1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-24 21:34:56 +03:00
Commit Graph

24 Commits

Author SHA1 Message Date
Andrew Bartlett
92e8ce18a7 kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-10-20 08:31:31 +00:00
Joseph Sutton
9d3a691920 tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
2021-10-17 23:40:33 +00:00
Joseph Sutton
d5002c34ce s4/torture: Expect ticket checksum PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
bd22dcd9cc tests/krb5: Check padata types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
24914ae17d tests/krb5: Add tests for omitting sname in inner request
Note: the test 'test_fast_tgs_inner_no_sname' crashes the MIT KDC.

This is fixed in MIT Krb5 commit d775c95af7606a51bf79547a94fa52ddd1cb7f49
and was given CVE-2021-37750

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
bbbb13caf7 tests/krb5: Add tests for omitting sname in request
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
3330eaf39c tests/krb5: Remove harmful and a-typical return in as_req testcase
A test in a TestCase class should not return a value, the
test is determined by the assertions raised.

Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2]
to not always be filled, so we need to remove this
rudundent code.

This also fixes a *lot* of tests against the MIT KDC

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
b8e2515552 CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request
Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would
crash the Heimdal KDC.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
36798f5b65 tests/krb5: Make cname checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
79dda329f2 tests/krb5: Make e-data checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Andrew Bartlett
554bdfa8a0 build: Move minimum MIT krb5 version to 1.19 to align with what is tested
This avoid shipping untested code and aligns with the version
used in GitLab CI for all the MIT builds.

The "bronze bit" (CVE-2020-17049) security fixes will need
a new MIT KDB version in any case, this prepares the ground
by removing the older version support.

(knownfail_mit_kdc updates taken from a patch by
Andreas Schneider <asn@samba.org> that did this optionally)

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-26 06:16:35 +00:00
Joseph Sutton
984a0db00c tests/krb5: Add FAST tests
Example command:

SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
2021-08-18 23:20:13 +00:00
Joseph Sutton
bf71fa038e s4:torture/krb5/kdc-heimdal: Automatically determine AS-REP enctype to check against
This enables us to more easily switch to a different algorithm to find
the strongest key in _kdc_find_etype().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
d5e350a4a4 tests/krb5/as_req_tests.py: add simple test_as_req_enc_timestamp test
Example commands:

Windows 2012R2:
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=2eb6d146a2653d333cdbfb641a4efbc3de81af49e878e112bb4f6cbdd73fca52 KRBTGT_RC4_KEY_HEX=4e6d99c30e5fab901ea71f8894289d3b python/samba/tests/krb5/as_req_tests.py AsReqKerberosTests
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.188 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=ldaptestuser CLIENT_PASSWORD=a1B2c3D4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=4 python/samba/tests/krb5/as_req_tests.py

Windows 2008R2:
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.133 SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

Samba:
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 KRBTGT_KVNO=2 KRBTGT_AES256_KEY_HEX=550aea2ea2719cb81c87692569796d1b3a099d433a93438f53bee798cc2f83be KRBTGT_RC4_KEY_HEX=dbc0d1feaaca3d5abc6794857b7f6fe0 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=4 CLIENT_KVNO=1 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 CLIENT_USERNAME=cifsmount CLIENT_PASSWORD=A1b2C3d4-08 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=17 python/samba/tests/krb5/as_req_tests.py
SERVER=172.31.9.163 SMB_CONF_PATH=/dev/null STRICT_CHECKING=0 DOMAIN=W4EDOM-L4 REALM=W4EDOM-L4.BASE ADMIN_USERNAME=administrator ADMIN_PASSWORD=A1b2C3d4 python/samba/tests/krb5/as_req_tests.py

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Joseph Sutton
0fd71ed3c3 tests/krb5/as_req_tests.py: Automatically obtain credentials
The credentials for the client and krbtgt accounts are now fetched
automatically rather than using environment variables, and the client
account is now automatically created.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2021-07-01 17:46:31 +00:00
Stefan Metzmacher
d91665d331 selftest: run new as_req_tests against fl2008r2dc and fl2003dc
There are a lot of things we should improve in our KDC
in order to work like a Windows KDC.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-07-01 17:46:31 +00:00
Gary Lockyer
768d48fca9 tests python krb5: MS-KILE client principal look-up
Tests of [MS-KILE]: Kerberos Protocol Extensions
                    section 3.3.5.6.1 Client Principal Lookup

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184
2021-04-12 00:38:26 +00:00
Gary Lockyer
1ed461a142 tests python krb5: initial TGS tests
Initial tests on the KDC TGS

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-12-16 23:48:05 +00:00
Gary Lockyer
7f7e2b0e1e tests python krb5: Extra canonicalization tests
Add tests that set the server name to the client name for the machine
account in the kerberos AS_REQ.  This replicates the TEST_AS_REQ_SELF
test phase in source4/torture/krb5/kdc-canon-heimdal.c.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184
2020-11-30 05:21:42 +00:00
Andrew Bartlett
f214a3ba5a selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals
This is documented in MS-KILE.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>

Autobuild-User(master): Gary Lockyer <gary@samba.org>
Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184
2020-11-11 02:38:46 +00:00
Andrew Bartlett
d7f731ed35 selftest: Send enterprise principals tagged as such
This test passed against Samba but failed against Windows when
an enterprise principal (user@domain.com@REALM) was encoded as
NT_PRINCIPAL.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2020-11-11 01:15:39 +00:00
Gary Lockyer
1e1d8b9c83 tests python krb5: Add python kerberos compatability tests
Add new python test to document the differences between the MIT and
Heimdal Kerberos implementations.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-09 02:46:50 +00:00
Gary Lockyer
005435dc4d tests python krb5: Add python kerberos canonicalization tests
Add python canonicalization tests, loosely based on the code in
source4/torture/krb5/kdc-canon-heimdal.c.  The long term goal is to move
the integration level tests out of kdc-canon-heimdal, leaving it as a
heimdal library unit test.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-04 22:54:41 +00:00
Gary Lockyer
04248f5e86 selftest: add mit kdc specific known fail
Add a MIT kerberos specific known fail, will be needed by subsequent
commits.

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2020-11-04 22:54:41 +00:00