sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

tests/krb5: Be less strict regarding acceptable delegation error codes

Browse Source 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
Joseph Sutton 2023-06-20 16:46:03 +12:00 committed by Stefan Metzmacher
parent 0e43d11e39
commit fcfdb44381
2 changed files with 24 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
python/samba/tests/krb5/s4u_tests.py
View File

@ -1018,7 +1018,8 @@ class S4UKerberosTests(KDCBaseTest):
self._run_delegation_test( self._run_delegation_test(
{ {
'expected_error_mode': (KDC_ERR_MODIFIED, 'expected_error_mode': (KDC_ERR_MODIFIED,
KDC_ERR_BADOPTION), KDC_ERR_BADOPTION,
KDC_ERR_TGT_REVOKED),
'allow_delegation': True, 'allow_delegation': True,
'modify_client_tkt_fn': self.remove_ticket_pac, 'modify_client_tkt_fn': self.remove_ticket_pac,
'expect_edata': False, 'expect_edata': False,
@ -1128,7 +1129,8 @@ class S4UKerberosTests(KDCBaseTest):
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test( self._run_delegation_test(
{ {
'expected_error_mode': KDC_ERR_MODIFIED, 'expected_error_mode': (KDC_ERR_MODIFIED,
KDC_ERR_TGT_REVOKED),
# We arent particular about whether or not we get an NTSTATUS. # We arent particular about whether or not we get an NTSTATUS.
'expect_status': None, 'expect_status': None,
'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED, 'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED,
@ -1144,7 +1146,8 @@ class S4UKerberosTests(KDCBaseTest):
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test( self._run_delegation_test(
{ {
'expected_error_mode': KDC_ERR_MODIFIED, 'expected_error_mode': (KDC_ERR_MODIFIED,
KDC_ERR_TGT_REVOKED),
# We arent particular about whether or not we get an NTSTATUS. # We arent particular about whether or not we get an NTSTATUS.
'expect_status': None, 'expect_status': None,
'expected_status': ntstatus.NT_STATUS_NO_MATCH, 'expected_status': ntstatus.NT_STATUS_NO_MATCH,
@ -1177,7 +1180,8 @@ class S4UKerberosTests(KDCBaseTest):
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute. # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test( self._run_delegation_test(
{ {
'expected_error_mode': KDC_ERR_MODIFIED, 'expected_error_mode': (KDC_ERR_MODIFIED,
KDC_ERR_TGT_REVOKED),
# We arent particular about whether or not we get an NTSTATUS. # We arent particular about whether or not we get an NTSTATUS.
'expect_status': None, 'expect_status': None,
'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED, 'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED,
@ -1196,7 +1200,8 @@ class S4UKerberosTests(KDCBaseTest):
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute. # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test( self._run_delegation_test(
{ {
'expected_error_mode': KDC_ERR_MODIFIED, 'expected_error_mode': (KDC_ERR_MODIFIED,
KDC_ERR_TGT_REVOKED),
# We arent particular about whether or not we get an NTSTATUS. # We arent particular about whether or not we get an NTSTATUS.
'expect_status': None, 'expect_status': None,
'expected_status': ntstatus.NT_STATUS_NO_MATCH, 'expected_status': ntstatus.NT_STATUS_NO_MATCH,
@ -1356,7 +1361,8 @@ class S4UKerberosTests(KDCBaseTest):
for checksum in self.pac_checksum_types: for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum): with self.subTest(checksum=checksum):
if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM: if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM:
expected_error_mode = KDC_ERR_MODIFIED expected_error_mode = (KDC_ERR_MODIFIED,
KDC_ERR_BADOPTION)
else: else:
expected_error_mode = KDC_ERR_GENERIC expected_error_mode = KDC_ERR_GENERIC
@ -1443,7 +1449,8 @@ class S4UKerberosTests(KDCBaseTest):
with self.subTest(checksum=checksum): with self.subTest(checksum=checksum):
self._run_delegation_test( self._run_delegation_test(
{ {
'expected_error_mode': KDC_ERR_MODIFIED, 'expected_error_mode': (KDC_ERR_MODIFIED,
KDC_ERR_BAD_INTEGRITY),
# We arent particular about whether or not we get an # We arent particular about whether or not we get an
# NTSTATUS. # NTSTATUS.
'expect_status': None, 'expect_status': None,
@ -1462,7 +1469,8 @@ class S4UKerberosTests(KDCBaseTest):
for checksum in self.pac_checksum_types: for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum): with self.subTest(checksum=checksum):
if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM: if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM:
expected_error_mode = KDC_ERR_MODIFIED expected_error_mode = (KDC_ERR_MODIFIED,
KDC_ERR_BAD_INTEGRITY)
# We arent particular about whether or not we get an # We arent particular about whether or not we get an
# NTSTATUS. # NTSTATUS.
expect_status = None expect_status = None
@ -1551,9 +1559,11 @@ class S4UKerberosTests(KDCBaseTest):
with self.subTest(checksum=checksum, ctype=ctype): with self.subTest(checksum=checksum, ctype=ctype):
if (checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM if (checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM
and ctype == Cksumtype.SHA1): and ctype == Cksumtype.SHA1):
expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP,
KDC_ERR_INAPP_CKSUM)
else: else:
expected_error_mode = KDC_ERR_GENERIC expected_error_mode = (KDC_ERR_GENERIC,
KDC_ERR_INAPP_CKSUM)
self._run_delegation_test( self._run_delegation_test(
{ {
@ -1582,10 +1592,12 @@ class S4UKerberosTests(KDCBaseTest):
# NTSTATUS. # NTSTATUS.
expect_status = None expect_status = None
if ctype == Cksumtype.SHA1: if ctype == Cksumtype.SHA1:
expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP,
KDC_ERR_INAPP_CKSUM)
expected_status = ntstatus.NT_STATUS_LOGON_FAILURE expected_status = ntstatus.NT_STATUS_LOGON_FAILURE
else: else:
expected_error_mode = KDC_ERR_GENERIC expected_error_mode = (KDC_ERR_GENERIC,
KDC_ERR_INAPP_CKSUM)
expected_status = ( expected_status = (
ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES) ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES)
else: else:

1
selftest/knownfail_heimdal_kdc
View File

@ -34,7 +34,6 @@
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
# #
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac_no_auth_data_required
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd\( ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd\(
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a