The branch, master has been updated
       via  7eb1e1cc949 s4:torture: Remove test combination with enterprise principal without canonicalize flag
       via  23ec41fd13f s4:torture: Remove AS_REQ_SELF test stage
       via  f8b17214d06 tests/krb5: Add tests for enterprise principals with canonicalization
       via  860065a3c99 tests/krb5: Add tests for AS-REQ with an SPN
       via  31900a0a582 tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types
       via  ff6d325e38d tests/krb5: Check ticket cname for Heimdal
       via  3fc9dc2395e tests/krb5: Check logon name in PAC for canonicalization tests
       via  10983779bc5 tests/krb5: Only create testing accounts once per test run
       via  8036aa12766 waf:mitkrb5: Always define lib so we get the header include path
       via  238e4c86ca7 waf:mitkrb5: Fix MIT KRB5 detection if not in default system location
       via  61404faf767 waf:mitkrb5: Detect com_err with pkgconfig first
       via  61ce2899791 wafsamba: Pass lib to CHECK_DECLS()
       via  18788e174ed s3:waf: Fix dependencies for libads
       via  93619962020 s4:waf: Fix dependencies for TORTURE_UTIL
       via  8393adaa5ad s3:param: Only include smb_ldap.h for LDAP_* defines
       via  3bfdbc1e93b s3:param: Remove trailing spaces in loadparm.c
       via  528e5efc17d samba-tool: Test DNS record creation on member join
       via  5e31e8f15bf samba-tool: Create DNS entries on member join
      from  05c09e8cfa0 heimdal_build: Prepare for Heimdal upgrade by only building HEIMDAL_ASN1_GEN_HOSTCC when needed.
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------


commit 7eb1e1cc9498c761c9fcd2bd839e1e2c28a365df
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 3 11:58:40 2021 +1300

    s4:torture: Remove test combination with enterprise principal without canonicalize flag

    This test combination is not needed. Removing it allows us to avoid
    modifying requests prior to sending them, which can cause problems with
    an upgraded Heimdal version.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Mon Dec 6 22:57:54 UTC 2021 on sn-devel-184

commit 23ec41fd13f3ccae6b494682901f084d34538bec
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 3 11:57:49 2021 +1300

    s4:torture: Remove AS_REQ_SELF test stage

    This behaviour is already covered by existing Python tests. This test
    stage also modifies the request prior to sending it, which can cause
    problems with an upgraded Heimdal version.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit f8b17214d06ad9f1321a1d57f6e9bfe7b8899bf6
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Nov 30 09:42:00 2021 +1300

    tests/krb5: Add tests for enterprise principals with canonicalization

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 860065a3c99475e43f68330f7349cb317bc5b009
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 16:22:58 2021 +1300

    tests/krb5: Add tests for AS-REQ with an SPN

    Using a SPN should only be permitted if it is also a UPN, and is not an
    enterprise principal.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 31900a0a58283868798dcb90ed43519b39559c2c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Dec 3 13:13:29 2021 +1300

    tests/krb5: Add more AS-REQ ENC-TIMESTAMP tests with different encryption types

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit ff6d325e38d83b689da47c1b059f3ed865ffa7c2
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 25 16:16:52 2021 +1300

    tests/krb5: Check ticket cname for Heimdal

    This is currently not checked in several places due to STRICT_CHECKING
    being set to 0.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3fc9dc2395ebc292087ae050bd721747e851056d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 2 16:51:26 2021 +1300

    tests/krb5: Check logon name in PAC for canonicalization tests

    This allows us to ensure that the correct name makes it through to the
    PAC.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 10983779bc5d50cdb69b64656cbc56f0250e3f23
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Dec 2 16:50:55 2021 +1300

    tests/krb5: Only create testing accounts once per test run

    This decreases the time that the tests take to run.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8036aa12766840e019f28e914a30769f71444ba9
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 6 18:01:40 2021 +0100

    waf:mitkrb5: Always define lib so we get the header include path

    If you have libkrb5 in a non-standard include path, we would not check
    the latest version but search default paths (e.g. /usr/include) first.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 238e4c86ca70174e88f11ab876965f9aba866e0d
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 3 08:49:24 2021 +0100

    waf:mitkrb5: Fix MIT KRB5 detection if not in default system location

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 61404faf7671f87359cf7c701ac6e159e7f2c7f9
Author: Andreas Schneider <a...@samba.org>
Date:   Fri Dec 3 09:13:52 2021 +0100

    waf:mitkrb5: Detect com_err with pkgconfig first

    It is needed as a dependency later!

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 61ce2899791dc9a078b1af4ee62ab29436fe95dc
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 6 18:00:33 2021 +0100

    wafsamba: Pass lib to CHECK_DECLS()

    This is needed if you have headers in non-standard include paths.

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 18788e174edbc0c852eccf7eadb76c1a421778f5
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 6 18:17:35 2021 +0100

    s3:waf: Fix dependencies for libads

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 93619962020968bbfe7967f88b8814cff3ce5510
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 6 18:13:58 2021 +0100

    s4:waf: Fix dependencies for TORTURE_UTIL

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 8393adaa5ad8e4b9ba9b2a155514e09f16298ca8
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 6 18:08:54 2021 +0100

    s3:param: Only include smb_ldap.h for LDAP_* defines

    There is no need for ads.h which would pull in krb5.h and much more ...

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 3bfdbc1e93bdad91e7498ba2601e1527bc1982f0
Author: Andreas Schneider <a...@samba.org>
Date:   Mon Dec 6 18:08:37 2021 +0100

    s3:param: Remove trailing spaces in loadparm.c

    Signed-off-by: Andreas Schneider <a...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 528e5efc17ddc3393c04b7add9c51303d5ff9336
Author: David Mulder <dmul...@suse.com>
Date:   Tue Nov 23 08:59:01 2021 -0700

    samba-tool: Test DNS record creation on member join

    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 5e31e8f15bf0dea1de4f09d270f6bed1a71fb875
Author: David Mulder <dmul...@suse.com>
Date:   Fri Nov 5 14:43:18 2021 -0600

    samba-tool: Create DNS entries on member join

    The net ads join command already handles this, and the call was missing
    from the python bindings for samba-tool domain join member.
    Signed-off-by: David Mulder <dmul...@suse.com>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 buildtools/wafsamba/samba_autoconf.py              |   4 +-
 python/samba/netcmd/domain.py                      |  10 +-
 .../samba/tests/krb5/as_canonicalization_tests.py  |  48 ++-
 python/samba/tests/krb5/as_req_tests.py            | 331 +++++++++++++++++++--
 python/samba/tests/krb5/kdc_base_test.py           |  23 +-
 python/samba/tests/krb5/kdc_tgs_tests.py           | 243 ++++++++++++++-
 python/samba/tests/krb5/raw_testcase.py            |  27 +-
 python/samba/tests/samba_tool/join_member.py       |  71 +++++
 selftest/knownfail_mit_kdc                         |   4 +
 selftest/target/Samba.pm                           |   1 +
 selftest/target/Samba3.pm                          |  23 ++
 source3/param/loadparm.c                           |  28 +-
 source3/utils/net_ads.c                            | 299 +------------------
 source3/utils/net_ads_join_dns.c                   | 328 ++++++++++++++++++++
 source3/utils/net_proto.h                          |  11 +
 source3/utils/py_net.c                             |  24 +-
 source3/utils/wscript_build                        |   7 +-
 source3/wscript_build                              |   1 +
 source4/selftest/tests.py                          |  59 ++--
 source4/torture/krb5/kdc-canon-heimdal.c           | 324 ++------------------
 source4/torture/wscript_build                      |   2 +-
 wscript_configure_system_mitkrb5                   | 130 +++++--
 22 files changed, 1250 insertions(+), 748 deletions(-)
 create mode 100644 python/samba/tests/samba_tool/join_member.py
 create mode 100644 source3/utils/net_ads_join_dns.c


Changeset truncated at 500 lines:

diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py index 4d2aea6c941..8b499825230 100644 --- a/buildtools/wafsamba/samba_autoconf.py +++ b/buildtools/wafsamba/samba_autoconf.py @@ -212,7 +212,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False, @conf -def CHECK_DECLS(conf, vars, reverse=False, headers=None, always=False): +def CHECK_DECLS(conf, vars, reverse=False, headers=None, lib=None, always=False): '''check a list of variable declarations, using the HAVE_DECL_xxx form of define 
@@ -227,6 +227,7 @@ def CHECK_DECLS(conf, vars, reverse=False, headers=None, always=False): if not CHECK_VARIABLE(conf, v, define=define, headers=headers, + lib=lib, msg='Checking for declaration of %s' % v, always=always): if not CHECK_CODE(conf, @@ -238,6 +239,7 @@ def CHECK_DECLS(conf, vars, reverse=False, headers=None, always=False): msg='Checking for declaration of %s (as enum)' % v, local_include=False, headers=headers, + lib=lib, define=define, always=always): ret = False diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py index eb52557212e..1bdc0ee535a 100644 --- a/python/samba/netcmd/domain.py +++ b/python/samba/netcmd/domain.py @@ -636,7 +636,10 @@ class cmd_domain_join(Command): "Don't choose this unless you know what you're doing") ] - takes_options = [] + takes_options = [ + Option("--no-dns-updates", action="store_true", + help="Disable DNS updates") + ] takes_options.extend(common_join_options) takes_options.extend(common_provision_join_options) @@ -652,7 +655,7 @@ class cmd_domain_join(Command): versionopts=None, server=None, site=None, targetdir=None, domain_critical_only=False, machinepass=None, use_ntvfs=False, experimental_s4_member=False, dns_backend=None, - quiet=False, verbose=False, + quiet=False, verbose=False, no_dns_updates=False, plaintext_secrets=False, backend_store=None, backend_store_size=None): lp = sambaopts.get_loadparm() @@ -693,7 +696,8 @@ class cmd_domain_join(Command): s3_net = s3_Net(creds, s3_lp, server=server) (sid, domain_name) = s3_net.join_member(netbios_name, machinepass=machinepass, - debug=verbose) + debug=verbose, + noDnsUpdates=no_dns_updates) self.errf.write("Joined domain %s (%s)\n" % (domain_name, sid)) elif role == "DC" and is_ad_dc_built(): diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 674fcb37101..700a03622e1 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py 
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -28,7 +28,9 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.credentials import DONT_USE_KERBEROS +from samba.dcerpc import krb5pac from samba.dcerpc.misc import SEC_CHAN_WKSTA +from samba.ndr import ndr_unpack from samba.tests import DynamicTestCase from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, @@ -39,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import ( KU_AS_REP_ENC_PART, KRB_ERROR, KU_PA_ENC_TIMESTAMP, + KU_TICKET, PADATA_ENC_TIMESTAMP, NT_ENTERPRISE_PRINCIPAL, NT_PRINCIPAL, @@ -134,6 +137,12 @@ USER_NAME = "tstkrb5cnnusr" @DynamicTestCase class KerberosASCanonicalizationTests(KDCBaseTest): + @classmethod + def setUpClass(cls): + super().setUpClass() + cls.user_creds = None + cls.machine_creds = None + @classmethod def setUpDynamicTestCases(cls): @@ -164,14 +173,14 @@ class KerberosASCanonicalizationTests(KDCBaseTest): def user_account_creds(self): if self.user_creds is None: samdb = self.get_samdb() - self.user_creds, _ = self.create_account(samdb, USER_NAME) + type(self).user_creds, _ = self.create_account(samdb, USER_NAME) return self.user_creds def machine_account_creds(self): if self.machine_creds is None: samdb = self.get_samdb() - self.machine_creds, _ = self.create_account( + type(self).machine_creds, _ = self.create_account( samdb, MACHINE_NAME, account_type=self.AccountType.COMPUTER) @@ -185,9 +194,6 @@ class KerberosASCanonicalizationTests(KDCBaseTest): self.do_asn1_print = global_asn1_print self.do_hexdump = global_hexdump - self.user_creds = None - self.machine_creds = None - def _test_with_args(self, x, ct): if ct == CredentialsType.User: creds = self.user_account_creds() 
@@ -226,6 +232,38 @@ class KerberosASCanonicalizationTests(KDCBaseTest): srealm = as_rep['srealm'].decode('ascii') self.check_srealm(srealm, data) + if TestOptions.AsReqSelf.is_set(data.options): + ticket_creds = creds + else: + ticket_creds = self.get_krbtgt_creds() + ticket_key = self.TicketDecryptionKey_from_creds(ticket_creds) + + ticket_encpart = rep['ticket']['enc-part'] + self.assertElementEqual(ticket_encpart, 'etype', + ticket_key.etype) + self.assertElementEqual(ticket_encpart, 'kvno', + ticket_key.kvno) + ticket_decpart = ticket_key.decrypt(KU_TICKET, + ticket_encpart['cipher']) + ticket_private = self.der_decode( + ticket_decpart, + asn1Spec=krb5_asn1.EncTicketPart()) + + pac_data = self.get_pac(ticket_private['authorization-data']) + pac = ndr_unpack(krb5pac.PAC_DATA, pac_data) + + for pac_buffer in pac.buffers: + if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME: + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_username() + else: + expected = data.user_name + + self.assertEqual(expected, pac_buffer.info.account_name) + break + else: + self.fail('PAC_TYPE_LOGON_NAME not found') + def as_req(self, data): user_creds = data.user_creds realm = data.realm diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 315720f85d6..263e77d4812 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -27,9 +27,11 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_ETYPE_NOSUPP, KDC_ERR_PREAUTH_REQUIRED, KU_PA_ENC_TIMESTAMP, + NT_ENTERPRISE_PRINCIPAL, NT_PRINCIPAL, NT_SRV_INST, PADATA_ENC_TIMESTAMP 
@@ -40,46 +42,67 @@ global_hexdump = False class AsReqBaseTest(KDCBaseTest): - def _run_as_req_enc_timestamp(self, client_creds): - client_account = client_creds.get_username() + def _run_as_req_enc_timestamp(self, client_creds, client_account=None, + expected_cname=None, + name_type=NT_PRINCIPAL, etypes=None, + expected_error=None, expect_edata=None, + kdc_options=None): + user_name = client_creds.get_username() + if client_account is None: + client_account = user_name client_as_etypes = self.get_default_enctypes() client_kvno = client_creds.get_kvno() krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True) krbtgt_account = krbtgt_creds.get_username() + krbtgt_supported_etypes = krbtgt_creds.tgs_supported_enctypes realm = krbtgt_creds.get_realm() - cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, - names=[client_account]) + cname = self.PrincipalName_create(name_type=name_type, + names=client_account.split('/')) sname = self.PrincipalName_create(name_type=NT_SRV_INST, names=[krbtgt_account, realm]) expected_crealm = realm - expected_cname = cname + if expected_cname is None: + expected_cname = cname expected_srealm = realm expected_sname = sname expected_salt = client_creds.get_salt() till = self.get_KerberosTime(offset=36000) - initial_etypes = client_as_etypes - initial_kdc_options = krb5_asn1.KDCOptions('forwardable') - initial_error_mode = KDC_ERR_PREAUTH_REQUIRED - - rep, kdc_exchange_dict = self._test_as_exchange(cname, - realm, - sname, - till, - client_as_etypes, - initial_error_mode, - expected_crealm, - expected_cname, - expected_srealm, - expected_sname, - expected_salt, - initial_etypes, - None, - initial_kdc_options, - pac_request=True) + if etypes is None: + etypes = client_as_etypes + if kdc_options is None: + kdc_options = krb5_asn1.KDCOptions('forwardable') + if expected_error is not None: + initial_error_mode = expected_error + else: + initial_error_mode = KDC_ERR_PREAUTH_REQUIRED + + rep, kdc_exchange_dict = 
self._test_as_exchange( + cname, + realm, + sname, + till, + client_as_etypes, + initial_error_mode, + expected_crealm, + expected_cname, + expected_srealm, + expected_sname, + expected_salt, + etypes, + None, + kdc_options, + expected_supported_etypes=krbtgt_supported_etypes, + expected_account_name=user_name, + pac_request=True, + expect_edata=expect_edata) + + if expected_error is not None: + return None + etype_info2 = kdc_exchange_dict['preauth_etype_info2'] self.assertIsNotNone(etype_info2) @@ -98,8 +121,6 @@ class AsReqBaseTest(KDCBaseTest): pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) preauth_padata = [pa_ts] - preauth_etypes = client_as_etypes - preauth_kdc_options = krb5_asn1.KDCOptions('forwardable') preauth_error_mode = 0 # AS-REP krbtgt_decryption_key = ( @@ -117,9 +138,11 @@ class AsReqBaseTest(KDCBaseTest): expected_srealm, expected_sname, expected_salt, - preauth_etypes, + etypes, preauth_padata, - preauth_kdc_options, + kdc_options, + expected_supported_etypes=krbtgt_supported_etypes, + expected_account_name=user_name, preauth_key=preauth_key, ticket_decryption_key=krbtgt_decryption_key, pac_request=True) 
@@ -209,6 +232,258 @@ class AsReqKerberosTests(AsReqBaseTest): client_creds = self.get_mach_creds() self._run_as_req_enc_timestamp(client_creds) + def test_as_req_enc_timestamp_rc4(self): + client_creds = self.get_client_creds() + self._run_as_req_enc_timestamp( + client_creds, + etypes={kcrypto.Enctype.RC4}) + + def test_as_req_enc_timestamp_mac_rc4(self): + client_creds = self.get_mach_creds() + self._run_as_req_enc_timestamp( + client_creds, + etypes={kcrypto.Enctype.RC4}) + + def test_as_req_enc_timestamp_rc4_dummy(self): + client_creds = self.get_client_creds() + self._run_as_req_enc_timestamp( + client_creds, + etypes={kcrypto.Enctype.RC4, + -1111}) + + def test_as_req_enc_timestamp_mac_rc4_dummy(self): + client_creds = self.get_mach_creds() + self._run_as_req_enc_timestamp( + client_creds, + etypes={kcrypto.Enctype.RC4, + -1111}) + + def test_as_req_enc_timestamp_aes128_rc4(self): + client_creds = self.get_client_creds() + self._run_as_req_enc_timestamp( + client_creds, + etypes={kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4}) + + def test_as_req_enc_timestamp_mac_aes128_rc4(self): + client_creds = self.get_mach_creds() + self._run_as_req_enc_timestamp( + client_creds, + etypes={kcrypto.Enctype.AES128, + kcrypto.Enctype.RC4}) + + def test_as_req_enc_timestamp_spn(self): + client_creds = self.get_mach_creds() + spn = client_creds.get_spn() + self._run_as_req_enc_timestamp( + client_creds, client_account=spn, + expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN, + expect_edata=False) + + def test_as_req_enc_timestamp_spn_realm(self): + samdb = self.get_samdb() + realm = samdb.domain_dns_name().upper() + + client_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'upn': f'host/{{account}}.{realm}@{realm}'}) + spn = client_creds.get_spn() + self._run_as_req_enc_timestamp( + client_creds, client_account=spn, + expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN, + expect_edata=False) + + def test_as_req_enc_timestamp_spn_upn(self): + samdb = 
self.get_samdb() + realm = samdb.domain_dns_name().upper() + + client_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'upn': f'host/{{account}}.{realm}@{realm}', + 'spn': f'host/{{account}}.{realm}'}) + spn = client_creds.get_spn() + self._run_as_req_enc_timestamp(client_creds, client_account=spn) + + def test_as_req_enc_timestamp_spn_enterprise(self): + client_creds = self.get_mach_creds() + spn = client_creds.get_spn() + self._run_as_req_enc_timestamp( + client_creds, client_account=spn, + name_type=NT_ENTERPRISE_PRINCIPAL, + expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN, + expect_edata=False) + + def test_as_req_enc_timestamp_spn_enterprise_realm(self): + samdb = self.get_samdb() + realm = samdb.domain_dns_name().upper() + + client_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'upn': f'host/{{account}}.{realm}@{realm}'}) + spn = client_creds.get_spn() + self._run_as_req_enc_timestamp( + client_creds, + name_type=NT_ENTERPRISE_PRINCIPAL, + client_account=spn, + expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN, + expect_edata=False) + + def test_as_req_enc_timestamp_spn_upn_enterprise(self): + samdb = self.get_samdb() + realm = samdb.domain_dns_name().upper() + + client_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'upn': f'host/{{account}}.{realm}@{realm}', + 'spn': f'host/{{account}}.{realm}'}) + spn = client_creds.get_spn() + self._run_as_req_enc_timestamp( + client_creds, + name_type=NT_ENTERPRISE_PRINCIPAL, + client_account=spn, + expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN, + expect_edata=False) + + def test_as_req_enterprise_canon(self): + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={'upn': 'krb5_enterprise0'}) + + user_name = client_creds.get_username() + realm = client_creds.get_realm() + client_account = f'{user_name}@{realm}' + + expected_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + + 
self._run_as_req_enc_timestamp( + client_creds, + client_account=client_account, + expected_cname=expected_cname, + name_type=NT_ENTERPRISE_PRINCIPAL, + kdc_options=krb5_asn1.KDCOptions('canonicalize')) + + def test_as_req_enterprise_canon_case(self): + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={'upn': 'krb5_enterprise1'}) + + user_name = client_creds.get_username() + realm = client_creds.get_realm().lower() + client_account = f'{user_name}@{realm}' + + expected_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + + self._run_as_req_enc_timestamp( + client_creds, + client_account=client_account, + expected_cname=expected_cname, + name_type=NT_ENTERPRISE_PRINCIPAL, + kdc_options=krb5_asn1.KDCOptions('canonicalize')) + + def test_as_req_enterprise_canon_mac(self): + client_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'upn': 'krb5_enterprise2'}) + + user_name = client_creds.get_username() + realm = client_creds.get_realm() + client_account = f'{user_name}@{realm}' + + expected_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + + self._run_as_req_enc_timestamp( + client_creds, + client_account=client_account, + expected_cname=expected_cname, + name_type=NT_ENTERPRISE_PRINCIPAL, + kdc_options=krb5_asn1.KDCOptions('canonicalize')) + + def test_as_req_enterprise_canon_mac_case(self): + client_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'upn': 'krb5_enterprise3'}) + + user_name = client_creds.get_username() + realm = client_creds.get_realm().lower() + client_account = f'{user_name}@{realm}' + + expected_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + + self._run_as_req_enc_timestamp( + client_creds, + client_account=client_account, + expected_cname=expected_cname, + name_type=NT_ENTERPRISE_PRINCIPAL, + kdc_options=krb5_asn1.KDCOptions('canonicalize')) + + def 
test_as_req_enterprise_no_canon(self): + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={'upn': 'krb5_enterprise4'}) + + user_name = client_creds.get_username() + realm = client_creds.get_realm() + client_account = f'{user_name}@{realm}' -- Samba Shared Repository
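Review bot: the new `lib` keyword on `CHECK_DECLS()` in samba_autoconf.py is threaded through to both `CHECK_VARIABLE` and `CHECK_CODE`, but the docstring that follows ('''check a list of variable declarations, using the HAVE_DECL_xxx form of define) is not updated to say what `lib` is for; add a sentence stating that it supplies the include path of a library living outside the default search path, which is the case the commit message describes, so callers know when to pass it.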
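Review bot: `--no-dns-updates` in domain.py is registered in `takes_options` for `cmd_domain_join` as a whole, but `no_dns_updates` is only consumed in the member branch, where it is passed as `noDnsUpdates=no_dns_updates` to `s3_net.join_member`; the `elif role == "DC" and is_ad_dc_built():` branch that follows accepts the flag and ignores it. Either make the help text say "Disable DNS updates (member join only)" or reject the option for other roles, so a DC join does not silently go ahead with DNS updates the operator asked to suppress.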
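Review bot: `user_account_creds()` and `machine_account_creds()` in as_canonicalization_tests.py now store their result in `type(self).user_creds` / `type(self).machine_creds`, so the created account outlives the test instance that created it; confirm that `create_account()` does not register a per-instance `addCleanup` that deletes the account when that first test finishes, otherwise every later test in the class would run against a cached credential whose account is already gone. A one-line comment on the new `setUpClass` saying the accounts are deliberately shared for the speed-up the commit message mentions would also help the next reader.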
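Review bot: in the new PAC check, `pac_data = self.get_pac(ticket_private['authorization-data'])` is handed straight to `ndr_unpack(krb5pac.PAC_DATA, pac_data)`; add `self.assertIsNotNone(pac_data)` first so a ticket without a PAC fails with a clear message rather than a TypeError from ndr_unpack. The `else: expected = data.user_name` branch is only right because the enterprise-principal-without-canonicalize combination is removed by the first commit in this series (an enterprise name would otherwise carry its realm suffix); a comment saying so would stop someone re-adding that combination and getting a confusing mismatch here.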
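Review bot: `_run_as_req_enc_timestamp` in as_req_tests.py now builds the cname with `names=client_account.split('/')`, so any account string containing '/' becomes a multi-component PrincipalName even when `name_type` is `NT_ENTERPRISE_PRINCIPAL`; the `*_spn_enterprise*` tests rely on that, but it is easy to miss, so spell it out in a comment next to the split. Also, with `expected_error` set the helper does `return None` after the first exchange and never reaches the ENC-TIMESTAMP stage; returning `rep` there would let callers inspect the KRB-ERROR, and the docstring should say that the helper stops early in that mode.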
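Review bot: `test_as_req_enc_timestamp_spn_enterprise`, `..._spn_enterprise_realm` and `..._spn_upn_enterprise` repeat the bodies of their NT_PRINCIPAL counterparts differing only in `opts` and `name_type`; a small helper taking those two arguments would halve this hunk and keep the expected error in one place. The diffstat also shows `selftest/knownfail_mit_kdc | 4 +`, so some of these tests are expected to fail against the MIT KDC, but the truncated changeset does not show which; the commit message should name them and say whether the MIT behaviour is considered a bug.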
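A model of the AS-REQ client-name rules, as an added example that is not Samba code and not part of the commits above. The commit messages state that an SPN may be used as a client name only when it is also the account's UPN and is not sent as an enterprise principal, and that an enterprise name requested with the canonicalize flag comes back as the stored account name (in the reply cname and, per the new PAC check, in the PAC logon name). The function below encodes those rules, in the shape the tests in this changeset exercise them, as a lookup returning either the reply cname or KDC_ERR_C_PRINCIPAL_UNKNOWN. `Account`, `ReplyName`, `lookup_as_req_client`, `principal_from_string`, the EXAMPLE.COM realm and the account names are constructed for the example; the case-insensitive UPN match and the acceptance of the implicit sAMAccountName@REALM enterprise form are assumptions drawn from the tests, not a description of what the Samba KDC does internally; and the enterprise-without-canonicalize combination, which the first commit drops from the torture test, is deliberately left out.

```python
# Added example (not Samba code): a model of the AS-REQ client-name rules
# the commit messages describe and the new krb5 tests exercise.
# Accounts, names and the EXAMPLE.COM realm below are constructed data.
from dataclasses import dataclass
from typing import Optional, Tuple, Union

# RFC 4120 name types and error code, as referenced by the tests.
NT_PRINCIPAL = 1
NT_ENTERPRISE_PRINCIPAL = 10
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6


@dataclass(frozen=True)
class Account:
    """The directory attributes the lookup needs (constructed sample shape)."""
    sam_account_name: str          # e.g. 'tstkrb5usr' or 'HOST01$'
    realm: str                     # Kerberos realm, upper case
    upn: Optional[str] = None      # userPrincipalName, 'name@REALM' form
    spns: Tuple[str, ...] = ()     # servicePrincipalName values; never
                                   # consulted by the lookup, which is the point


@dataclass(frozen=True)
class ReplyName:
    """cname the AS-REP carries (when canonicalised, also the PAC logon name)."""
    name_type: int
    names: Tuple[str, ...]


def principal_from_string(name: str) -> Tuple[str, ...]:
    """Mirror the tests' client_account.split('/'): 'host/fqdn' becomes two
    components, which is also what happens to an SPN sent as enterprise."""
    return tuple(name.split('/'))


def _enterprise_matches(name: str, account: Account) -> bool:
    """Enterprise name: one 'user@REALM' string.  Realm case is ignored (the
    *_canon_case tests send a lower-case realm).  Assumption from the tests:
    both the explicit UPN and the implicit sAMAccountName@REALM are accepted."""
    user, sep, realm = name.rpartition('@')
    if not sep or not user or realm.upper() != account.realm.upper():
        return False
    if user.lower() == account.sam_account_name.lower():
        return True
    return account.upn is not None and name.lower() == account.upn.lower()


def _principal_matches(names: Tuple[str, ...], account: Account) -> bool:
    """NT_PRINCIPAL: a single component must be the sAMAccountName; 'host/fqdn'
    is accepted only when 'host/fqdn@REALM' is the account's UPN, never on the
    strength of servicePrincipalName alone.  The case-insensitive UPN match is
    an assumption of this model."""
    if len(names) == 1:
        return names[0].lower() == account.sam_account_name.lower()
    if account.upn is None:
        return False
    return ('/'.join(names) + '@' + account.realm).lower() == account.upn.lower()


def lookup_as_req_client(name_type: int, names: Tuple[str, ...],
                         canonicalize: bool,
                         account: Account) -> Union[int, ReplyName]:
    """Return the reply cname for a matching account, else the KDC error code.

    Enterprise names without the canonicalize flag are outside the model:
    the first commit of the series removes that test combination."""
    if name_type == NT_ENTERPRISE_PRINCIPAL:
        if not canonicalize:
            raise NotImplementedError('enterprise without canonicalize is not modelled')
        if len(names) != 1 or not _enterprise_matches(names[0], account):
            return KDC_ERR_C_PRINCIPAL_UNKNOWN
    elif name_type == NT_PRINCIPAL:
        if not _principal_matches(names, account):
            return KDC_ERR_C_PRINCIPAL_UNKNOWN
    else:
        return KDC_ERR_C_PRINCIPAL_UNKNOWN

    if canonicalize:
        # Canonicalised reply: cname (and PAC logon name) become the stored
        # sAMAccountName, which is what the new PAC check asserts.
        return ReplyName(NT_PRINCIPAL, (account.sam_account_name,))
    # Without canonicalize the cname is echoed back exactly as requested.
    return ReplyName(name_type, tuple(names))


if __name__ == '__main__':
    user = Account('tstkrb5usr', 'EXAMPLE.COM', upn='alias0@EXAMPLE.COM')
    host = Account('HOST01$', 'EXAMPLE.COM',
                   upn='host/host01.EXAMPLE.COM@EXAMPLE.COM',
                   spns=('host/host01.EXAMPLE.COM',))
    cases = [
        ('plain',            NT_PRINCIPAL,            'tstkrb5usr',             False, user),
        ('enterprise canon', NT_ENTERPRISE_PRINCIPAL, 'tstkrb5usr@example.com', True,  user),
        ('spn == upn',       NT_PRINCIPAL,            'host/host01.EXAMPLE.COM', False, host),
        ('spn enterprise',   NT_ENTERPRISE_PRINCIPAL, 'host/host01.EXAMPLE.COM', True,  host),
    ]
    for label, nt, name, canon, acct in cases:
        print(label, lookup_as_req_client(nt, principal_from_string(name), canon, acct))
```

The `spns` field is kept on the record precisely so the reader can see the lookup never reads it: a service principal name by itself never identifies an AS-REQ client, only a matching UPN does.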