org> Date: Tue Apr 21 11:07:45 2020 +0200 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test Example commands: Windows 2012R2: SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser 
CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py Windows 2008R2: SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py Samba: SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 
KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d5e350a4a490fecf570f1c248c9dde1466796166) commit 9db32a6a456b6b678d76527f73a8f5d30593e72f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 16 14:51:22 2021 +1200 tests/krb5/as_req_tests.py: Automatically obtain credentials The credentials for the client and krbtgt accounts are now fetched automatically rather than using environment variables, and the client account is now automatically created. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0fd71ed3c37c8cf326f9f676b7fddda3d2d24072) commit 56b5ceb0c647a4733aed758481922617d48522dd Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 16:07:16 2021 +1200 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials Now if the client credentials are not supplied in the environment, we can fall back to creating a new user account. Similarly, if the krbtgt credentials are not supplied, we can fetch the credentials of the existing krbtgt account. Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fd45bea7a88837cbe4f99adf3a6b3f69ce32f34c) commit ea9083dfd631cb1ec836551dc6c3361652cf18b6 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 15:55:17 2021 +1200 tests/krb5/raw_testcase.py: Simplify conditionals Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ec5c2b040b63d06a17bcd7bd133c2d68d07df587) commit d88603f8b5c58a26226ca01319a2edcf4f7d6d0b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 17:12:39 2021 +1200 tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function This allows us to use other methods of obtaining credentials if getting them from the environment fails. Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit e1601f2b56f09a944c5cfb119502fdcf49a03c99) commit 23496bb7cf35463bde5d80b4e418e608ee01e3a2 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 17:10:44 2021 +1200 tests/krb5/raw_testcase.py: Cache obtained credentials If credentials are used more than once, we can now use the credentials that we already obtained and so avoid fetching them again. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 22a90aea82ba6ef86bde835f2369daa6e23ed2fd) commit 7bd0c7f557b2a95a6d21a8a1505a4fe9c3f2ea53 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 16:55:02 2021 +1200 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds This allows us to require encryption keys in the case that a password would not be required, such as for the krbtgt account. Pair-Programmed-With: Stefan Metzmacher <me...@samba.org> Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6a77c2b93315503008627ce786388f281bd6bb87) commit 5b209e40ec26ca906397d7c1cb6667f1bd5df403 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 15:59:11 2021 +1200 tests/krb5/raw_testcase.py: Make env_get_var() a standalone method This allows it to be used elsewhere in the tests. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 948bbc9cecbfc1b33a338891d26a4a706864b9c6) commit 44018e6131c5c945af57876aa971ee209bec5528 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 13:15:10 2021 +1200 tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS This requires admin credentials, and removes the need to pass these keys as environment variables. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1f2ddd3c97e3ff243c8bd0c17299f27b761f5e7f) commit 1c0c89ac3bf4985efea12181ee6c0658084bd7c2 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 15:12:38 2021 +1200 tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types This is done based on the domain functional level, which corresponds to the logic Samba uses to decide whether or not to generate a Primary:Kerberos-Newer-Keys element for the supplementalCredentials attribute. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7d4a0ed21be49d13c2b815582f2d04f0c058bf3a) commit 768f1d71b93b482dc04705004045f14277b28aa4 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 16 11:40:41 2021 +1200 tests/krb5/kdc_base_test.py: Create loadparm only when needed Now the .conf file is only loaded on its first use, which means that SMB_CONF_PATH need not be defined for tests that don't make use of it. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 210e544016a3a4de1cdb76ce28a2148811ff07eb) commit 113fa4ecfd1be51049474a9d5d2ec25c5b35bc92 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 16 11:31:26 2021 +1200 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute Credentials for tests are now obtained using the get_user_creds() method. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 364f1ce8d8221cb8926635fc864db782cee61cf9) commit 807773d382b17d07ad77dc700bbd9ea39819138b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Jun 16 11:04:00 2021 +1200 tests/krb5/kdc_base_test.py: Create database connection only when needed Now the database connection is only created on its first use, which means database credentials are no longer required for tests that don't make use of it. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 4f5566be4839838e0e3e501a030bcf6e85ff5159) commit 051487c6ab941c174b820d70c4ce10838162349d Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 13:14:33 2021 +1200 tests/krb5/raw_testcase.py: Add get_admin_creds() This method allows obtaining credentials that can be used for administrative tasks such as creating accounts. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5afae39da0ab408bb36dde3a7801634bd9cc24f6) commit fa1a2eb7b9a7e36c223ced4dbb7208ecb19fa577 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Jun 15 15:38:28 2021 +1200 tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called This allows accounts created for permutation tests to be reused, rather than having to be recreated for every test. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Stefan Metzmacher <me...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5412bffb9b4fc13023e650bbc9436a79b60b6fa2) commit d371e8688c34ea67f8e2375dd569dabad84bb4b5 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Apr 21 11:07:45 2020 +0200 selftest: run new as_req_tests against fl2008r2dc and fl2003dc There are a lot of things we should improve in our KDC in order to work like a Windows KDC. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d91665d33130aed11fa82d8d2796ab1627e04dc4) commit 99acba0be9e24f9a877f7046f6d7af127d0d4d17 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Apr 21 11:07:45 2020 +0200 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol Example commands: Windows 2012R2: SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests Windows 2008R2: SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests Samba 4.14: SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 01d86954d217e38be333aa1ce7db1d3d9059cd4c) commit ec49afa5a23a62fa8eaa88f036da31aa6ac097b7 Author: Stefan Metzmacher <me...@samba.org> Date: Tue Apr 21 11:07:45 2020 +0200 tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure This will allow us to write tests, which will all cross check almost every aspect of the KDC response (including encrypted parts). Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6e2f2adc8e825634780077e24a9e437bdc68155a) commit 1b36e3bd7e2c65f0a67168b7da658d7fb26532e0 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 16 17:13:35 2020 +0200 tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds() This will allow building test_as_req_enc_timestamp() It also introduces ways to specify keys in hex formatted environment variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065) commit e6682e512067280d117cd5c72b51ce8de7c81438 Author: Stefan Metzmacher <me...@samba.org> Date: Mon Apr 20 20:02:52 2020 +0200 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations It's often useful to run tests over a lot of input parameter permutations. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit e3905035847a5268c1a65366830cc739280ae437) commit 38c4f77b9e4f86830497d0781dfbfd667d0f2fe8 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 16 10:43:54 2020 +0200 tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create() This allows building the pre-authentication data that encodes the request for the KDC (or more likely a request not to include) the KRB5 PAC in the resulting ticket. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d) commit 697edd2e1db15e5facafb7775d513117d1ce200a Author: Stefan Metzmacher <me...@samba.org> Date: Tue Apr 21 14:45:01 2020 +0200 tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create() This allows us to reuse body in future and calculate checksums on it. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb) commit 1ec0efe26ff7941897796e8bf983683f5e3e10e2 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 15 17:57:37 2020 +0200 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint we allow the BitString_NamedValues_prettyPrint() routine to show more named values. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3abb3b41368666535a216a98c3e7d15a5d498f7e) commit 159384d02fbe41ebd54c2d2a5ea45d0c82063adb Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 15 17:50:00 2020 +0200 tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint we allow the BitString_NamedValues_prettyPrint() routine to show more named values. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 34e079ce9a232a765fb3a2b25441434df35df54c) commit bf799b23de251510c1587394ae68c43d480c1232 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 15 13:49:52 2020 +0200 tests/krb5/raw_testcase.py: add assertElement*() These helper functions make writing subsequent Kerberos tests clearer. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 61e1b179812e48797146584998afc5bd0168beae) commit 5e69e2d7cd1106117293bdcc02b88fa6bf979baa Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 9 22:28:32 2020 +0200 tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future We should write tests as strict as possible in order to let them run against Windows servers. But at the same time we want to allow tests to be useful for Samba too... 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dff611976d6a067614e37add99edae214815a68b) commit ce264474d2939f1bd4046f30aa84b4487f4a45f3 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 9 10:55:28 2020 +0200 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds() These helpful functions allow us to build the various credentials that we will use in validating the KDC responses in this test. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit c3222870b92db7f867557c2896b7bf39915d469a) commit a83ea43c7ba421197638e58f150cf681418b3004 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 9 11:10:11 2020 +0200 tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing Update and re-generate the ASN.1 to allow an improved testsuite. Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162) commit 9d32cb48194a3c2f04bada32a7bfc67bdd422d10 Author: Stefan Metzmacher <me...@samba.org> Date: Wed Apr 15 16:50:55 2020 +0200 Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} This is a clearer name for the script Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fef08add9ec324fb0c3902e96c2a91c07646d499) commit 019b77dbb85d006165f061f0035d41193447a3f1 Author: Stefan Metzmacher <me...@samba.org> Date: Thu Apr 9 21:04:44 2020 +0200 auth/credentials: allow credentials.Credentials to act as base class In tests it's useful to add more details. 
Signed-off-by: Stefan Metzmacher <me...@samba.org> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1f413b2b2977687884781ca2399dadf6611ab461) commit 8737c731040a1e0a85c70bac71ac88539b1437bd Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 10 15:06:06 2021 +1200 python: Make credentials cache test run against Windows Windows, unlike Samba, requires the service principal name to be set when requesting a ticket to that service. Additionally, default_realm from the libdefaults section of krb5.conf should be set so that the correct realm is used. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Jeremy Allison <j...@samba.org> Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184 (cherry picked from commit 7791acb074b84ec7b571a81f15b56d33e2214ce9) commit 3a586a81f589d4b2f92714ee4a060eb5dac4f1af Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 10 16:43:03 2021 +1200 python: Fix ticket timestamp conversion when local timezone is not UTC Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b9006f33343ba8bb82ef8ffe1fd90c780961b41e) commit 9bf0f33ad1057bc9d1e61464b5343b08ebe19774 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 3 14:43:04 2021 +1200 python: Fix erroneous increments of reference counts 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 66695f0f94775c4db24fb625fe78ff44d964b5ad) commit 73bba60d737482a4edf6a5cf9c5ce06958a1d5c3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 3 14:42:10 2021 +1200 python: Ensure reference counts are properly incremented Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 290c1dc0975867a71c02e911708323d1f38b6f96) commit b32c193205473b585bfaf5d9e50e42e2a75eadcf Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Apr 30 08:58:11 2021 +1200 python: Add SMB credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through SMB. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 78a0b57b51642df07deed8aeb6e39e608fafda60) commit ff4d39737c57599a5858148696b7b81464565bd1 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Fri Apr 30 12:49:24 2021 +1200 pylibsmb: Add posix_whoami() 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abart...@samba.org backport from commit 482559436f12a85adb3409433aac3ab06baa82b1 as the 4.13 backport doesn't have earlier pylibsmb changes including 752a8f870de2bb087802a1287d7fb6c7624ac631 (s3:pylibsmb: remove unused SECINFO_DEFAULT_FLAGS)] commit d75226b90925a35537d21a4f27c68031ed187056 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 3 16:24:42 2021 +1200 libsmb: Ensure that whoami parses all the data provided to it Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9b96ebea5c6966b096cf1100a0895a9c41f2aa1d) commit 1208a4dce1e8542be4b5444509545c9ab28828a0 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 3 16:22:43 2021 +1200 libsmb: Check to see that whoami is not receiving more data than it requested Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9e414233c84d2f2fa4a9415be9ee975eca8b9bfd) commit e80ad4c0f2917a0ec6ed47eb82c30262b65c13ec Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 3 16:16:51 2021 +1200 libsmb: Avoid undefined behaviour when parsing whoami state If num_gids is such that the gids array would overflow the rdata buffer, 'p + 8' could produce a result pointing outside the buffer, and thus result in undefined behaviour. To avoid this, we check num_gids against the size of the buffer beforehand. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb) commit 1a3cc9a4e2d888f07b13b6b12efbc971ee13ef2b Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 3 15:55:01 2021 +1200 libsmb: Remove overflow check Pointer overflow is undefined, so this check does not accomplish anything. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit db5b34c7682e36630908356cf674fddd18d8fa1f) commit 8e70f0c174a9c95c221ab148ab30a06e0afa4de5 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Mon May 3 15:48:43 2021 +1200 Revert "libsmb: Use sid_parse()" This reverts commit afd5d34f5e1d13ba88448b3b94d353aa8361d1a9. This code originally used ndr_pull_struct_blob() to pull one SID from a buffer potentially containing multiple SIDs. When this was changed to use sid_parse(), it was now attempting to parse the whole buffer as a single SID with ndr_pull_struct_blob_all(), which would cause it to fail if more than one SID was present. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2b487890d946df88abce67c3d07d74559f70f069) commit c40a90d7c7afdfdba86e8941caa52fb2bb4f7ff9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Apr 29 21:04:25 2021 +1200 python: Add RPC credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through RPC. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 072451a033da07c0cdaa005dd1020ef1c7951e99) commit bb9ff0e143ac3551a8b6a1c660bbec603f347c2f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Apr 29 20:58:11 2021 +1200 python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7663b5c37fa3413f7c67c018107322494e4a6fd9) commit 848458d1704ef4cb632996a5949d00bf8fd3d9f3 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Apr 28 11:06:33 2021 +1200 python: Add credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service using the normal credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This will allow us to validate the output of the MIT/Heimdal libraries in the future. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit c15f26ec40860782b22e862f9bdf665745387718) commit 02bfb9e2daffa319261089dba068893c203eaf94 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Apr 28 11:02:47 2021 +1200 krb5: Add Python functions to create a credentials cache containing a service ticket This is a FILE: format credentials cache readable by the MIT/Heimdal Kerberos libraries. This allows us to glue the Python ASN1 Kerberos system to the MIT/Heimdal one. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2d88a6ff3dbcf650b09ef9c8c37170ca6663b533) commit 98727cd606ca5e63486908756c9aad327fcd43dd Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Apr 28 10:58:48 2021 +1200 librpc: Test parsing a Kerberos 5 credentials cache with ndrdump This is the format used by the FILE: credentials cache type. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1f17b1edca9c1638ef404fadce3ca7a4d176de12) commit 38d622f38ea8b3f3a3d6cf9db76c108b5ea082fb Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Apr 28 10:57:00 2021 +1200 krb5ccache.idl: Add definition for a Kerberos credentials cache Based on specifications found at https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html This is primarily designed for parsing and storing a single Kerberos ticket, due to the limitations of PIDL. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2) commit a47b37c170fe67f61844aa1d3bfc4a15130ac7a8 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Apr 15 10:32:41 2021 +1200 Revert "s4-test: fixed ndrdump test for top level build" This essentially reverts commit b84c0a9ed6d556eb2d3797d606edcd03f9766606, but the datapath is now in the source4 directory. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6f144d49b5281a08bf7be550b949f4d91e8fe19b) commit 1854fc55a30f2a7efd106e4d4cf1f2a77338251f Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Apr 28 11:07:22 2021 +1200 pygensec: Fix method documentation This changes the docstrings to use the correct method names. Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 50ade4cadc766a196316fd5c5a57f8c502f0ea22) commit 522ebd8e7c977c6f5aa5791766d7f9044049c877 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Apr 28 10:55:13 2021 +1200 auth:creds: Fix parameter in creds.set_named_ccache() Use the passed-in value for 'obtained' rather than always using CRED_SPECIFIED. 
Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2d05268aa0904221c452fc650fcdfb680efc20bb) commit 427185f8a9949920ca87807043167cb91ecafcb9 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Wed Apr 28 10:54:05 2021 +1200 auth:creds: Remove unused variable Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1ea2de561839ad948efab5112fbe4c1eae44d9ee) commit 1748470cc2155719dae5b587791c6bd223a5ae79 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Wed Feb 17 12:15:50 2021 +1300 tests python krb5: MS-KILE client principal look-up Tests of [MS-KILE]: Kerberos Protocol Extensions section 3.3.5.6.1 Client Principal Lookup Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Isaac Boukris <ibouk...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184 (cherry picked from commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2) commit 9e0cf55529a85853be21a42f80db88cbf5652bc9 Author: Volker Lendecke <v...@samba.org> Date: Fri Apr 16 17:22:12 2021 +0200 librpc: Add py_descriptor_richcmp() equality function Only a python3 version. Do we still need the python2 flavor? 
Signed-off-by: Volker Lendecke <v...@samba.org> Reviewed-by: Jeremy Allison <j...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 439b7ccdc1b1c91c66c1a7c83e340fa044c26377) commit 28dee15ee08489635424c3053bb5629889c6f1a3 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Fri Dec 11 11:55:01 2020 +1300 tests python krb5: PEP8 cleanups Fix all the PEP8 warnings in samba/tests/krb5. With the exception of rfc4120_pyasn1.py, which is generated from rfc4120.asn1. As these tests are new, it makes sense to ensure that they conform to PEP8. And set an aspirational goal for the rest of our python code. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Gary Lockyer <g...@samba.org> Autobuild-Date(master): Mon Dec 21 21:29:28 UTC 2020 on sn-devel-184 (cherry picked from commit c00d537526ca881c540ff66e703ad9c96dd1face) commit 03e4bbb8d855b54898a52ade9358114b1a7bab69 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Thu Dec 10 16:27:17 2020 +1300 tests python krb5: use key usage constants Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 03676a4a5c55ab5f4958a86cbd4d7be0f0a8a294) commit d9f914d0820bc9fb102ac8c9de2590e8ac3e64af Author: Gary Lockyer <g...@catalyst.net.nz> Date: Thu Dec 10 16:26:06 2020 +1300 tests python krb5: Add key usage constants Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andreas Schneider <a...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d8ed73b75ad67da99be392b2db18fe2e1ffed87f) commit f38ba41584718d54c0ed2c4ba093856d32f386bf Author: Gary Lockyer <g...@catalyst.net.nz> Date: Mon Nov 30 14:19:15 2020 +1300 tests python krb5: initial TGS tests Initial tests on the KDC TGS 
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1ed461a142f68f5de5e21b873ebddfcf5ae0ca1e) commit 81923ea82324e1ff7b94ea7da2c65a56ec9ba091 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Mon Nov 30 14:16:28 2020 +1300 tests python krb5: add test base class Add a base class for the KDC tests to reduce the amount of code duplication in the tests. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0f232ed42fb2671d025643cafb19891373562e4a) commit c8f1511ea49e4005740b0f0ef085c123ec581832 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Thu Dec 10 10:15:28 2020 +1300 tests python krb5: Add Authorization data ad-type constants Add constants for the Authorization Data Type values. RFC 4120 7.5.4. Authorization Data Types Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d74c9dcf3aaa613abfac49288f427484468bf6e1) commit bde787c8484114fa4861283935ba8e1a695661e2 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Wed Nov 18 14:49:28 2020 +1300 tests python krb5: Extra canonicalization tests Add tests that set the server name to the client name for the machine account in the kerberos AS_REQ. This replicates the TEST_AS_REQ_SELF test phase in source4/torture/krb5/kdc-canon-heimdal.c. 
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184 (cherry picked from commit 7f7e2b0e1e17321d800de787098bb2b2c8259ecd) commit f719d74eb7ef06969ad60f23627779a50cc68b70 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Nov 10 16:57:11 2020 +1300 tests python krb5: add arcfour salt tests MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption selected, Heimdal does not. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184 (cherry picked from commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77) commit f79c7c3217c26ca5c35e7d624603c1a626cb1a40 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Nov 10 16:56:46 2020 +1300 tests python krb5: refactor compatability tests Refactor to aid the adding of tests for the inclusion of a salt when ARCFOUR_HMAC_MD5 encryption selected Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d492355f293e2da400318665035b056dfaba852c) commit 82d2ce2a66b82b9d0d2102f458e7f8b9fd54cee0 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Fri Nov 6 09:07:04 2020 +1300 tests python krb5: Convert kdc-heimdal to python Implement the tests in source4/torture/krb5/kdc-heimdal.c in python. The following tests were not re-implemented as they are client side tests for the "Orpheus Lyre" attack: TORTURE_KRB5_TEST_CHANGE_SERVER_OUT TORTURE_KRB5_TEST_CHANGE_SERVER_IN TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH 
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a00a1c9745033dae05eee17cfa4e2c5354a81e68) commit ab09ca1b0e9ea3f56b17a9cd480b931f60acedd9 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Nov 10 13:51:39 2020 +1300 tests python krb5: raw_testcase permit RC4 salts MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes the check that a salt is not returned. A test for the difference between MIT and Heimdal will be added in the subsequent commits. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e) commit 7858fd1799d7b2363ab3c481551974fb9a905f64 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Nov 10 11:20:58 2020 +1300 tests python krb5: Refactor compatability test constants Modify tests to use the constants defined in rfc4120_constants.py Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974) commit 1543efaead3a7adcef28687ba9b1ba51882b5227 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Nov 10 11:20:03 2020 +1300 tests python krb5: Refactor canonicalization test constants Modify tests to use the constants defined in rfc4120_constants.py 
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 97b830cbcac53fcf49bbcd272812d1ba019bac51) commit 8610d03794eef7d81bb02631d1285cc1f4ebc3a6 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Nov 10 11:19:02 2020 +1300 tests python krb5: Add constants module Extract the constants used in the tests into a separate module. To reduce code duplication Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7) commit fb05f15519cb908da44f25f547444ac85369df0e Author: Gary Lockyer <g...@catalyst.net.nz> Date: Wed Nov 4 13:58:24 2020 +1300 tests python krb5: Add python kerberos compatability tests Add new python test to document the differences between the MIT and Heimdal Kerberos implementations. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e) commit a142057393fdc8f69de16658ae180e138f3c504f Author: Gary Lockyer <g...@catalyst.net.nz> Date: Wed Nov 4 13:54:46 2020 +1300 selftest: add heimdal kdc specific known fail Add a heimdal kerberos specific known fail, will be needed by subsequent commits. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5cb5134377f099353e0f91c44cc11e45d548d40f) commit d810539294b92cb5d19f553d895fa04073bd4736 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 13:50:37 2020 +1300 selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals This is documented in MS-KILE. 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Gary Lockyer <g...@samba.org> Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184 (cherry picked from commit f214a3ba5a3e9f129f10062392ae03edd62d8186) commit ed2c276f76519ba1bade37778d860f8eb7cab1fd Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 11:27:06 2020 +1300 selftest: Add in encrypted-pa-data from RFC 6806 This comes from Windows 2019 which supports FAST. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fc77ece0e2b5fd324809e17a9b208cc7854cee4b) commit 08a296f901883fae5578ea13142786ce83a0b0ca Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 11:21:24 2020 +1300 selftest: Fix formatting of failure (traceback and options swapped in format string) Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ab8c0a181bebe17a597af49790f6e7b17e13c29b) commit 657dde3bdf23ec96f5686d5fc5e81349297278d8 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 13:47:30 2020 +1300 selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2693f12fbe321e0f4932b1f74d7006dbac140e8e) commit a07052104f34c6e9777797c9993aa5fc07ecd032 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 13:46:28 2020 +1300 samdb: Add samdb.domain_netbios_name() 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abart...@samba.org: Backported from commit d79218dbba3d0f26d6a0e22b3c91b0731bf641dd as this backport to Samba 4.13 does not include 07ce48088824bba2054e029edfa6fbae972c1921 (samba-tool: Create unix user with modified template homedir)] commit 0242419a01075e93d4c7cdcb636260694a6f6eab Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 11:12:13 2020 +1300 selftest: Make as_canonicalization_tests.py easier to run outside "make test" This takes the realm from the LDAP base DN and so avoids one easy mistake to make. So far the NT4 domain name is not auto-detected, so it must be read from the smb.conf. By using .guess() the smb.conf is read for the unspecified parts (eg workstation for an NTLM login to the LDAP server if the target server is an IP address). Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d85e71f449037fa035fa2fae6b64caf695c53cb3) commit d08faae8bd0da140772946e3dfe75e484438ef39 Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 11:09:59 2020 +1300 selftest: Fix flipped machine and user constants This naturally does not change the test, but reduces developer confusion. Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 579a3c641c72b65f6ba39141a55c765b517bd7f8) commit d7ebc3b705519e3fabd464e0d81586111df8e97d Author: Andrew Bartlett <abart...@samba.org> Date: Tue Nov 10 11:09:13 2020 +1300 selftest: Send enterprise principals tagged as such This test passed against Samba but failed against Windows when an enterprise principal (u...@domain.com@REALM) was encoded as NT_PRINCIPAL. 
Signed-off-by: Andrew Bartlett <abart...@samba.org> Reviewed-by: Gary Lockyer <g...@catalyst.net.nz> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d7f731ed3577b407370d8fe7a62b4c3ee2dd9c75) commit ca83a606256d2270683afeb9eba3f6254df9480c Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Oct 27 09:32:21 2020 +1300 tests python krb5: Add python kerberos canonicalization tests Add python canonicalization tests, loosely based on the code in source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move the integration level tests out of kdc-canon-heimdal, leaving it as a heimdal library unit test. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 005435dc4d7de9d442c7513edec8c782fe20fda3) commit 8536b5f4397b568c5af334652a6db36f88e6d786 Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Oct 27 09:31:24 2020 +1300 tests python krb5: Add canonicalize flag to ASN1 Add the canonicalize flag to KerberosFlags, so that it can be used in python based canonicalization tests. Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 41c8aa4b991aad306d731b08d068c480eb5c7fed) commit 71f30ca29b4356abb908d09c25dddd8758533ddf Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Oct 27 09:29:56 2020 +1300 tests python krb5: Make PrincipalName_create a class method Make PrincipalName_create a class method, so it can be used in helper classes. 
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b14dca7c1c063e069517ff01b33c63a000d398c3) commit 44841d2b18bea264e126264c44744d4018031e8c Author: Gary Lockyer <g...@catalyst.net.nz> Date: Tue Nov 3 09:25:48 2020 +1300 selftest: add mit kdc specific known fail Add a MIT kerberos specific known fail, will be needed by subsequent commits. 
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abart...@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 04248f5e868d38498bdc8f9705c9a60fcfe79c09) ----------------------------------------------------------------------- Summary of changes: auth/credentials/pycredentials.c | 8 +- lib/talloc/pytalloc.c | 4 +- libgpo/pygpo.c | 2 +- librpc/idl/krb5ccache.idl | 115 + librpc/idl/wscript_build | 1 + librpc/wscript_build | 8 +- python/samba/netcmd/user.py | 10 +- python/samba/samdb.py | 15 + python/samba/tests/blackbox/ndrdump.py | 45 +- .../samba/tests/krb5/as_canonicalization_tests.py | 434 ++++ python/samba/tests/krb5/as_req_tests.py | 218 ++ python/samba/tests/krb5/compatability_tests.py | 227 ++ python/samba/tests/krb5/fast_tests.py | 1691 +++++++++++++ python/samba/tests/krb5/kcrypto.py | 79 +- python/samba/tests/krb5/kdc_base_test.py | 913 +++++++ python/samba/tests/krb5/kdc_tests.py | 228 ++ python/samba/tests/krb5/kdc_tgs_tests.py | 213 ++ .../krb5/ms_kile_client_principal_lookup_tests.py | 829 +++++++ .../{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0 python/samba/tests/krb5/raw_testcase.py | 2511 +++++++++++++++++--- python/samba/tests/krb5/rfc4120.asn1 | 187 +- python/samba/tests/krb5/rfc4120_constants.py | 171 ++ python/samba/tests/krb5/rfc4120_pyasn1.py | 241 +- python/samba/tests/krb5/s4u_tests.py | 38 +- python/samba/tests/krb5/simple_tests.py | 49 +- python/samba/tests/krb5/test_ccache.py | 135 ++ python/samba/tests/krb5/test_ldap.py | 96 + python/samba/tests/krb5/test_rpc.py | 79 + python/samba/tests/krb5/test_smb.py | 110 + python/samba/tests/krb5/xrealm_tests.py | 45 +- python/samba/tests/samdb.py | 13 +- python/samba/tests/usage.py | 13 + selftest/knownfail | 6 +- selftest/knownfail.d/kdc-enterprise | 63 + selftest/knownfail_heimdal_kdc | 123 + selftest/knownfail_mit_kdc | 322 +++ selftest/selftesthelpers.py | 58 +- selftest/target/Samba4.pm | 2 +- selftest/tests.py | 1 + 
selftest/wscript | 5 + source3/libsmb/clifsinfo.c | 44 +- source3/libsmb/pylibsmb.c | 138 +- source3/passdb/py_passdb.c | 4 - source3/selftest/ktest-krb5_ccache-2.txt | 1574 ++++++++++++ source3/selftest/ktest-krb5_ccache-3.txt | 832 +++++++ source4/auth/gensec/gensec_gssapi.c | 4 + source4/auth/gensec/pygensec.c | 71 +- source4/heimdal/kdc/kerberos5.c | 4 +- source4/heimdal/kdc/krb5tgs.c | 4 + source4/librpc/ndr/py_security.c | 37 + source4/librpc/wscript_build | 7 + source4/ntvfs/posix/python/pyposix_eadb.c | 2 +- source4/ntvfs/posix/python/pyxattr_native.c | 4 +- source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +- source4/selftest/tests.py | 57 + source4/torture/krb5/kdc-heimdal.c | 104 +- 56 files changed, 11725 insertions(+), 471 deletions(-) create mode 100644 librpc/idl/krb5ccache.idl create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py create mode 100755 python/samba/tests/krb5/as_req_tests.py create mode 100755 python/samba/tests/krb5/compatability_tests.py create mode 100755 python/samba/tests/krb5/fast_tests.py create mode 100644 python/samba/tests/krb5/kdc_base_test.py create mode 100755 python/samba/tests/krb5/kdc_tests.py create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%) create mode 100644 python/samba/tests/krb5/rfc4120_constants.py create mode 100755 python/samba/tests/krb5/test_ccache.py create mode 100755 python/samba/tests/krb5/test_ldap.py create mode 100755 python/samba/tests/krb5/test_rpc.py create mode 100755 python/samba/tests/krb5/test_smb.py create mode 100644 selftest/knownfail.d/kdc-enterprise create mode 100644 selftest/knownfail_heimdal_kdc create mode 100644 selftest/knownfail_mit_kdc create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt Changeset truncated at 500 lines: 
diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index a5d0f9e051c..e583b83d9a4 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -603,8 +603,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused) static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args) { char *newval; - enum credentials_obtained obt = CRED_SPECIFIED; - int _obt = obt; struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); if (creds == NULL) { PyErr_Format(PyExc_TypeError, "Credentials expected"); @@ -614,7 +612,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args) if (!PyArg_ParseTuple(args, "s", &newval)) { return NULL; } - obt = _obt; cli_credentials_set_forced_sasl_mech(creds, newval); Py_RETURN_NONE; @@ -766,6 +763,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args) if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx)) return NULL; + obt = _obt; mem_ctx = talloc_new(NULL); if (mem_ctx == NULL) { @@ -781,7 +779,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args) ret = cli_credentials_set_ccache(creds, lp_ctx, - newval, CRED_SPECIFIED, + newval, obt, &error_string); if (ret != 0) { @@ -1223,7 +1221,7 @@ static struct PyModuleDef moduledef = { PyTypeObject PyCredentials = { .tp_name = "credentials.Credentials", .tp_new = py_creds_new, - .tp_flags = Py_TPFLAGS_DEFAULT, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, .tp_methods = py_creds_methods, }; diff --git a/lib/talloc/pytalloc.c b/lib/talloc/pytalloc.c index cc5a6a812ea..4d3826153b9 100644 --- a/lib/talloc/pytalloc.c +++ b/lib/talloc/pytalloc.c @@ -37,7 +37,7 @@ static PyObject *pytalloc_report_full(PyObject *self, PyObject *args) } else { talloc_report_full(pytalloc_get_mem_ctx(py_obj), stdout); } - return Py_None; + Py_RETURN_NONE; } /* enable null tracking */ 
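Review bot: The value copied by the added `obt = _obt;` in py_creds_set_named_ccache comes straight from the optional `i` argument of `PyArg_ParseTuple(args, "s|iO", ...)` and is passed on to cli_credentials_set_ccache() (hunk at -781) without a range check. Any integer a Python caller supplies therefore becomes the cache's "obtained" level, including values that are not members of the enum. A guard before the assignment, `if (_obt < CRED_UNINITIALISED || _obt > CRED_SPECIFIED) { PyErr_SetString(PyExc_ValueError, "invalid obtained level"); return NULL; }`, would reject them. The declaration of `obt` and the rest of the function lie outside these hunks, and the sibling setters may follow the same unchecked pattern, so this is worth confirming file-wide.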
@@ -45,7 +45,7 @@ static PyObject *pytalloc_enable_null_tracking(PyObject *self, PyObject *Py_UNUSED(ignored)) { talloc_enable_null_tracking(); - return Py_None; + Py_RETURN_NONE; } /* return the number of talloc blocks */ diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index 29c8b11886e..3452bc77d61 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -41,7 +41,7 @@ static PyObject* GPO_get_##ATTR(PyObject *self, void *closure) \ if (gpo_ptr->ATTR) \ return PyUnicode_FromString(gpo_ptr->ATTR); \ else \ - return Py_None; \ + Py_RETURN_NONE; \ } GPO_getter(ds_path) GPO_getter(file_sys_path) diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl new file mode 100644 index 00000000000..1f0cfa752a9 --- /dev/null +++ b/librpc/idl/krb5ccache.idl 
@@ -0,0 +1,115 @@
+/*
+ krb5 credentials cache (version 3 or 4)
+ specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html
+*/
+
+#include "idl_types.h"
+
+[
+ uuid("1702b695-99ca-4f32-93e4-1e1c4d5ddb53"),
+ version(0.0),
+ pointer_default(unique),
+ helpstring("KRB5 credentials cache")
+]
+interface krb5ccache
+{
+ typedef struct {
+ uint32 name_type;
+ uint32 component_count;
+ [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string realm;
+ [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string components[component_count];
+ } PRINCIPAL;
+
+ typedef struct {
+ uint16 enctype;
+ DATA_BLOB data;
+ } KEYBLOCK;
+
+ typedef struct {
+ uint16 addrtype;
+ DATA_BLOB data;
+ } ADDRESS;
+
+ typedef struct {
+ uint32 count;
+ ADDRESS data[count];
+ } ADDRESSES;
+
+ typedef struct {
+ uint16 ad_type;
+ DATA_BLOB data;
+ } AUTHDATUM;
+
+ typedef struct {
+ uint32 count;
+ AUTHDATUM data[count];
+ } AUTHDATA;
+
+ typedef struct {
+ PRINCIPAL client;
+ PRINCIPAL server;
+ KEYBLOCK keyblock;
+ uint32 authtime;
+ uint32 starttime;
+ uint32 endtime;
+ uint32 renew_till;
+ uint8 is_skey;
+ uint32 ticket_flags;
+ ADDRESSES addresses;
+ AUTHDATA authdata;
+ DATA_BLOB ticket;
+ DATA_BLOB second_ticket;
+ } CREDENTIAL;
+
+ typedef struct {
+ [value(0)] int32 kdc_sec_offset;
+ [value(0)] int32 kdc_usec_offset;
+ } DELTATIME_TAG;
+
+ typedef [nodiscriminant] union {
+ [case(1)] DELTATIME_TAG deltatime_tag;
+ } FIELD;
+
+ typedef struct {
+ [value(1)] uint16 tag;
+ [subcontext(2),switch_is(tag)] FIELD field;
+ } V4TAG;
+
+ typedef struct {
+ V4TAG tag;
+ /*
+ * We should allow for more than one tag to be properly parsed, but that
+ * would require manual parsing.
+ */
+ [flag(NDR_REMAINING)] DATA_BLOB further_tags;
+ } V4TAGS;
+
+ typedef struct {
+ [subcontext(2)] V4TAGS v4tags;
+ } V4HEADER;
+
+ typedef [nodiscriminant] union {
+ /*
+ * We don't attempt to support file format versions 1 and 2 as they
+ * assume native CPU byte order, which makes no sense in PIDL.
+ */ + [case(3)] ; + [case(4)] V4HEADER v4header; + } OPTIONAL_HEADER; + + /* Public structures. */ + + typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { + [value(5)] uint8 pvno; + [value(4)] uint8 version; + [switch_is(version)] OPTIONAL_HEADER optional_header; + PRINCIPAL principal; + CREDENTIAL cred; + [flag(NDR_REMAINING)] DATA_BLOB further_creds; + } CCACHE; + + typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { + CREDENTIAL cred; + [flag(NDR_REMAINING)] DATA_BLOB further_creds; + } MULTIPLE_CREDENTIALS; +} diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build index 928f54abde0..0cbd7f8fdfc 100644 --- a/librpc/idl/wscript_build +++ b/librpc/idl/wscript_build @@ -147,6 +147,7 @@ bld.SAMBA_PIDL_LIST('PIDL', drsblobs.idl idmap.idl krb5pac.idl + krb5ccache.idl messaging.idl misc.idl nbt.idl diff --git a/librpc/wscript_build b/librpc/wscript_build index 27b180fa63d..8f31d59d3b5 100644 --- a/librpc/wscript_build +++ b/librpc/wscript_build @@ -374,6 +374,11 @@ bld.SAMBA_LIBRARY('ndr-krb5pac', vnum='0.0.1' ) +bld.SAMBA_SUBSYSTEM('NDR_KRB5CCACHE', + source='gen_ndr/ndr_krb5ccache.c', + deps='ndr NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util' + ) + bld.SAMBA_LIBRARY('ndr-standard', source='', vnum='0.0.1', @@ -616,7 +621,8 @@ bld.SAMBA_LIBRARY('ndr-samba', source=[], deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_NEGOEX NDR_SCHANNEL NDR_MGMT NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM - NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''', + NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV + NDR_KRB5CCACHE''', private_library=True, grouping_library=True ) diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py index 7d4464e2aa9..ad5d2fbd485 100644 --- a/python/samba/netcmd/user.py +++ b/python/samba/netcmd/user.py 
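Review bot: The element counts in PRINCIPAL (`component_count`), ADDRESSES (`count`) and AUTHDATA (`count`) in the new krb5ccache.idl are plain `uint32` fields read from the file and used directly as array lengths, with no upper bound declared. If a CCACHE blob can ever reach this parser from outside the test suite, bounding them with PIDL's range attribute, e.g. `[range(0,MAX_COMPONENTS)] uint32 component_count;` (MAX_COMPONENTS is a placeholder for a limit still to be chosen), would let the generated pull code reject absurd counts early. How the generated code treats a count larger than the remaining buffer is not visible in this hunk, so this is a hardening suggestion rather than a confirmed defect. A short comment on CCACHE and MULTIPLE_CREDENTIALS stating that only the first credential is decoded and the remainder stays opaque in `further_creds` would also help readers who expect a full multi-ticket parse.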
@@ -3001,14 +3001,8 @@ The users gecos field will be set to 'User4 test' if unix_home is None: # obtain nETBIOS Domain Name - filter = "(&(objectClass=crossRef)(nETBIOSName=*))" - searchdn = ("CN=Partitions,CN=Configuration," + domaindn) - try: - res = samdb.search(searchdn, - scope=ldb.SCOPE_SUBTREE, - expression=filter) - unix_domain = res[0]["nETBIOSName"][0] - except IndexError: + unix_domain = samdb.domain_netbios_name() + if unix_domain is None: raise CommandError('Unable to find Unix domain') unix_home = "/home/{0}/{1}".format(unix_domain, username) diff --git a/python/samba/samdb.py b/python/samba/samdb.py index d13c5e3b7a2..36d668c4586 100644 --- a/python/samba/samdb.py +++ b/python/samba/samdb.py @@ -928,6 +928,21 @@ accountExpires: %u domain_dn = self.get_default_basedn() return domain_dn.canonical_str().split('/')[0] + def domain_netbios_name(self): + """return the NetBIOS name of the domain root""" + domain_dn = self.get_default_basedn() + dns_name = self.domain_dns_name() + filter = "(&(objectClass=crossRef)(nETBIOSName=*)(ncName=%s)(dnsroot=%s))" % (domain_dn, dns_name) + partitions_dn = self.get_partitions_dn() + res = self.search(partitions_dn, + scope=ldb.SCOPE_ONELEVEL, + expression=filter) + try: + netbios_domain = res[0]["nETBIOSName"][0].decode() + except IndexError: + return None + return netbios_domain + def forest_dns_name(self): """return the DNS name of the forest root""" forest_dn = self.get_root_basedn() diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py index a33229e4740..7833ec98119 100644 --- a/python/samba/tests/blackbox/ndrdump.py +++ b/python/samba/tests/blackbox/ndrdump.py 
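Review bot: In the new `domain_netbios_name()` in samdb.py, `domain_dn` and `dns_name` are interpolated into the LDAP search filter with `%` and no escaping, so a base DN containing filter metacharacters such as `(`, `)`, `*` or `\` would change or break the expression. Both values come from the database itself, which limits the exposure, but escaping is cheap: build the tuple as `(ldb.binary_encode(str(domain_dn)), ldb.binary_encode(dns_name))`. The local name `filter` also shadows the builtin; `expression` would read better and matches the keyword it is passed to. The docstring could add that the method returns `None` when no matching crossRef entry is found, since the caller in user.py depends on that.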
@@ -25,13 +25,7 @@ import os import re from samba.tests import BlackboxTestCase, BlackboxProcessError -for p in ["../../../../../source4/librpc/tests", - "../../../../../librpc/tests"]: - data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p)) - print(data_path_dir) - if os.path.exists(data_path_dir): - break - +data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../../source4/librpc/tests")) class NdrDumpTests(BlackboxTestCase): """Blackbox tests for ndrdump.""" 
@@ -326,6 +320,43 @@ dump OK # convert expected to bytes for python 3 self.assertEqual(actual, expected.encode('utf-8')) + def test_ndrdump_Krb5ccache(self): + expected = open(self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-2.txt")).read() + try: + # Specify -d1 to match the generated output file, because ndrdump + # only outputs some additional info if this parameter is specified, + # and the --configfile parameter gives us an empty smb.conf to avoid + # extraneous output. + actual = self.check_output( + "ndrdump krb5ccache CCACHE struct " + "--configfile /dev/null -d1 --validate " + + self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-2")) + except BlackboxProcessError as e: + self.fail(e) + # check_output will return bytes + # convert expected to bytes for python 3 + self.assertEqual(actual, expected.encode('utf-8')) + + expected = open(self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-3.txt")).read() + try: + # Specify -d1 to match the generated output file, because ndrdump + # only outputs some additional info if this parameter is specified, + # and the --configfile parameter gives us an empty smb.conf to avoid + # extraneous output. + actual = self.check_output( + "ndrdump krb5ccache CCACHE struct " + "--configfile /dev/null -d1 --validate " + + self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-3")) + except BlackboxProcessError as e: + self.fail(e) + # check_output will return bytes + # convert expected to bytes for python 3 + self.assertEqual(actual, expected.encode('utf-8')) + # This is a good example of a union with an empty default # and no buffers to parse. def test_ndrdump_fuzzed_spoolss_EnumForms(self): diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py new file mode 100755 index 00000000000..29d8cf418f5 --- /dev/null +++ b/python/samba/tests/krb5/as_canonicalization_tests.py 
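Review bot: `test_ndrdump_Krb5ccache` reads both expected-output files with `open(...).read()` and never closes them, leaving the handles to the garbage collector, which can emit ResourceWarning; `with open(path) as f: expected = f.read()` avoids that. The two halves of the test differ only in the `-2`/`-3` suffix, so a loop over the two sample names would remove the duplicated block and its duplicated comment. The ndrdump command line is assembled by string concatenation with `self.data_path(...)`; how `check_output` executes it is outside this hunk, so whether the path needs quoting should be confirmed there.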
@@ -0,0 +1,434 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# +# Copyright (C) Catalyst IT Ltd. 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see <http://www.gnu.org/licenses/>. +# + +import sys +import os +from enum import Enum, unique +import pyasn1 + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.kdc_base_test import KDCBaseTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.credentials import DONT_USE_KERBEROS +from samba.dcerpc.misc import SEC_CHAN_WKSTA +from samba.tests import DynamicTestCase +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KU_AS_REP_ENC_PART, + KRB_ERROR, + KU_PA_ENC_TIMESTAMP, + PADATA_ENC_TIMESTAMP, + NT_ENTERPRISE_PRINCIPAL, + NT_PRINCIPAL, + NT_SRV_INST, +) + +global_asn1_print = False +global_hexdump = False + + +@unique +class TestOptions(Enum): + Canonicalize = 1 + Enterprise = 2 + UpperRealm = 4 + UpperUserName = 8 + NetbiosRealm = 16 + UPN = 32 + RemoveDollar = 64 + AsReqSelf = 128 + Last = 256 + + def is_set(self, x): + return self.value & x + + +@unique +class CredentialsType(Enum): + User = 1 + Machine = 2 + + def is_set(self, x): + return self.value & x + + +class TestData: + + def __init__(self, options, creds): + self.options = options + self.user_creds = creds + 
self.user_name = self._get_username(options, creds) + self.realm = self._get_realm(options, creds) + + if TestOptions.Enterprise.is_set(options): + client_name_type = NT_ENTERPRISE_PRINCIPAL + else: + client_name_type = NT_PRINCIPAL + + self.cname = KDCBaseTest.PrincipalName_create( + name_type=client_name_type, names=[self.user_name]) + if TestOptions.AsReqSelf.is_set(options): + self.sname = self.cname + else: + self.sname = KDCBaseTest.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", self.realm]) + self.canonicalize = TestOptions.Canonicalize.is_set(options) + + def _get_realm(self, options, creds): + realm = creds.get_realm() + if TestOptions.NetbiosRealm.is_set(options): + realm = creds.get_domain() + if TestOptions.UpperRealm.is_set(options): + realm = realm.upper() + else: + realm = realm.lower() + return realm + + def _get_username(self, options, creds): + name = creds.get_username() + if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"): + name = name[:-1] + if TestOptions.Enterprise.is_set(options): + realm = creds.get_realm() + name = "{0}@{1}".format(name, realm) + if TestOptions.UpperUserName.is_set(options): + name = name.upper() + return name + + def __repr__(self): + rep = "Test Data: " + rep += "options = '" + "{:08b}".format(self.options) + "'" + rep += "user name = '" + self.user_name + "'" + rep += ", realm = '" + self.realm + "'" + rep += ", cname = '" + str(self.cname) + "'" + rep += ", sname = '" + str(self.sname) + "'" + return rep + + +MACHINE_NAME = "tstkrb5cnnmch" +USER_NAME = "tstkrb5cnnusr" + + +@DynamicTestCase +class KerberosASCanonicalizationTests(KDCBaseTest): + + @classmethod + def setUpDynamicTestCases(cls): + + def skip(ct, options): + ''' Filter out any mutually exclusive test options ''' + if ct != CredentialsType.Machine and\ + TestOptions.RemoveDollar.is_set(options): -- Samba Shared Repository
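Review bot: `TestData.__repr__` joins the options and user-name fields with no separator: the line `rep += "user name = '" + ...` lacks the leading `, ` that every later field has, so the output runs together as, for example, `options = '00000001'user name = ...`. Change it to `rep += ", user name = '" + self.user_name + "'"`. Separately, `is_set()` on both enums returns the raw `self.value & x` rather than a bool; that works in the `if` tests shown, but it makes `self.canonicalize` an int, and `return bool(self.value & x)` would state the intent. The listing is cut off on this page inside `setUpDynamicTestCases`, so the rest of the class is not covered by this note.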