sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-13 13:18:06 +03:00
Code
f8bfd607ca
samba-mirror/python/samba/tests/krb5/test_ldap.py

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

169 lines
6.1 KiB
Python
Raw Normal View History

python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Stefan Metzmacher 2020
# Copyright (C) 2021 Catalyst.Net Ltd
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports This allows the tests to be executed without an explicit PYTHONPATH="bin/python". BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Stefan Metzmacher <metze@samba.org> Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
2022-11-29 16:14:32 +03:00
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-29 05:07:07 +03:00
import ldb
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
from ldb import LdbError, ERR_OPERATIONS_ERROR, SCOPE_BASE, SCOPE_SUBTREE
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
from samba.dcerpc import security
from samba.ndr import ndr_unpack
from samba.samdb import SamDB
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
from samba import credentials
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
from samba.tests.krb5.kdc_base_test import KDCBaseTest
global_asn1_print = False
global_hexdump = False
class LdapTests(KDCBaseTest):
"""Test for LDAP authentication using Kerberos credentials stored in a
credentials cache file.
"""
def test_ldap(self):
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-29 05:07:07 +03:00
self._run_ldap_test()
def test_ldap_rename(self):
self._run_ldap_test(rename=True)
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
def test_ldap_no_pac(self):
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-29 05:07:07 +03:00
self._run_ldap_test(include_pac=False,
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
expect_anon=True, allow_error=True)
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-29 05:07:07 +03:00
def _run_ldap_test(self, rename=False, include_pac=True,
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
expect_anon=False, allow_error=False):
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
# user are stored.
tests/krb5/kdc_base_test.py: Create database connection only when needed Now the database connection is only created on its first use, which means database credentials are no longer required for tests that don't make use of it. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-06-16 02:04:00 +03:00
samdb = self.get_samdb()
mach_name = samdb.host_dns_name()
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
service = "ldap"
# Create the user account.
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-29 05:07:07 +03:00
user_credentials = self.get_cached_creds(
account_type=self.AccountType.USER,
use_cache=False)
user_name = user_credentials.get_username()
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service This allows us to use get_tgt() and get_service_ticket() to obtain tickets, which simplifies the logic. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-22 01:37:31 +03:00
mach_credentials = self.get_dc_creds()
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
# Talk to the KDC to obtain the service ticket, which gets placed into
# the cache. The machine account name has to match the name in the
# ticket, to ensure that the krbtgt ticket doesn't also need to be
# stored.
(creds, cachefile) = self.create_ccache_with_user(user_credentials,
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service This allows us to use get_tgt() and get_service_ticket() to obtain tickets, which simplifies the logic. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-22 01:37:31 +03:00
mach_credentials,
service,
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
mach_name,
pac=include_pac)
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
# Retrieve the user account's SID.
tests/krb5/kdc_base_test.py: Create database connection only when needed Now the database connection is only created on its first use, which means database credentials are no longer required for tests that don't make use of it. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-06-16 02:04:00 +03:00
ldb_res = samdb.search(scope=SCOPE_SUBTREE,
expression="(sAMAccountName=%s)" % user_name,
attrs=["objectSid"])
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
self.assertEqual(1, len(ldb_res))
sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-29 05:07:07 +03:00
if rename:
# Rename the account.
new_name = self.get_new_username()
msg = ldb.Message(user_credentials.get_dn())
msg['sAMAccountName'] = ldb.MessageElement(new_name,
ldb.FLAG_MOD_REPLACE,
'sAMAccountName')
samdb.modify(msg)
# Authenticate in-process to the machine account using the user's
# cached credentials.
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
# Connect to the machine account and retrieve the user SID.
try:
ldb_as_user = SamDB(url="ldap://%s" % mach_name,
credentials=creds,
lp=self.get_lp())
except LdbError as e:
if not allow_error:
self.fail()
enum, estr = e.args
self.assertEqual(ERR_OPERATIONS_ERROR, enum)
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-29 00:27:41 +03:00
self.assertIn('NT_STATUS_NO_IMPERSONATION_TOKEN', estr)
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
return
ldb_res = ldb_as_user.search('',
scope=SCOPE_BASE,
attrs=["tokenGroups"])
self.assertEqual(1, len(ldb_res))
token_groups = ldb_res[0]["tokenGroups"]
token_sid = ndr_unpack(security.dom_sid, token_groups[0])
if expect_anon:
# Ensure we got an anonymous token.
self.assertEqual(security.SID_NT_ANONYMOUS, str(token_sid))
token_sid = ndr_unpack(security.dom_sid, token_groups[1])
self.assertEqual(security.SID_NT_NETWORK, str(token_sid))
if len(token_groups) >= 3:
token_sid = ndr_unpack(security.dom_sid, token_groups[2])
self.assertEqual(security.SID_NT_THIS_ORGANISATION,
str(token_sid))
else:
# Ensure that they match.
self.assertEqual(sid, token_sid)
def test_ldap_anonymous(self):
samdb = self.get_samdb()
mach_name = samdb.host_dns_name()
anon_creds = credentials.Credentials()
anon_creds.set_anonymous()
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
# Connect to the machine account and retrieve the user SID.
ldb_as_user = SamDB(url="ldap://%s" % mach_name,
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
credentials=anon_creds,
tests/krb5/kdc_base_test.py: Create loadparm only when needed Now the .conf file is only loaded on its first use, which means that SMB_CONF_PATH need not be defined for tests that don't make use of it. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-06-16 02:40:41 +03:00
lp=self.get_lp())
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
ldb_res = ldb_as_user.search('',
scope=SCOPE_BASE,
attrs=["tokenGroups"])
self.assertEqual(1, len(ldb_res))
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
# Ensure we got an anonymous token.
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
token_sid = ndr_unpack(security.dom_sid, ldb_res[0]["tokenGroups"][0])
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-08-24 18:11:24 +03:00
self.assertEqual(security.SID_NT_ANONYMOUS, str(token_sid))
self.assertEqual(len(ldb_res[0]["tokenGroups"]), 1)
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
if __name__ == "__main__":
tests/krb5: Disable debugging output for tests This reduces the time spent running the tests in a testenv. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-08 01:48:41 +03:00
global_asn1_print = False
global_hexdump = False
python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-04-29 11:58:11 +03:00
import unittest
unittest.main()
Copy Permalink