2025-01-21 18:04:06 +03:00 · 2023-02-24 13:12:44 +13:00 · 2023-02-24 13:12:44 +13:00 · 533fb8fa0d
commit 533fb8fa0d
parent 646b62f760
3 changed files with 131 additions and 0 deletions
--- a/python/samba/tests/krb5/group_tests.py
+++ b/python/samba/tests/krb5/group_tests.py
@ -991,6 +991,121 @@ class GroupTests(KDCBaseTest):
                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
            },
        },
+        {
+            'test': 'user group addition; tgs-req to krbtgt',
+            'groups': {
+                # The user is a member of the group...
+                'foo': (GroupType.UNIVERSAL, {user}),
+            },
+            'as:to_krbtgt': True,
+            'tgs:to_krbtgt': True,
+            'tgs:sids': {
+                # ...but the user's PAC still lacks the group SID.
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:expected': {
+                # The group SID should be omitted when a TGS-REQ is
+                # performed.
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+        },
+        {
+            'test': 'user group addition; tgs-req to service',
+            'groups': {
+                'foo': (GroupType.UNIVERSAL, {user}),
+            },
+            'as:to_krbtgt': True,
+            # Likewise, but to a service.
+            'tgs:to_krbtgt': False,
+            'tgs:sids': {
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:expected': {
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+        },
+        {
+            'test': 'nested group addition; tgs-req to krbtgt',
+            'groups': {
+                # A Domain-local group contains a Universal group, of which the
+                # user is now a member...
+                'dom-local': (GroupType.DOMAIN_LOCAL, {'universal'}),
+                'universal': (GroupType.UNIVERSAL, {user}),
+            },
+            'as:to_krbtgt': True,
+            'tgs:to_krbtgt': True,
+            'tgs:sids': {
+                # ...but the user's PAC still lacks the group SID.
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:expected': {
+                # The group SID should still be missing when a TGS-REQ is
+                # performed.
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+        },
+        {
+            'test': 'nested group addition; compression; tgs-req to service',
+            'groups': {
+                # A Domain-local group contains a Universal group, of which the
+                # user is now a member...
+                'dom-local': (GroupType.DOMAIN_LOCAL, {'universal'}),
+                'universal': (GroupType.UNIVERSAL, {user}),
+            },
+            'as:to_krbtgt': True,
+            'tgs:to_krbtgt': False,
+            'tgs:sids': {
+                # ...but the user's PAC still lacks the group SID.
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:expected': {
+                # Both SIDs should be omitted from the PAC when a TGS-REQ is
+                # performed.
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+        },
+        {
+            'test': 'nested group addition; no compression; tgs-req to service',
+            'groups': {
+                'dom-local': (GroupType.DOMAIN_LOCAL, {'universal'}),
+                'universal': (GroupType.UNIVERSAL, {user}),
+            },
+            'as:to_krbtgt': True,
+            'tgs:to_krbtgt': False,
+            # The same again, but with the server not supporting compression.
+            'tgs:compression': False,
+            'tgs:sids': {
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:expected': {
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+        },
        {
            'test': 'resource sids given; tgs-req to krbtgt',
            'groups': {
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@ -142,3 +142,11 @@
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
+#
+# Group tests
+#
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_no_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_service.ad_dc
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@ -2130,3 +2130,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_17_requested_member_account_stored_aes_rc4
 ^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_requested_member_account_stored_aes_rc4
 ^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18__requested_member_account_stored_aes_rc4
+#
+# Group tests
+#
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_no_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_service.ad_dc