The branch, master has been updated
       via  3ef68efca29 tests/krb5: Fix comments
       via  62373eeef06 tests/krb5: Test RODC‐issued TGTs that already contain device info/claims
       via  86fb7d17ff7 tests/krb5: Don’t reuse SID S-1-2-3-4
       via  224408f9592 tests/krb5: Test target authentication policies when the TGT already contains device info/claims
       via  622ac53f222 tests/krb5: Add tests for PACs containing extraneous buffers
       via  69d588a8702 tests/krb5: Pass a list of PAC modification functions
       via  6e999eab1c3 tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims
       via  014c939bdd7 tests/krb5: Add support to test framework for existing device info or claims buffers
       via  e468a7d6271 tests/krb5: Always expect client claims
       via  7048f380eb2 tests/krb5: Ensure that device SIDs and claims are present only if we expect them to be
       via  51a4443b044 tests/krb5: No longer pass two‐component form of TGS principal
       via  6033b1c00dc tests/krb5: Remove unused import
       via  b0a09a69cc8 selftest/flapping: Mark smb2.multichannel.bugs.bug_15346(nt4_dc) flapping
       via  687b1b99314 tests: Convert the regression test for bug15505 to python
       via  9dd5e12cfa4 tests: Make clean_file() handle directories
       via  b5392b552ed tests: Allow to specify share names in smb2symlink tests
      from  1372ef0ef46 s4:rpc_server: Properly initialize ‘lsa_CreateTrustedDomainEx2’ structure (CID 1499404)

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 3ef68efca292651a7b83166767452a6986175924
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 09:33:10 2023 +1300

    tests/krb5: Fix comments

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

    Autobuild-User(master): Andrew Bartlett <abart...@samba.org>
    Autobuild-Date(master): Thu Nov 2 20:13:50 UTC 2023 on atb-devel-224

commit 62373eeef069a7631093f237b4ca95c3992fb346
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 2 14:32:58 2023 +1300

    tests/krb5: Test RODC‐issued TGTs that already contain device info/claims

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 86fb7d17ff7683c66ce74e16b3be927b97ea5e5d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 2 14:32:00 2023 +1300

    tests/krb5: Don’t reuse SID S-1-2-3-4

    We’re already using it in ‘client_sids’ to work around a bug in Windows.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 224408f9592442a503c6b33454b9dcefec64331d
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 16:59:21 2023 +1300

    tests/krb5: Test target authentication policies when the TGT already contains device info/claims

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 622ac53f2229c005a7f35779298af8405549c0d4
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 2 15:29:32 2023 +1300

    tests/krb5: Add tests for PACs containing extraneous buffers

    Test that the KDC removes these buffers from RODC‐issued PACs.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 69d588a8702fa5b973e33bf7cea1d01fcf112b1c
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Thu Nov 2 15:27:24 2023 +1300

    tests/krb5: Pass a list of PAC modification functions

    This is simpler than chaining functions together.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6e999eab1c3ffd79730f9003f7f284b51a840a15
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 13:55:14 2023 +1300

    tests/krb5: Test performing a FAST‐armored TGS‐REQ when the TGT already contains device info/claims

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 014c939bdd7f49c484ec36f0ec9159aa7012edcd
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 10:16:57 2023 +1300

    tests/krb5: Add support to test framework for existing device info or claims buffers

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit e468a7d62716ff28e84f753fe187828e94f2c50b
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 13:39:28 2023 +1300

    tests/krb5: Always expect client claims

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 7048f380eb28e9d411fae27fba45b66a08de0a54
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 13:38:24 2023 +1300

    tests/krb5: Ensure that device SIDs and claims are present only if we expect them to be

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 51a4443b04490d412b018f3ef303f77cb7304d10
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 13:07:54 2023 +1300

    tests/krb5: No longer pass two‐component form of TGS principal

    Samba now handles one‐component TGS principals more correctly.

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 6033b1c00dc080a8f0445bae6a8c4ccd54934237
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Wed Nov 1 12:05:50 2023 +1300

    tests/krb5: Remove unused import

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b0a09a69cc8f44077363fe6ecbab8e237e769b13
Author: Joseph Sutton <josephsut...@catalyst.net.nz>
Date:   Tue Oct 31 07:29:57 2023 +1300

    selftest/flapping: Mark smb2.multichannel.bugs.bug_15346(nt4_dc) flapping

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15498

    Signed-off-by: Joseph Sutton <josephsut...@catalyst.net.nz>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 687b1b993149de0785ad1134366a7917b2d1f57a
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Nov 1 15:39:12 2023 +0100

    tests: Convert the regression test for bug15505 to python

    The shell version is flapping, but I can't really figure out why.
    Maybe this version is not flapping, and it also shows the failure if
    you revert 952d6c2cf48.

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit 9dd5e12cfa46fe5e9c3653f2e85d0a7f9c59e74c
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Nov 1 15:38:55 2023 +0100

    tests: Make clean_file() handle directories

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

commit b5392b552ed6b995196a91118bad11239eee25f7
Author: Volker Lendecke <v...@samba.org>
Date:   Wed Nov 1 14:22:09 2023 +0100

    tests: Allow to specify share names in smb2symlink tests

    Signed-off-by: Volker Lendecke <v...@samba.org>
    Reviewed-by: Andrew Bartlett <abart...@samba.org>

-----------------------------------------------------------------------

Summary of changes:
 python/samba/tests/krb5/conditional_ace_tests.py | 408 +++++++++++++++++++----
 python/samba/tests/krb5/device_tests.py          |   2 +-
 python/samba/tests/krb5/kdc_base_test.py         |  23 ++
 python/samba/tests/krb5/kdc_tgs_tests.py         |  62 +++-
 python/samba/tests/krb5/raw_testcase.py          |   8 +
 python/samba/tests/krb5/s4u_tests.py             |   2 +-
 python/samba/tests/smb2symlink.py                |  53 ++-
 selftest/flapping.d/smb2-multichannel            |   3 +
 selftest/knownfail_heimdal_kdc                   |  34 ++
 selftest/knownfail_mit_kdc                       |  46 +++
 source3/script/tests/test_smbclient_s3.sh        |  39 ---
 11 files changed, 557 insertions(+), 123 deletions(-)
 create mode 100644 selftest/flapping.d/smb2-multichannel


Changeset truncated at 500 lines:

diff --git a/python/samba/tests/krb5/conditional_ace_tests.py b/python/samba/tests/krb5/conditional_ace_tests.py index b04a0bbaa3f..de26a920ae0 100755 --- a/python/samba/tests/krb5/conditional_ace_tests.py +++ b/python/samba/tests/krb5/conditional_ace_tests.py @@ -45,7 +45,6 @@ from samba.tests.krb5.raw_testcase import RawKerberosTest from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_BADOPTION, KDC_ERR_GENERIC, - KDC_ERR_MODIFIED, KDC_ERR_POLICY, NT_PRINCIPAL, ) 
@@ -3420,16 +3419,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - # FIXME: we need to pass this parameter only because Samba doesn’t - # handle ‘krbtgt@REALM’ principals correctly (see - # https://bugzilla.samba.org/show_bug.cgi?id=15482). - krbtgt_sname = self.get_krbtgt_sname() - # Show that authentication succeeds. self._armored_as_req(client_creds, self.get_krbtgt_creds(), - mach_tgt, - target_sname=krbtgt_sname) + mach_tgt) self.check_as_log(client_creds, armor_creds=mach_creds, @@ -3808,16 +3801,10 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds = self._get_creds(account_type=self.AccountType.USER, assigned_policy=client_policy) - # FIXME: we need to pass this parameter only because Samba doesn’t - # handle ‘krbtgt@REALM’ principals correctly (see - # https://bugzilla.samba.org/show_bug.cgi?id=15482). - krbtgt_sname = self.get_krbtgt_sname() - # Show that authentication succeeds. self._armored_as_req(client_creds, self.get_krbtgt_creds(), - mach_tgt, - target_sname=krbtgt_sname) + mach_tgt) self.check_as_log(client_creds, armor_creds=mach_creds, @@ -3934,17 +3921,11 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): krbtgt_creds = self.get_krbtgt_creds() - # FIXME: we need to pass this parameter only because Samba doesn’t - # handle ‘krbtgt@REALM’ principals correctly (see - # https://bugzilla.samba.org/show_bug.cgi?id=15482). - krbtgt_sname = self.get_krbtgt_sname() - # Test whether authentication succeeds or fails. self._armored_as_req( client_creds, krbtgt_creds, mach_tgt, - target_sname=krbtgt_sname, expected_error=0 if expect_in_group else KDC_ERR_POLICY) policy_success_args = {} @@ -3976,7 +3957,6 @@ class DeviceRestrictionTests(ConditionalAceBaseTests): client_creds, krbtgt_creds, mach_tgt, - target_sname=krbtgt_sname, expected_error=KDC_ERR_POLICY if expect_in_group else 0) self.check_as_log(client_creds, 
@@ -4275,13 +4255,236 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): def test_pac_device_info(self): self._run_pac_device_info_test() + def test_pac_device_info_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy) + + def test_pac_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True) + + def test_pac_device_info_existing_device_info(self): + self._run_pac_device_info_test(existing_device_info=True) + + def test_pac_device_info_existing_device_info_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + existing_device_info=True) + + def test_pac_device_info_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + existing_device_info=True) + + def test_pac_device_info_existing_device_claims(self): + self._run_pac_device_info_test(existing_device_claims=True) + + def test_pac_device_info_existing_device_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + existing_device_claims=True) + + def test_pac_device_info_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + existing_device_claims=True) + + def test_pac_device_info_existing_device_info_and_claims(self): + self._run_pac_device_info_test(existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_existing_device_info_and_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_existing_device_info_and_claims_rodc_issued(self): + 
self._run_pac_device_info_test(rodc_issued=True, + existing_device_claims=True, + existing_device_info=True) + def test_pac_device_info_no_compound_id_support(self): self._run_pac_device_info_test(compound_id_support=False) + def test_pac_device_info_no_compound_id_support_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + compound_id_support=False) + + def test_pac_device_info_no_compound_id_support_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False) + + def test_pac_device_info_no_compound_id_support_existing_device_info(self): + self._run_pac_device_info_test(compound_id_support=False, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_existing_device_info_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + compound_id_support=False, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_existing_device_claims(self): + self._run_pac_device_info_test(compound_id_support=False, + existing_device_claims=True) + + def test_pac_device_info_no_compound_id_support_existing_device_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + compound_id_support=False, + existing_device_claims=True) + + def test_pac_device_info_no_compound_id_support_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False, + existing_device_claims=True) + + def 
test_pac_device_info_no_compound_id_support_existing_device_info_and_claims(self): + self._run_pac_device_info_test(compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_existing_device_info_and_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info(self): + self._run_pac_device_info_test(device_claims_valid=False, + compound_id_support=False, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + device_claims_valid=False, + compound_id_support=False, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + compound_id_support=False, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims(self): + self._run_pac_device_info_test(device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + 
self._run_pac_device_info_test(target_policy=target_policy, + device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims(self): + self._run_pac_device_info_test(device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + compound_id_support=False, + existing_device_claims=True, + existing_device_info=True) + def test_pac_device_info_no_claims_valid(self): self._run_pac_device_info_test(device_claims_valid=False) - def _run_pac_device_info_test(self, compound_id_support=True, device_claims_valid=True): + def test_pac_device_info_no_claims_valid_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + device_claims_valid=False) + + def test_pac_device_info_no_claims_valid_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False) + + def test_pac_device_info_no_claims_valid_existing_device_info(self): + 
self._run_pac_device_info_test(device_claims_valid=False, + existing_device_info=True) + + def test_pac_device_info_no_claims_valid_existing_device_info_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + device_claims_valid=False, + existing_device_info=True) + + def test_pac_device_info_no_claims_valid_existing_device_info_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + existing_device_info=True) + + def test_pac_device_info_no_claims_valid_existing_device_claims(self): + self._run_pac_device_info_test(device_claims_valid=False, + existing_device_claims=True) + + def test_pac_device_info_no_claims_valid_existing_device_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + device_claims_valid=False, + existing_device_claims=True) + + def test_pac_device_info_no_claims_valid_existing_device_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + existing_device_claims=True) + + def test_pac_device_info_no_claims_valid_existing_device_info_and_claims(self): + self._run_pac_device_info_test(device_claims_valid=False, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_no_claims_valid_existing_device_info_and_claims_target_policy(self): + target_policy = self.allow_if('Device_Member_of {{SID({device_0})}}') + self._run_pac_device_info_test(target_policy=target_policy, + device_claims_valid=False, + existing_device_claims=True, + existing_device_info=True) + + def test_pac_device_info_no_claims_valid_existing_device_info_and_claims_rodc_issued(self): + self._run_pac_device_info_test(rodc_issued=True, + device_claims_valid=False, + existing_device_claims=True, + existing_device_info=True) + + def 
_run_pac_device_info_test(self, *, + target_policy=None, + rodc_issued=False, + compound_id_support=True, + device_claims_valid=True, + existing_device_claims=False, + existing_device_info=False): """Test the groups of the client and the device after performing a FAST‐armored TGS‐REQ. """ @@ -4295,13 +4498,16 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): ]), ] - expected_client_claims = { - client_claim_id: { - 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, - 'type': claims.CLAIM_TYPE_STRING, - 'values': (client_claim_value,), - }, - } + if not rodc_issued: + expected_client_claims = { + client_claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, + 'type': claims.CLAIM_TYPE_STRING, + 'values': (client_claim_value,), + }, + } + else: + expected_client_claims = None device_claim_id = 'the name of the device’s client claim' device_claim_value = 'the value of the device’s client claim' @@ -4312,7 +4518,26 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): ]), ] - if compound_id_support: + existing_claim_id = 'the name of an existing device claim' + existing_claim_value = 'the value of an existing device claim' + + existing_claims = [ + (claims.CLAIMS_SOURCE_TYPE_CERTIFICATE, [ + (existing_claim_id, claims.CLAIM_TYPE_STRING, [existing_claim_value]), + ]), + ] + + if rodc_issued: + expected_device_claims = None + elif existing_device_info and existing_device_claims: + expected_device_claims = { + existing_claim_id: { + 'source_type': claims.CLAIMS_SOURCE_TYPE_CERTIFICATE, + 'type': claims.CLAIM_TYPE_STRING, + 'values': (existing_claim_value,), + }, + } + elif compound_id_support and not existing_device_info and not existing_device_claims: expected_device_claims = { device_claim_id: { 'source_type': claims.CLAIMS_SOURCE_TYPE_AD, 
@@ -4338,16 +4563,26 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): ('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs), } + device_sid_0 = 'S-1-3-4-5' + device_sid_1 = 'S-1-4-5-6' + + policy_sids = { + 'device_0': device_sid_0, + 'device_1': device_sid_1, + } + device_sids = { (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), - ('S-1-2-3-4', SidType.EXTRA_SID, self.resource_attrs), - ('S-1-3-4-5', SidType.EXTRA_SID, self.resource_attrs), + (device_sid_0, SidType.EXTRA_SID, self.resource_attrs), + (device_sid_1, SidType.EXTRA_SID, self.resource_attrs), } if device_claims_valid: device_sids.add((security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs)) + checksum_key = self.get_krbtgt_checksum_key() + # Modify the machine account’s TGT to contain only the SID of the # machine account’s primary group. mach_tgt = self.modified_ticket( 
@@ -4357,42 +4592,109 @@ class TgsReqServicePolicyTests(ConditionalAceBaseTests): new_sids=device_sids), partial(self.set_pac_claims, client_claims=device_claims), ], - checksum_keys=self.get_krbtgt_checksum_key()) + checksum_keys=checksum_key) # Create a user account. - client_creds = self._get_creds(account_type=self.AccountType.USER) + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER, + opts={ + 'allowed_replication_mock': rodc_issued, + 'revealed_to_mock_rodc': rodc_issued, + }) client_tgt = self.get_tgt(client_creds) + client_modify_pac_fns = [ + partial(self.set_pac_sids, + new_sids=client_sids), + partial(self.set_pac_claims, client_claims=client_claims), + ] + + if existing_device_claims: + client_modify_pac_fns.append( + partial(self.set_pac_claims, device_claims=existing_claims)) + if existing_device_info: + # These are different from the SIDs in the device’s TGT. + existing_sid_0 = 'S-1-7-8-9' + existing_sid_1 = 'S-1-9-8-7' + + policy_sids.update({ + 'existing_0': existing_sid_0, + 'existing_1': existing_sid_1, + }) + + existing_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), + (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), + (existing_sid_0, SidType.EXTRA_SID, self.resource_attrs), + (existing_sid_1, SidType.EXTRA_SID, self.resource_attrs), + } + + client_modify_pac_fns.append(partial( + self.set_pac_device_sids, new_sids=existing_sids, user_rid=mach_creds.get_rid())) + + if rodc_issued: + rodc_krbtgt_creds = self.get_mock_rodc_krbtgt_creds() + rodc_krbtgt_key = self.TicketDecryptionKey_from_creds(rodc_krbtgt_creds) + rodc_checksum_key = { + krb5pac.PAC_TYPE_KDC_CHECKSUM: rodc_krbtgt_key, + } + # Modify the client’s TGT to contain only the SID of the client’s # primary group. 
client_tgt = self.modified_ticket( client_tgt, - modify_pac_fn=[ - partial(self.set_pac_sids, - new_sids=client_sids), - partial(self.set_pac_claims, client_claims=client_claims), - ], - checksum_keys=self.get_krbtgt_checksum_key()) + modify_pac_fn=client_modify_pac_fns, + new_ticket_key=rodc_krbtgt_key if rodc_issued else None, + checksum_keys=rodc_checksum_key if rodc_issued else checksum_key) - # Indicate that Compound Identity is supported. - target_creds, _ = self.get_target(to_krbtgt=False, compound_id=compound_id_support) + if target_policy is None: + policy = None + assigned_policy = None + else: + policy = self.create_authn_policy( + enforced=True, + computer_allowed_to=target_policy.format_map(policy_sids)) + assigned_policy = str(policy.dn) + + target_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={ + 'supported_enctypes': + security.KERB_ENCTYPE_RC4_HMAC_MD5 + | security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96, + # Indicate that Compound Identity is supported. + 'compound_id_support': compound_id_support, + 'assigned_policy': assigned_policy, + }) expected_sids = { (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None), - ('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs), # The client’s groups are not to include the Asserted Identity and # Claims Valid SIDs. } + if rodc_issued: + expected_sids.add((security.SID_CLAIMS_VALID, SidType.EXTRA_SID, self.default_attrs)) + else: + expected_sids.add(('S-1-2-3-4', SidType.EXTRA_SID, self.default_attrs)) - if compound_id_support: + if rodc_issued: + expected_device_sids = None + elif existing_device_info: + expected_device_sids = { + (security.DOMAIN_RID_USERS, SidType.BASE_SID, self.default_attrs), -- Samba Shared Repository
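Review bot: The FIXME removals at @@ -3420,16 (and the three identical hunks at @@ -3808, @@ -3934 and @@ -3976) drop the `target_sname=krbtgt_sname` workaround for https://bugzilla.samba.org/show_bug.cgi?id=15482 without recording where the underlying `krbtgt@REALM` handling was fixed; the commit message for 51a4443b044 only says Samba "now handles one‐component TGS principals more correctly". Please reference the fixing commit or the bugzilla status in that message so readers know which test now guards the one‐component case, and check whether `self.get_krbtgt_sname()` still has callers after these four removals; if not, it should go in the same series.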
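Review bot: The test methods added at @@ -4275,13 expand combinations of six keyword flags (`target_policy`, `rodc_issued`, `compound_id_support`, `device_claims_valid`, `existing_device_claims`, `existing_device_info`) by hand, which makes it easy for a combination to be missed or mis-wired, and every `*_target_policy` variant repeats the same `self.allow_if('Device_Member_of {{SID({device_0})}}')` literal. Hoist that policy string into a class attribute, and consider generating the matrix from `itertools.product` in a class-level loop that still produces one distinctly named method per combination, since the knownfail files updated in this changeset (`selftest/knownfail_heimdal_kdc`, `selftest/knownfail_mit_kdc`) are keyed per test name, so `subTest` would not be a drop-in replacement. Several of the new names, e.g. `test_pac_device_info_no_compound_id_support_no_claims_valid_existing_device_info_and_claims_target_policy`, also push the `def` line past 100 characters.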
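Review bot: At @@ -4295,13 the new `else: expected_client_claims = None` branch for `rodc_issued` carries no explanation of why an RODC‐issued TGT is expected to come back with no client claims; the only hint is the commit message for 622ac53f222 ("Test that the KDC removes these buffers from RODC‐issued PACs"), which is not visible from the code. A one-line comment above `if not rodc_issued:` stating the expected KDC behaviour would let the next reader distinguish "the KDC strips them" from "we just don't check them", and the same comment would serve the `expected_device_claims = None` branch in the following hunk.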
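Review bot: In the `expected_device_claims` chain at @@ -4312,7, `elif existing_device_info and existing_device_claims:` expects the certificate-sourced `existing_claims`, while `elif compound_id_support and not existing_device_info and not existing_device_claims:` expects the AD-sourced `device_claims` only when neither existing buffer is present; the two mixed cases (exactly one of `existing_device_info` / `existing_device_claims` set) fall through to code outside the hunk, and nothing in the visible lines says what the KDC is expected to produce then. A short comment at the head of the chain listing the expected outcome for each of the four combinations would make the intent checkable without tracing the rest of the function.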
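Review bot: At @@ -4338,16 the device SIDs move from `'S-1-2-3-4'` / `'S-1-3-4-5'` to `device_sid_0 = 'S-1-3-4-5'` / `device_sid_1 = 'S-1-4-5-6'`, but the reason (per the commit message for 86fb7d17ff7, S-1-2-3-4 is already used in `client_sids` to work around a Windows bug) appears nowhere in the code. Add a comment beside `device_sid_0` so the collision is not reintroduced, and document the `device_0` / `device_1` (and later `existing_0` / `existing_1`) placeholder names next to the `policy_sids` dict that feeds `target_policy.format_map(policy_sids)`.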
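Review bot: At @@ -4357,42 `rodc_krbtgt_key` and `rodc_checksum_key` are only bound inside `if rodc_issued:` and are then read in `new_ticket_key=rodc_krbtgt_key if rodc_issued else None` and `checksum_keys=rodc_checksum_key if rodc_issued else checksum_key`. That works because the conditional expression short-circuits, but it depends on the two `rodc_issued` tests staying in sync and will trip possibly-undefined-name lint; initialising `rodc_krbtgt_key = None` and `rodc_checksum_key = checksum_key` before the `if` and passing them unconditionally is simpler. Two further points in the same hunk: `mach_creds.get_rid()` in the `set_pac_device_sids` partial is the only reference to `mach_creds` in the visible lines, so please confirm it is the credentials whose TGT became `mach_tgt` above; and the explicit `'supported_enctypes': security.KERB_ENCTYPE_RC4_HMAC_MD5 | security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96` on the target computer deserves a comment on why RC4 is still advertised for this test rather than AES only.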