The branch, master has been updated via 50cbdecf2e2 tests/krb5: Add test requesting a TGT expiring post-2038 via 67811e121fb tests/krb5: Add test requesting a service ticket expiring post-2038 from eb2f3526032 s4:ldap_server: let ldapsrv_call_writev_start use conn_idle_time to limit the time
https://git.samba.org/?p=samba.git;a=shortlog;h=master - Log ----------------------------------------------------------------- commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Thu Oct 20 12:36:44 2022 +1300 tests/krb5: Add test requesting a TGT expiring post-2038 This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year 9999 date for a forever timetime in tickets. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> Autobuild-User(master): Andrew Bartlett <abart...@samba.org> Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184 commit 67811e121fbef08337675d473390160793544719 Author: Joseph Sutton <josephsut...@catalyst.net.nz> Date: Tue Oct 4 12:25:08 2022 +1300 tests/krb5: Add test requesting a service ticket expiring post-2038 Windows 11 22H2 performs such requests, with year 9999. The test fails with KDC_ERR_BAD_INTEGRITY on older Heimdal versions, which are unable to verify a checksum over the modified request body (due to a re-encoding failure). REF: https://github.com/heimdal/heimdal/issues/1011 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197 Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagn...@catalyst.net.nz> ----------------------------------------------------------------------- Summary of changes: python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++-- python/samba/tests/krb5/kdc_tgs_tests.py | 14 ++++++++++++++ 2 files changed, 25 insertions(+), 2 deletions(-) Changeset truncated at 500 lines: diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 6a573947067..6b3b5ad4a22 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py 
@@ -47,7 +47,7 @@ class AsReqBaseTest(KDCBaseTest): expected_cname=None, sname=None, name_type=NT_PRINCIPAL, etypes=None, expected_error=None, expect_edata=None, - kdc_options=None): + kdc_options=None, till=None): user_name = client_creds.get_username() if client_account is None: client_account = user_name @@ -71,7 +71,8 @@ class AsReqBaseTest(KDCBaseTest): expected_sname = sname expected_salt = client_creds.get_salt() - till = self.get_KerberosTime(offset=36000) + if till is None: + till = self.get_KerberosTime(offset=36000) if etypes is None: etypes = client_as_etypes @@ -516,6 +517,14 @@ class AsReqKerberosTests(AsReqBaseTest): sname=wrong_krbtgt_princ, expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) + # Test that we can make a request for a ticket expiring post-2038. + def test_future_till(self): + client_creds = self.get_client_creds() + + self._run_as_req_enc_timestamp( + client_creds, + till='99990913024805Z') + if __name__ == "__main__": global_asn1_print = False diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index f57df85bfcd..e64135249db 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -2334,6 +2334,18 @@ class KdcTgsTests(KDCBaseTest): self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED, KDC_ERR_C_PRINCIPAL_UNKNOWN)) + # Test making a TGS request for a ticket expiring post-2038. + def test_tgs_req_future_till(self): + creds = self._get_creds() + tgt = self._get_tgt(creds) + + target_creds = self.get_service_creds() + self._tgs_req( + tgt=tgt, + expected_error=0, + target_creds=target_creds, + till='99990913024805Z') + def _modify_renewable(self, enc_part): # Set the renewable flag. enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True) @@ -2704,6 +2716,7 @@ class KdcTgsTests(KDCBaseTest): sname=None, srealm=None, use_fast=False, + till=None, expect_pac=True, expect_pac_attrs=None, expect_pac_attrs_pac_request=None, 
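Review bot: The new `till` keyword of `_run_as_req_enc_timestamp` has no documentation, and its accepted format can only be inferred from the test added further down. A short comment next to the default in the hunk at line 71 would help, for example `# till: requested end time as a KerberosTime string ('YYYYMMDDHHMMSSZ'); None requests the usual offset=36000 default.` The unit of `offset` (presumably seconds, i.e. ten hours) is not visible here and should be confirmed before it is written down. The function starts and ends outside both hunks.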
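Review bot: `test_future_till` (hunk at line 516) only passes a year-9999 `till` and lets the exchange succeed; nothing visible in the hunk checks the end time of the ticket that comes back. A KDC that accepts such a request is still expected to cap the lifetime at its configured maximum, so the test would be stronger if it also asserted that the issued endtime does not exceed that limit. Whether `_run_as_req_enc_timestamp` already checks this cannot be seen from here. The same applies to `test_tgs_req_future_till` in kdc_tgs_tests.py (hunk at line 2334). The literal `'99990913024805Z'` is repeated in both tests without explanation; a comment such as `# Year-9999 end time, as requested by Windows 11 22H2 (bug 15197).` or a shared module constant would tie it to the bug report.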
@@ -2813,6 +2826,7 @@ class KdcTgsTests(KDCBaseTest): cname=None, realm=srealm, sname=sname, + till_time=till, etypes=etypes, additional_tickets=additional_tickets) if expected_error: -- Samba Shared Repository
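Review bot: `_tgs_req` forwards its new argument unchanged as `till_time=till`, so every caller that leaves `till` unset now passes `till_time=None` explicitly. This relies on the callee substituting its own default, which is not visible in this hunk. The AS-REQ helper in as_req_tests.py resolves the default itself with `if till is None:`. Doing the same here, or adding `# None lets the exchange helper choose its default end time`, would keep the two helpers consistent. The argument is also named `till` in this signature (hunk at line 2704) but `till_time` in the call; one name would be easier to follow. `_tgs_req` starts and ends outside the hunk.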