1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

tests/krb5: Test that NT_STATUS_ACCOUNT_LOCKED_OUT is returned in KDC reply e-data

Certain clients rely on this behaviour.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Joseph Sutton 2022-12-01 15:35:56 +13:00 committed by Andrew Bartlett
parent 18b24f9572
commit 3424c6d20f
3 changed files with 92 additions and 24 deletions

View File

@ -89,7 +89,8 @@ def connect_kdc(pipe,
realm,
workstation,
dn,
expect_error=True):
expect_error=True,
expect_status=None):
AsReqBaseTest.setUpClass()
as_req_base = AsReqBaseTest()
as_req_base.setUp()
@ -131,14 +132,69 @@ def connect_kdc(pipe,
etypes = as_req_base.get_default_enctypes(user_creds)
# Remove the LDAP connection.
del type(as_req_base)._ldb
if expect_error:
expected_error_modes = (KDC_ERR_CLIENT_REVOKED,
KDC_ERR_PREAUTH_FAILED)
# Wrap generic_check_kdc_error() to expect an NTSTATUS code when the
# account is locked out.
def check_error_fn(kdc_exchange_dict,
callback_dict,
rep):
error_code = rep.get('error-code')
if error_code == KDC_ERR_CLIENT_REVOKED:
# The account was locked out.
if expect_status:
# Expect to get a LOCKED_OUT NTSTATUS code.
kdc_exchange_dict['expect_edata'] = True
kdc_exchange_dict['expect_status'] = True
kdc_exchange_dict['expected_status'] = (
ntstatus.NT_STATUS_ACCOUNT_LOCKED_OUT)
elif error_code == KDC_ERR_PREAUTH_FAILED:
# Just a wrong password: the account wasnt locked out. Dont
# expect an NTSTATUS code.
kdc_exchange_dict['expect_status'] = False
# Continue with the generic error-checking logic.
return as_req_base.generic_check_kdc_error(
kdc_exchange_dict,
callback_dict,
rep)
check_rep_fn = None
else:
expected_error_modes = 0
# Remove the LDAP connection.
del type(as_req_base)._ldb
check_error_fn = None
check_rep_fn = as_req_base.generic_check_kdc_rep
def _generate_padata_copy(_kdc_exchange_dict,
_callback_dict,
req_body):
return padata, req_body
kdc_exchange_dict = as_req_base.as_exchange_dict(
creds=user_creds,
expected_crealm=realm,
expected_cname=cname,
expected_srealm=realm,
expected_sname=sname,
expected_account_name=user_name,
expected_supported_etypes=krbtgt_supported_etypes,
ticket_decryption_key=krbtgt_decryption_key,
generate_padata_fn=_generate_padata_copy,
check_error_fn=check_error_fn,
check_rep_fn=check_rep_fn,
check_kdc_private_fn=as_req_base.generic_check_kdc_private,
expected_error_mode=expected_error_modes,
expected_salt=expected_salt,
preauth_key=preauth_key,
kdc_options=str(kdc_options),
pac_request=True)
# Indicate that we're ready. This ensures we hit the right transaction
# lock.
@ -148,28 +204,15 @@ def connect_kdc(pipe,
if not pipe.poll(timeout=5):
raise AssertionError('main process failed to indicate readiness')
# Try making a Kerberos AS-REQ to the KDC. This should fail, either due to
# Try making a Kerberos AS-REQ to the KDC. This might fail, either due to
# the user's account being locked out or due to using the wrong password.
as_rep, kdc_exchange_dict = as_req_base._test_as_exchange(
creds=user_creds,
cname=cname,
realm=realm,
sname=sname,
till=till,
expected_error_mode=expected_error_modes,
expected_crealm=realm,
expected_cname=cname,
expected_srealm=realm,
expected_sname=sname,
expected_salt=expected_salt,
etypes=etypes,
padata=padata,
kdc_options=kdc_options,
expected_supported_etypes=krbtgt_supported_etypes,
expected_account_name=user_name,
preauth_key=preauth_key,
ticket_decryption_key=krbtgt_decryption_key,
pac_request=True)
as_rep = as_req_base._generic_kdc_exchange(kdc_exchange_dict,
cname=cname,
realm=realm,
sname=sname,
till_time=till,
etypes=etypes)
as_req_base.assertIsNotNone(as_rep)
msg_type = as_rep['msg-type']
@ -564,6 +607,9 @@ class LockoutTests(KDCBaseTest):
def test_lockout_transaction_kdc(self):
self.do_lockout_transaction(connect_kdc)
def test_lockout_transaction_kdc_ntstatus(self):
self.do_lockout_transaction(partial(connect_kdc, expect_status=True))
def test_lockout_transaction_ntlm(self):
self.do_lockout_transaction(connect_ntlm)
@ -588,6 +634,10 @@ class LockoutTests(KDCBaseTest):
def test_lockout_transaction_rename_kdc(self):
self.do_lockout_transaction(connect_kdc, rename=True)
def test_lockout_transaction_rename_kdc_ntstatus(self):
self.do_lockout_transaction(partial(connect_kdc, expect_status=True),
rename=True)
def test_lockout_transaction_rename_ntlm(self):
self.do_lockout_transaction(connect_ntlm, rename=True)
@ -597,6 +647,10 @@ class LockoutTests(KDCBaseTest):
def test_lockout_transaction_bad_pwd_kdc(self):
self.do_lockout_transaction(connect_kdc, correct_pw=False)
def test_lockout_transaction_bad_pwd_kdc_ntstatus(self):
self.do_lockout_transaction(partial(connect_kdc, expect_status=True),
correct_pw=False)
def test_lockout_transaction_bad_pwd_ntlm(self):
self.do_lockout_transaction(connect_ntlm, correct_pw=False)
@ -640,6 +694,9 @@ class LockoutTests(KDCBaseTest):
def test_lockout_race_kdc(self):
self.do_lockout_race(connect_kdc)
def test_lockout_race_kdc_ntstatus(self):
self.do_lockout_race(partial(connect_kdc, expect_status=True))
def test_lockout_race_ntlm(self):
self.do_lockout_race(connect_ntlm)

View File

@ -57,6 +57,13 @@
#
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
#
# Lockout tests
#
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc_ntstatus.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_bad_pwd_kdc_ntstatus.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc_ntstatus.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc_ntstatus.ad_dc:local
#
# Group tests
#
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_compression_tgs_req_to_service.ad_dc

View File

@ -480,9 +480,13 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_bad_pwd_count_transaction_rename_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_race_kdc_ntstatus.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_bad_pwd_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_bad_pwd_kdc_ntstatus.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc_ntstatus.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc_ntstatus.ad_dc:local
#
# Encryption type tests
#