sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-12-17 04:23:50 +03:00
Code Activity
140,112 Commits 64 Branches 1,180 Tags
a814f5d90a3fb85a94c9516dba224037e8fd76f1
Commit Graph

238 Commits

Author SHA1 Message Date
Stefan Metzmacher
a814f5d90a python:lsa_utils: Fix fallback to OpenPolicy2 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 17 18:33:15 UTC 2025 on atb-devel-224
 2025-02-17 18:33:15 +00:00
Andreas Schneider
f9a3fc19f1 python:lsa_utils: Don't use optional arguments for OpenPolicyFallback() 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2025-02-17 17:29:37 +00:00
Stefan Metzmacher
1510aad09b python:tests/krb5: allow get_service_ticket to accept a trust referral ticket without kvno 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
 2025-01-08 09:13:31 +00:00
Stefan Metzmacher
9e58d057a0 python:tests/krb5: add a create_trust() helper function to test trusted domains 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
 2025-01-08 09:13:31 +00:00
Stefan Metzmacher
9520aea8b0 python:tests/krb5: allow exporting a keytab file of the accounts used by the tests 
EXPORT_KEYTAB_FILE=/dev/shm/export.keytab
EXPORT_KEYTAB_APPEND=0 or 1
EXPORT_EXISTING_CREDS_TO_KEYTAB=0 or 1
EXPORT_GIVEN_CREDS_TO_KEYTAB=0 or 1

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
 2025-01-08 09:13:30 +00:00
Stefan Metzmacher
65812d642d python:tests/krb5: allow get_mock_rodc_krbtgt_creds(preserve=False) to create a tmp rodc 
This also exposes credentials for the machine account for netlogon
testing.

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
 2025-01-08 09:13:30 +00:00
Stefan Metzmacher
db0e7dfc41 python:tests/krb5: remember the objectGUID of created accounts 
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2024-12-05 16:46:38 +00:00
Stefan Metzmacher
18a62ea23f tests/krb5: make use of conn.auth_info() in _test_samlogon() 
In future we'll have KRB5 instead of SCHANNEL...

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
 2024-12-05 16:46:37 +00:00
Stefan Metzmacher
e7d57fc6e9 python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon() 
This will make it easier to implement netr_ServerAuthenticateKerberos()
later...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
 2024-10-30 23:08:36 +00:00
Jo Sutton
6dc6168719 tests/krb5: Allow creation of disabled accounts for testing 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15655

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
 2024-06-27 04:29:41 +00:00
Andrew Bartlett
044cc53860 python/test/krb5: Use assertAlmostEqual in check_ticket_times() 
This allows Windows behaviour with clock skew to be allowed for.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
 2024-06-10 04:27:30 +00:00
Andrew Bartlett
68fa90754f python/tests/krb5: Move check_ticket_times() to kdc_base_test.py 
This will allow other parts of the testsuite to use this helpful function.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
 2024-06-10 04:27:30 +00:00
Andrew Bartlett
a85f4c661b python/tests/krb5: Remove unused utf16pw variable 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
 2024-06-10 04:27:30 +00:00
Andrew Bartlett
504a47ecfd python/tests/krb5: Expect AES keys for UF_SMARTCARD_REQUIRED 
Windows 2022 at April 2024 has change and now includes the
AES keys for accounts with UF_SMARTCARD_REQUIRED, so revert
part of the change in b2fe1ea1c6.

(This is an improvement to Windows security).

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
 2024-06-10 04:27:30 +00:00
Jo Sutton
21d46f3ece tests/krb5: Extract method to unpack supplementalCredentials blob 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2024-04-21 22:10:36 +00:00
Jo Sutton
502070cd9a tests/krb5: Skip loop iteration if attribute has no values 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2024-04-21 22:10:35 +00:00
Jo Sutton
6d20d436de tests/krb5: Make use of ‘expect_edata’ parameter 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2024-04-16 03:58:31 +00:00
Andrew Bartlett
b2fe1ea1c6 python/tests/krb5: Prepare for PKINIT tests with UF_SMARTCARD_REQUIRED 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>
 2024-03-28 01:50:41 +00:00
Jo Sutton
67457394e4 tests/krb5: Allow specifying SamDB to use when creating an account 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2024-03-21 03:12:33 +00:00
Rob van der Linde
7fafb268bf python: pep8: fix import sorting after move 
Only touch files where samba.domain.models import was moved

Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2024-03-20 03:49:35 +00:00
Rob van der Linde
f739ef813c python: move models out of the netcmd package 
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2024-03-20 03:49:35 +00:00
Jo Sutton
df475fbc2f tests/krb5: type hinting 
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2024-02-27 01:11:37 +00:00
Rob van der Linde
6bcfcacd53 python: PEP275: docstrings should always use double quotes 
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-11-30 01:05:32 +00:00
Joseph Sutton
df19006c78 tests/krb5: Allow creating Group Managed Service Accounts 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-11-16 05:18:36 +00:00
Joseph Sutton
622ac53f22 tests/krb5: Add tests for PACs containing extraneous buffers 
Test that the KDC removes these buffers from RODC‐issued PACs.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-11-02 19:14:37 +00:00
Joseph Sutton
54eb175816 tests/krb5: Rename ‘krbtgt_creds’ to ‘rodc_krbtgt_creds’ 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-11-01 20:10:45 +00:00
Joseph Sutton
2b69e1e7c3 tests/krb5: Use __slots__ to indicate which attributes are used by classes 
These should help to catch mistaken attempts to set invalid attributes.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-11-01 20:10:45 +00:00
Joseph Sutton
3917a1995c tests/krb5: Add tests for single‐component krbtgt principals 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-10-26 01:24:32 +00:00
Joseph Sutton
0e7e46c396 tests/krb5: Add method to replace client or device claims in a PAC 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
6f5368dd32 tests/krb5: Add method to replace the device SIDs in a PAC 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
2d0bdb5ce9 tests/krb5: Have set_pac_sids() accept lone RIDs as well as full SIDs 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
cc1dd00d0f tests/krb5: Make optional ‘domain_sid’ parameter to set_pac_sids() 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
9fb0380cb8 tests/krb5: Make optional ‘user_rid’ parameter to set_pac_sids() 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
34e721030d tests/krb5: Make set_pac_sids() parameters keyword‐only 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
d6ec0e4f40 tests/krb5: Allow passing mapping=None to map_to_sid() 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
c33ce17454 tests/krb5: Sort imports 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-09-28 03:33:38 +00:00
Joseph Sutton
7b4b03e5e7 tests/krb5: Re-raise any LdbError other than ERR_ENTRY_ALREADY_EXISTS 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-08-30 02:15:29 +00:00
Joseph Sutton
3f01cf9169 tests/krb5: Correctly assert that we found a LOGON_INFO PAC buffer 
Because ‘found_logon_info’ was invariably true, we would miss the case
in which set_pac_sids() failed to accomplish anything, having been
unable to find the LOGON_INFO PAC buffer.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-08-30 02:15:29 +00:00
Joseph Sutton
04cdb13c08 tests/krb5: Remove local variable 
This seems a bit clearer to me.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-08-30 02:15:29 +00:00
Joseph Sutton
942cc0b626 tests/krb5: Keep claim types for subsequent tests 
We want to be able to reuse them across several tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-08-14 04:57:34 +00:00
Joseph Sutton
1abc2543cd tests/krb5: Add test for authenticating with disabled account and wrong password 
This shows us that the client’s access is checked prior to passwords
being checked.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
 2023-06-26 11:10:31 +00:00
Joseph Sutton
a5770669e1 tests/krb5: Improve authentication policy creation 
Don’t require passing in an ID to create an authentication policy.
Instead, have create_authn_policy() generate one for us.

We now return an actual AuthenticationPolicy object rather than just a
DN. This will give the tests more details to work with about the
policies.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-06-25 23:29:32 +00:00
Joseph Sutton
fb260e1f46 tests/krb5: Make use of KerberosCredentials.get_sid() 
KerberosCredentials objects now keep track of their account’s SID, which
removes the need to look it up with KDCBaseTest.get_objectSid().

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-06-14 22:57:35 +00:00
Joseph Sutton
490c451a79 tests/krb5: Keep track of account SIDs 
This prevents having to look them up in the database when tests need
them.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-06-14 22:57:35 +00:00
Joseph Sutton
9d8ee6a422 tests/krb5: Cache created authentication policies 
View with ‘git show -b’.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-06-14 22:57:35 +00:00
Joseph Sutton
01643b3527 tests/krb5: Keep track of the type of each created account 
This allows us to determine which parts of an authentication policy
apply to a particular account, which will be necessary to test audit
logging.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-06-14 22:57:35 +00:00
Joseph Sutton
dc0d96b058 tests/krb5: Move TestCaseInTempDir to more appropriate place in class hierarchy 
KDCBaseTest is the only class that makes use of it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-05-29 22:32:28 +00:00
Joseph Sutton
53b62429f8 tests/krb5: Allow server and workstation accounts to perform a SamLogon 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-05-18 01:03:37 +00:00
Joseph Sutton
c1ab6036bb tests/krb5: Allow specifying machine credentials to _test_samlogon() 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-05-18 01:03:37 +00:00
Joseph Sutton
031f1c7632 tests/krb5: Rename ‘server’ to ‘dc_server’ 
This makes it more clear that this is in fact the DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
 2023-05-18 01:03:37 +00:00