1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-22 13:34:15 +03:00
Commit Graph

4979 Commits

Author SHA1 Message Date
Andrew Bartlett
504a47ecfd python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED
Windows 2022 at April 2024 has change and now includes the
AES keys for accounts with UF_SMARTCARD_REQUIRED, so revert
part of the change in b2fe1ea1c6.

(This is an improvement to Windows security).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
dc6c4b215e python/samba/tests/krb5: Extend PKINIT tests to show kpasswd still works
We have had confirmed from MS that this behaviour is both deliberate
and required.  Possession of the credential is (by the returned PAC
containing the NT hash) possession of the password, and it must be
possible to change the password to a known value otherwise DPAPI
(local keychain) secured by this value can fail on the client.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15045

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andrew Bartlett
4ec24a2076 python/samba/tests/krb5: Move get_kpasswd_sname() into raw_testcase() to allow broader use
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
2024-06-10 04:27:30 +00:00
Andreas Schneider
78f03c386c python: Add test for checking the SHA256SUM
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Andreas Schneider
f5de1f8585 python:netcmd: Create a SHA256SUM file with checksums
This allows to verify the backup tarball contents with:

  sha256sum -c SHA256SUM

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Andreas Schneider
e584350a55 python:netcmd: Only put regular files into the tarball
We also have ldapi, other sockets or pipes around, we don't want to
add. This will be relevant for adding checksums later.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 20:25:36 +00:00
Stefan Metzmacher
708a6fae69 python:tests/dns_tkey: add test_update_tsig_record_access_denied()
This demonstrates that access_denied is only generated if the client
really generates a change in the database.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
88457da00d python:tests/dns_base: add get_unpriv_creds() helper
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
848318338b python:tests/dns_tkey: let test_update_tsig_windows() actually pass against windows 2022
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
8324d0739d python:tests/dns_base: let verify_packet() work against Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
de4ed363d3 python:tests/dns_tkey: test bad and changing tsig algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
b9b03ca503 python:tests/dns_tkey: add gss.microsoft.com tsig updates
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
3c7cb85eaf python:tests/dns_tkey: let us have test_update_gss_tsig_tkey_req_{additional,answers}()
Also test using the additional record in the answers section.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
740bda87a8 python:tests/dns_tkey: test TKEY with gss-tsig, gss.microsoft.com and invalid algorithms
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
b0af60e785 python:tests/dns_base: maintain a dict with tkey related state
This will allow tests to backup the whole state
and mix them.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
1b1e7e06cf python:tests/dns_base: let dns_transaction_udp() take allow_{remaining,truncated}=True
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
27d92fa808 python:tests/dns_base: pass tkey_trans(expected_rcode)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
cd747307d8 python:tests/dns_base: let tkey_trans() take tkey_req_in_answers
It's possible to put the additional into the answers section,
so we should be able to test that.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
f8dfa9b33b python:tests/dns_base: let tkey_trans() and sign_packet() take algorithm_name as argument
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
6e997f93d5 python:tests/dns_tkey: make use of self.assert_echoed_dns_error()
Failed DNS updates just echo the request flaged as response,
all other elements are unchanged.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
ce591464cb python:tests/dns_base: add self.assert_echoed_dns_error()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
c741d0f396 python:tests/dns_base: let dns_transaction_tcp() handle short receives
With socket_wrapper we only get 1500 byte chunks...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
c594cbad4a python:tests/dns_base: use ndr_deepcopy() and ndr_pack() in verify_packet()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:33 +00:00
Stefan Metzmacher
ae23d512a7 python:tests/dns_base: generate a real signature in bad_sign_packet()
We just destroy the signature bytes but keep the header unchanged.

This makes it easier to look at it in wireshark.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13019

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-06 02:13:32 +00:00
Jo Sutton
a54dca4ea5 tests/krb5: Calculate correct gMSA password to fix flapping test
If this test happens to be run in the five minute window prior to the
next ten‐hour GKDI interval — about once every one hundred and twenty
runs — the ‘current’ password requested from LDAP will actually be the
future password, which won’t match what’s in the database.

Instead of taking the password from LDAP, calculate it ourselves with
expected_gmsa_password_blob().

[330(7038)/334 at 43m51s] samba.tests.krb5.gmsa_tests(ad_dc:local)
UNEXPECTED(failure): samba.tests.krb5.gmsa_tests.samba.tests.krb5.gmsa_tests.GmsaTests.test_retrieving_managed_password_triggers_keys_update(ad_dc:local)
REASON: Exception: Exception: Traceback (most recent call last):
  File "/builds/samba-testbase/samba-def-build/bin/python/samba/tests/krb5/gmsa_tests.py", line 1091, in test_retrieving_managed_password_triggers_keys_update
    self.assertEqual(creds.get_nt_hash(), nt_hash)
AssertionError: b'\xcf[\xe8:\xc7-\xd4V\xce\t\xfc\xcd\x06.T\x8a' != b'c\xc5\x97k\x17"G\x1e\x81>\xacV\x9d.*\x14'

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Jun  4 20:52:09 UTC 2024 on atb-devel-224
2024-06-04 20:52:09 +00:00
Jo Sutton
9c700f790b tests/krb5: Reset local database time in a cleaner (and nearly equivalent) fashion
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Jo Sutton
3256c6bfd6 tests/krb5: Make use of update_password() method
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-06-04 19:49:36 +00:00
Volker Lendecke
1dba6d3cfc tests: Check that query_directory lists the reparse tag
With the source3/ based clilist.c, we can't test all infolevels where
this matters (see callers of get_dirent_ea_size()). But porting the
source4 based all-infolevel search code into source3/libsmb or doing
this one the reparse point test in the source4 infrastructure to me
seems like a lot of effort for moderate gain.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
2024-06-04 16:35:34 +00:00
Douglas Bagnall
8331475a18 python:smb tests: remove py2 compatibility code
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-31 00:25:33 +00:00
Douglas Bagnall
b4b8f18612 python/common: remove verbiage about old python versions
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-31 00:25:33 +00:00
Jo Sutton
a0d639bfb8 tests/krb5: Test that previous keys are counted as current keys following a gMSA key rollover
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
aa8aeeb655 python:tests: Extract keytab_as_set() function to be usable by other tests
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
5682df15a0 python:tests: Manually raise AssertionError
This removes the last dependency on ‘self’ in this method.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Jo Sutton
95e80bf1e0 python:tests: Rename ‘keytab_as_set’ variable to be distinct from keytab_as_set() method
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
c00571a8b2 python:tests: Ignore case for group_name comparison
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Andreas Schneider
758bb9aacd docs-xml: Add smb.conf option 'dns hostname'
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 20:33:36 +00:00
Stefan Metzmacher
b4be5718d3 samba-tool: let 'samba-tool domain exportkeytab' take an --only-current-keys option
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
2793ef3e16 samba.tests.dckeytab: add test_export_keytab_change3_update_only_current_keep()
This tests that only_current_keys=True works.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Stefan Metzmacher
e2a5fbf5cf s4:libnet_export_keytab: add only_current_keys option
By default we also export on the old and older passwords...

In order to do a kinit with a keytab it might we useful to
include only the current keys.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-22 03:04:34 +00:00
Jo Sutton
d36bfbf632 tests/krb5: Adjust tests to pass against newer Windows versions that include ticket checksums in response to AS‐REQs
A lot of these tests are going to start failing, so skip them until
we’ve implemented the corresponding behaviour for the KDC.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:37 +00:00
Jo Sutton
5c4f2623c5 tests/krb5: Add more tests for gMSAs
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
6f09418010 tests/krb5: Test viewing gMSA passwords after performing simple binds
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
f9cbda9cf0 tests/krb5: Test that computers (and, by extension, gMSAs) cannot perform interactive logons
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
336a58473a tests/krb5: Don’t pass gMSA as ‘domain_joined_mach_creds’ parameter
We just want to test whether a gMSA can use netlogon.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
ad0740751e tests/krb5: Test performing NTLMSSP logons at different times
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
9fac9b776e tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
aa4347ff23 tests/krb5: Add ‘expect_success’ parameter to gensec_ntlmssp_logon()
View with ‘git show -b’.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
41e71406a1 tests/krb5: Make use of gmsa_series_for_account() method
This allows us to replace a call to
expected_current_gmsa_password_blob() with one to
expected_gmsa_password_blob(), a method which allows us to specify the
exact key we expect.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
577aa79042 tests/krb5: Add quantized_time() method
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00
Jo Sutton
65fe09007f tests/krb5: Read current time from correct SamDB
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2024-05-16 02:11:36 +00:00