From 533fb8fa0db71ab49176e449b7bd2ff597398cf9 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Fri, 24 Feb 2023 13:12:44 +1300
Subject: [PATCH] tests/krb5: Add tests adding a user to a group prior to a TGS-REQ
Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/group_tests.py | 115 +++++++++++++++++++++++++
 selftest/knownfail_heimdal_kdc | 8 ++
 selftest/knownfail_mit_kdc | 8 ++
 3 files changed, 131 insertions(+)
diff --git a/python/samba/tests/krb5/group_tests.py b/python/samba/tests/krb5/group_tests.py
index 9ece5e64271..1090e59bea2 100755
--- a/python/samba/tests/krb5/group_tests.py
+++ b/python/samba/tests/krb5/group_tests.py
@@ -991,6 +991,121 @@ class GroupTests(KDCBaseTest):
 (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
 },
 },
+ {
+ 'test': 'user group addition; tgs-req to krbtgt',
+ 'groups': {
+ # The user is a member of the group...
+ 'foo': (GroupType.UNIVERSAL, {user}),
+ },
+ 'as:to_krbtgt': True,
+ 'tgs:to_krbtgt': True,
+ 'tgs:sids': {
+ # ...but the user's PAC still lacks the group SID.
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:expected': {
+ # The group SID should be omitted when a TGS-REQ is
+ # performed.
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ },
+ {
+ 'test': 'user group addition; tgs-req to service',
+ 'groups': {
+ 'foo': (GroupType.UNIVERSAL, {user}),
+ },
+ 'as:to_krbtgt': True,
+ # Likewise, but to a service.
+ 'tgs:to_krbtgt': False,
+ 'tgs:sids': {
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:expected': {
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ },
+ {
+ 'test': 'nested group addition; tgs-req to krbtgt',
+ 'groups': {
+ # A Domain-local group contains a Universal group, of which the
+ # user is now a member...
+ 'dom-local': (GroupType.DOMAIN_LOCAL, {'universal'}),
+ 'universal': (GroupType.UNIVERSAL, {user}),
+ },
+ 'as:to_krbtgt': True,
+ 'tgs:to_krbtgt': True,
+ 'tgs:sids': {
+ # ...but the user's PAC still lacks the group SID.
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:expected': {
+ # The group SID should still be missing when a TGS-REQ is
+ # performed.
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ },
+ {
+ 'test': 'nested group addition; compression; tgs-req to service',
+ 'groups': {
+ # A Domain-local group contains a Universal group, of which the
+ # user is now a member...
+ 'dom-local': (GroupType.DOMAIN_LOCAL, {'universal'}),
+ 'universal': (GroupType.UNIVERSAL, {user}),
+ },
+ 'as:to_krbtgt': True,
+ 'tgs:to_krbtgt': False,
+ 'tgs:sids': {
+ # ...but the user's PAC still lacks the group SID.
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:expected': {
+ # Both SIDs should be omitted from the PAC when a TGS-REQ is
+ # performed.
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ },
+ {
+ 'test': 'nested group addition; no compression; tgs-req to service',
+ 'groups': {
+ 'dom-local': (GroupType.DOMAIN_LOCAL, {'universal'}),
+ 'universal': (GroupType.UNIVERSAL, {user}),
+ },
+ 'as:to_krbtgt': True,
+ 'tgs:to_krbtgt': False,
+ # The same again, but with the server not supporting compression.
+ 'tgs:compression': False,
+ 'tgs:sids': {
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:expected': {
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ },
 {
 'test': 'resource sids given; tgs-req to krbtgt',
 'groups': {
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 99f687e3212..c72717d3733 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -142,3 +142,11 @@
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_remove_claims_to_krbtgt.ad_dc
 ^samba.tests.krb5.claims_tests.samba.tests.krb5.claims_tests.ClaimsTests.test_tgs_claims_to_krbtgt.ad_dc
+#
+# Group tests
+#
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_no_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_service.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 1c52ec54e9f..eacb29a9479 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
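Review bot: The five new cases only exercise Universal-group membership granted after the TGT was issued (directly, and nested under a Domain-local group), so there is no case in which the user is added straight into a DOMAIN_LOCAL group before a TGS-REQ to a service; that case would pin whether a resource group evaluated at TGS time is picked up from the user's own SID, which the nested cases cannot show because the intermediate Universal SID is absent from 'tgs:sids'. Whether 'tgs:expected' for such a case should contain the domain-local SID is not determinable from this hunk, so it needs confirming against the 'resource sids given' cases that follow. Separately, the 'nested group addition; compression; tgs-req to service' case relies on the harness default for compression while its sibling sets `'tgs:compression': False,`; if that default is True, stating `'tgs:compression': True,` there makes the pair read symmetrically. The test-case list these entries extend starts and ends outside the hunk.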
@@ -2130,3 +2130,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_17_requested_member_account_stored_aes_rc4
 ^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18_23_requested_member_account_stored_aes_rc4
 ^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_etype_tgs_None_supported_18__requested_member_account_stored_aes_rc4
+#
+# Group tests
+#
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_no_compression_tgs_req_to_service.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_nested_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_krbtgt.ad_dc
+^samba.tests.krb5.group_tests.samba.tests.krb5.group_tests.GroupTests.test_group_user_group_addition_tgs_req_to_service.ad_dc