
tests/krb5: Add tests for requesting a service ticket without a PAC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
Joseph Sutton 2021-10-15 14:29:26 +13:00 committed by Andrew Bartlett
parent 288355896a
commit 9d3a691920
3 changed files with 130 additions and 0 deletions


@ -23,15 +23,18 @@ import os
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
import samba.tests.krb5.kcrypto as kcrypto
from samba.tests.krb5.kdc_base_test import KDCBaseTest
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5,
KRB_ERROR,
KRB_TGS_REP,
KDC_ERR_BADMATCH,
NT_PRINCIPAL,
NT_SRV_INST,
)
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
global_asn1_print = False
global_hexdump = False
@ -209,6 +212,123 @@ class KdcTgsTests(KDCBaseTest):
pac_data.account_sid,
"rep = {%s},%s" % (rep, pac_data))
def _make_tgs_request(self, client_creds, service_creds, tgt,
expect_pac=True):
client_account = client_creds.get_username()
cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[client_account])
service_account = service_creds.get_username()
sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=[service_account])
realm = service_creds.get_realm()
expected_crealm = realm
expected_cname = cname
expected_srealm = realm
expected_sname = sname
expected_supported_etypes = service_creds.tgs_supported_enctypes
etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
target_decryption_key = self.TicketDecryptionKey_from_creds(
service_creds)
authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
kdc_exchange_dict = self.tgs_exchange_dict(
expected_crealm=expected_crealm,
expected_cname=expected_cname,
expected_srealm=expected_srealm,
expected_sname=expected_sname,
expected_supported_etypes=expected_supported_etypes,
ticket_decryption_key=target_decryption_key,
check_rep_fn=self.generic_check_kdc_rep,
check_kdc_private_fn=self.generic_check_kdc_private,
expected_error_mode=0,
tgt=tgt,
authenticator_subkey=authenticator_subkey,
kdc_options=kdc_options,
expect_pac=expect_pac)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=cname,
realm=realm,
sname=sname,
etypes=etypes)
self.check_reply(rep, KRB_TGS_REP)
return kdc_exchange_dict['rep_ticket_creds']
def test_request_no_pac(self):
client_creds = self.get_client_creds()
service_creds = self.get_service_creds()
tgt = self.get_tgt(client_creds, pac_request=False,
expect_pac=False)
pac = self.get_ticket_pac(tgt, expect_pac=False)
self.assertIsNone(pac)
ticket = self._make_tgs_request(client_creds, service_creds, tgt,
expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
self.assertIsNone(pac)
def test_client_no_auth_data_required(self):
client_creds = self.get_cached_creds(
machine_account=False,
opts={'no_auth_data_required': True})
service_creds = self.get_service_creds()
tgt = self.get_tgt(client_creds)
pac = self.get_ticket_pac(tgt)
self.assertIsNotNone(pac)
ticket = self._make_tgs_request(client_creds, service_creds, tgt)
pac = self.get_ticket_pac(ticket)
self.assertIsNotNone(pac)
def test_service_no_auth_data_required(self):
client_creds = self.get_client_creds()
service_creds = self.get_cached_creds(
machine_account=True,
opts={'no_auth_data_required': True})
tgt = self.get_tgt(client_creds)
pac = self.get_ticket_pac(tgt)
self.assertIsNotNone(pac)
ticket = self._make_tgs_request(client_creds, service_creds, tgt,
expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
self.assertIsNone(pac)
def test_remove_pac(self):
client_creds = self.get_client_creds()
service_creds = self.get_service_creds()
tgt = self.modified_ticket(self.get_tgt(client_creds),
exclude_pac=True)
pac = self.get_ticket_pac(tgt, expect_pac=False)
self.assertIsNone(pac)
ticket = self._make_tgs_request(client_creds, service_creds, tgt,
expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
self.assertIsNone(pac)
if __name__ == "__main__":
global_asn1_print = False
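Review bot: test_remove_pac asserts that a TGT whose PAC was stripped client-side (modified_ticket(..., exclude_pac=True)) still yields a service ticket, yet nothing in the hunk records why a PAC-less TGT is expected to be honoured rather than rejected, so the test's intent will be unclear if KDC policy on such TGTs is later tightened; a comment above the assertion such as `# Pins current behaviour: a TGT without a PAC is accepted and the service ticket is issued without one.` would make that explicit. Separately, _make_tgs_request is the helper every new test goes through but carries no docstring; `"""Send a TGS-REQ for service_creds using tgt, assert a KRB_TGS_REP and return the ticket creds; expect_pac says whether the reply must carry a PAC."""` would cover its contract as far as these lines show it. The enclosing class KdcTgsTests starts outside the hunk.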


@ -87,3 +87,8 @@
# KRB5KRB_ERR_RESPONSE_TOO_BIG in this specific case
#
^samba4.krb5.kdc with machine account.as-req-pac-request.fl2000dc:local
#
# TGS tests
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_service_no_auth_data_required


@ -256,6 +256,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\)
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\)
#
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_client_no_auth_data_required\(ad_dc\)
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac\(ad_dc\)
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac\(ad_dc\)
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_service_no_auth_data_required\(ad_dc\)
#
# MIT currently fails the following MS-KILE tests.
#
^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3