
python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works

We have had it confirmed by Microsoft that this behaviour is both
deliberate and required.  Possession of the credential is (by the returned PAC
containing the NT hash) possession of the password, and it must be
possible to change the password to a known value, otherwise DPAPI
(local keychain) secured by this value can fail on the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15045

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
This commit is contained in:
Andrew Bartlett 2024-05-27 18:53:42 +12:00
parent 4ec24a2076
commit dc6c4b215e
2 changed files with 54 additions and 11 deletions


@ -36,7 +36,7 @@ from cryptography.x509.oid import NameOID
import ldb
import samba.tests
from samba import credentials, ntstatus
from samba import credentials, generate_random_password, ntstatus
from samba.dcerpc import security, netlogon
from samba.tests.krb5 import kcrypto
from samba.tests.krb5.kdc_base_test import KDCBaseTest
@ -51,6 +51,7 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_PREAUTH_EXPIRED,
KDC_ERR_PREAUTH_FAILED,
KDC_ERR_PREAUTH_REQUIRED,
KPASSWD_SUCCESS,
KU_PA_ENC_TIMESTAMP,
NT_PRINCIPAL,
NT_SRV_INST,
@ -772,6 +773,44 @@ class PkInitTests(KDCBaseTest):
self._test_samlogon(creds=client_creds,
logon_type=netlogon.NetlogonNetworkInformation)
def test_pkinit_kpasswd_change(self):
"""Test public-key PK-INIT to get an initial ticket to change the user's own password."""
client_creds = self._get_creds()
krbtgt_creds = self.get_krbtgt_creds()
kpasswd_sname = self.get_kpasswd_sname()
freshness_token = self.create_freshness_token()
samdb = self.get_samdb()
# Get the old 'minPwdAge'
minPwdAge = samdb.get_minPwdAge()
# Reset the 'minPwdAge' as it was before
self.addCleanup(samdb.set_minPwdAge, minPwdAge)
# Set it temporarily to '0'
samdb.set_minPwdAge('0')
kdc_exchange_dict = self._pkinit_req(client_creds, krbtgt_creds,
freshness_token=freshness_token,
target_sname=kpasswd_sname)
ticket = kdc_exchange_dict['rep_ticket_creds']
expected_code = KPASSWD_SUCCESS
expected_msg = b'Password changed'
# Set the password.
new_password = generate_random_password(32, 32)
self.kpasswd_exchange(ticket,
new_password,
expected_code,
expected_msg,
mode=self.KpasswdMode.SET)
# Test the newly set password.
client_creds.update_password(new_password)
self.get_tgt(client_creds, fresh=True)
def _as_req(self,
creds,
target_creds,
@ -1160,6 +1199,7 @@ class PkInitTests(KDCBaseTest):
certificate_signature=None,
freshness_token=None,
win2k_variant=False,
target_sname=None
):
self.assertIsNot(using_pkinit, PkInit.NOT_USED)
@ -1360,6 +1400,8 @@ class PkInitTests(KDCBaseTest):
target_name = target_creds.get_username()
target_realm = target_creds.get_realm()
expected_sname = target_sname
if target_sname is None:
target_name = target_creds.get_username()
if target_name == "krbtgt":
target_sname = self.PrincipalName_create(name_type=NT_SRV_INST,
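Review bot: `test_pkinit_kpasswd_change` exercises `mode=self.KpasswdMode.SET`, yet its name and docstring ("to change the user's own password") describe a change; the distinction is the security-relevant point of this commit, since a set does not require proof of the current password, which is exactly what a PK-INIT-authenticated client lacks. A comment at the `kpasswd_exchange` call would make that intent explicit, e.g. `# PK-INIT proves possession of the credential, not knowledge of the current password, so a set (not a change) is what a smartcard user can perform here.`, and renaming the test to `test_pkinit_kpasswd_set` (with the matching selftest-list entry) would remove the mismatch. `client_creds.update_password(new_password)` mutates the object returned by `_get_creds()`; if that helper hands out a cached account shared with other tests, they would subsequently see the new password, so this is worth confirming or avoiding with a dedicated account. In the `_pkinit_req` hunk, `expected_sname = target_sname` is captured before the `if target_sname is None` branch computes the default, so the `None` case is presumably resolved where `expected_sname` is consumed; that part of `_pkinit_req`'s body lies outside the visible lines.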


@ -34,6 +34,7 @@
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_smartcard_required
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac_smartcard_required_must_change_now
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_ntlm_from_pac
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_kpasswd_change
#
# PK-INIT Freshness tests
#