1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

3095 Commits

Author SHA1 Message Date
Joseph Sutton
a562882b15 tests/krb5: Add methods for creating zeroed checksums and verifying checksums
Creating a zeroed checksum is needed for signing a PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:42 +00:00
Joseph Sutton
419e4061ce tests/krb5: Cache obtained tickets
Now tickets obtained with get_tgt() and get_service_ticket() make use of
a cache so they can be reused, unless the 'fresh' parameter is specified
as true.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
6193f7433b tests/krb5: Return encpart from get_tgt() as part of KerberosTicketCreds
The encpart is already contained in ticket_creds, so it no longer needs
to be returned as a separate value.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
59c1043be2 tests/krb5: Move get_tgt() and get_service_ticket() to kdc_base_test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
035a8f1985 tests/krb5: Allow get_tgt() to specify expected and unexpected flags
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
4ecfa82e71 tests/krb5: Allow get_tgt() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
2d69805b1e tests/krb5: Allow get_tgt() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
5d3a135c23 tests/krb5: Allow get_service_ticket() to get tickets from the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
7645dfa5be tests/krb5: Set DN of created accounts to ldb.Dn type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
c226029655 tests/krb5: Don't manually create PAC request and options in fast_tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
3504e99dc5 tests/krb5: Use PAC buffer type constants from krb5pac.idl
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
a5e62d681d tests/krb5: Allow as_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
6403a09d94 tests/krb5: Allow tgs_req() to send requests to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
1a3426da54 tests/krb5: Allow tgs_req() to specify different kdc-options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
1f0654b8fa tests/krb5: Allow tgs_req() to send additional padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
2a4d53dc12 tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
0061fa2c2a tests/krb5: Check correct flags element
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
a281ae09bc tests/krb5: Add helper method for modifying PACs
This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
21a7717359 python/join: Check for correct msDS-KrbTgtLink attribute
Previously, the wrong case was used when checking for this attribute,
which meant krbtgt accounts were not being cleaned up.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
cde38d36b9 python: Don't leak file handles
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
35292bd322 tests/krb5: Allow replicating accounts to the created RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
ef5666bc51 tests/krb5: Create RODC account for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
3cc9e77f38 tests/krb5: Allow replicating accounts to the RODC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
af633992e3 tests/krb5: Add get_secrets() method to get the secret attributes of a DN
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
a5bf7aad54 tests/krb5: Add method to get RODC krbtgt credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
7bc52cecb4 tests/krb5: Sign-extend kvno from 32-bit integer
This helps to avoid problems with RODC kvnos that have the high bit set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
a99a76722d pytest:segfault: Add test for ldb.msg_diff()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
943079fd94 tests/krb5: Generate padata for FAST tests
This gives us access to parameters of kdc_exchange_dict and enables us
to simplify the logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
c9fd8ffd89 tests/krb5: Add get_cached_creds() method to create persistent accounts for testing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
0e99382d73 tests/krb5: Get encpart decryption key from kdc_exchange_dict
Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
a5186f9280 tests/krb5: Get expected cname from TGT for TGS-REQ messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
4ba5e82ae5 tests/krb5: Allow specifying status code to be checked
This allows us to check the status code that may be sent in an error
reply to a TGS-REQ message.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
01378a52a1 tests/krb5: Create testing accounts in appropriate containers
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 14 00:01:44 UTC 2021 on sn-devel-184
2021-09-14 00:01:44 +00:00
Joseph Sutton
c3b7462902 tests/krb5: Check for presence of 'key-expiration' element
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
d3106a8d35 tests/krb5: Check 'caddr' element
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
9cba5f9a1b tests/krb5: Check for presence of 'renew-till' element
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
0afb548a0a tests/krb5: Allow Kerberos requests to be sent to DC or RODC
If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
1974b872fb tests/krb5: Make time assertion less strict
This assertion could fail if there was a time difference between the KDC
and the client.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
85ddfc1afc tests/krb5: Allow specifying ticket flags expected to be set or reset
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
571265257f tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
7556a4dfa6 tests/krb5: Don't create PAC request or options manually in fast_tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
bc21ba2592 tests/krb5: Don't create PAC request manually in as_req_tests
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
c0db1ba54d tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
1f23b16ef3 tests/krb5: Move padata generation methods to base class
This allows them to be used directly from RawKerberosTest.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
9973b51e48 tests/krb5: Keep track of account DN in credentials object
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
9aa9008574 tests/krb5: Allow specifying additional User Account Control flags for account
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
7aae0e9b10 tests/krb5: Allow specifying an OU to create accounts in
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
bf55786fcd tests/krb5: Replace expected_cname_private with expected_anon parameter
This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
3fd73b65a3 tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
08086c4398 tests/krb5: Add KDCOptions flag for constrained delegation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
448b661bf8 tests/krb5: Use signed integers to represent key version numbers in ASN.1
As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
signed 32-bit integers to represent key version numbers. This makes a
difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
32767, where the kvno should be encoded in four bytes rather than five.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
9924dd9761 tests/krb5: Add methods to obtain the length of checksum types
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
c6badf818e tests/krb5: Calculate expected salt if not given explicitly
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Ralph Boehme
09fd46aa1c selftest: remove unsupported smbcacls option --get
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14828

Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-09-10 15:10:30 +00:00
David Mulder
efba2c445c gpo: Add Chromium Group Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Sep  9 20:42:35 UTC 2021 on sn-devel-184
2021-09-09 20:42:35 +00:00
David Mulder
1047acce9d gpo: Test Chromium Group Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-09 19:55:29 +00:00
Volker Lendecke
6ebed6b505 samba-tool: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-07 18:26:33 +00:00
Andrew Bartlett
6590bb0b77 selftest: Add prefix to new schema attributes to avoid flapping dsdb_schema_attributes
If two of these unit tests run in the same second they could
select the same name, as the name was only based on the time
and a common prefix.

As observed by Jeremy Allison.  Thanks for the report!

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14819

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Sep  6 02:32:51 UTC 2021 on sn-devel-184
2021-09-06 02:32:51 +00:00
Andrew Bartlett
b40761b42e selftest: Add a test for LookupSids3 and LookupNames4 in python
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14807

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-05 02:28:29 +00:00
Joseph Sutton
b59fc43523 python: Fix usage strings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-09-04 00:10:37 +00:00
Andrew Bartlett
10baaf0852 tests/krb5: Allow KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN for a missing sname
This allows our code to still pass with the error code that
MIT and Heimdal have chosen

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Thu Sep  2 14:28:31 UTC 2021 on sn-devel-184
2021-09-02 14:28:31 +00:00
Joseph Sutton
ebd673e976 tests/krb5: Allow expected_error_mode to be a container type
This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
24914ae17d tests/krb5: Add tests for omitting sname in inner request
Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC.

This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49
and was given CVE-2021-37750

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
c6d7e19ecf tests/krb5: Allow specifying parameters specific to the inner FAST request body
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
bbbb13caf7 tests/krb5: Add tests for omitting sname in request
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
1e4d757394 tests/krb5: Check PADATA-PW-SALT element in e-data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
e373c6461a tests/krb5: Check e-data element for TGS-REP errors without FAST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
3330eaf39c tests/krb5: Remove harmful and a-typical return in as_req testcase
A test in a TestCase class should not return a value, the
test is determined by the assertions raised.

Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
rudundent code.

This also fixes a *lot* of tests against the MIT KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
b8e2515552 CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
15f9f040fe tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST
Note: This test crashed the MIT KDC prior to MIT commit
fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given
CVE-2021-36222.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
36798f5b65 tests/krb5: Make cname checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
79dda329f2 tests/krb5: Make e-data checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
fb6c0b9e2a pydsdb: Add API to return strings of known UF_ flags
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-02 05:03:31 +00:00
David Mulder
d5118eb68a gpo: Add Group Policy Firefox Extension
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Mon Aug 30 21:57:09 UTC 2021 on sn-devel-184
2021-08-30 21:57:09 +00:00
David Mulder
c5bbb1777e gpo: Test Group Policy Firefox Extension
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-30 21:08:36 +00:00
Andrew Bartlett
78942ad7d1 samba-tool domain backup: Use tdbbackup on metadata.tdb
metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184
2021-08-24 13:22:04 +00:00
Andrew Bartlett
958931ad37 samba-tool: Rework transations/locks to hold a lock during mdb backup
We now also get sidForRestore under that lock, rather than
after the backup.

This avoids using the database again after the backup process

While not entirely clear how/why this matters with LMDB
as seen in Fedora 34, likely due to the same issues
seen with 0.9.26 or later fixed by commmit
bb3dcd403c.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-24 12:29:32 +00:00
Andrew Bartlett
423f808ff4 samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
This avoids opening the database again by having the caller pass in
the DB open

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-24 12:29:32 +00:00
Joseph Sutton
984a0db00c tests/krb5: Add FAST tests
Example command:

SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
2021-08-18 23:20:13 +00:00
Gary Lockyer
b7b62957bd initial FAST tests
Currently incomplete, and tested only against MIT Kerberos.

[abartlet@samba.org
 Originally "WIP inital FAST tests"

 Samba's general policy that we don't push WIP patches, we polish
 into a 'perfect' patch stream.

 However, I think there are good reasons to keep this patch distinct
 in this particular case.

 Gary is being modest in titling this WIP (now removed from the title
 to avoid confusion). They are not WIP in the normal sense of
 partially or untested code or random unfinished thoughts. The primary
 issue is that at that point where Gary had to finish up he had
 trouble getting FAST support enabled on Windows, so couldn't test
 against our standard reference. They are instead good, working
 initial tests written against the RFC and tested against Samba's AD DC
 in the mode backed by MIT Kerberos.

 This preserves clear authorship for the two distinct bodies of work,
 as in the next patch Joseph was able to extend and improve the tests
 significantly. ]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
aa2c221f4e tests/krb5: Check PADATA-FX-ERROR in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
66e1eb58be tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
0c857f67a3 tests/krb5: Check PADATA-PAC-OPTIONS in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
29070e74ba tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
ab4e7028a6 tests/krb5: Make check_rep_padata() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
95b54078c2 tests/krb5: Check PADATA-FX-COOKIE in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
2f7919db39 tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
44a44109db tests/krb5: Adjust reply padata checking depending on whether FAST was sent
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
056fb71832 tests/krb5: Check reply FAST padata if request included FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
7a27b75621 tests/krb5: Check sname is krbtgt for FAST generic error
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
dbe98005d5 tests/krb5: Add get_krbtgt_sname() method
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
5edbabeb26 tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
705e45e37f tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
79b9aac65b tests/krb5: Add check_rep_padata() method to check padata in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
1389ba346d tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
ea1ed63e88 tests/krb5: Include authdata in kdc_exchange_dict
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
2ee87dbf08 tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
This is useful for testing the 'hide client names' FAST option.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
0c029e780c tests/krb5: Check encrypted-pa-data
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
99e3b909ed tests/krb5: Add methods to determine whether elements were included in the request
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
dc7dac95ec tests/krb5: Add functions to get dicts of request padata
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
d878bd6404 tests/krb5: Check FAST response
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
4ca05402b3 tests/krb5: Add method to verify ticket checksum for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
b62488113f tests/krb5: Add method to check PA-FX-FAST-REPLY
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
16ce1a1d30 tests/krb5: Allow specifying parameters specific to the outer request body
This is useful for testing FAST.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
0df385fc49 tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
5c2cd71ae7 tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
d554b6dc0f tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
This is needed for FAST.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
74f332c6f9 tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
This method will also be useful in checking TGS-REP error replies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
0808940674 tests/krb5: Add methods to calculate keys for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
aafc868969 tests/krb5: Add method to generate FAST encrypted challenge padata
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
69a66c0d2a tests/krb5: Add more methods to create ASN1 objects for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
ec70290029 tests/krb5: Add more ASN1 definitions for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
025737deb5 tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
b6f96dd639 tests/krb5: Ensure generated padata is not None
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
4824dd4e9f tests/krb5: Add generate_ap_req() method
This method will be useful to generate an AP-REQ for use as FAST armor.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
4951a105b0 tests/krb5: Check nonce in EncKDCRepPart
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
6df0e406f1 tests/krb5: Make checking less strict
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
98dc19e8c8 tests/krb5: Check version number of obtained ticket
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
3d1066e923 tests/krb5: Assert that more variables are not None
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
ba3c92f77b tests/krb5: Ensure in assertElementPresent() that container elements are not empty
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
7881865550 tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
This means that there can no longer be surprises where a test receives a
reply when it was expecting an error, or vice versa.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
8fe9589da2 tests/krb5: Include kdc_options in kdc_exchange_dict
Make kdc_options an element of kdc_exchange_dict instead of a parameter
to _generic_kdc_exchange(). This allows testing code to adjust the reply
checking based on the options that were specified in the request.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
21c64fda8f tests/krb5: Always specify expected error code
Now the expected error code is always determined by the test code itself
rather than by generic_check_as_error().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
28fb50f511 tests/krb5: Add check_reply() method to check for AS or TGS reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
f5689bb8fa tests/krb5: Add method to calculate account salt
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
50d743bafc tests/krb5: Add more methods for obtaining machine and service credentials
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
4790b6b04a tests/krb5: Allow specifying additional details when creating an account
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
ce379edf2e tests/krb5: Use encryption with admin credentials
This ensures that account creation using admin credentials succeeds.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
bab7503e30 tests/krb5: Add get_EpochFromKerberosTime()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
fe8912e4a8 tests/krb5: Make _test_as_exchange() return value more consistent
Always return the reply and the kdc_exchange_dict so that the caller has
more potentially useful information.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
cb332d8300 tests/krb5: Add method to return dict containing padata elements
This makes checking multiple padata elements easier.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
f5a906f74f tests/krb5: Add get_enc_timestamp_pa_data_from_key()
This makes it easier to create encrypted timestamp padata when the key
has already been obtained.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
2c80f7f851 tests/krb5: Refactor get_pa_data()
The function now returns a single padata object rather than a list,
making it easier to combine multiple padata elements into a request. The
new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
the method generates.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
a5e5f8fdfe tests/krb5: Allow cf2 to automatically use the enctype of the first key
RFC6113 states: "Unless otherwise specified, the resulting enctype of
KRB-FX-CF2 is the enctype of k1." This change means the enctype no
longer has to be specified manually.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
17d5a26729 tests/krb5: Use credentials kvno when creating password key
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
d6a242e200 tests/krb5: Check Kerberos protocol version number
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
8194b2a261 tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
a0c6538a97 tests/krb5: Fix encpart_decryption_key with MIT KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
bad5f4ee5f tests/krb5: Fix callback_dict parameter
Items contained in a default-created callback_dict should not be carried
over between unrelated calls to {as,tgs}_as_exchange_dict().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
67ff72395c tests/krb5: Fix including enc-authorization-data
Remove the EncAuthorizationData parameters from AS_REQ_create(), since
it should only be present in the TGS-REQ form. Also, fix a call to
EncryptedData_create() to supply the key usage when creating
enc-authorization-data.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
a2b183c179 tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
41c3e41034 tests/krb5: Simplify Python syntax
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
38b3a36181 tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
1320ac0f91 tests/krb5: Remove unneeded statements
A return statement is redundant as the last statement in a method, as
methods will otherwise return None. Also, code blocks consisting of a
single 'pass' statement can be safely omitted.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
df6623363a tests/krb5: formatting
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
7013a8edd1 tests/krb5: Fix method name typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
9eb4c4b7b1 tests/krb5: Fix comment typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
Joseph Sutton
4797ced890 tests/krb5: Fix ms_kile_client_principal_lookup_test errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:33 +00:00
David Mulder
0f26dbe0d0 gpo: Print getcert message to debug
Otherwise re-running gpupdate to enforce policy
displays 'already exists' messages, which
confusingly appear to be a failure, but are
actually intentional behavior.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 13 20:06:31 UTC 2021 on sn-devel-184
2021-08-13 20:06:31 +00:00
David Mulder
e3a956e075 gpo: Decode the bytes for cepces-submit failure
When displaying the error from cepces-submit,
make sure to decode the bytes (otherwise it is
hard to read). Also print the error to debug
instead of warn (it may dump a traceback).

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-13 19:14:31 +00:00
David Mulder
7a04052dad gpo: Ignore symlink failure on sscep renew
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-13 19:14:30 +00:00
David Mulder
80e3daed12 gpo: Apply Group Policy User Scripts
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-13 19:14:30 +00:00
David Mulder
f04431b1d2 gpo: Test Group Policy User Scripts
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-13 19:14:30 +00:00
David Mulder
6d676cac41 gpo: Enable user policy application
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-13 19:14:30 +00:00
David Mulder
f97f94e93b gpo: Improve debug when extension fails to apply
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
David Mulder
4a5f6d88ff gpo: Warn when fetching the supported templates fails
When Certificate Auto Enrollment fails to fetch
the list of supported templates, display a
warning.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
David Mulder
a92b05ec7b gpo: Ensure Network Device Enrollment Service if sscep fails
Prompt the user to check that Network Device
Enrollment Service is installed and configured
if sscep fails to download the certificate root
chain.

Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-20 15:25:37 +00:00
David Mulder
fd6df5356b gpo: Test Certificate Auto Enrollment Policy
Signed-off-by: David Mulder <dmulder@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 19:13:29 +00:00
David Mulder
9f0e6f3c06 gpo: Fix up rsop output of ca certificate
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 19:13:29 +00:00
David Mulder
9c0a174af2 gpo: Add Certificate Auto Enrollment Policy
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
2021-07-15 19:13:29 +00:00
Douglas Bagnall
7c298ee89f samba-tool: dns update rejects malformed addresses
Because neither filling out the struct will not necessarily tell you
you got it wrong, and the RPC could succeed in setting an arbitrary
wrong address (typically, an IPv6 address would set an A record to
"255.255.255.255").

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-05 04:16:34 +00:00
Douglas Bagnall
3a4cb8679a py/dnsserver: TXTRecord copes with single strings
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-05 04:16:34 +00:00
Joseph Sutton
ab221c1b3e tests/krb5: Use admin creds for SamDB rather than user creds
This makes the purpose of each set of credentials more consistent, and
makes some tests more convenient to run standalone as they no longer
require user credentials.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
fc857ea60e tests/krb5/as_canonicalization_tests.py: Refactor account creation
Making this test a subclass of KDCBaseTest allows us to make use of its
methods for obtaining credentials and creating accounts, which helps to
eliminate some duplicated code.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
3e621dcb69 tests/krb5: Deduplicate 'host' attribute initialisation
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
381223117e tests/krb5/raw_testcase.py: Check for an explicit 'unspecified kvno' value
This is clearer than using the constant zero, which could be mistaken
for a valid kvno value.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
d4c38678e0 tests/krb5/as_req_tests.py: Check the client kvno
Ensure we have the correct kvno for the client, rather than an 'unknown'
value.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
d5e350a4a4 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
Example commands:

Windows 2012R2:
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py

Windows 2008R2:
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

Samba:
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
0fd71ed3c3 tests/krb5/as_req_tests.py: Automatically obtain credentials
The credentials for the client and krbtgt accounts are now fetched
automatically rather than using environment variables, and the client
account is now automatically created.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
fd45bea7a8 tests/krb5/kdc_base_test.py: Add fallback methods to obtain client and krbtgt credentials
Now if the client credentials are not supplied in the environment, we
can fall back to creating a new user account. Similarly, if the krbtgt
credentials are not supplied, we can fetch the credentials of the
existing krbtgt account.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
ec5c2b040b tests/krb5/raw_testcase.py: Simplify conditionals
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
e1601f2b56 tests/krb5/raw_testcase.py: Allow specifying a fallback credentials function
This allows us to use other methods of obtaining credentials if getting
them from the environment fails.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
22a90aea82 tests/krb5/raw_testcase.py: Cache obtained credentials
If credentials are used more than once, we can now use the credentials
that we already obtained and so avoid fetching them again.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
6a77c2b933 tests/krb5/raw_testcase.py: Add allow_missing_keys parameter for getting creds
This allows us to require encryption keys in the case that a password
would not be required, such as for the krbtgt account.

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
948bbc9cec tests/krb5/raw_testcase.py: Make env_get_var() a standalone method
This allows it to be used elsewhere in the tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
1f2ddd3c97 tests/krb5/raw_testcase.py: Add method to obtain Kerberos keys over DRS
This requires admin credentials, and removes the need to pass these keys
as environment variables.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
7d4a0ed21b tests/krb5/kdc_base_test.py: Add methods to determine supported encryption types
This is done based on the domain functional level, which corresponds to
the logic Samba uses to decide whether or not to generate a
Primary:Kerberos-Newer-Keys element for the supplementalCredentials
attribute.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
210e544016 tests/krb5/kdc_base_test.py: Create loadparm only when needed
Now the .conf file is only loaded on its first use, which means that
SMB_CONF_PATH need not be defined for tests that don't make use of it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
364f1ce8d8 tests/krb5/kdc_base_test.py: Remove 'credentials' class attribute
Credentials for tests are now obtained using the get_user_creds()
method.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
4f5566be48 tests/krb5/kdc_base_test.py: Create database connection only when needed
Now the database connection is only created on its first use, which
means database credentials are no longer required for tests that don't
make use of it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
5afae39da0 tests/krb5/raw_testcase.py: Add get_admin_creds()
This method allows obtaining credentials that can be used for
administrative tasks such as creating accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
5412bffb9b tests/krb5/kdc_base_test.py: Defer account deletion until tearDownClass() is called
This allows accounts created for permutation tests to be reused, rather
than having to be recreated for every test.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
01d86954d2 tests/krb5/as_req_tests.py: add new tests to cover more of the AS-REQ protocol
Example commands:

Windows 2012R2:
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

Windows 2008R2:
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.133 STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

Samba 4.14:
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.163 STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
6e2f2adc8e tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure
This will allow us to write tests, which will all cross check almost
every aspect of the KDC response (including encrypted parts).

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
69ce2a6408 tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds()
This will allow building test_as_req_enc_timestamp()

It also introduces ways to specify keys in hex formated environment
variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
e390503584 tests/krb5/raw_testcase.py: add methods to iterate over etype permutations
It's often useful to run tests over a lot of input parameter
permutations.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
ee2ac2b8cc tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create()
This allows building the pre-authentication data that encodes
the request for the KDC (or more likely a request not to include)
the KRB5 PAC in the resulting ticket.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
b03fcfeb6c tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create()
This allows us to reuse body in future and calculate checksums on it.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
3abb3b4136 tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
34e079ce9a tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values
By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint
we allow the BitString_NamedValues_prettyPrint() routine to show more named values.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
61e1b17981 tests/krb5/raw_testcase.py: add assertElement*()
These helper functions make writing subsequent Kerberos test
clearer.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
dff611976d tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future
We should write tests as strict as possible in order to let them run
against Windows servers.

But at the same time we want to allow tests to be useful for Samba
too...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
c3222870b9 tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds()
These helpful functions allow us to build the various credentials
that we will use in validating the KDC responses in this test.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
d4492a8aaa tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing
Update and re-generate the ASN.1 to allow an improved testsuite.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
fef08add9e Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh}
This is a clearer name for the script

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
David Mulder
e267cea817 samba-tool: dbcheck search DnsAdmins from wellknown container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-22 01:14:37 +00:00
David Mulder
0db57db80a samba-tool: Provision search DnsAdmins from wellknown container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-22 01:14:37 +00:00
David Mulder
151f432ca8 samba-tool: Demote computer to wellknown container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-22 01:14:37 +00:00
David Mulder
fee11c3558 samdb: Create computer in wellknown user container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-22 01:14:37 +00:00
David Mulder
4602f4fc1b samdb: Create group in wellknown user container
BUG: https://bugzilla.samba.org/show_bug.cgi?id=9143
Signed-off-by: David Mulder <dmulder@suse.com>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-06-22 01:14:37 +00:00