tests/krb5: Correctly determine whether tickets are service tickets

Previously we expected tickets to contain a ticket checksum if the sname
was not the krbtgt. However, the ticket checksum should not be present
if we are performing an AS-REQ to our own account. Now we determine a
ticket is a service ticket only if the request is also a TGS-REQ.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 100be7eb8e70ba270a8e92957a5e47466160a901)

python/samba/tests/krb5/compatability_tests.py

@@ -132,13 +132,14 @@ class SimpleKerberosTests(KDCBaseTest):
         tgt = self.get_tgt(user_creds)
 
         # Ensure the PAC contains the expected checksums.
-        self.verify_ticket(tgt, key)
+        self.verify_ticket(tgt, key, service_ticket=False)
 
         # Get a service ticket from the DC.
         service_ticket = self.get_service_ticket(tgt, target_creds)
 
         # Ensure the PAC contains the expected checksums.
-        self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
+        self.verify_ticket(service_ticket, key, service_ticket=True,
+                           expect_ticket_checksum=True)
 
     def test_mit_ticket_signature(self):
         # Ensure that a DC does not issue tickets signed with its krbtgt key.
@@ -152,13 +153,14 @@ class SimpleKerberosTests(KDCBaseTest):
         tgt = self.get_tgt(user_creds)
 
         # Ensure the PAC contains the expected checksums.
-        self.verify_ticket(tgt, key)
+        self.verify_ticket(tgt, key, service_ticket=False)
 
         # Get a service ticket from the DC.
         service_ticket = self.get_service_ticket(tgt, target_creds)
 
         # Ensure the PAC does not contain the expected checksums.
-        self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
+        self.verify_ticket(service_ticket, key, service_ticket=True,
+                           expect_ticket_checksum=False)
 
     def as_pre_auth_req(self, creds, etypes):
         user = creds.get_username()

python/samba/tests/krb5/kdc_base_test.py

@@ -1395,7 +1395,7 @@ class KDCBaseTest(RawKerberosTest):
             krbtgt_creds = self.get_krbtgt_creds()
         krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
         self.verify_ticket(service_ticket_creds, krbtgt_key,
-                           expect_pac=expect_pac,
+                           service_ticket=True, expect_pac=expect_pac,
                            expect_ticket_checksum=self.tkt_sig_support)
 
         self.tkt_cache[cache_key] = service_ticket_creds

python/samba/tests/krb5/raw_testcase.py

@@ -2587,7 +2587,11 @@ class RawKerberosTest(TestCaseInTempDir):
             self.assertIsNotNone(ticket_decryption_key)
 
         if ticket_decryption_key is not None:
-            self.verify_ticket(ticket_creds, krbtgt_keys, expect_pac=expect_pac,
+            service_ticket = (not self.is_tgs(expected_sname)
+                              and rep_msg_type == KRB_TGS_REP)
+            self.verify_ticket(ticket_creds, krbtgt_keys,
+                               service_ticket=service_ticket,
+                               expect_pac=expect_pac,
                                expect_ticket_checksum=expect_ticket_checksum
                                or self.tkt_sig_support)
 
@@ -2624,14 +2628,14 @@ class RawKerberosTest(TestCaseInTempDir):
                 expected_types.append(krb5pac.PAC_TYPE_DEVICE_INFO)
                 expected_types.append(krb5pac.PAC_TYPE_DEVICE_CLAIMS_INFO)
 
-        if not self.is_tgs(expected_sname):
+        if not self.is_tgs(expected_sname) and rep_msg_type == KRB_TGS_REP:
             expected_types.append(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
 
         require_strict = {krb5pac.PAC_TYPE_CLIENT_CLAIMS_INFO}
         if not self.tkt_sig_support:
             require_strict.add(krb5pac.PAC_TYPE_TICKET_CHECKSUM)
 
-        expect_extra_pac_buffers = rep_msg_type == KRB_AS_REP
+        expect_extra_pac_buffers = self.is_tgs(expected_sname)
 
         expect_pac_attrs = kdc_exchange_dict['expect_pac_attrs']
 
@@ -3233,11 +3237,9 @@ class RawKerberosTest(TestCaseInTempDir):
                                         ticket_blob)
         self.assertEqual(expected_checksum, checksum)
 
-    def verify_ticket(self, ticket, krbtgt_keys, expect_pac=True,
+    def verify_ticket(self, ticket, krbtgt_keys, service_ticket,
+                      expect_pac=True,
                       expect_ticket_checksum=True):
-        # Check if the ticket is a TGT.
-        is_tgt = self.is_tgt(ticket)
-
         # Decrypt the ticket.
 
         key = ticket.decryption_key
@@ -3336,7 +3338,7 @@ class RawKerberosTest(TestCaseInTempDir):
                                         kdc_ctype,
                                         kdc_checksum)
 
-        if is_tgt:
+        if not service_ticket:
             self.assertNotIn(krb5pac.PAC_TYPE_TICKET_CHECKSUM, checksums)
         else:
             ticket_checksum, ticket_ctype = checksums.get(

python/samba/tests/krb5/rodc_tests.py

@@ -58,14 +58,14 @@ class RodcKerberosTests(KDCBaseTest):
         tgt = self.get_tgt(user_creds, to_rodc=True)
 
         # Ensure the PAC contains the expected checksums.
-        self.verify_ticket(tgt, rodc_key)
+        self.verify_ticket(tgt, rodc_key, service_ticket=False)
 
         # Get a service ticket from the RODC.
         service_ticket = self.get_service_ticket(tgt, target_creds,
                                                  to_rodc=True)
 
         # Ensure the PAC contains the expected checksums.
-        self.verify_ticket(service_ticket, rodc_key)
+        self.verify_ticket(service_ticket, rodc_key, service_ticket=True)
 
 
 if __name__ == "__main__":