2005-07-04 06:36:16 +04:00
/*
Unix SMB / CIFS implementation .
Validate the krb5 pac generation routines
Copyright ( C ) Andrew Bartlett < abartlet @ samba . org > 2005
This program is free software ; you can redistribute it and / or modify
it under the terms of the GNU General Public License as published by
2007-07-10 06:07:03 +04:00
the Free Software Foundation ; either version 3 of the License , or
2005-07-04 06:36:16 +04:00
( at your option ) any later version .
This program is distributed in the hope that it will be useful ,
but WITHOUT ANY WARRANTY ; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE . See the
GNU General Public License for more details .
You should have received a copy of the GNU General Public License
2007-07-10 06:07:03 +04:00
along with this program . If not , see < http : //www.gnu.org/licenses/>.
2005-07-04 06:36:16 +04:00
*/
# include "includes.h"
# include "system/kerberos.h"
# include "auth/auth.h"
# include "auth/kerberos/kerberos.h"
# include "librpc/gen_ndr/ndr_krb5pac.h"
2006-01-03 20:27:33 +03:00
# include "samba3/samba3.h"
2006-04-02 16:02:01 +04:00
# include "libcli/security/security.h"
2006-03-25 19:01:28 +03:00
# include "torture/torture.h"
2005-07-04 07:34:56 +04:00
2006-10-16 17:06:41 +04:00
static bool torture_pac_self_check ( struct torture_context * tctx )
2005-07-04 06:36:16 +04:00
{
NTSTATUS nt_status ;
DATA_BLOB tmp_blob ;
2005-08-05 04:41:53 +04:00
struct PAC_DATA * pac_data ;
2005-08-07 03:07:21 +04:00
struct PAC_LOGON_INFO * logon_info ;
union netr_Validation validation ;
2005-07-04 06:36:16 +04:00
/* Generate a nice, arbitary keyblock */
uint8_t server_bytes [ 16 ] ;
uint8_t krbtgt_bytes [ 16 ] ;
krb5_keyblock server_keyblock ;
krb5_keyblock krbtgt_keyblock ;
krb5_error_code ret ;
struct smb_krb5_context * smb_krb5_context ;
struct auth_serversupplied_info * server_info ;
2005-08-07 03:07:21 +04:00
struct auth_serversupplied_info * server_info_out ;
2005-07-04 06:36:16 +04:00
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_principal client_principal ;
time_t logon_time = time ( NULL ) ;
2006-10-16 17:06:41 +04:00
TALLOC_CTX * mem_ctx = tctx ;
2007-05-17 12:47:04 +04:00
torture_assert ( tctx , 0 = = smb_krb5_init_context ( mem_ctx ,
NULL ,
2007-12-03 02:28:22 +03:00
tctx - > lp_ctx ,
2007-05-17 12:47:04 +04:00
& smb_krb5_context ) ,
2006-11-10 05:41:00 +03:00
" smb_krb5_init_context " ) ;
2005-07-04 06:36:16 +04:00
generate_random_buffer ( server_bytes , 16 ) ;
generate_random_buffer ( krbtgt_bytes , 16 ) ;
ret = krb5_keyblock_init ( smb_krb5_context - > krb5_context ,
ENCTYPE_ARCFOUR_HMAC ,
server_bytes , sizeof ( server_bytes ) ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_assert ( tctx , ! ret , talloc_asprintf ( tctx ,
2006-11-10 05:41:00 +03:00
" (self test) Server Keyblock encoding failed: %s " ,
smb_get_krb5_error_message ( smb_krb5_context - > krb5_context ,
ret , mem_ctx ) ) ) ;
2005-07-04 06:36:16 +04:00
ret = krb5_keyblock_init ( smb_krb5_context - > krb5_context ,
ENCTYPE_ARCFOUR_HMAC ,
krbtgt_bytes , sizeof ( krbtgt_bytes ) ,
& krbtgt_keyblock ) ;
if ( ret ) {
2006-10-16 17:06:41 +04:00
char * err = smb_get_krb5_error_message ( smb_krb5_context - > krb5_context ,
2006-11-10 05:41:00 +03:00
ret , mem_ctx ) ;
2005-08-07 03:07:21 +04:00
2005-07-04 06:36:16 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx ,
2006-11-10 05:41:00 +03:00
" (self test) KRBTGT Keyblock encoding failed: %s " , err ) ) ;
2005-07-04 06:36:16 +04:00
}
/* We need an input, and this one requires no underlying database */
2007-12-03 17:53:28 +03:00
nt_status = auth_anonymous_server_info ( mem_ctx , lp_netbios_name ( tctx - > lp_ctx ) , & server_info ) ;
2005-07-04 06:36:16 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " auth_anonymous_server_info " ) ;
2005-07-04 06:36:16 +04:00
}
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
2006-11-07 09:59:56 +03:00
ret = krb5_parse_name_flags ( smb_krb5_context - > krb5_context ,
server_info - > account_name ,
KRB5_PRINCIPAL_PARSE_NO_REALM ,
& client_principal ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
if ( ret ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
2006-11-07 09:59:56 +03:00
torture_fail ( tctx , " krb5_parse_name_flags(norealm) " ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
}
2005-07-04 06:36:16 +04:00
/* OK, go ahead and make a PAC */
2006-10-16 17:06:41 +04:00
ret = kerberos_create_pac ( mem_ctx , server_info ,
2005-07-04 06:36:16 +04:00
smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ,
& server_keyblock ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
client_principal ,
logon_time ,
2005-07-04 06:36:16 +04:00
& tmp_blob ) ;
if ( ret ) {
2005-07-09 05:58:38 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
2005-07-04 06:36:16 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context ,
client_principal ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx ,
2006-11-10 05:41:00 +03:00
" (self test) PAC encoding failed: %s " ,
smb_get_krb5_error_message ( smb_krb5_context - > krb5_context ,
ret , mem_ctx ) ) ) ;
2005-07-04 06:36:16 +04:00
}
2005-07-04 19:42:08 +04:00
2005-07-05 10:13:12 +04:00
dump_data ( 10 , tmp_blob . data , tmp_blob . length ) ;
2005-07-04 19:42:08 +04:00
2005-07-04 06:36:16 +04:00
/* Now check that we can read it back */
2006-10-16 17:06:41 +04:00
nt_status = kerberos_decode_pac ( mem_ctx , & pac_data ,
2005-07-04 06:36:16 +04:00
tmp_blob ,
2005-08-27 16:23:37 +04:00
smb_krb5_context - > krb5_context ,
2005-07-09 05:58:38 +04:00
& krbtgt_keyblock ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
& server_keyblock ,
client_principal ,
2005-11-07 05:29:37 +03:00
logon_time , NULL ) ;
2005-07-09 05:58:38 +04:00
2005-08-07 03:07:21 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context ,
client_principal ) ;
2005-08-07 03:07:21 +04:00
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx ,
2006-11-10 05:41:00 +03:00
" (self test) PAC decoding failed: %s " ,
nt_errstr ( nt_status ) ) ) ;
2005-08-07 03:07:21 +04:00
}
/* Now check that we can read it back */
2006-10-16 17:06:41 +04:00
nt_status = kerberos_pac_logon_info ( mem_ctx , & logon_info ,
2005-08-07 03:07:21 +04:00
tmp_blob ,
2005-08-27 16:23:37 +04:00
smb_krb5_context - > krb5_context ,
2005-08-07 03:07:21 +04:00
& krbtgt_keyblock ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
& server_keyblock ,
client_principal ,
2005-11-07 05:29:37 +03:00
logon_time ,
NULL ) ;
2005-08-07 03:07:21 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context ,
client_principal ) ;
2005-08-07 03:07:21 +04:00
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (self test) PAC decoding (for logon info) failed: %s " ,
nt_errstr ( nt_status ) ) ) ;
2005-08-07 03:07:21 +04:00
}
2005-07-09 05:58:38 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
2005-07-04 06:36:16 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context ,
client_principal ) ;
2005-07-04 06:36:16 +04:00
2005-08-07 03:07:21 +04:00
validation . sam3 = & logon_info - > info3 ;
2006-10-16 17:06:41 +04:00
nt_status = make_server_info_netlogon_validation ( mem_ctx ,
2005-08-07 03:07:21 +04:00
" " ,
3 , & validation ,
& server_info_out ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (self test) PAC decoding (make server info) failed: %s " ,
nt_errstr ( nt_status ) ) ) ;
2005-07-04 06:36:16 +04:00
}
2005-08-07 03:07:21 +04:00
if ( ! dom_sid_equal ( server_info - > account_sid ,
server_info_out - > account_sid ) ) {
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (self test) PAC Decode resulted in *different* domain SID: %s != %s " ,
dom_sid_string ( mem_ctx , server_info - > account_sid ) ,
dom_sid_string ( mem_ctx , server_info_out - > account_sid ) ) ) ;
2005-08-07 03:07:21 +04:00
}
2006-10-16 17:06:41 +04:00
return true ;
2005-07-04 06:36:16 +04:00
}
/* This is the PAC generated on my test network, by my test Win2k3 server.
- - abartlet 2005 - 07 - 04
2006-11-10 05:41:00 +03:00
*/
2005-07-04 06:36:16 +04:00
2005-08-26 15:42:21 +04:00
static const uint8_t saved_pac [ ] = {
2005-07-04 06:36:16 +04:00
0x04 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 , 0xd8 , 0x01 , 0x00 , 0x00 ,
0x48 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x0a , 0x00 , 0x00 , 0x00 , 0x20 , 0x00 , 0x00 , 0x00 ,
0x20 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x06 , 0x00 , 0x00 , 0x00 , 0x14 , 0x00 , 0x00 , 0x00 ,
0x40 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x07 , 0x00 , 0x00 , 0x00 , 0x14 , 0x00 , 0x00 , 0x00 ,
0x58 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x01 , 0x10 , 0x08 , 0x00 , 0xcc , 0xcc , 0xcc , 0xcc ,
0xc8 , 0x01 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x02 , 0x00 , 0x30 , 0xdf , 0xa6 , 0xcb ,
0x4f , 0x7d , 0xc5 , 0x01 , 0xff , 0xff , 0xff , 0xff , 0xff , 0xff , 0xff , 0x7f , 0xff , 0xff , 0xff , 0xff ,
0xff , 0xff , 0xff , 0x7f , 0xc0 , 0x3c , 0x4e , 0x59 , 0x62 , 0x73 , 0xc5 , 0x01 , 0xc0 , 0x3c , 0x4e , 0x59 ,
0x62 , 0x73 , 0xc5 , 0x01 , 0xff , 0xff , 0xff , 0xff , 0xff , 0xff , 0xff , 0x7f , 0x16 , 0x00 , 0x16 , 0x00 ,
0x04 , 0x00 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x08 , 0x00 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x0c , 0x00 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x10 , 0x00 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x14 , 0x00 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x18 , 0x00 , 0x02 , 0x00 , 0x65 , 0x00 , 0x00 , 0x00 ,
0xed , 0x03 , 0x00 , 0x00 , 0x04 , 0x02 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 , 0x1c , 0x00 , 0x02 , 0x00 ,
0x20 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x14 , 0x00 , 0x16 , 0x00 , 0x20 , 0x00 , 0x02 , 0x00 , 0x16 , 0x00 , 0x18 , 0x00 ,
0x24 , 0x00 , 0x02 , 0x00 , 0x28 , 0x00 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x21 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x01 , 0x00 , 0x00 , 0x00 , 0x2c , 0x00 , 0x02 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x0b , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x0b , 0x00 , 0x00 , 0x00 ,
0x57 , 0x00 , 0x32 , 0x00 , 0x30 , 0x00 , 0x30 , 0x00 , 0x33 , 0x00 , 0x46 , 0x00 , 0x49 , 0x00 , 0x4e , 0x00 ,
0x41 , 0x00 , 0x4c , 0x00 , 0x24 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x00 , 0x00 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 , 0x04 , 0x02 , 0x00 , 0x00 , 0x07 , 0x00 , 0x00 , 0x00 ,
0x0b , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x0a , 0x00 , 0x00 , 0x00 , 0x57 , 0x00 , 0x32 , 0x00 ,
0x30 , 0x00 , 0x30 , 0x00 , 0x33 , 0x00 , 0x46 , 0x00 , 0x49 , 0x00 , 0x4e , 0x00 , 0x41 , 0x00 , 0x4c , 0x00 ,
0x0c , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x0b , 0x00 , 0x00 , 0x00 , 0x57 , 0x00 , 0x49 , 0x00 ,
0x4e , 0x00 , 0x32 , 0x00 , 0x4b , 0x00 , 0x33 , 0x00 , 0x54 , 0x00 , 0x48 , 0x00 , 0x49 , 0x00 , 0x4e , 0x00 ,
0x4b , 0x00 , 0x00 , 0x00 , 0x04 , 0x00 , 0x00 , 0x00 , 0x01 , 0x04 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x05 ,
0x15 , 0x00 , 0x00 , 0x00 , 0x11 , 0x2f , 0xaf , 0xb5 , 0x90 , 0x04 , 0x1b , 0xec , 0x50 , 0x3b , 0xec , 0xdc ,
0x01 , 0x00 , 0x00 , 0x00 , 0x30 , 0x00 , 0x02 , 0x00 , 0x07 , 0x00 , 0x00 , 0x00 , 0x01 , 0x00 , 0x00 , 0x00 ,
0x01 , 0x01 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x05 , 0x09 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 , 0x00 ,
0x80 , 0x66 , 0x28 , 0xea , 0x37 , 0x80 , 0xc5 , 0x01 , 0x16 , 0x00 , 0x77 , 0x00 , 0x32 , 0x00 , 0x30 , 0x00 ,
0x30 , 0x00 , 0x33 , 0x00 , 0x66 , 0x00 , 0x69 , 0x00 , 0x6e , 0x00 , 0x61 , 0x00 , 0x6c , 0x00 , 0x24 , 0x00 ,
0x76 , 0xff , 0xff , 0xff , 0x37 , 0xd5 , 0xb0 , 0xf7 , 0x24 , 0xf0 , 0xd6 , 0xd4 , 0xec , 0x09 , 0x86 , 0x5a ,
0xa0 , 0xe8 , 0xc3 , 0xa9 , 0x00 , 0x00 , 0x00 , 0x00 , 0x76 , 0xff , 0xff , 0xff , 0xb4 , 0xd8 , 0xb8 , 0xfe ,
0x83 , 0xb3 , 0x13 , 0x3f , 0xfc , 0x5c , 0x41 , 0xad , 0xe2 , 0x64 , 0x83 , 0xe0 , 0x00 , 0x00 , 0x00 , 0x00
} ;
/* Check with a known 'well formed' PAC, from my test server */
2006-10-16 17:06:41 +04:00
static bool torture_pac_saved_check ( struct torture_context * tctx )
2005-07-04 06:36:16 +04:00
{
NTSTATUS nt_status ;
2007-11-09 21:24:51 +03:00
enum ndr_err_code ndr_err ;
2005-07-04 19:42:08 +04:00
DATA_BLOB tmp_blob , validate_blob ;
2005-10-24 11:11:40 +04:00
struct PAC_DATA * pac_data , pac_data2 ;
2005-08-07 03:07:21 +04:00
struct PAC_LOGON_INFO * logon_info ;
union netr_Validation validation ;
2005-08-25 06:07:51 +04:00
const char * pac_file , * pac_kdc_key , * pac_member_key ;
2005-08-07 03:07:21 +04:00
struct auth_serversupplied_info * server_info_out ;
2005-07-04 06:36:16 +04:00
krb5_keyblock server_keyblock ;
2005-07-09 05:58:38 +04:00
krb5_keyblock krbtgt_keyblock ;
2005-08-25 06:07:51 +04:00
struct samr_Password * krbtgt_bytes , * krbsrv_bytes ;
2005-07-04 06:36:16 +04:00
krb5_error_code ret ;
struct smb_krb5_context * smb_krb5_context ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
const char * principal_string ;
2007-04-12 08:01:42 +04:00
char * broken_principal_string ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_principal client_principal ;
const char * authtime_string ;
time_t authtime ;
2006-10-16 17:06:41 +04:00
TALLOC_CTX * mem_ctx = tctx ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
2007-05-17 12:47:04 +04:00
torture_assert ( tctx , 0 = = smb_krb5_init_context ( mem_ctx , NULL ,
2007-12-03 02:28:22 +03:00
tctx - > lp_ctx ,
2007-05-17 12:47:04 +04:00
& smb_krb5_context ) ,
2006-11-10 05:41:00 +03:00
" smb_krb5_init_context " ) ;
2005-07-04 06:36:16 +04:00
2006-10-16 17:06:41 +04:00
pac_kdc_key = torture_setting_string ( tctx , " pac_kdc_key " ,
2006-11-10 05:41:00 +03:00
" B286757148AF7FD252C53603A150B7E7 " ) ;
2005-08-25 06:07:51 +04:00
2006-10-16 17:06:41 +04:00
pac_member_key = torture_setting_string ( tctx , " pac_member_key " ,
2006-11-10 05:41:00 +03:00
" D217FAEAE5E6B5F95CCC94077AB8A5FC " ) ;
2005-08-25 06:07:51 +04:00
2006-10-16 17:06:41 +04:00
torture_comment ( tctx , " Using pac_kdc_key '%s' \n " , pac_kdc_key ) ;
torture_comment ( tctx , " Using pac_member_key '%s' \n " , pac_member_key ) ;
2005-08-25 06:07:51 +04:00
2005-07-27 04:25:17 +04:00
/* The krbtgt key in use when the above PAC was generated.
* This is an arcfour - hmac - md5 key , extracted with our ' net
* samdump ' tool . */
2006-10-16 17:06:41 +04:00
krbtgt_bytes = smbpasswd_gethexpwd ( mem_ctx , pac_kdc_key ) ;
2005-07-09 05:58:38 +04:00
if ( ! krbtgt_bytes ) {
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " (saved test) Could not interpret krbtgt key " ) ;
2005-07-09 05:58:38 +04:00
}
2006-10-16 17:06:41 +04:00
krbsrv_bytes = smbpasswd_gethexpwd ( mem_ctx , pac_member_key ) ;
2005-08-25 06:07:51 +04:00
if ( ! krbsrv_bytes ) {
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " (saved test) Could not interpret krbsrv key " ) ;
2005-08-25 06:07:51 +04:00
}
2005-07-04 06:36:16 +04:00
ret = krb5_keyblock_init ( smb_krb5_context - > krb5_context ,
ENCTYPE_ARCFOUR_HMAC ,
2005-08-25 06:07:51 +04:00
krbsrv_bytes - > hash , sizeof ( krbsrv_bytes - > hash ) ,
2005-07-04 06:36:16 +04:00
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_assert ( tctx , ! ret ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (saved test) Server Keyblock encoding failed: %s " ,
smb_get_krb5_error_message ( smb_krb5_context - > krb5_context ,
ret , mem_ctx ) ) ) ;
2005-07-04 06:36:16 +04:00
2005-07-09 05:58:38 +04:00
ret = krb5_keyblock_init ( smb_krb5_context - > krb5_context ,
ENCTYPE_ARCFOUR_HMAC ,
krbtgt_bytes - > hash , sizeof ( krbtgt_bytes - > hash ) ,
& krbtgt_keyblock ) ;
if ( ret ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (saved test) Server Keyblock encoding failed: %s " ,
smb_get_krb5_error_message ( smb_krb5_context - > krb5_context ,
ret , mem_ctx ) ) ) ;
2005-07-09 05:58:38 +04:00
}
2006-10-16 17:06:41 +04:00
pac_file = torture_setting_string ( tctx , " pac_file " , NULL ) ;
2005-08-25 06:07:51 +04:00
if ( pac_file ) {
2006-10-16 17:06:41 +04:00
tmp_blob . data = ( uint8_t * ) file_load ( pac_file , & tmp_blob . length , mem_ctx ) ;
torture_comment ( tctx , " (saved test) Loaded pac of size %ld from %s \n " , ( long ) tmp_blob . length , pac_file ) ;
2005-08-25 06:07:51 +04:00
} else {
2006-10-16 17:06:41 +04:00
tmp_blob = data_blob_talloc ( mem_ctx , saved_pac , sizeof ( saved_pac ) ) ;
2005-08-25 06:07:51 +04:00
}
2005-08-07 03:07:21 +04:00
2005-07-05 10:13:12 +04:00
dump_data ( 10 , tmp_blob . data , tmp_blob . length ) ;
2005-07-04 19:42:08 +04:00
2006-10-16 17:06:41 +04:00
principal_string = torture_setting_string ( tctx , " pac_client_principal " ,
2006-11-10 05:41:00 +03:00
" w2003final$@WIN2K3.THINKER.LOCAL " ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
2006-10-16 17:06:41 +04:00
authtime_string = torture_setting_string ( tctx , " pac_authtime " , " 1120440609 " ) ;
authtime = strtoull ( authtime_string , NULL , 0 ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
ret = krb5_parse_name ( smb_krb5_context - > krb5_context , principal_string ,
& client_principal ) ;
if ( ret ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (saved test) parsing of client principal [%s] failed: %s " ,
principal_string ,
smb_get_krb5_error_message ( smb_krb5_context - > krb5_context , ret , mem_ctx ) ) ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
}
2005-07-04 06:36:16 +04:00
/* Decode and verify the signaure on the PAC */
2006-10-16 17:06:41 +04:00
nt_status = kerberos_decode_pac ( mem_ctx , & pac_data ,
2005-07-04 06:36:16 +04:00
tmp_blob ,
2005-08-28 05:54:27 +04:00
smb_krb5_context - > krb5_context ,
2005-07-09 05:58:38 +04:00
& krbtgt_keyblock ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
& server_keyblock ,
2005-11-07 05:29:37 +03:00
client_principal , authtime , NULL ) ;
2005-07-09 05:58:38 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
2005-08-05 04:41:53 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx ,
2006-11-10 05:41:00 +03:00
" (saved test) PAC decoding failed: %s " ,
nt_errstr ( nt_status ) ) ) ;
2005-07-04 06:36:16 +04:00
}
2005-07-04 19:42:08 +04:00
2005-08-07 03:07:21 +04:00
/* Parse the PAC again, for the logon info this time */
2006-10-16 17:06:41 +04:00
nt_status = kerberos_pac_logon_info ( mem_ctx , & logon_info ,
2005-08-07 03:07:21 +04:00
tmp_blob ,
2005-08-28 05:54:27 +04:00
smb_krb5_context - > krb5_context ,
2005-08-07 03:07:21 +04:00
& krbtgt_keyblock ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
& server_keyblock ,
2005-11-07 05:29:37 +03:00
client_principal , authtime , NULL ) ;
2005-08-07 03:07:21 +04:00
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (saved test) PAC decoding (for logon info) failed: %s " ,
nt_errstr ( nt_status ) ) ) ;
2005-08-07 03:07:21 +04:00
}
validation . sam3 = & logon_info - > info3 ;
2006-10-16 17:06:41 +04:00
nt_status = make_server_info_netlogon_validation ( mem_ctx ,
2005-08-07 03:07:21 +04:00
" " ,
3 , & validation ,
& server_info_out ) ;
if ( ! NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
2006-11-10 05:41:00 +03:00
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2005-08-07 03:07:21 +04:00
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (saved test) PAC decoding (make server info) failed: %s " ,
nt_errstr ( nt_status ) ) ) ;
2005-08-07 03:07:21 +04:00
}
2005-08-25 09:00:52 +04:00
if ( ! pac_file & &
2006-10-16 17:06:41 +04:00
! dom_sid_equal ( dom_sid_parse_talloc ( mem_ctx ,
2006-11-10 05:41:00 +03:00
" S-1-5-21-3048156945-3961193616-3706469200-1005 " ) ,
2005-08-07 03:07:21 +04:00
server_info_out - > account_sid ) ) {
2005-08-07 03:25:00 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2005-08-07 03:25:00 +04:00
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (saved test) PAC Decode resulted in *different* domain SID: %s != %s " ,
" S-1-5-21-3048156945-3961193616-3706469200-1005 " ,
dom_sid_string ( mem_ctx , server_info_out - > account_sid ) ) ) ;
2005-08-07 03:07:21 +04:00
}
2006-10-16 17:06:41 +04:00
ret = kerberos_encode_pac ( mem_ctx ,
2005-08-05 04:41:53 +04:00
pac_data ,
smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ,
& server_keyblock ,
& validate_blob ) ;
2005-07-04 19:42:08 +04:00
2005-08-05 04:41:53 +04:00
if ( ret ! = 0 ) {
2005-08-07 03:25:00 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2005-08-07 03:25:00 +04:00
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " (saved test) PAC push failed " ) ;
2005-07-04 19:42:08 +04:00
}
2006-06-12 23:02:38 +04:00
dump_data ( 10 , validate_blob . data , validate_blob . length ) ;
2005-07-04 19:42:08 +04:00
2005-07-27 04:25:17 +04:00
/* compare both the length and the data bytes after a
* pull / push cycle . This ensures we use the exact same
* pointer , padding etc algorithms as win2k3 .
2005-07-04 21:04:36 +04:00
*/
if ( tmp_blob . length ! = validate_blob . length ) {
2005-08-07 03:25:00 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2005-08-07 03:25:00 +04:00
2006-10-16 17:06:41 +04:00
torture_fail ( tctx ,
2006-11-10 05:41:00 +03:00
talloc_asprintf ( tctx ,
" (saved test) PAC push failed: original buffer length[%u] != created buffer length[%u] " ,
( unsigned ) tmp_blob . length , ( unsigned ) validate_blob . length ) ) ;
2005-07-04 21:04:36 +04:00
}
2005-07-09 08:58:15 +04:00
if ( memcmp ( tmp_blob . data , validate_blob . data , tmp_blob . length ) ! = 0 ) {
2005-08-07 03:25:00 +04:00
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2005-08-07 03:25:00 +04:00
2005-09-10 14:59:49 +04:00
DEBUG ( 0 , ( " tmp_data: \n " ) ) ;
2005-10-24 11:11:40 +04:00
dump_data ( 0 , tmp_blob . data , tmp_blob . length ) ;
DEBUG ( 0 , ( " validate_blob: \n " ) ) ;
dump_data ( 0 , validate_blob . data , validate_blob . length ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx , " (saved test) PAC push failed: length[%u] matches, but data does not " , ( unsigned ) tmp_blob . length ) ) ;
2005-10-24 11:11:40 +04:00
}
2006-10-16 17:06:41 +04:00
ret = kerberos_create_pac ( mem_ctx ,
2005-10-24 11:11:40 +04:00
server_info_out ,
smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ,
& server_keyblock ,
client_principal , authtime ,
& validate_blob ) ;
if ( ret ! = 0 ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " (saved test) regnerated PAC create failed " ) ;
2005-10-24 11:11:40 +04:00
}
dump_data ( 10 , validate_blob . data , validate_blob . length ) ;
/* compare both the length and the data bytes after a
* pull / push cycle . This ensures we use the exact same
* pointer , padding etc algorithms as win2k3 .
*/
if ( tmp_blob . length ! = validate_blob . length ) {
2007-11-09 21:24:51 +03:00
ndr_err = ndr_pull_struct_blob ( & validate_blob , mem_ctx , & pac_data2 ,
( ndr_pull_flags_fn_t ) ndr_pull_PAC_DATA ) ;
nt_status = ndr_map_error2ntstatus ( ndr_err ) ;
2006-10-16 17:06:41 +04:00
torture_assert_ntstatus_ok ( tctx , nt_status , " can't parse the PAC " ) ;
2005-10-24 11:11:40 +04:00
NDR_PRINT_DEBUG ( PAC_DATA , pac_data ) ;
NDR_PRINT_DEBUG ( PAC_DATA , & pac_data2 ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx ,
2006-11-10 05:41:00 +03:00
" (saved test) PAC regenerate failed: original buffer length[%u] != created buffer length[%u] " ,
( unsigned ) tmp_blob . length , ( unsigned ) validate_blob . length ) ) ;
2005-10-24 11:11:40 +04:00
}
if ( memcmp ( tmp_blob . data , validate_blob . data , tmp_blob . length ) ! = 0 ) {
2007-11-09 21:24:51 +03:00
ndr_err = ndr_pull_struct_blob ( & validate_blob , mem_ctx , & pac_data2 ,
( ndr_pull_flags_fn_t ) ndr_pull_PAC_DATA ) ;
nt_status = ndr_map_error2ntstatus ( ndr_err ) ;
2006-10-16 17:06:41 +04:00
torture_assert_ntstatus_ok ( tctx , nt_status , " can't parse the PAC " ) ;
2005-10-24 11:11:40 +04:00
NDR_PRINT_DEBUG ( PAC_DATA , pac_data ) ;
NDR_PRINT_DEBUG ( PAC_DATA , & pac_data2 ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
DEBUG ( 0 , ( " tmp_data: \n " ) ) ;
2005-09-10 14:59:49 +04:00
dump_data ( 0 , tmp_blob . data , tmp_blob . length ) ;
DEBUG ( 0 , ( " validate_blob: \n " ) ) ;
dump_data ( 0 , validate_blob . data , validate_blob . length ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx ,
2006-11-10 05:41:00 +03:00
" (saved test) PAC regenerate failed: length[%u] matches, but data does not " , ( unsigned ) tmp_blob . length ) ) ;
2005-07-09 08:58:15 +04:00
}
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
/* Break the auth time, to ensure we check this vital detail (not setting this caused all the pain in the first place... */
2006-10-16 17:06:41 +04:00
nt_status = kerberos_decode_pac ( mem_ctx , & pac_data ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
tmp_blob ,
smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ,
& server_keyblock ,
client_principal ,
2005-11-07 05:29:37 +03:00
authtime + 1 , NULL ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
if ( NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " (saved test) PAC decoding DID NOT fail on broken auth time (time + 1) " ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
}
/* Break the client principal */
krb5_free_principal ( smb_krb5_context - > krb5_context , client_principal ) ;
2007-04-12 08:01:42 +04:00
broken_principal_string = talloc_strdup ( mem_ctx , principal_string ) ;
broken_principal_string [ 0 ] + + ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
ret = krb5_parse_name ( smb_krb5_context - > krb5_context ,
2007-04-12 08:01:42 +04:00
broken_principal_string , & client_principal ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
if ( ret ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , talloc_asprintf ( tctx ,
2007-04-12 08:01:42 +04:00
" (saved test) parsing of broken client principal failed: %s " ,
2006-11-10 05:41:00 +03:00
smb_get_krb5_error_message ( smb_krb5_context - > krb5_context , ret , mem_ctx ) ) ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
}
2006-10-16 17:06:41 +04:00
nt_status = kerberos_decode_pac ( mem_ctx , & pac_data ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
tmp_blob ,
smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ,
& server_keyblock ,
client_principal ,
2005-11-07 05:29:37 +03:00
authtime , NULL ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
if ( NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " (saved test) PAC decoding DID NOT fail on modified principal " ) ;
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
}
2005-08-07 03:25:00 +04:00
/* Finally... Bugger up the signature, and check we fail the checksum */
2005-08-11 02:27:55 +04:00
tmp_blob . data [ tmp_blob . length - 2 ] + + ;
2006-10-16 17:06:41 +04:00
nt_status = kerberos_decode_pac ( mem_ctx , & pac_data ,
2005-08-07 03:25:00 +04:00
tmp_blob ,
2005-08-28 05:54:27 +04:00
smb_krb5_context - > krb5_context ,
2005-08-07 03:25:00 +04:00
& krbtgt_keyblock ,
r10066: This is the second in my patches to work on Samba4's kerberos support,
with an aim to make the code simpiler and more correct.
Gone is the old (since the very early Samba 3.0 krb5 days) 'iterate over
all keytypes)' code in gensec_krb5, we now follow the approach used in
gensec_gssapi, and use a keytab.
I have also done a lot of work in the GSSAPI code, to try and reduce
the diff between us and upstream heimdal. It was becoming hard to
track patches in this code, and I also want this patch (the DCE_STYLE
support) to be in a 'manageable' state for when lha considers it for
merging. (metze assures me it still has memory leak problems, but
I've started to address some of that).
This patch also includes a simple update of other code to current
heimdal, as well as changes we need for better PAC verification.
On the PAC side of things we now match windows member servers by
checking the name and authtime on an incoming PAC. Not generating these
right was the cause of the PAC pain, and so now both the main code and
torture test validate this behaviour.
One thing doesn't work with this patch:
- the sealing of RPC pipes with kerberos, Samba -> Samba seems
broken. I'm pretty sure this is related to AES, and the need to break
apart the gss_wrap interface.
Andrew Bartlett
(This used to be commit a3aba57c00a9c5318f4706db55d03f64e8bea60c)
2005-09-08 01:52:50 +04:00
& server_keyblock ,
client_principal ,
2005-11-07 05:29:37 +03:00
authtime , NULL ) ;
2005-08-07 03:25:00 +04:00
if ( NT_STATUS_IS_OK ( nt_status ) ) {
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
torture_fail ( tctx , " (saved test) PAC decoding DID NOT fail on broken checksum " ) ;
2005-08-07 03:25:00 +04:00
}
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& krbtgt_keyblock ) ;
krb5_free_keyblock_contents ( smb_krb5_context - > krb5_context ,
& server_keyblock ) ;
2006-10-16 17:06:41 +04:00
return true ;
2005-07-04 06:36:16 +04:00
}
2006-10-29 20:40:19 +03:00
_PUBLIC_ struct torture_suite * torture_pac ( TALLOC_CTX * mem_ctx )
2005-07-04 06:36:16 +04:00
{
2006-10-16 17:06:41 +04:00
struct torture_suite * suite = torture_suite_create ( mem_ctx , " PAC " ) ;
2006-06-17 02:06:09 +04:00
2006-10-16 17:06:41 +04:00
torture_suite_add_simple_test ( suite , " self check " ,
2006-11-10 05:41:00 +03:00
torture_pac_self_check ) ;
2006-06-17 02:06:09 +04:00
2006-10-16 17:06:41 +04:00
torture_suite_add_simple_test ( suite , " saved check " ,
2006-11-10 05:41:00 +03:00
torture_pac_saved_check ) ;
2006-06-17 02:06:09 +04:00
2006-06-17 04:17:50 +04:00
return suite ;
2005-07-04 06:36:16 +04:00
}