1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00

auth: keytab invalidation test

chgtdcpass should add a new DC password and delete the old ones but the bug
exposed by this test causes the tool to remove only a single record from
the old entries, leaving the old passwords functional.  Since the tool is
used by administrators who may have disclosed their domain join password and
want to invalidate it, this is a security concern.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13415

Signed-off-by: Aaron Haslett <aaronhaslett@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Aaron Haslett 2018-05-01 11:10:24 +12:00 committed by Andreas Schneider
parent 506c520503
commit a3d6fdd535
4 changed files with 116 additions and 0 deletions

View File

@ -0,0 +1 @@
^samba.unittests.kerberos.test_krb5_remove_obsolete_keytab_entries_many

View File

@ -187,5 +187,7 @@ plantestsuite("samba.unittests.tldap", "none",
[os.path.join(bindir(), "default/source3/test_tldap")])
plantestsuite("samba.unittests.rfc1738", "none",
[os.path.join(bindir(), "default/lib/util/test_rfc1738")])
plantestsuite("samba.unittests.kerberos", "none",
[os.path.join(bindir(), "test_kerberos")])
plantestsuite("samba.unittests.ms_fnmatch", "none",
[os.path.join(bindir(), "default/lib/util/test_ms_fnmatch")])

View File

@ -0,0 +1,107 @@
#include <time.h>
#include <stdlib.h>
#include <stdarg.h>
#include <stddef.h>
#include <setjmp.h>
#include <stdint.h>
#include <cmocka.h>
#include "includes.h"
#include "system/kerberos.h"
#include "auth/kerberos/kerberos.h"
#include "auth/credentials/credentials.h"
#include "auth/credentials/credentials_proto.h"
#include "auth/credentials/credentials_krb5.h"
#include "auth/kerberos/kerberos_credentials.h"
#include "auth/kerberos/kerberos_util.h"
static void internal_obsolete_keytab_test(int num_principals, int num_kvnos,
krb5_kvno kvno, const char *kt_name)
{
krb5_context krb5_ctx;
krb5_keytab keytab;
krb5_keytab_entry kt_entry;
krb5_kt_cursor cursor;
krb5_error_code code;
int i,j;
char princ_name[6] = "user0";
char expect_princ_name[23] = "user0@samba.example.com";
bool found_previous;
const char *error_str;
TALLOC_CTX *tmp_ctx = talloc_new(NULL);
krb5_principal *principals = talloc_zero_array(tmp_ctx,
krb5_principal,
num_principals);
krb5_init_context(&krb5_ctx);
krb5_kt_resolve(krb5_ctx, kt_name, &keytab);
ZERO_STRUCT(kt_entry);
for(i=0; i<num_principals; i++) {
princ_name[4] = (char)i+48;
smb_krb5_make_principal(krb5_ctx, &(principals[i]),
"samba.example.com", princ_name, NULL);
kt_entry.principal = principals[i];
for (j=0; j<num_kvnos; j++) {
kt_entry.vno = j+1;
krb5_kt_add_entry(krb5_ctx, keytab, &kt_entry);
}
}
code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
assert_int_equal(code, 0);
for (i=0; i<num_principals; i++) {
expect_princ_name[4] = (char)i+48;
for (j=0; j<num_kvnos; j++) {
char *unparsed_name;
code = krb5_kt_next_entry(krb5_ctx, keytab,
&kt_entry, &cursor);
assert_int_equal(code, 0);
assert_int_equal(kt_entry.vno, j+1);
krb5_unparse_name(krb5_ctx, kt_entry.principal,
&unparsed_name);
assert_string_equal(expect_princ_name, unparsed_name);
}
}
smb_krb5_remove_obsolete_keytab_entries(tmp_ctx, krb5_ctx, keytab,
num_principals, principals,
kvno, &found_previous,
&error_str);
code = krb5_kt_start_seq_get(krb5_ctx, keytab, &cursor);
assert_int_equal(code, 0);
for (i=0; i<num_principals; i++) {
char *unparsed_name;
expect_princ_name[4] = (char)i+48;
code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
assert_int_equal(code, 0);
assert_int_equal(kt_entry.vno, kvno-1);
krb5_unparse_name(krb5_ctx, kt_entry.principal, &unparsed_name);
assert_string_equal(expect_princ_name, unparsed_name);
}
code = krb5_kt_next_entry(krb5_ctx, keytab, &kt_entry, &cursor);
assert_int_not_equal(code, 0);
}
static void test_krb5_remove_obsolete_keytab_entries_many(void **state)
{
internal_obsolete_keytab_test(5, 4, (krb5_kvno)5, "MEMORY:LOL2");
}
static void test_krb5_remove_obsolete_keytab_entries_one(void **state)
{
internal_obsolete_keytab_test(1, 2, (krb5_kvno)3, "MEMORY:LOL");
}
int main(int argc, const char **argv)
{
const struct CMUnitTest tests[] = {
cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_one),
cmocka_unit_test(test_krb5_remove_obsolete_keytab_entries_many),
};
cmocka_set_message_output(CM_OUTPUT_SUBUNIT);
return cmocka_run_group_tests(tests, NULL, NULL);
}

View File

@ -42,6 +42,12 @@ bld.SAMBA_SUBSYSTEM('auth4_sam',
deps=''
)
bld.SAMBA_BINARY('test_kerberos',
source='tests/kerberos.c',
deps='cmocka authkrb5 krb5samba com_err CREDENTIALS_KRB5',
local_include=False,
install=False
)
for env in bld.gen_python_environments():
pytalloc_util = bld.pyembed_libname('pytalloc-util')