samba-mirror

mirror of https://github.com/samba-team/samba.git synced 2025-01-08 21:18:16 +03:00

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

91 lines

4.3 KiB

Bash

Raw Normal View History

CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`#!/bin/sh`

			`if [ $# -lt 5 ]; then`
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`cat <<EOF`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`Usage: test_kinit.sh SERVER USERNAME PASSWORD REALM DOMAIN PREFIX`
			`EOF`
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`exit 1`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`fi`

			`SERVER=$1`
			`USERNAME=$2`
			`PASSWORD=$3`
			`REALM=$4`
			`DOMAIN=$5`
selftest: test forwardable flag in cross-realm with s4u2proxy Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2020-05-09 17:26:45 +03:00			`TRUST_SERVER=$6`
			`TRUST_USERNAME=$7`
			`TRUST_PASSWORD=$8`
			`TRUST_REALM=$9`
			`TRUST_DOMAIN=${10}`
			`PREFIX=${11}`
			`shift 11`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`failed=0`

			`samba_tool="$VALGRIND $PYTHON $BINDIR/samba-tool"`

testprogs: Consistantly use kinit -c $KRB5CCNAME We want to be really clear which credentials cache we use. The kerberos_kinit() shell function uses this internally. -c is the common option between MIT and Heimdal, and is equivilant to --cache Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Jul 5 23:51:43 UTC 2021 on sn-devel-184 2020-04-03 17:29:36 +03:00			`samba4kinit_binary=kinit`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`if test -x $BINDIR/samba4kinit; then`
testprogs: Consistantly use kinit -c $KRB5CCNAME We want to be really clear which credentials cache we use. The kerberos_kinit() shell function uses this internally. -c is the common option between MIT and Heimdal, and is equivilant to --cache Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Jul 5 23:51:43 UTC 2021 on sn-devel-184 2020-04-03 17:29:36 +03:00			`samba4kinit_binary=$BINDIR/samba4kinit`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`fi`

			`samba4kgetcred=kgetcred`
			`if test -x $BINDIR/samba4kgetcred; then`
			`samba4kgetcred=$BINDIR/samba4kgetcred`
			`fi`

testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`. $(dirname $0)/subunit.sh`
			`. $(dirname $0)/common_test_fns.inc`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
			`ocache="$PREFIX/tmpoutcache"`
			`KRB5CCNAME_PATH="$PREFIX/tmpccache"`
			`KRB5CCNAME="FILE:$KRB5CCNAME_PATH"`
testprogs: Consistantly use kinit -c $KRB5CCNAME We want to be really clear which credentials cache we use. The kerberos_kinit() shell function uses this internally. -c is the common option between MIT and Heimdal, and is equivilant to --cache Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Mon Jul 5 23:51:43 UTC 2021 on sn-devel-184 2020-04-03 17:29:36 +03:00			`samba4kinit="$samba4kinit_binary -c $KRB5CCNAME"`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`export KRB5CCNAME`
			`rm -rf $KRB5CCNAME_PATH`

			`princ=test_impersonate_princ`
selftest: test forwardable flag in cross-realm with s4u2proxy Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2020-05-09 17:26:45 +03:00			`impersonator=test_impersonator.$REALM`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`target="CIFS/$SERVER.$REALM"`

testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "add impersonator principal" $samba_tool user add $impersonator $PASSWORD \|\| failed=$(expr $failed + 1)`
			`testit "become a service" $samba_tool spn add "HOST/$impersonator" $impersonator \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "set TrustedToAuthForDelegation" $samba_tool delegation for-any-protocol $impersonator on \|\| failed=$(expr $failed + 1)`
			`testit "add msDS-AllowedToDelegateTo" $samba_tool delegation add-service $impersonator $target \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "add a new principal" $samba_tool user add $princ --random-password \|\| failed=$(expr $failed + 1)`
			`testit "set not-delegated flag" $samba_tool user sensitive $princ on \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`echo $PASSWORD >$PREFIX/tmppassfile`
			`testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator \|\| failed=$(expr $failed + 1)`
			`testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "test S4U2Self with sensitive user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator \|\| failed=$(expr $failed + 1)`
			`testit_expect_failure "test S4U2Proxy with sensitive user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
			`rm -f $ocache`
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "unset not-delegated flag" $samba_tool user sensitive $princ off \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator \|\| failed=$(expr $failed + 1)`
			`testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target \|\| failed=$(expr $failed + 1)`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME \|\| failed=$(expr $failed + 1)`
			`testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator \|\| failed=$(expr $failed + 1)`
			`testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target \|\| failed=$(expr $failed + 1)`
selftest: test forwardable flag in cross-realm with s4u2proxy Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2020-05-09 17:26:45 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`echo $TRUST_PASSWORD >$PREFIX/tmppassfile`
			`testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM \|\| failed=$(expr $failed + 1)`
			`testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator \|\| failed=$(expr $failed + 1)`
			`testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target \|\| failed=$(expr $failed + 1)`
selftest: add test for disallowed-forwardable server BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2020-01-19 18:24:24 +03:00
testprogs: Reformat test_s4u_heimdal.sh shfmt -w -p -i 0 -fn testprogs/blackbox/test_s4u_heimdal.sh Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Pavel Filipenský <pfilipensky@samba.org> 2022-04-22 16:46:05 +03:00			`echo $PASSWORD >$PREFIX/tmppassfile`
			`testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on \|\| failed=$(expr $failed + 1)`
			`testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME \|\| failed=$(expr $failed + 1)`
			`testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator \|\| failed=$(expr $failed + 1)`
			`testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target \|\| failed=$(expr $failed + 1)`
selftest: add test for disallowed-forwardable server BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris <iboukris@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 2020-01-19 18:24:24 +03:00
			`rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile`
CVE-2019-14870: heimdal: add S4U test for delegation_not_allowed Signed-off-by: Isaac Boukris <iboukris@gmail.com> 2019-10-30 17:59:16 +03:00			`exit $failed`

91 lines 4.3 KiB Bash Raw Normal View History Unescape Escape

91 lines

4.3 KiB

Bash

Raw Normal View History