sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-27 14:04:05 +03:00
Code

CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022

Browse Source 
I'm using the following options:

SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

in order to run these:

python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
This commit is contained in:
Stefan Metzmacher 2022-11-29 09:48:09 +01:00
parent 4ebbe7e407
commit e0f89b7bc8
3 changed files with 39 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
python/samba/tests/krb5/as_req_tests.py
View File

@ -47,6 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
expected_cname=None, sname=None, expected_cname=None, sname=None,
name_type=NT_PRINCIPAL, etypes=None, name_type=NT_PRINCIPAL, etypes=None,
expected_error=None, expect_edata=None, expected_error=None, expect_edata=None,
expected_pa_error=None, expect_pa_edata=None,
kdc_options=None, till=None): kdc_options=None, till=None):
user_name = client_creds.get_username() user_name = client_creds.get_username()
if client_account is None: if client_account is None:
@ -125,6 +126,8 @@ class AsReqBaseTest(KDCBaseTest):
preauth_padata = [pa_ts] preauth_padata = [pa_ts]
preauth_error_mode = 0 # AS-REP preauth_error_mode = 0 # AS-REP
if expected_pa_error is not None:
preauth_error_mode = expected_pa_error
krbtgt_decryption_key = ( krbtgt_decryption_key = (
self.TicketDecryptionKey_from_creds(krbtgt_creds)) self.TicketDecryptionKey_from_creds(krbtgt_creds))
@ -146,6 +149,7 @@ class AsReqBaseTest(KDCBaseTest):
kdc_options, kdc_options,
expected_supported_etypes=krbtgt_supported_etypes, expected_supported_etypes=krbtgt_supported_etypes,
expected_account_name=user_name, expected_account_name=user_name,
expect_edata=expect_pa_edata,
preauth_key=preauth_key, preauth_key=preauth_key,
ticket_decryption_key=krbtgt_decryption_key, ticket_decryption_key=krbtgt_decryption_key,
pac_request=True) pac_request=True)
@ -512,10 +516,17 @@ class AsReqKerberosTests(AsReqBaseTest):
name_type=NT_SRV_INST, name_type=NT_SRV_INST,
names=[krbtgt_account, realm]) names=[krbtgt_account, realm])
self._run_as_req_enc_timestamp( if self.strict_checking:
client_creds, self._run_as_req_enc_timestamp(
sname=wrong_krbtgt_princ, client_creds,
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) sname=wrong_krbtgt_princ,
expected_pa_error=KDC_ERR_S_PRINCIPAL_UNKNOWN,
expect_pa_edata=False)
else:
self._run_as_req_enc_timestamp(
client_creds,
sname=wrong_krbtgt_princ,
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
# Test that we can make a request for a ticket expiring post-2038. # Test that we can make a request for a ticket expiring post-2038.
def test_future_till(self): def test_future_till(self):

9
python/samba/tests/krb5/kdc_base_test.py
View File

@ -53,6 +53,11 @@ from samba.dsdb import (
UF_SERVER_TRUST_ACCOUNT, UF_SERVER_TRUST_ACCOUNT,
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
) )
from samba.dcerpc.misc import (
SEC_CHAN_NULL,
SEC_CHAN_WKSTA,
SEC_CHAN_BDC,
)
from samba.join import DCJoinContext from samba.join import DCJoinContext
from samba.ndr import ndr_pack, ndr_unpack from samba.ndr import ndr_pack, ndr_unpack
from samba import net from samba import net
@ -430,6 +435,7 @@ class KDCBaseTest(RawKerberosTest):
# run failed # run failed
delete_force(samdb, dn) delete_force(samdb, dn)
account_name = name account_name = name
secure_schannel_type = SEC_CHAN_NULL
if account_type is self.AccountType.USER: if account_type is self.AccountType.USER:
object_class = "user" object_class = "user"
account_control |= UF_NORMAL_ACCOUNT account_control |= UF_NORMAL_ACCOUNT
@ -439,8 +445,10 @@ class KDCBaseTest(RawKerberosTest):
account_name += '$' account_name += '$'
if account_type is self.AccountType.COMPUTER: if account_type is self.AccountType.COMPUTER:
account_control |= UF_WORKSTATION_TRUST_ACCOUNT account_control |= UF_WORKSTATION_TRUST_ACCOUNT
secure_schannel_type = SEC_CHAN_WKSTA
elif account_type is self.AccountType.SERVER: elif account_type is self.AccountType.SERVER:
account_control |= UF_SERVER_TRUST_ACCOUNT account_control |= UF_SERVER_TRUST_ACCOUNT
secure_schannel_type = SEC_CHAN_BDC
else: else:
self.fail() self.fail()
@ -481,6 +489,7 @@ class KDCBaseTest(RawKerberosTest):
creds.set_workstation('') creds.set_workstation('')
else: else:
creds.set_workstation(name) creds.set_workstation(name)
creds.set_secure_channel_type(secure_schannel_type)
creds.set_dn(ldb.Dn(samdb, dn)) creds.set_dn(ldb.Dn(samdb, dn))
creds.set_upn(upn) creds.set_upn(upn)
creds.set_spn(spn) creds.set_spn(spn)

18
python/samba/tests/krb5/raw_testcase.py
View File

@ -41,6 +41,10 @@ from samba.credentials import Credentials
from samba.dcerpc import claims, krb5pac, netlogon, security from samba.dcerpc import claims, krb5pac, netlogon, security
from samba.gensec import FEATURE_SEAL from samba.gensec import FEATURE_SEAL
from samba.ndr import ndr_pack, ndr_unpack from samba.ndr import ndr_pack, ndr_unpack
from samba.dcerpc.misc import (
SEC_CHAN_WKSTA,
SEC_CHAN_BDC,
)
import samba.tests import samba.tests
from samba.tests import TestCaseInTempDir from samba.tests import TestCaseInTempDir
@ -485,7 +489,8 @@ class KerberosCredentials(Credentials):
else: else:
salt_name = self.get_username() salt_name = self.get_username()
if self.get_workstation(): secure_schannel_type = self.get_secure_channel_type()
if secure_schannel_type in [SEC_CHAN_WKSTA,SEC_CHAN_BDC]:
salt_name = self.get_username().lower() salt_name = self.get_username().lower()
if salt_name[-1] == '$': if salt_name[-1] == '$':
salt_name = salt_name[:-1] salt_name = salt_name[:-1]
@ -2976,7 +2981,7 @@ class RawKerberosTest(TestCaseInTempDir):
else: else:
self.assertElementMissing(ticket_private, 'renew-till') self.assertElementMissing(ticket_private, 'renew-till')
if self.strict_checking: if self.strict_checking:
self.assertElementEqual(ticket_private, 'caddr', []) self.assertElementMissing(ticket_private, 'caddr')
if expect_pac is not None: if expect_pac is not None:
if expect_pac: if expect_pac:
self.assertElementPresent(ticket_private, self.assertElementPresent(ticket_private,
@ -3030,7 +3035,7 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertElementEqualPrincipal(encpart_private, 'sname', self.assertElementEqualPrincipal(encpart_private, 'sname',
expected_sname) expected_sname)
if self.strict_checking: if self.strict_checking:
self.assertElementEqual(encpart_private, 'caddr', []) self.assertElementMissing(encpart_private, 'caddr')
sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict) sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict)
@ -3793,6 +3798,13 @@ class RawKerberosTest(TestCaseInTempDir):
kcrypto.Enctype.AES128}: kcrypto.Enctype.AES128}:
expected_patypes += (PADATA_ETYPE_INFO2,) expected_patypes += (PADATA_ETYPE_INFO2,)
preauth_key = kdc_exchange_dict['preauth_key']
if preauth_key.etype == kcrypto.Enctype.RC4 and rep_padata is None:
rep_padata = ()
elif rep_msg_type == KRB_TGS_REP:
if expected_patypes == () and rep_padata is None:
rep_padata = ()
if not self.strict_checking and rep_padata is None: if not self.strict_checking and rep_padata is None:
rep_padata = () rep_padata = ()