From bac5f75059450898937be891e863826e1350b62c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 25 Nov 2021 10:05:17 +1300 Subject: [PATCH] tests/krb5: Add test for S4U2Self with wrong sname Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- python/samba/tests/krb5/s4u_tests.py | 32 +++++++++++++++++++++++++++- selftest/knownfail_heimdal_kdc | 1 + 2 files changed, 32 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 5f37525f393..2953766ef21 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -36,6 +36,7 @@ from samba.tests.krb5.raw_testcase import ( from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5, + KDC_ERR_BADMATCH, KDC_ERR_BADOPTION, KDC_ERR_BAD_INTEGRITY, KDC_ERR_GENERIC, @@ -243,7 +244,9 @@ class S4UKerberosTests(KDCBaseTest): client_dn = client_creds.get_dn() sid = self.get_objectSid(samdb, client_dn) - service_name = service_creds.get_username()[:-1] + service_name = kdc_dict.pop('service_name', None) + if service_name is None: + service_name = service_creds.get_username()[:-1] service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL, names=['host', service_name]) @@ -474,6 +477,33 @@ class S4UKerberosTests(KDCBaseTest): 'expected_flags': 'forwardable' }) + # Do an S4U2Self with the sname in the request different to that of the + # service. We expect an error. + def test_s4u2self_wrong_sname(self): + other_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER, + opts={ + 'trusted_to_auth_for_delegation': True, + 'id': 0 + }) + other_sname = other_creds.get_username()[:-1] + + self._run_s4u2self_test( + { + 'expected_error_mode': KDC_ERR_BADMATCH, + 'expect_edata': False, + 'client_opts': { + 'not_delegated': False + }, + 'service_opts': { + 'trusted_to_auth_for_delegation': True + }, + 'service_name': other_sname, + 'kdc_options': 'forwardable', + 'modify_service_tgt_fn': functools.partial( + self.set_ticket_forwardable, flag=True) + }) + def _run_delegation_test(self, kdc_dict): client_opts = kdc_dict.pop('client_opts', None) client_creds = self.get_cached_creds( diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index fc2a3554f0d..fd05719cc4c 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -81,6 +81,7 @@ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname # ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required