sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-05 09:18:06 +03:00
Code

python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS

Browse Source 
This augments the PKINIT based tests to show this is correctly handled
for the fare more usual case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224
This commit is contained in:
Andrew Bartlett 2024-06-12 10:24:18 +12:00
parent ef87f0be60
commit aecbfe5218
4 changed files with 85 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
python/samba/tests/krb5/as_req_tests.py
View File

@ -22,8 +22,12 @@ import os
sys.path.insert(0, "bin/python") sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1" os.environ["PYTHONUNBUFFERED"] = "1"
from samba import ntstatus import time
from samba import credentials, ntstatus
from samba.dcerpc import netlogon
from samba.tests import DynamicTestCase from samba.tests import DynamicTestCase
from samba.tests.pso import PasswordSettings
from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.kcrypto as kcrypto import samba.tests.krb5.kcrypto as kcrypto
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
@ -33,6 +37,8 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_S_PRINCIPAL_UNKNOWN, KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_ETYPE_NOSUPP, KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_PREAUTH_REQUIRED, KDC_ERR_PREAUTH_REQUIRED,
KDC_ERR_PREAUTH_FAILED,
KDC_ERR_KEY_EXPIRED,
KU_PA_ENC_TIMESTAMP, KU_PA_ENC_TIMESTAMP,
NT_ENTERPRISE_PRINCIPAL, NT_ENTERPRISE_PRINCIPAL,
NT_PRINCIPAL, NT_PRINCIPAL,
@ -150,6 +156,7 @@ class AsReqBaseTest(KDCBaseTest):
etypes, etypes,
preauth_padata, preauth_padata,
kdc_options, kdc_options,
creds=client_creds,
expected_supported_etypes=krbtgt_supported_etypes, expected_supported_etypes=krbtgt_supported_etypes,
expected_account_name=user_name, expected_account_name=user_name,
expect_edata=expect_pa_edata, expect_edata=expect_pa_edata,
@ -591,6 +598,77 @@ class AsReqKerberosTests(AsReqBaseTest):
expected_pa_error=KDC_ERR_CLIENT_REVOKED, expected_pa_error=KDC_ERR_CLIENT_REVOKED,
expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS) expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
def test_pw_expired(self):
"""Test making an AS-REQ with an expired password."""
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
userdn = str(client_creds.get_dn())
samdb = self.get_samdb()
# create a PSO setting password_age_max to 1 second
#
# The first parameter is not a username, just a new unique name for the PSO
short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
precedence=200,
password_age_max=1)
self.addCleanup(samdb.delete, short_expiry_pso.dn)
short_expiry_pso.apply_to(userdn)
time.sleep(1)
# Expect to get a CLIENT_REVOKED error.
self._run_as_req_enc_timestamp(
client_creds,
expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
expected_pa_error=KDC_ERR_KEY_EXPIRED,
expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
self._test_samlogon(creds=client_creds,
logon_type=netlogon.NetlogonNetworkInformation,
expect_error=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
def test_pw_expired_wrong_password(self):
"""Test making an AS-REQ with an expired, wrong password"""
# Use a non-cached account so that it is not locked out for other
# tests.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
use_cache=False)
client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
userdn = str(client_creds.get_dn())
samdb = self.get_samdb()
# create a PSO setting password_age_max to 1 second
#
# The first parameter is not a username, just a new unique name for the PSO
short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
precedence=200,
password_age_max=1)
self.addCleanup(samdb.delete, short_expiry_pso.dn)
short_expiry_pso.apply_to(userdn)
time.sleep(1)
client_creds.set_password('wrong password')
# Expect to get a CLIENT_REVOKED error.
self._run_as_req_enc_timestamp(
client_creds,
expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
expected_pa_error=KDC_ERR_PREAUTH_FAILED,
expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
self._test_samlogon(creds=client_creds,
logon_type=netlogon.NetlogonNetworkInformation,
expect_error=ntstatus.NT_STATUS_WRONG_PASSWORD)
def test_as_req_unicode(self): def test_as_req_unicode(self):
client_creds = self.get_cached_creds( client_creds = self.get_cached_creds(
account_type=self.AccountType.USER, account_type=self.AccountType.USER,

3
python/samba/tests/krb5/raw_testcase.py
View File

@ -5100,7 +5100,8 @@ class RawKerberosTest(TestCase):
if sent_freshness: if sent_freshness:
expected_patypes += PADATA_AS_FRESHNESS, expected_patypes += PADATA_AS_FRESHNESS,
if (self.kdc_fast_support if (error_code != KDC_ERR_PREAUTH_FAILED
and self.kdc_fast_support
and not sent_fast and not sent_fast
and not sent_enc_challenge): and not sent_enc_challenge):
expected_patypes += (PADATA_FX_FAST,) expected_patypes += (PADATA_FX_FAST,)

2
selftest/expectedfail.d/kdc_test_pw_expired Normal file
View File

@ -0,0 +1,2 @@
# This tests needs Password Settings Objects to work, so is expected to fail in this environment
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired\(fl2003dc\)

2
selftest/knownfail_mit_kdc
View File

@ -42,6 +42,8 @@
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False\(fl2003dc\) ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False\(fl2003dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None\(fl2003dc\) ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None\(fl2003dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True\(fl2003dc\) ^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True\(fl2003dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2003dc\)
# #
# Currently MOST but not quite all the Canonicalization tests fail on the # Currently MOST but not quite all the Canonicalization tests fail on the
# MIT KDC # MIT KDC