Joseph Sutton
40a3f71818
CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
...
https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
2158ba1eb0
CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
e647186c14
CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
924f323188
CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
faf47b0b6b
CVE-2020-25719 tests/krb5: Adjust PAC tests to prepare for new PAC_ATTRIBUTES_INFO buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
a236e2cc25
CVE-2020-25719 tests/krb5: Use correct credentials for user-to-user tests
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
9602594585
CVE-2020-25719 tests/krb5: Return ticket from _tgs_req()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
21298ddfc5
CVE-2020-25719 tests/krb5: Expect 'renew-till' element when renewing a TGT
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
383bedd6fd
CVE-2020-25719 tests/krb5: Don't expect a kvno for user-to-user
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
dd251f26df
CVE-2020-25719 tests/krb5: Allow update_pac_checksums=True if the PAC is not present
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
336dfc3207
CVE-2020-25719 tests/krb5: Provide expected parameters for both AS-REQs in get_tgt()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
2249143fe3
CVE-2020-25718 tests/krb5: Fix indentation
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Douglas Bagnall
11540375af
CVE-2020-25722 pytest: test setting servicePrincipalName over ldap
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Douglas Bagnall
df34c11cbc
CVE-2020-25722 pytest: test sAMAccountName/userPrincipalName over ldap
...
Because the sam account name + the dns host name is used as the
default user principal name, we need to check for collisions between
these. Fixes are coming in upcoming patches.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Douglas Bagnall
72a2c21f3f
CVE-2020-25722 samba-tool spn add: remove --force option
...
This did not actually *force* the creation of a duplicate SPN, it just
ignored the client-side check for the existing copy. Soon we are going
to enforce SPN uniqueness on the server side, and this --force will not
work. This will make the --force test fail, and if that tests fail, so
will others that depend the duplicate values. So we remove those tests.
It is wrong-headed to try to make duplicate SPNs in any case, which is
probably why there is no sign of anyone ever having used this option.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Douglas Bagnall
7243bd7d38
CVE-2020-25722 samba-tool spn: accept -H for database url
...
Following the convention and making testing easier
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Douglas Bagnall
b919246c55
CVE-2020-25722 pytest: assertRaisesLdbError invents a message if you're lazy
...
This makes it easier to convert tests that don't have good messages.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Douglas Bagnall
de24916a82
CVE-2020-25722 pytests: add reverse lookup dict for LDB error codes
...
You can give ldb_err() it a number, an LdbError, or a sequence of
numbers, and it will return the corresponding strings. Examples:
ldb_err(68) # "LDB_ERR_ENTRY_ALREADY_EXISTS"
LDB_ERR_LUT[68] # "LDB_ERR_ENTRY_ALREADY_EXISTS"
expected = (ldb.ERR_INSUFFICIENT_ACCESS_RIGHTS,
ldb.ERR_INVALID_CREDENTIALS)
try:
foo()
except ldb.LdbError as e:
self.fail(f"got {ldb_err(e)}, expected one of {ldb_err(expected)}")
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Samuel Cabrero
14b9f905da
CVE-2020-25717: selftest: Add a test for the new 'min domain uid' parameter
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org Fixed knowfail per instruction from metze]
2021-11-09 19:45:33 +00:00
Joseph Sutton
b4ea50f8b2
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Stefan Metzmacher
9fe1b719e1
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC
...
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.
For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).
This will also help others doing backports that do not
take the full patch set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
903ab1a027
CVE-2020-25721 tests/krb5: Add tests for extended PAC_UPN_DNS_INFO PAC buffer
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
24be204834
CVE-2020-25719 tests/krb5: Add tests for including authdata without a PAC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
3af0c36a06
CVE-2020-25718 tests/krb5: Add tests for RODC-printed and invalid TGTs
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
7f7476b08c
CVE-2020-25719 tests/krb5: Add principal aliasing test
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
48e5154de6
CVE-2020-25719 tests/krb5: Add a test for making an S4U2Self request without a PAC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
bd87905cf1
CVE-2020-25719 tests/krb5: Add tests for requiring and issuing a PAC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
3f7b971d37
CVE-2020-25721 ndrdump: Add tests for PAC with UPN_DNS_INFO
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
89c88a83da
CVE-2020-25722 tests/krb5: Add KDC tests for 3-part SPNs
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
4125650a27
CVE-2020-25719 CVE-2020-25717 tests/krb5: Allow create_ccache_with_user() to return a ticket without a PAC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
873ac6d814
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service
...
This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
23dc0cbd53
CVE-2020-25721 tests/krb5: Check PAC buffer types when STRICT_CHECKING=0
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
4ac05264a7
MS CVE-2020-17049 tests/krb5: Allow tests to pass if ticket signature checksum type is wrong
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
dbedf5b6e2
CVE-2020-25719 tests/krb5: Add method to get unique username for test accounts
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
4a792ad92d
CVE-2020-25719 tests/krb5: Add is_tgt() helper method
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14686
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
43df8d0b2e
CVE-2020-25722 tests/krb5: Allow creating server accounts
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
06168fd4e3
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add pac_request parameter to get_service_ticket()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
ff6631ecdc
CVE-2020-25719 CVE-2020-25717 tests/krb5: Modify get_service_ticket() to use _generic_kdc_exchange()
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Joseph Sutton
f7f49db722
CVE-2020-25718 tests/krb5: Allow tests accounts to replicate to RODC
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:32 +00:00
Andrew Bartlett
adfae12584
CVE-2020-25722 selftest: Allow self.assertRaisesLdbError() to take a list of errors to match with
...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-09 19:45:32 +00:00
David Mulder
1fce72f796
samba-tool: Add domain member leave
...
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Thu Nov 4 20:43:32 UTC 2021 on sn-devel-184
2021-11-04 20:43:32 +00:00
David Mulder
5199eb1412
gp: Apply Firewalld Policy
...
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Nov 1 21:16:43 UTC 2021 on sn-devel-184
2021-11-01 21:16:43 +00:00
David Mulder
cd73e41013
gp: Test Firewalld Group Policy Apply
...
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-11-01 20:29:36 +00:00
David Mulder
2be0a19d44
Revert "samba-tool: Pick local host if calling samba-tool from DC"
...
This reverts commit 7c9195e28b
.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Tue Oct 26 16:00:28 UTC 2021 on sn-devel-184
2021-10-26 16:00:28 +00:00
David Mulder
7c9195e28b
samba-tool: Pick local host if calling samba-tool from DC
...
It is reasonable to assume, that if we are running a command from a DC,
that a user expects that the command will run against this DC.
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Rowland Penny <rpenny@samba.org>
Autobuild-User(master): David Mulder <dmulder@samba.org>
Autobuild-Date(master): Tue Oct 26 14:23:42 UTC 2021 on sn-devel-184
2021-10-26 14:23:42 +00:00
Andreas Schneider
db34188246
Revert "gp: Test Firewalld Group Policy Apply"
...
This reverts commit 8f34744919
.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: David Mulder <dmulder@suse.com>
2021-10-25 14:08:32 +00:00
Andreas Schneider
cd5f519913
Revert "gp: Apply Firewalld Policy"
...
This reverts commit 9ac2d5d991
.
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: David Mulder <dmulder@suse.com>
2021-10-25 14:08:32 +00:00
Joseph Sutton
c174e9ebe7
tests/krb5: Check account name and SID in PAC for S4U tests
...
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Oct 25 09:23:35 UTC 2021 on sn-devel-184
2021-10-25 09:23:35 +00:00
David Mulder
9ac2d5d991
gp: Apply Firewalld Policy
...
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2021-10-25 08:31:31 +00:00
David Mulder
8f34744919
gp: Test Firewalld Group Policy Apply
...
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2021-10-25 08:31:31 +00:00