tests/krb5: Add tests for single‐component krbtgt principals
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
parent
f266f5c670
commit
3917a1995c
@ -529,6 +529,23 @@ class AsReqKerberosTests(AsReqBaseTest):
|
||||
sname=wrong_krbtgt_princ,
|
||||
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
|
||||
|
||||
def test_krbtgt_single_component_krbtgt(self):
|
||||
"""Test that we can make a request to the single‐component krbtgt
|
||||
principal."""
|
||||
|
||||
client_creds = self.get_client_creds()
|
||||
|
||||
# Create a krbtgt principal with a single component.
|
||||
single_component_krbtgt_principal = self.PrincipalName_create(
|
||||
name_type=NT_SRV_INST,
|
||||
names=['krbtgt'])
|
||||
|
||||
self._run_as_req_enc_timestamp(
|
||||
client_creds,
|
||||
sname=single_component_krbtgt_principal,
|
||||
# Don’t ask for canonicalization.
|
||||
kdc_options=0)
|
||||
|
||||
# Test that we can make a request for a ticket expiring post-2038.
|
||||
def test_future_till(self):
|
||||
client_creds = self.get_client_creds()
|
||||
|
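Review bot: The new test_krbtgt_single_component_krbtgt at L22 never inspects the sname of the ticket the KDC issues, so it cannot distinguish a KDC that honours the single-component request from one that silently canonicalises it to krbtgt/REALM despite kdc_options=0. If _run_as_req_enc_timestamp returns the decoded reply (not visible here), an assertion of the form `self.assertEqual(single_component_krbtgt_principal, as_rep.ticket.sname)` would pin the behaviour the docstring describes; otherwise the docstring should say that only a successful exchange is being checked. This test also builds the principal with NT_SRV_INST while the TGS tests added in the same commit use NT_PRINCIPAL for the same 'krbtgt' name, and nothing records whether that difference is deliberate coverage of both name types; a one-line comment such as `# NT_SRV_INST here; the TGS tests cover the NT_PRINCIPAL form.` would make the intent clear. The class the method belongs to starts outside this hunk.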
@ -2793,7 +2793,11 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
|
||||
unexpected_client_claims=None,
|
||||
expected_device_claims=None,
|
||||
unexpected_device_claims=None,
|
||||
pac_request=True, expect_pac=True, fresh=False):
|
||||
pac_request=True, expect_pac=True,
|
||||
expect_requester_sid=None,
|
||||
expect_pac_attrs=None,
|
||||
expect_pac_attrs_pac_request=None,
|
||||
fresh=False):
|
||||
user_name = tgt.cname['name-string'][0]
|
||||
ticket_sname = tgt.sname
|
||||
if target_name is None:
|
||||
@ -2812,7 +2816,10 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
|
||||
str(unexpected_client_claims),
|
||||
str(expected_device_claims),
|
||||
str(unexpected_device_claims),
|
||||
expect_pac)
|
||||
expect_pac,
|
||||
expect_requester_sid,
|
||||
expect_pac_attrs,
|
||||
expect_pac_attrs_pac_request)
|
||||
|
||||
if not fresh:
|
||||
ticket = self.tkt_cache.get(cache_key)
|
||||
@ -2860,6 +2867,9 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
|
||||
kdc_options=kdc_options,
|
||||
pac_request=pac_request,
|
||||
expect_pac=expect_pac,
|
||||
expect_requester_sid=expect_requester_sid,
|
||||
expect_pac_attrs=expect_pac_attrs,
|
||||
expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
|
||||
rc4_support=rc4_support,
|
||||
to_rodc=to_rodc)
|
||||
|
||||
|
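Review bot: The three new keyword parameters at L97–L103 are inserted ahead of `fresh`, which shifts the positional index of `fresh` for any caller that passes it positionally; this is safe only if every caller uses keywords, which the hunk does not show, so either appending them after `fresh` or confirming the call sites is warranted. The parameters also arrive undocumented: their None defaults suggest "leave this PAC buffer unchecked" (the tests pass True to assert presence), but that convention is inferred, so a comment near the signature such as `# expect_requester_sid / expect_pac_attrs / expect_pac_attrs_pac_request: None skips the check, True/False asserts the buffer's presence` would help the next reader. The cache key at L136–L142 adds the raw values alongside `expect_pac`, consistent with the existing entry, so cached TGTs obtained under different expectations are kept apart as intended. The def of this method begins before the first hunk and its docstring, if any, is not visible here.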
@ -2113,6 +2113,120 @@ class KdcTgsTests(KdcTgsBaseTests):
|
||||
expected_error=(KDC_ERR_POLICY,
|
||||
KDC_ERR_S_PRINCIPAL_UNKNOWN))
|
||||
|
||||
def test_single_component_krbtgt_requester_sid_as_req(self):
|
||||
"""Test that TGTs issued to a single‐component krbtgt principal always
|
||||
contain a requester SID PAC buffer.
|
||||
"""
|
||||
|
||||
creds = self._get_creds()
|
||||
|
||||
# Create a single‐component principal of the form ‘krbtgt@REALM’.
|
||||
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=['krbtgt'])
|
||||
|
||||
# Don’t request canonicalization.
|
||||
kdc_options = 'forwardable,renewable,renewable-ok'
|
||||
|
||||
# Get a TGT and assert that the requester SID PAC buffer is present.
|
||||
self.get_tgt(creds,
|
||||
sname=sname,
|
||||
kdc_options=kdc_options,
|
||||
expect_requester_sid=True)
|
||||
|
||||
def test_single_component_krbtgt_requester_sid_tgs_req(self):
|
||||
"""Test that TGTs issued to a single‐component krbtgt principal always
|
||||
contain a requester SID PAC buffer.
|
||||
"""
|
||||
|
||||
creds = self._get_creds()
|
||||
tgt = self.get_tgt(creds)
|
||||
|
||||
# Create a single‐component principal of the form ‘krbtgt@REALM’.
|
||||
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=['krbtgt'])
|
||||
|
||||
# Don’t request canonicalization.
|
||||
kdc_options = '0'
|
||||
|
||||
# Get a TGT and assert that the requester SID PAC buffer is present.
|
||||
self.get_service_ticket(tgt,
|
||||
self.get_krbtgt_creds(),
|
||||
sname=sname,
|
||||
kdc_options=kdc_options,
|
||||
expect_requester_sid=True)
|
||||
|
||||
def test_single_component_krbtgt_no_pac_as_req(self):
|
||||
"""Test that TGTs issued to a single‐component krbtgt principal always
|
||||
contain a PAC.
|
||||
"""
|
||||
|
||||
creds = self._get_creds()
|
||||
|
||||
# Create a single‐component principal of the form ‘krbtgt@REALM’.
|
||||
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=['krbtgt'])
|
||||
|
||||
# Don’t request canonicalization.
|
||||
kdc_options = 'forwardable,renewable,renewable-ok'
|
||||
|
||||
# Get a TGT and assert that the requester SID PAC buffer is present.
|
||||
self.get_tgt(creds,
|
||||
sname=sname,
|
||||
kdc_options=kdc_options,
|
||||
# Request that no PAC be issued.
|
||||
pac_request=False,
|
||||
# Ensure that a PAC is issued nonetheless.
|
||||
expect_pac=True)
|
||||
|
||||
def test_single_component_krbtgt_no_pac_tgs_req(self):
|
||||
"""Test that TGTs issued to a single‐component krbtgt principal always
|
||||
contain a PAC.
|
||||
"""
|
||||
|
||||
creds = self._get_creds()
|
||||
tgt = self.get_tgt(creds)
|
||||
|
||||
# Create a single‐component principal of the form ‘krbtgt@REALM’.
|
||||
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=['krbtgt'])
|
||||
|
||||
# Don’t request canonicalization.
|
||||
kdc_options = '0'
|
||||
|
||||
# Get a TGT and assert that the requester SID PAC buffer is present.
|
||||
self.get_service_ticket(tgt,
|
||||
self.get_krbtgt_creds(),
|
||||
sname=sname,
|
||||
kdc_options=kdc_options,
|
||||
# Request that no PAC be issued.
|
||||
pac_request=False,
|
||||
# Ensure that a PAC is issued nonetheless.
|
||||
expect_pac=True,
|
||||
expect_pac_attrs=True,
|
||||
expect_pac_attrs_pac_request=True)
|
||||
|
||||
def test_single_component_krbtgt_service_ticket(self):
|
||||
"""Test that TGTs issued to a single‐component krbtgt principal can be
|
||||
used to get service tickets.
|
||||
"""
|
||||
|
||||
creds = self._get_creds()
|
||||
|
||||
# Create a single‐component principal of the form ‘krbtgt@REALM’.
|
||||
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=['krbtgt'])
|
||||
|
||||
# Don’t request canonicalization.
|
||||
kdc_options = 'forwardable,renewable,renewable-ok'
|
||||
|
||||
# Get a TGT.
|
||||
tgt = self.get_tgt(creds,
|
||||
sname=sname,
|
||||
kdc_options=kdc_options)
|
||||
|
||||
# Ensure that we can use the TGT to get a service ticket.
|
||||
self._run_tgs(tgt, creds, expected_error=0)
|
||||
|
||||
def test_pac_attrs_none(self):
|
||||
creds = self._get_creds()
|
||||
self.get_tgt(creds, pac_request=None,
|
||||
|
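Review bot: The comments at L348 and L415 read "assert that the requester SID PAC buffer is present", but the tests they sit in (test_single_component_krbtgt_no_pac_as_req and _tgs_req) assert PAC presence via expect_pac=True and never mention the requester SID; the text was carried over from the requester-SID tests at L232 and L290. A corrected comment for both would be `# Get a TGT and assert that a PAC is issued even though none was requested.`. The security-relevant property these tests pin — that a TGT for the single-component krbtgt name cannot be obtained without a PAC or without a requester SID, which are what downstream checks rely on — deserves a sentence in the docstrings at L313 and L377, e.g. "A PAC-less TGT would bypass PAC-based authorisation checks". The asymmetry between the AS-REQ variant (no expect_pac_attrs) and the TGS-REQ variant (expect_pac_attrs=True, expect_pac_attrs_pac_request=True) at L442–L445 is unexplained; if the PAC attributes buffer is only expected on the TGS path, a short comment saying so would prevent the two from being "harmonised" later.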
@ -704,6 +704,43 @@ class KpasswdTests(KDCBaseTest):
|
||||
expected_msg,
|
||||
mode=self.KpasswdMode.CHANGE)
|
||||
|
||||
# Show that we cannot provide a TGT to kpasswd that was obtained with a
|
||||
# single‐component principal.
|
||||
def test_kpasswd_tgt_single_component_krbtgt(self):
|
||||
# Create an account for testing.
|
||||
creds = self._get_creds()
|
||||
|
||||
# Create a single‐component principal of the form ‘krbtgt@REALM’.
|
||||
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
|
||||
names=['krbtgt'])
|
||||
|
||||
# Don’t request canonicalization.
|
||||
kdc_options = 'forwardable,renewable,renewable-ok'
|
||||
|
||||
# Get a TGT.
|
||||
tgt = self.get_tgt(creds, sname=sname, kdc_options=kdc_options)
|
||||
|
||||
# Change the sname of the ticket to match that of kadmin/changepw.
|
||||
tgt.set_sname(self.get_kpasswd_sname())
|
||||
|
||||
expected_code = KPASSWD_AUTHERROR
|
||||
expected_msg = b'A TGT may not be used as a ticket to kpasswd'
|
||||
|
||||
# Set the password.
|
||||
new_password = generate_random_password(32, 32)
|
||||
self.kpasswd_exchange(tgt,
|
||||
new_password,
|
||||
expected_code,
|
||||
expected_msg,
|
||||
mode=self.KpasswdMode.SET)
|
||||
|
||||
# Change the password.
|
||||
self.kpasswd_exchange(tgt,
|
||||
new_password,
|
||||
expected_code,
|
||||
expected_msg,
|
||||
mode=self.KpasswdMode.CHANGE)
|
||||
|
||||
# Test that kpasswd rejects requests with a service ticket.
|
||||
def test_kpasswd_non_initial(self):
|
||||
# Create an account for testing, and get a TGT.
|
||||
|
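Review bot: The comment at L575 says what tgt.set_sname does but not why the server is still expected to refuse the ticket, which is the point of the test: the sname is rewritten on the client side, so kpasswd must not rely on it to tell a TGT from a genuine kadmin/changepw service ticket. A comment such as `# The sname is client-controlled; kpasswd must still recognise this as a TGT and refuse it.` placed before L578 would make the threat being tested explicit. The test also covers only the NT_PRINCIPAL form of the single-component name, whereas the AS-REQ test in this commit uses NT_SRV_INST; if the kpasswd check is meant to be independent of name type, that is worth stating or parametrising. The method is complete within this hunk.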
@ -135,3 +135,14 @@
|
||||
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$
|
||||
#
|
||||
# Single‐component krbtgt principal tests
|
||||
#
|
||||
^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
|
||||
^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$
|
||||
|
@ -129,3 +129,14 @@
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_certificate_signature_win2k.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_signature_win2k.ad_dc
|
||||
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_win2k.ad_dc
|
||||
#
|
||||
# Single‐component krbtgt principal tests
|
||||
#
|
||||
^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
|
||||
^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
|
||||
^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$
|
||||
|