From ff6d325e38d83b689da47c1b059f3ed865ffa7c2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 25 Nov 2021 16:16:52 +1300 Subject: [PATCH] tests/krb5: Check ticket cname for Heimdal This is currently not checked in several places due to STRICT_CHECKING being set to 0. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- python/samba/tests/krb5/raw_testcase.py | 25 +++++++---- source4/selftest/tests.py | 58 +++++++++++++++++-------- 2 files changed, 55 insertions(+), 28 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 14e655313fc..6fdf365ad54 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -609,6 +609,12 @@ class RawKerberosTest(TestCaseInTempDir): expect_extra_pac_buffers = '1' cls.expect_extra_pac_buffers = bool(int(expect_extra_pac_buffers)) + cname_checking = samba.tests.env_get_var_value('CHECK_CNAME', + allow_missing=True) + if cname_checking is None: + cname_checking = '1' + cls.cname_checking = bool(int(cname_checking)) + def setUp(self): super().setUp() self.do_asn1_print = False @@ -2232,6 +2238,7 @@ class RawKerberosTest(TestCaseInTempDir): padata = self.getElementValue(rep, 'padata') if self.strict_checking: self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) + if self.cname_checking: if expected_anon: expected_cname = self.PrincipalName_create( name_type=NT_WELLKNOWN, @@ -2452,7 +2459,7 @@ class RawKerberosTest(TestCaseInTempDir): ticket_session_key = self.EncryptionKey_import(ticket_key) self.assertElementEqualUTF8(ticket_private, 'crealm', expected_crealm) - if self.strict_checking: + if self.cname_checking: self.assertElementEqualPrincipal(ticket_private, 'cname', expected_cname) self.assertElementPresent(ticket_private, 'transited') 
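Review bot: The new CHECK_CNAME block in the class-level setup hunk at -609 has no comment saying what the switch governs or that an unset variable means "enabled". Something like `# CHECK_CNAME gates the cname assertions independently of STRICT_CHECKING; unset means enabled.` above `cname_checking = ...` would record that. Defaulting to `'1'` is the safer direction, since a run that forgets the variable gets more checks rather than fewer. As with the sibling settings, `bool(int(cname_checking))` raises a bare ValueError for a value such as `true`. The enclosing method starts and ends outside the hunk.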
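Review bot: The new `if self.cname_checking:` at -2232, and the same change on the ticket `cname` assertion at -2452, mean that a run with STRICT_CHECKING=1 and CHECK_CNAME=0 now skips cname assertions that strict mode appears to have covered before. If strict mode is meant to stay a superset of the individual switches, the condition could be `if self.strict_checking or self.cname_checking:` in both places. The block under the new line at -2232 continues outside the hunk, and indentation is not recoverable in this view, so it is worth confirming that only cname-related assertions moved under the new flag.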
@@ -2695,7 +2702,7 @@ class RawKerberosTest(TestCaseInTempDir): elif pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME: expected_cname = kdc_exchange_dict['expected_cname'] - account_name = expected_cname['name-string'][0] + account_name = '/'.join(expected_cname['name-string']) self.assertEqual(account_name, pac_buffer.info.account_name) @@ -2785,15 +2792,15 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementPresent(rep, 'stime') self.assertElementPresent(rep, 'susec') # error-code checked above + if expected_anon and not inner: + expected_cname = self.PrincipalName_create( + name_type=NT_WELLKNOWN, + names=['WELLKNOWN', 'ANONYMOUS']) + self.assertElementEqualPrincipal(rep, 'cname', expected_cname) + elif self.strict_checking: + self.assertElementMissing(rep, 'cname') if self.strict_checking: self.assertElementMissing(rep, 'crealm') - if expected_anon and not inner: - expected_cname = self.PrincipalName_create( - name_type=NT_WELLKNOWN, - names=['WELLKNOWN', 'ANONYMOUS']) - self.assertElementEqualPrincipal(rep, 'cname', expected_cname) - else: - self.assertElementMissing(rep, 'cname') self.assertElementEqualUTF8(rep, 'realm', expected_srealm) self.assertElementEqualPrincipal(rep, 'sname', expected_sname) self.assertElementMissing(rep, 'e-text') diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 634e9b97562..b1ed661b784 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py 
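Review bot: The change to `account_name = '/'.join(expected_cname['name-string'])` in the `PAC_TYPE_LOGON_NAME` branch has no comment explaining why every component is now compared rather than the first. A line such as `# PAC_LOGON_NAME carries the whole principal name, components joined by '/'` would make the expectation explicit. The join also assumes no component contains `/`, since such a name would compare equal to a different principal with more components. That is probably outside what these tests construct, but the comment could say so. The enclosing loop over PAC buffers starts outside the hunk.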
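Review bot: In the error-reply hunk at -2785, the `if expected_anon and not inner:` branch now asserts `cname` unconditionally, while the other cname assertions this commit touches are gated on `self.cname_checking`. With CHECK_CNAME=0 and STRICT_CHECKING=0 this assertion still runs, which looks inconsistent with the new switch. If that is intended, a comment such as `# The anonymous cname is always checked, regardless of CHECK_CNAME` would say so. Otherwise nest the `assertElementEqualPrincipal(rep, 'cname', expected_cname)` call under `if self.cname_checking:` and leave the `elif self.strict_checking:` branch as it is.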
@@ -944,13 +944,15 @@ have_fast_support = int('SAMBA_USES_MITKDC' in config_hash) tkt_sig_support = int('SAMBA4_USES_HEIMDAL' in config_hash) expect_pac = int('SAMBA4_USES_HEIMDAL' in config_hash) extra_pac_buffers = int('SAMBA4_USES_HEIMDAL' in config_hash) +check_cname = int('SAMBA4_USES_HEIMDAL' in config_hash) planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", environ={'SERVICE_USERNAME':'$SERVER', 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers}) + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname}) planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", environ={'ADMIN_USERNAME':'$USERNAME', 'ADMIN_PASSWORD':'$PASSWORD', @@ -959,7 +961,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers}) + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname}) planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests", environ={'ADMIN_USERNAME':'$USERNAME', 'ADMIN_PASSWORD':'$PASSWORD', @@ -967,7 +970,8 @@ planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers}) + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname}) planoldpythontestsuite("ad_dc_default", "samba.tests.dsdb_dns") 
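Review bot: `'CHECK_CNAME': check_cname` is appended by hand to each krb5 suite's `environ` dict, in this hunk and in every later hunk of this file, so the same five keys are now repeated in roughly twenty places. A suite that is missed falls back to the `'1'` default in raw_testcase.py and runs the cname assertions even on a build where `check_cname` is 0; suites whose `environ` is not visible in these hunks would be worth a check. Defining the common settings once, e.g. `krb5_config = {'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, 'CHECK_CNAME': check_cname}`, and passing `environ={**krb5_config, 'SERVICE_USERNAME': '$SERVER'}` would make the next switch a one-line change.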
@@ -975,7 +979,8 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests", environ={'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers}) + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname}) planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache", environ={ @@ -985,7 +990,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap", environ={ @@ -995,7 +1001,8 @@ planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) for env in ['ad_dc_default', 'ad_member']: planoldpythontestsuite(env, "samba.tests.krb5.test_rpc", @@ -1006,7 +1013,8 @@ for env in ['ad_dc_default', 'ad_member']: 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb", environ={ 
@@ -1016,7 +1024,8 @@ planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planoldpythontestsuite("ad_member_idmap_nss:local", "samba.tests.krb5.test_min_domain_uid", @@ -1040,7 +1049,8 @@ planoldpythontestsuite("ad_member_idmap_nss:local", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) for env in ["ad_dc", smbv1_disabled_testenv]: @@ -1636,7 +1646,8 @@ for env in ["fl2008r2dc", "fl2003dc"]: 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests', @@ -1647,7 +1658,8 @@ planoldpythontestsuite('fl2008r2dc', 'samba.tests.krb5.salt_tests', 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: @@ -1671,7 +1683,8 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests", environ={ 
@@ -1681,13 +1694,15 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests", 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests", environ={'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers}) + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname}) planpythontestsuite( "ad_dc", "samba.tests.krb5.kdc_tgs_tests", @@ -1698,7 +1713,8 @@ planpythontestsuite( 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planpythontestsuite( "ad_dc", @@ -1710,7 +1726,8 @@ planpythontestsuite( 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planpythontestsuite( "ad_dc", @@ -1722,7 +1739,8 @@ planpythontestsuite( 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planpythontestsuite( "ad_dc", @@ -1734,7 +1752,8 @@ planpythontestsuite( 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) planpythontestsuite( "ad_dc", 
@@ -1746,7 +1765,8 @@ planpythontestsuite( 'FAST_SUPPORT': have_fast_support, 'TKT_SIG_SUPPORT': tkt_sig_support, 'EXPECT_PAC': expect_pac, - 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers + 'EXPECT_EXTRA_PAC_BUFFERS': extra_pac_buffers, + 'CHECK_CNAME': check_cname }) for env in [