
python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS

This augments the PKINIT based tests to show this is correctly handled
for the far more usual case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224
This commit is contained in:
Andrew Bartlett 2024-06-12 10:24:18 +12:00
parent ef87f0be60
commit aecbfe5218
4 changed files with 85 additions and 2 deletions


@ -22,8 +22,12 @@ import os
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
from samba import ntstatus
import time
from samba import credentials, ntstatus
from samba.dcerpc import netlogon
from samba.tests import DynamicTestCase
from samba.tests.pso import PasswordSettings
from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.kcrypto as kcrypto
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
@ -33,6 +37,8 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_PREAUTH_REQUIRED,
KDC_ERR_PREAUTH_FAILED,
KDC_ERR_KEY_EXPIRED,
KU_PA_ENC_TIMESTAMP,
NT_ENTERPRISE_PRINCIPAL,
NT_PRINCIPAL,
@ -150,6 +156,7 @@ class AsReqBaseTest(KDCBaseTest):
etypes,
preauth_padata,
kdc_options,
creds=client_creds,
expected_supported_etypes=krbtgt_supported_etypes,
expected_account_name=user_name,
expect_edata=expect_pa_edata,
@ -591,6 +598,77 @@ class AsReqKerberosTests(AsReqBaseTest):
expected_pa_error=KDC_ERR_CLIENT_REVOKED,
expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
def test_pw_expired(self):
"""Test making an AS-REQ with an expired password."""
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
userdn = str(client_creds.get_dn())
samdb = self.get_samdb()
# create a PSO setting password_age_max to 1 second
#
# The first parameter is not a username, just a new unique name for the PSO
short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
precedence=200,
password_age_max=1)
self.addCleanup(samdb.delete, short_expiry_pso.dn)
short_expiry_pso.apply_to(userdn)
time.sleep(1)
# Expect to get a CLIENT_REVOKED error.
self._run_as_req_enc_timestamp(
client_creds,
expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
expected_pa_error=KDC_ERR_KEY_EXPIRED,
expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
self._test_samlogon(creds=client_creds,
logon_type=netlogon.NetlogonNetworkInformation,
expect_error=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
def test_pw_expired_wrong_password(self):
"""Test making an AS-REQ with an expired, wrong password"""
# Use a non-cached account so that it is not locked out for other
# tests.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
use_cache=False)
client_creds.set_kerberos_state(credentials.AUTO_USE_KERBEROS)
userdn = str(client_creds.get_dn())
samdb = self.get_samdb()
# create a PSO setting password_age_max to 1 second
#
# The first parameter is not a username, just a new unique name for the PSO
short_expiry_pso = PasswordSettings(self.get_new_username(), samdb,
precedence=200,
password_age_max=1)
self.addCleanup(samdb.delete, short_expiry_pso.dn)
short_expiry_pso.apply_to(userdn)
time.sleep(1)
client_creds.set_password('wrong password')
# Expect to get a CLIENT_REVOKED error.
self._run_as_req_enc_timestamp(
client_creds,
expected_error=(KDC_ERR_KEY_EXPIRED, KDC_ERR_PREAUTH_FAILED, KDC_ERR_PREAUTH_REQUIRED),
expect_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED,
expected_pa_error=KDC_ERR_PREAUTH_FAILED,
expect_pa_status=ntstatus.NT_STATUS_PASSWORD_EXPIRED)
self._test_samlogon(creds=client_creds,
logon_type=netlogon.NetlogonNetworkInformation,
expect_error=ntstatus.NT_STATUS_WRONG_PASSWORD)
def test_as_req_unicode(self):
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
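Review bot: The comment `# Expect to get a CLIENT_REVOKED error.` placed above both `_run_as_req_enc_timestamp` calls in test_pw_expired and test_pw_expired_wrong_password contradicts the expectations on the lines right below it, which are KDC_ERR_KEY_EXPIRED / NT_STATUS_PASSWORD_EXPIRED; it looks copied from the logon-hours test and should read `# Expect a KDC_ERR_KEY_EXPIRED error with NT_STATUS_PASSWORD_EXPIRED`. In test_pw_expired_wrong_password the AS-REQ is asserted to return NT_STATUS_PASSWORD_EXPIRED while the samlogon path returns NT_STATUS_WRONG_PASSWORD, i.e. the KDC reports the expiry state before the pre-auth key has been validated; if that asymmetry is deliberate (presumably to match Windows), a one-line comment saying so would stop a later reader from treating it as a bug. The PSO creation, addCleanup and apply_to lines are duplicated verbatim between the two tests and could become a small `_apply_short_expiry_pso(client_creds)` helper. With password_age_max=1 and a bare `time.sleep(1)` the expiry margin is at most one second, which may be flaky on a slow host; a slightly longer sleep or a check against the computed expiry time would be safer. test_as_req_unicode continues past the end of the hunk.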


@ -5100,7 +5100,8 @@ class RawKerberosTest(TestCase):
if sent_freshness:
expected_patypes += PADATA_AS_FRESHNESS,
if (self.kdc_fast_support
if (error_code != KDC_ERR_PREAUTH_FAILED
and self.kdc_fast_support
and not sent_fast
and not sent_enc_challenge):
expected_patypes += (PADATA_FX_FAST,)
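Review bot: The new `error_code != KDC_ERR_PREAUTH_FAILED` clause in the condition that adds PADATA_FX_FAST to expected_patypes carries no explanation of why a KDC_ERR_PREAUTH_FAILED reply is not expected to advertise FAST, whereas the neighbouring sent_fast and sent_enc_challenge checks are self-explanatory. A short note such as `# A KDC_ERR_PREAUTH_FAILED error does not carry PA-FX-FAST (presumably FAST is not re-offered after a failed pre-auth attempt) — confirm against the KDC` would help; I am inferring the reason from the test change alone. The enclosing method starts and ends outside the hunk.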


@ -0,0 +1,2 @@
# This tests needs Password Settings Objects to work, so is expected to fail in this environment
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired\(fl2003dc\)
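Review bot: The explanatory line `# This tests needs Password Settings Objects to work, so is expected to fail in this environment` has a grammar slip and should read `# This test needs Password Settings Objects to work, so it is expected to fail in this environment`. Only test_pw_expired is listed here while test_pw_expired_wrong_password is added to the other knownfail list in this commit; if that split is intentional, a word on why would help the next person who touches these lists.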


@ -42,6 +42,8 @@
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_False\(fl2003dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_None\(fl2003dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_as_req_no_preauth_dummy_aes256_aes128_pac_True\(fl2003dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2008r2dc\)
^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_pw_expired_wrong_password\(fl2003dc\)
#
# Currently MOST but not quite all the Canonicalization tests fail on the
# MIT KDC
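Review bot: The two new test_pw_expired_wrong_password entries for fl2008r2dc and fl2003dc are added without a comment giving the reason they are expected to fail, whereas the companion test_pw_expired entry added elsewhere in this commit explains its PSO dependency. The reason may differ per environment (fl2008r2dc should not lack PSO support), so a one-line comment above the pair stating the actual cause for each would keep this list maintainable.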