
tests/krb5: Remove tests of KDCs without resource SID compression support

As part of mitigations of CVE-2022-37966, we no longer regard the
msDS-SupportedEncryptionTypes attribute of the KDC when determining its
supported encryption types. Thus, these tests that try to disable SID
compression support by setting this attribute run to no purpose.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Joseph Sutton 2022-12-12 10:57:42 +13:00 committed by Andrew Bartlett
parent c21d5bf674
commit 4ec34d297d
3 changed files with 6 additions and 91 deletions


@ -104,63 +104,6 @@ class GroupTests(KDCBaseTest):
cls.generate_dynamic_test('test_group', name,
dict(case))
# Enable or disable resource SID compression on the krbtgt
# account. Depending on how the KDC chooses to handle SID compression, this
# may or may not have any real effect.
def set_krbtgt_sid_compression(self, compression):
krbtgt_creds = self.get_krbtgt_creds()
krbtgt_dn = krbtgt_creds.get_dn()
samdb = self.get_samdb()
# Get the current supported encryption types of the krbtgt account.
res = samdb.search(krbtgt_dn,
scope=ldb.SCOPE_BASE,
attrs=['msDS-SupportedEncryptionTypes'])
orig_msg = res[0]
krbtgt_enctypes = orig_msg.get(
'msDS-SupportedEncryptionTypes', idx=0)
if krbtgt_enctypes is None:
# Setting the enctypes isn't likely to accomplish anything.
return
krbtgt_enctypes = int(krbtgt_enctypes)
# Enable or disable the compression bit.
if compression:
set_krbtgt_enctypes = krbtgt_enctypes | (
security.KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED)
else:
set_krbtgt_enctypes = krbtgt_enctypes & ~(
security.KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED)
if krbtgt_enctypes == set_krbtgt_enctypes:
# Nothing to do.
return
msg = ldb.Message(krbtgt_dn)
msg['msDS-SupportedEncryptionTypes'] = ldb.MessageElement(
str(set_krbtgt_enctypes),
ldb.FLAG_MOD_REPLACE,
'msDS-SupportedEncryptionTypes')
# Clean up the change afterwards.
diff = samdb.msg_diff(msg, orig_msg)
self.addCleanup(samdb.modify, diff)
samdb.modify(msg)
# Make sure the value remains as we set it.
res = samdb.search(krbtgt_dn,
scope=ldb.SCOPE_BASE,
attrs=['msDS-SupportedEncryptionTypes'])
new_krbtgt_enctypes = res[0].get(
'msDS-SupportedEncryptionTypes', idx=0)
self.assertIsNotNone(new_krbtgt_enctypes)
new_krbtgt_enctypes = int(new_krbtgt_enctypes)
self.assertEqual(set_krbtgt_enctypes, new_krbtgt_enctypes,
'failed to set krbtgt supported enctypes')
# Get a ticket with the SIDs in the PAC replaced with ones we specify. This
# is useful for creating arbitrary tickets that can be used to perform a
# TGS-REQ.
@ -809,7 +752,7 @@ class GroupTests(KDCBaseTest):
},
},
{
'test': 'resource sids given; compression; tgs-req to krbtgt',
'test': 'resource sids given; tgs-req to krbtgt',
'groups': {
# A couple of independent domain-local groups.
'dom-local-0': (GroupType.DOMAIN_LOCAL, {}),
@ -817,7 +760,6 @@ class GroupTests(KDCBaseTest):
},
'as:to_krbtgt': True,
'tgs:to_krbtgt': True,
'tgs:compression': True,
'tgs:sids': {
# The TGT contains two resource SIDs for the domain-local
# groups.
@ -837,32 +779,6 @@ class GroupTests(KDCBaseTest):
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
},
},
{
'test': 'resource sids given; no compression; tgs-req to krbtgt',
'groups': {
'dom-local-0': (GroupType.DOMAIN_LOCAL, {}),
'dom-local-1': (GroupType.DOMAIN_LOCAL, {}),
},
'as:to_krbtgt': True,
'tgs:to_krbtgt': True,
# Compression is disabled on the krbtgt account...
'tgs:compression': False,
'tgs:sids': {
('dom-local-0', SidType.RESOURCE_SID, resource_attrs),
('dom-local-1', SidType.RESOURCE_SID, resource_attrs),
(asserted_identity, SidType.EXTRA_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
},
'tgs:expected': {
# ...and the resource SIDs remain.
('dom-local-0', SidType.RESOURCE_SID, resource_attrs),
('dom-local-1', SidType.RESOURCE_SID, resource_attrs),
(asserted_identity, SidType.EXTRA_SID, default_attrs),
(security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
(security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
},
},
{
'test': 'resource sids given; compression; tgs-req to service',
'groups': {
@ -893,7 +809,6 @@ class GroupTests(KDCBaseTest):
},
'as:to_krbtgt': True,
'tgs:to_krbtgt': True,
'tgs:compression': False,
'tgs:sids': {
# In Samba 4.17, domain-local groups are contained within the
# TGT, and do not have the SE_GROUP_RESOURCE bit set.
@ -1017,7 +932,9 @@ class GroupTests(KDCBaseTest):
# or unsupported.
def get_target(self, to_krbtgt, compression):
if to_krbtgt:
self.set_krbtgt_sid_compression(compression)
self.assertIsNone(compression,
"it's no good specifying compression support "
"for the krbtgt")
creds = self.get_krbtgt_creds()
sname = self.get_krbtgt_sname()
else:
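Review bot: The assertion added in get_target rejects a non-None `compression` for the krbtgt but gives no rationale, so a reader of the test file alone cannot tell why that combination is now invalid; the reason lives only in the commit message. I would add above the `assertIsNone` call: `# Since the CVE-2022-37966 mitigations the KDC ignores the krbtgt's msDS-SupportedEncryptionTypes, so resource SID compression can no longer be toggled per test case; krbtgt cases must leave it unspecified.` The comment heading this method, of which only `# or unsupported.` is visible, begins outside the hunk and appears to still describe the old supported/unsupported toggle, so it likely needs the same update. get_target's else branch continues past the end of the hunk.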


@ -150,6 +150,5 @@
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_domain_local_compression_as_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_removal_compression_tgs_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_compression_as_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_compression_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_compression_tgs_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_no_compression_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_tgs_req_to_krbtgt.ad_dc


@ -583,9 +583,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_as_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_compression_as_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_universal_no_compression_as_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_compression_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_compression_tgs_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_no_compression_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_resource_sids_given_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_tgs_req_to_krbtgt.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_tgs_req_to_service.ad_dc
^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_universal_as_req_to_krbtgt.ad_dc