From 53c47698f01b9b948cbb565c1cc808d9cfd423f8 Mon Sep 17 00:00:00 2001
From: Joseph Sutton
Date: Thu, 18 May 2023 10:59:53 +1200
Subject: [PATCH] tests/krb5: Add tests presenting short-lived ticket in various scenarios

With the Heimdal KDC, we erroneously accept short-lived FAST and user-to-user tickets.

Signed-off-by: Joseph Sutton
Reviewed-by: Andrew Bartlett
---
 python/samba/tests/krb5/kdc_tgs_tests.py | 34 ++++++++++++++++++++++++
 selftest/knownfail_heimdal_kdc | 5 ++++
 selftest/knownfail_mit_kdc | 9 +++++++
 3 files changed, 48 insertions(+)

diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index a5b4d18b051..171623cc5d7 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -47,6 +47,7 @@ from samba.tests.krb5.rfc4120_constants import (
     KDC_ERR_PREAUTH_REQUIRED,
     KDC_ERR_C_PRINCIPAL_UNKNOWN,
     KDC_ERR_S_PRINCIPAL_UNKNOWN,
+    KDC_ERR_TKT_EXPIRED,
     KDC_ERR_TGT_REVOKED,
     KRB_ERR_TKT_NYV,
     KDC_ERR_WRONG_REALM,
@@ -1668,6 +1669,39 @@ class KdcTgsTests(KdcTgsBaseTests):
         self._fast(tgt, creds, expected_error=KDC_ERR_GENERIC,
                    expect_edata=self.expect_padata_outer)
 
+    # Test with a TGT that has the lifetime of a kpasswd ticket (two minutes).
+    def test_tgs_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._run_tgs(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_renew_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds, renewable=True)
+        tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
+        self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_validate_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self._get_tgt(creds, invalid=True)
+        tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
+        self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_s4u2self_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._s4u2self(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_user2user_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._user2user(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
+    def test_fast_kpasswd(self):
+        creds = self._get_creds()
+        tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
+        self._fast(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
+
     # Test user-to-user with incorrect service principal names.
     def test_user2user_matching_sname_host(self):
         creds = self._get_creds()
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index c00fc68ac12..8386966ed9f 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
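Review bot: The six new `*_kpasswd` tests each spell out the literal `2 * 60`, and only the comment above `test_tgs_kpasswd` says what it stands for, so `test_fast_kpasswd` or `test_user2user_kpasswd` read on their own (for instance when chasing a knownfail entry) give no hint why a two-minute lifetime is expected to yield `KDC_ERR_TKT_EXPIRED`. Consider one class-level constant, e.g. `kpasswd_lifetime = 2 * 60  # a kpasswd ticket is issued with a two-minute lifetime`, referenced from every `modify_lifetime(..., lifetime=...)` call so the intent is stated once and the six tests cannot drift apart. A one-line docstring per test naming the exchange it exercises would also help, along the lines of `"""A TGT with a kpasswd ticket's short lifetime must be rejected with KDC_ERR_TKT_EXPIRED when presented for FAST."""`. What `modify_lifetime` changes on the ticket (presumably its end time) is not visible in this hunk, so that helper's contract should be confirmed before the constant is reused elsewhere.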
@@ -40,6 +40,11 @@ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_rodc_issued # +# KDC TGS tests +# +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_kpasswd.ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_kpasswd.ad_dc +# # https://bugzilla.samba.org/show_bug.cgi?id=14886: Tests for accounts not revealed to the RODC # # The KDC should not accept tickets from an RODC for accounts not in the msDS-RevealedUsers list. diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 3686dd24f9b..d600957388c 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -194,6 +194,15 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\) ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\) # +# KDC TGS tests +# +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_kpasswd.ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_kpasswd.ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_kpasswd.ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_kpasswd.ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_kpasswd.ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_kpasswd.ad_dc +# # KDC TGS PAC tests # ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_no_pac_service_no_auth_data_required\(ad_dc\)