The branch, master has been updated
       via  7828c6535cd s4:kdc: Don’t overwrite error code
       via  192024e8403 s4:kdc: Add comment to clarify that we fetch the client claims
       via  fcea53584de s4:kdc: clear client and device claims from trusts
       via  7a4fa2c5643 s4:kdc: Make [client,device]_claims_blob const pointers
       via  ebc27cf32a6 s4:kdc: Remove unnecessary NULL check
       via  c69174c07c4 s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()
       via  1ffca866c15 s4:kdc: adjust formatting of samba_kdc_update_pac() documentation
       via  b42fbc78395 s4:kdc: Enforce authentication policy service restrictions when getting a PAC
       via  3240ac4ebef s4:kdc: Check authentication policy server restrictions
       via  9a9f4799192 s4:kdc: Check authentication policy device restrictions
       via  f3714a3e3a3 s4:kdc: Add comment stating that policies aren’t looked up for S4U clients
       via  8b1897f02ee tests/krb5: Test that client policies are not enforced with S4U
       via  8e32075188f tests/krb5: Fix RBCD comments
       via  456373ac19c tests/krb5: Don’t unnecessarily specify ‘id’
       via  620c842da01 s4:kdc: Remove unused ‘server’ parameter in pac_verify()
       via  67436de3e77 s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event
       via  19f867bc54e s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors
       via  8425ffc8f3b s4:kdc: Update Samba KDC plugin to match new Heimdal version
       via  95c02a9794b third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)
       via  1abc2543cd4 tests/krb5: Add test for authenticating with disabled account and wrong password
       via  9d7f1794937 tests/auth_log_pass_change: Fix flapping test
       via  539cd516004 netcmd: domain: Fix typo
      from  ecff09d75df Align samba_kdc_update_pac() prototype in pac-glue.h with the implementation in pac-glue.c
https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 7828c6535cd61ef9ff64417226fcd8ae9dad23e9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jun 26 17:09:22 2023 +1200

    s4:kdc: Don’t overwrite error code

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

    Autobuild-User(master): Stefan Metzmacher <me...@samba.org>
    Autobuild-Date(master): Mon Jun 26 12:11:30 UTC 2023 on atb-devel-224

commit 192024e840333d99cf7028cb1abfcc9da5af335e
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 23 11:55:24 2023 +1200

    s4:kdc: Add comment to clarify that we fetch the client claims

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit fcea53584deadd41ecd5ce47402eee36168bbc24
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jun 22 09:08:53 2023 +0200

    s4:kdc: clear client and device claims from trusts

    As we don't support the Claims Transformation Algorithm [MS-CTA]
    we better clear claims as they have no valid meaning in our domain.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7a4fa2c5643d42bd8caba31e44df94812196fca4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jun 26 11:10:51 2023 +1200

    s4:kdc: Make [client,device]_claims_blob const pointers

    This is so that we can have them point to ‘null_data’ if we so choose.

    We can’t assign the result of data_blob_talloc() to a const pointer, so
    we go through an intermediary non-const pointer for the
    device_claims_blob case.
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit ebc27cf32a61d543a1fa2c73ca49e28077904e43
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jun 26 11:11:19 2023 +1200

    s4:kdc: Remove unnecessary NULL check

    pac_blobs_add_blob() already checks whether the blob argument is NULL,
    and skips adding the blob if so.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit c69174c07c49589ed52a67781ed8862ffb47fea3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Jun 22 09:18:51 2023 +0200

    s4:kdc: pass krbtgt skdc_entries to samba_kdc_update_pac()

    For now we only pass in the krbtgt that verified the client pac
    and optionally the krbtgt that verified the device pac.
    These can be different depending on the domain of the related
    principals.

    If we want to apply SID filtering in future we may also need
    to pass in the krbtgt that verified the delegated_proxy_pac,
    but that needs more research and is not required for the
    following changes.

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 1ffca866c1574f340cd56fd8c90d41a528bc649a
Author: Stefan Metzmacher <me...@samba.org>
Date:   Fri Jun 23 11:20:59 2023 +1200

    s4:kdc: adjust formatting of samba_kdc_update_pac() documentation

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b42fbc78395870c3caa33aa1c9636a59fde9e867
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 15:08:00 2023 +1200

    s4:kdc: Enforce authentication policy service restrictions when getting a PAC
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 3240ac4ebef75c3e955259ad32054380996ae7cf
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 14:24:50 2023 +1200

    s4:kdc: Check authentication policy server restrictions

    For a constrained delegation request, we need to pass ‘delegated_proxy’
    (and the delegated proxy PAC, if one was provided) into
    samba_kdc_update_pac() so that we can verify that the delegating server
    is allowed to authenticate to the target server.

    The ‘const’ is entirely unnecessary in a function declaration, but we
    add it just to be consistent.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9a9f4799192db27562d4a53d7900d9393b72c20d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Fri Jun 16 15:05:48 2023 +1200

    s4:kdc: Check authentication policy device restrictions

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit f3714a3e3a3e15f93926b51968b3c8c96db1209a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 12:57:27 2023 +1200

    s4:kdc: Add comment stating that policies aren’t looked up for S4U clients

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8b1897f02eef9aabcbcc12aab1cf2547b4ac4e4f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 12:59:11 2023 +1200

    tests/krb5: Test that client policies are not enforced with S4U
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8e32075188f6ae1f01f664ca184b87cb048b6b1a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 12:56:45 2023 +1200

    tests/krb5: Fix RBCD comments

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 456373ac19c60b02110fc346d9d45bf4d63b691f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 12:39:26 2023 +1200

    tests/krb5: Don’t unnecessarily specify ‘id’

    In tests where we have multiple accounts of the same type, we use the
    ‘id’ parameter to ensure that these accounts are all different, as some
    restrictions are bypassed if an account authenticates to the selfsame
    account. However, this is unnecessary if we already specify (with
    ‘use_cache=False’) that the cache is not to be used.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 620c842da01c36dd89a7a5f5ed14b6b9f7e0e60d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 11:21:27 2023 +1200

    s4:kdc: Remove unused ‘server’ parameter in pac_verify()

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 67436de3e77af14695f5e6588e6f62d7f980271f
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 11:20:44 2023 +1200

    s4:kdc: Handle new KDC_AUTH_EVENT_CLIENT_FOUND audit event

    NOTE: This commit finally works again!
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 19f867bc54e81ffd1b639f1b3651608c0460074c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 11:15:50 2023 +1200

    s4:kdc: Ensure that we don’t log PREAUTH_REQUIRED errors

    Such errors were not logged in the past, either, but that was
    accidental — a result of failing too early for an authentication event
    to be set — rather than the auditing being deliberately designed that
    way. Now that we have added the KDC_AUTH_EVENT_CLIENT_FOUND event, we
    want to ensure that PREAUTH_REQUIRED errors continue to go unlogged.

    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 8425ffc8f3b87fb4fb88fdae24e3e3ced52643ab
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 11:14:50 2023 +1200

    s4:kdc: Update Samba KDC plugin to match new Heimdal version

    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 95c02a9794b624e89eccd73cb0a4401a7417040a
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 10:52:01 2023 +1200

    third_party/heimdal: Import lorikeet-heimdal-202306192129 (commit 0096f9c1dc105d8ac9f7dd96d653b05228f7d280)

    NOTE: THIS COMMIT WON’T COMPILE/WORK ON ITS OWN!
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 1abc2543cd44f3b9c4b5da4537f69c48bc2b6e02
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Jun 21 16:54:36 2023 +1200

    tests/krb5: Add test for authenticating with disabled account and wrong password

    This shows us that the client’s access is checked prior to passwords
    being checked.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 9d7f1794937a8626a016422188213e7088d0d86b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Jun 20 10:11:50 2023 +1200

    tests/auth_log_pass_change: Fix flapping test

    It appears that discardMessages() is still not entirely reliable.
    Ensure that we filter out any messages from the Administrator’s
    authentication.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

commit 539cd516004f3597f39885c5d2c39e2b3d9a0ab9
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Mon Jun 19 12:55:40 2023 +1200

    netcmd: domain: Fix typo
    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>
    Reviewed-by: Stefan Metzmacher <me...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/netcmd/domain/models/auth_silo.py |   2 +-
 python/samba/tests/auth_log_pass_change.py     |  10 +-
 python/samba/tests/krb5/as_req_tests.py        |  47 ++++-
 python/samba/tests/krb5/authn_policy_tests.py  | 248 +++++++++++++++++++++++--
 python/samba/tests/krb5/kdc_base_test.py       |   7 +-
 selftest/knownfail_heimdal_kdc                 |  87 +--------
 selftest/knownfail_mit_kdc                     |  10 +
 source4/kdc/db-glue.c                          |   4 +
 source4/kdc/hdb-samba4.c                       |  22 +++
 source4/kdc/mit_samba.c                        |  14 +-
 source4/kdc/pac-glue.c                         | 139 +++++++++++---
 source4/kdc/pac-glue.h                         |   8 +-
 source4/kdc/wdc-samba4.c                       | 161 +++++++++++++--
 third_party/heimdal/kdc/fast.c                 |  20 +-
 third_party/heimdal/kdc/kdc-accessors.h        |  37 +++-
 third_party/heimdal/kdc/kdc-audit.h            |   1 +
 third_party/heimdal/kdc/kdc-plugin.c           |  52 ++++--
 third_party/heimdal/kdc/kdc-plugin.h           |   9 +-
 third_party/heimdal/kdc/kdc_locl.h             |   6 +-
 third_party/heimdal/kdc/kerberos5.c            |  35 ++--
 third_party/heimdal/kdc/krb5tgs.c              |  71 ++++---
 third_party/heimdal/kdc/libkdc-exports.def     |   6 +
 third_party/heimdal/kdc/mssfu.c                | 128 +++++++------
 third_party/heimdal/kdc/pkinit.c               |   2 +-
 third_party/heimdal/kdc/version-script.map     |   6 +
 third_party/heimdal/lib/base/dict.c            |   4 +-
 third_party/heimdal/lib/krb5/changepw.c        |   2 +-
 third_party/heimdal/lib/krb5/crypto.c          |   2 +-
 third_party/heimdal/lib/krb5/deprecated.c      |  37 ++--
 third_party/heimdal/lib/krb5/init_creds.c      |   2 +-
 30 files changed, 866 insertions(+), 313 deletions(-)


Changeset truncated at 500 lines:

diff --git a/python/samba/netcmd/domain/models/auth_silo.py b/python/samba/netcmd/domain/models/auth_silo.py index e694e1874c6..e3228d5607b 100644 --- a/python/samba/netcmd/domain/models/auth_silo.py +++ b/python/samba/netcmd/domain/models/auth_silo.py 
@@ -75,7 +75,7 @@ class AuthenticationSilo(Model): self.refresh(ldb, fields=["members"]) def remove_member(self, ldb, member): - """Remove a member to the Authentication Silo. + """Remove a member from the Authentication Silo. Rather than saving the silo object and writing the entire member list out again, just remove one member only. diff --git a/python/samba/tests/auth_log_pass_change.py b/python/samba/tests/auth_log_pass_change.py index eef2d743684..bbc14a5a7e1 100644 --- a/python/samba/tests/auth_log_pass_change.py +++ b/python/samba/tests/auth_log_pass_change.py @@ -236,8 +236,14 @@ class AuthLogPassChangeTests(samba.tests.auth_log_base.AuthLogTestBase): # def test_ldap_change_password_bad_user(self): def isLastExpectedMessage(msg): - # Accept any message we receive. - return True + msg_type = msg["type"] + + # Accept any message we receive, except for those produced while + # the Administrator authenticates in setUp(). + return (msg_type != "Authentication" or ( + "Administrator" not in msg[msg_type]["clientAccount"])) and ( + msg_type != "Authorization" or ( + "Administrator" not in msg[msg_type]["account"])) new_password = samba.generate_random_password(32, 32) try: diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index e8712b5bf8a..eb5e16e539e 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -22,11 +22,13 @@ import os sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" +from samba import ntstatus from samba.tests import DynamicTestCase from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_CLIENT_REVOKED, KDC_ERR_C_PRINCIPAL_UNKNOWN, KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_ETYPE_NOSUPP, 
@@ -48,6 +50,8 @@ class AsReqBaseTest(KDCBaseTest): name_type=NT_PRINCIPAL, etypes=None, expected_error=None, expect_edata=None, expected_pa_error=None, expect_pa_edata=None, + expect_status=None, + expect_pa_status=None, kdc_options=None, till=None): user_name = client_creds.get_username() if client_account is None: @@ -101,9 +105,10 @@ class AsReqBaseTest(KDCBaseTest): expected_supported_etypes=krbtgt_supported_etypes, expected_account_name=user_name, pac_request=True, - expect_edata=expect_edata) + expect_edata=expect_edata, + expected_status=expect_status) - if expected_error is not None: + if rep['error-code'] != KDC_ERR_PREAUTH_REQUIRED: return None etype_info2 = kdc_exchange_dict['preauth_etype_info2'] @@ -148,6 +153,7 @@ class AsReqBaseTest(KDCBaseTest): expected_supported_etypes=krbtgt_supported_etypes, expected_account_name=user_name, expect_edata=expect_pa_edata, + expected_status=expect_pa_status, preauth_key=preauth_key, ticket_decryption_key=krbtgt_decryption_key, pac_request=True) 
@@ -531,6 +537,43 @@ class AsReqKerberosTests(AsReqBaseTest): client_creds, till='99990913024805Z') + def test_logon_hours(self): + """Test making an AS-REQ with a logonHours attribute that disallows + logging in.""" + + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={'logon_hours': bytes(21)}) + + # Expect to get a CLIENT_REVOKED error. + self._run_as_req_enc_timestamp( + client_creds, + expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED), + expect_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS, + expected_pa_error=KDC_ERR_CLIENT_REVOKED, + expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS) + + def test_logon_hours_wrong_password(self): + """Test making an AS-REQ with a wrong password and a logonHours + attribute that disallows logging in.""" + + # Use a non-cached account so that it is not locked out for other + # tests. + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={'logon_hours': bytes(21)}, + use_cache=False) + + client_creds.set_password('wrong password') + + # Expect to get a CLIENT_REVOKED error. + self._run_as_req_enc_timestamp( + client_creds, + expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED), + expect_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS, + expected_pa_error=KDC_ERR_CLIENT_REVOKED, + expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS) + if __name__ == "__main__": global_asn1_print = False diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index 29bde221a89..5ffdba41e99 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py @@ -4444,7 +4444,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a computer account. client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) client_dn = client_creds.get_dn() tgt = self.get_tgt(client_creds) 
@@ -4479,7 +4478,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a computer account. client_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) client_dn = client_creds.get_dn() tgt = self.get_tgt(client_creds) @@ -4680,7 +4678,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a target account. target_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) target_spn = target_creds.get_spn() 
@@ -4777,6 +4774,53 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): policy=target_policy, checked_creds=service_creds) + def test_authn_policy_s4u2self_not_allowed_from(self): + # Create a machine account with which to perform FAST. + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER) + mach_tgt = self.get_tgt(mach_creds) + + # Create an authentication policy that applies to a user and explicitly + # denies authentication with any device. + denied = f'O:SYD:(D;;CR;;;WD)' + policy = self.create_authn_policy(enforced=True, + user_allowed_from=denied) + + # Create a user account with the assigned policy. + client_creds = self._get_creds(account_type=self.AccountType.USER, + assigned_policy=policy) + client_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[client_creds.get_username()]) + client_realm = client_creds.get_realm() + + # Create a computer account. + target_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER) + target_tgt = self.get_tgt(target_creds) + + def generate_s4u2self_padata(_kdc_exchange_dict, + _callback_dict, + req_body): + padata = self.PA_S4U2Self_create( + name=client_cname, + realm=client_realm, + tgt_session_key=target_tgt.session_key, + ctype=None) + + return [padata], req_body + + # Show that obtaining a service ticket with S4U2Self is allowed, + # despite the client’s policy. + self._tgs_req(target_tgt, 0, target_creds, target_creds, + expected_cname=client_cname, + generate_fast_padata_fn=generate_s4u2self_padata, + armor_tgt=mach_tgt) + + # The client’s policy does not apply for S4U2Self, and thus does not + # appear in the logs. + self.check_tgs_log(client_creds, target_creds, policy=None) + def test_authn_policy_allowed_to_user_allow_constrained_delegation(self): samdb = self.get_samdb() 
@@ -4803,7 +4847,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a target account. target_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) target_spn = target_creds.get_spn() @@ -4889,7 +4932,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a target account. target_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) target_spn = target_creds.get_spn() 
@@ -4949,6 +4991,186 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): event=AuditEvent.KERBEROS_SERVER_RESTRICTION, reason=AuditReason.ACCESS_DENIED) + def test_authn_policy_constrained_delegation_not_allowed_from(self): + samdb = self.get_samdb() + + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + use_cache=False) + client_sid = client_creds.get_sid() + + client_username = client_creds.get_username() + client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_username]) + + client_tkt_options = 'forwardable' + expected_flags = krb5_asn1.TicketFlags(client_tkt_options) + + client_tgt = self.get_tgt(client_creds, + kdc_options=client_tkt_options, + expected_flags=expected_flags) + + # Create an authentication policy that applies to a user and explicitly + # denies authentication with any device. + denied = f'O:SYD:(D;;CR;;;WD)' + policy = self.create_authn_policy(enforced=True, + user_allowed_from=denied) + + # Assign the policy to the client account. + self.add_attribute(samdb, str(client_creds.get_dn()), + 'msDS-AssignedAuthNPolicy', str(policy.dn)) + + # Create a machine account with which to perform FAST. + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER) + mach_tgt = self.get_tgt(mach_creds) + + # Create a target account. 
+ target_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + use_cache=False) + target_spn = target_creds.get_spn() + + service_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={ + 'delegation_to_spn': target_spn, + }) + service_tgt = self.get_tgt(service_creds) + + client_service_tkt = self.get_service_ticket( + client_tgt, + service_creds, + kdc_options=client_tkt_options, + expected_flags=expected_flags) + + kdc_options = str(krb5_asn1.KDCOptions('cname-in-addl-tkt')) + + target_decryption_key = self.TicketDecryptionKey_from_creds( + target_creds) + target_etypes = target_creds.tgs_supported_enctypes + + service_name = service_creds.get_username() + if service_name[-1] == '$': + service_name = service_name[:-1] + expected_transited_services = [ + f'host/{service_name}@{service_creds.get_realm()}' + ] + + # Don’t confuse the client’s TGS-REQ to the service, above, with the + # following constrained delegation request to the service. + self.discardMessages() + + # Show that obtaining a service ticket with constrained delegation is + # allowed, despite the client’s policy. 
+ self._tgs_req(service_tgt, 0, service_creds, target_creds, + armor_tgt=mach_tgt, + kdc_options=kdc_options, + expected_cname=client_cname, + expected_account_name=client_username, + additional_ticket=client_service_tkt, + decryption_key=target_decryption_key, + expected_sid=client_sid, + expected_supported_etypes=target_etypes, + expected_proxy_target=target_spn, + expected_transited_services=expected_transited_services) + + self.check_tgs_log(client_creds, target_creds, + policy=None, + checked_creds=service_creds) + + def test_authn_policy_rbcd_not_allowed_from(self): + samdb = self.get_samdb() + functional_level = self.get_domain_functional_level(samdb) + + if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008: + self.skipTest('RBCD requires FL2008') + + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + use_cache=False) + client_sid = client_creds.get_sid() + + client_username = client_creds.get_username() + client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[client_username]) + + client_tkt_options = 'forwardable' + expected_flags = krb5_asn1.TicketFlags(client_tkt_options) + + client_tgt = self.get_tgt(client_creds, + kdc_options=client_tkt_options, + expected_flags=expected_flags) + + # Create an authentication policy that applies to a user and explicitly + # denies authentication with any device. + denied = f'O:SYD:(D;;CR;;;WD)' + policy = self.create_authn_policy(enforced=True, + user_allowed_from=denied) + + # Assign the policy to the client account. + self.add_attribute(samdb, str(client_creds.get_dn()), + 'msDS-AssignedAuthNPolicy', str(policy.dn)) + + # Create a machine account with which to perform FAST. + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER) + mach_tgt = self.get_tgt(mach_creds) + + service_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={'id': 1}) + service_tgt = self.get_tgt(service_creds) + + # Create a target account. 
+ target_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={ + 'delegation_from_dn': str(service_creds.get_dn()), + }) + + client_service_tkt = self.get_service_ticket( + client_tgt, + service_creds, + kdc_options=client_tkt_options, + expected_flags=expected_flags) + + kdc_options = str(krb5_asn1.KDCOptions('cname-in-addl-tkt')) + + target_decryption_key = self.TicketDecryptionKey_from_creds( + target_creds) + target_etypes = target_creds.tgs_supported_enctypes + + service_name = service_creds.get_username() + if service_name[-1] == '$': + service_name = service_name[:-1] + expected_transited_services = [ + f'host/{service_name}@{service_creds.get_realm()}' + ] + + # Don’t confuse the client’s TGS-REQ to the service, above, with the + # following RBCD request to the service. + self.discardMessages() + + # Show that obtaining a service ticket with RBCD is allowed, despite + # the client’s policy. + self._tgs_req(service_tgt, 0, service_creds, target_creds, + armor_tgt=mach_tgt, + kdc_options=kdc_options, + pac_options='1001', # supports claims, RBCD + expected_cname=client_cname, + expected_account_name=client_username, + additional_ticket=client_service_tkt, + decryption_key=target_decryption_key, + expected_sid=client_sid, + expected_supported_etypes=target_etypes, + expected_proxy_target=target_creds.get_spn(), + expected_transited_services=expected_transited_services) + + self.check_tgs_log(client_creds, target_creds, + policy=None, + checked_creds=service_creds) + def test_authn_policy_allowed_to_user_allow_constrained_delegation_wrong_sname(self): client_creds = self.get_cached_creds( account_type=self.AccountType.USER, 
@@ -5079,7 +5301,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): ] # Don’t confuse the client’s TGS-REQ to the service, above, with the - # following constrained delegation request to the service. + # following RBCD request to the service. self.discardMessages() # Show that obtaining a service ticket with RBCD is allowed. @@ -5156,7 +5378,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): target_creds) # Don’t confuse the client’s TGS-REQ to the service, above, with the - # following constrained delegation request to the service. + # following RBCD request to the service. self.discardMessages() # Show that obtaining a service ticket with RBCD is not allowed. @@ -5223,7 +5445,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): target_creds) # Don’t confuse the client’s TGS-REQ to the service, above, with the - # following constrained delegation request to the service. + # following RBCD request to the service. self.discardMessages() # Show that obtaining a service ticket with RBCD fails if the sname @@ -5267,7 +5489,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a service account. service_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) service_dn_str = str(service_creds.get_dn()) service_spn = service_creds.get_spn() @@ -5356,7 +5577,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a service account. service_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) service_dn_str = str(service_creds.get_dn()) service_spn = service_creds.get_spn() @@ -5441,7 +5661,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a service account. service_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) service_dn_str = str(service_creds.get_dn()) service_sid = service_creds.get_sid() 
@@ -5567,7 +5786,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): ] # Don’t confuse the client’s TGS-REQ to the service, above, with the - # following constrained delegation request to the service. + # following RBCD request to the service. self.discardMessages() # Show that obtaining a service ticket to ourselves with RBCD is @@ -5662,7 +5881,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): ] # Don’t confuse the client’s TGS-REQ to the service, above, with the - # following constrained delegation request to the service. + # following RBCD request to the service. self.discardMessages() # Show that obtaining a service ticket to ourselves with RBCD is @@ -5710,7 +5929,6 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): # Create a service account. service_creds = self.get_cached_creds( account_type=self.AccountType.COMPUTER, - opts={'id': 1}, use_cache=False) service_dn_str = str(service_creds.get_dn()) service_sid = service_creds.get_sid() @@ -5741,7 +5959,7 @@ class AuthnPolicyTests(AuthLogTestBase, KdcTgsBaseTests): service_creds) # Don’t confuse the client’s TGS-REQ to the service, above, with the - # following constrained delegation request to the service. + # following RBCD request to the service. self.discardMessages() # Show that obtaining a service ticket to ourselves with RBCD diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 276fc089a6d..96ae43a0937 100644 --- a/python/samba/tests/krb5/kdc_base_test.py -- Samba Shared Repository
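Review bot: the `isLastExpectedMessage` filter in the auth_log_pass_change.py hunk (@@ -236,8) matches by substring, `"Administrator" not in msg[msg_type]["clientAccount"]`, so any account whose name merely contains "Administrator" would be discarded as well; comparing against the exact account name that setUp() authenticates with would make the filter precise. The combined `and`/`or` expression is also hard to read: returning `False` for an Authentication message whose `clientAccount` is the Administrator, returning `False` for an Authorization message whose `account` is the Administrator, and `return True` otherwise says the same thing in three plain lines, and the comment can then note that the filter exists because `discardMessages()` is not fully reliable, as the commit message explains.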
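Review bot: the parameters added to `_run_as_req_enc_timestamp` in the @@ -48,6 hunk of as_req_tests.py are named `expect_status` and `expect_pa_status`, yet the two later hunks forward them as `expected_status=`, and the existing signature already mixes `expected_error` with `expect_edata`; giving the new pair the `expected_` prefix used by the callee would stop the naming drift from growing with this change.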
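Review bot: in the @@ -101,9 hunk of as_req_tests.py, replacing `if expected_error is not None:` with `if rep['error-code'] != KDC_ERR_PREAUTH_REQUIRED:` drops the guard that the first exchange returned an error at all: should the KDC answer the unauthenticated AS-REQ with an AS-REP rather than a KRB-ERROR, reading `rep['error-code']` will raise instead of the helper returning cleanly. Either keep `expected_error is not None` in the condition or check the message type before reading the error code, and add a short comment that the helper only proceeds to the encrypted-timestamp exchange when the first reply was PREAUTH_REQUIRED, since that is what lets the new tests pass `expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED)`.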
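Review bot: the two tests added at @@ -531,6 in as_req_tests.py both use `bytes(21)` as the `logon_hours` value without saying why; it is a 168-bit (21 × 8 bits, one per hour of the week) logonHours bitmap with every bit clear, so logon is never permitted. A named constant with that comment would explain the literal and remove the duplication. Also, the commit subject ("Add test for authenticating with disabled account and wrong password") does not match what the tests exercise, which is logonHours, not a disabled account; the subject or the tests should agree, and `test_logon_hours_wrong_password` could state in its docstring the property the commit message describes, namely that CLIENT_REVOKED with NT_STATUS_INVALID_LOGON_HOURS is returned before the wrong password is ever examined.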
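Review bot: in `test_authn_policy_s4u2self_not_allowed_from` (authn_policy_tests.py, @@ -4777,6), `denied = f'O:SYD:(D;;CR;;;WD)'` is an f-string with no placeholders, so the `f` prefix should go (the same literal recurs in both tests added at @@ -4949,6). Separately, `mach_creds` and `target_creds` are each obtained with `self.get_cached_creds(account_type=self.AccountType.COMPUTER)` and no distinguishing `id`, with the cache enabled; by the reasoning in the "Don’t unnecessarily specify ‘id’" commit message they can resolve to the same account, in which case the FAST armor TGT belongs to the service performing S4U2Self on itself. If that is intended, a one-line comment saying so would save the next reader the question; otherwise pass `use_cache=False` for one of them.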
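Review bot: the block in the @@ -4949,6 hunk that strips the trailing `$` from `service_creds.get_username()` and builds `expected_transited_services` as `f'host/{service_name}@{service_creds.get_realm()}'` is copied verbatim into both `test_authn_policy_constrained_delegation_not_allowed_from` and `test_authn_policy_rbcd_not_allowed_from`; a small helper on the test class would remove the duplicate and the repeated `kdc_options`/`target_decryption_key`/`target_etypes` setup alongside it. In the RBCD test, `service_creds` is created with `opts={'id': 1}` while the rest of this series removes that option; here it is genuinely needed because the cache is in use and `mach_creds` is also a plain cached COMPUTER account, so a comment to that effect would stop a later cleanup from deleting it.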