Joseph Sutton
ae09219c3a
tests/krb5: Fix method for creating invalid length zeroed checksum
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
9d142dc3a4
tests/krb5: Introduce helper method for creating invalid length checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
1fd00135fa
tests/krb5: Fix PA-PAC-OPTIONS checking
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
6f1282e8d3
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
8e4b215908
tests/krb5: Remove unused parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
d501ddca3b
tests/krb5: Rename method parameter
For class methods, the name given to the first parameter is generally 'cls'
rather than 'self'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-10-14 18:59:31 +00:00
Joseph Sutton
5b331443d0
tests/krb5: Add classes for testing invalid checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Sep 23 19:28:44 UTC 2021 on sn-devel-184
2021-09-23 19:28:44 +00:00
Joseph Sutton
c0b81f0dd5
tests/krb5: Add method to determine if principal is krbtgt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
ea7b550a50
tests/krb5: Verify checksums of tickets obtained from the KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
1458cd9065
tests/krb5: Add get_rodc_krbtgt_creds() to RawKerberosTest
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
f9284d8517
tests/krb5: Fix checking for presence of authorization data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
14cd933a9d
tests/krb5: Correctly check PA-SUPPORTED-ENCTYPES
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
b6eaf2cf44
tests/krb5: Get supported enctypes for credentials from database
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
432eba9e09
tests/krb5: Add methods to convert between enctypes and bitfields
These methods are useful for converting a collection of encryption types
into msDS-SupportedEncryptionTypes bit flags, and vice versa.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
4c67a53cdc
tests/krb5: Simplify adding authdata to ticket by using modified_ticket()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
1fcde7cb6c
tests/krb5: Add method for modifying a ticket and creating PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
12b5e72a35
tests/krb5: Add method to verify ticket PAC checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-23 18:32:29 +00:00
Joseph Sutton
ec95b3042b
tests/krb5: Add RodcPacEncryptionKey type allowing for RODC PAC signatures
Signatures created by an RODC have an RODCIdentifier appended to them
identifying the RODC's krbtgt account.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Tue Sep 21 23:55:39 UTC 2021 on sn-devel-184
2021-09-21 23:55:39 +00:00
Joseph Sutton
a562882b15
tests/krb5: Add methods for creating zeroed checksums and verifying checksums
Creating a zeroed checksum is needed for signing a PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:42 +00:00
Joseph Sutton
c226029655
tests/krb5: Don't manually create PAC request and options in fast_tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
2a4d53dc12
tests/krb5: Refactor tgs_req() to use _generic_kdc_exchange
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
0061fa2c2a
tests/krb5: Check correct flags element
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
a281ae09bc
tests/krb5: Add helper method for modifying PACs
This method can remove or replace a PAC in an authorization-data
container, while additionally returning the original PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-09-21 23:05:41 +00:00
Joseph Sutton
7bc52cecb4
tests/krb5: Sign-extend kvno from 32-bit integer
This helps to avoid problems with RODC kvnos that have the high bit set.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
0e99382d73
tests/krb5: Get encpart decryption key from kdc_exchange_dict
Instead of using check_padata_fn to get the encpart decryption key, we
can get the key from the AS-REQ preauth phase or from the TGT, depending
on whether the message is an AS-REQ or a TGS-REQ. This allows removal of
check_padata_fn and some duplicated code.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
4ba5e82ae5
tests/krb5: Allow specifying status code to be checked
This allows us to check the status code that may be sent in an error
reply to a TGS-REQ message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-09-15 07:59:31 +00:00
Joseph Sutton
c3b7462902
tests/krb5: Check for presence of 'key-expiration' element
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
d3106a8d35
tests/krb5: Check 'caddr' element
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
9cba5f9a1b
tests/krb5: Check for presence of 'renew-till' element
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
0afb548a0a
tests/krb5: Allow Kerberos requests to be sent to DC or RODC
If run inside the 'rodc' testing environment, 'DC_SERVER' and 'SERVER'
refer to the hostnames of the DC and RODC respectively, and this commit
allows either one of them to be used as the KDC for Kerberos exchanges.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
1974b872fb
tests/krb5: Make time assertion less strict
This assertion could fail if there was a time difference between the KDC
and the client.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
85ddfc1afc
tests/krb5: Allow specifying ticket flags expected to be set or reset
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
c0db1ba54d
tests/krb5: add options to kdc_exchange_dict to specify including PAC-REQUEST or PAC-OPTIONS
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
1f23b16ef3
tests/krb5: Move padata generation methods to base class
This allows them to be used directly from RawKerberosTest.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
9973b51e48
tests/krb5: Keep track of account DN in credentials object
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
bf55786fcd
tests/krb5: Replace expected_cname_private with expected_anon parameter
This is used in the case where the KDC returns 'WELLKNOWN/ANONYMOUS' as
the cname, and makes the reply checking logic easier to follow. This
also removes the need to fetch the client credentials in the test
methods.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
3fd73b65a3
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
448b661bf8
tests/krb5: Use signed integers to represent key version numbers in ASN.1
As specified in 'MS-KILE 3.1.5.8: Key Version Numbers', Windows uses
signed 32-bit integers to represent key version numbers. This makes a
difference for an RODC with a msDS-SecondaryKrbTgtNumber greater than
32767, where the kvno should be encoded in four bytes rather than five.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Isaac Boukris <iboukris@samba.org>
2021-09-13 23:11:35 +00:00
Joseph Sutton
ebd673e976
tests/krb5: Allow expected_error_mode to be a container type
This allows a range of possible error codes to be checked against, for
cases when the particular error code returned is not so important.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
c6d7e19ecf
tests/krb5: Allow specifying parameters specific to the inner FAST request body
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
1e4d757394
tests/krb5: Check PADATA-PW-SALT element in e-data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
e373c6461a
tests/krb5: Check e-data element for TGS-REP errors without FAST
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
36798f5b65
tests/krb5: Make cname checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
79dda329f2
tests/krb5: Make e-data checking less strict
Without this additional 'self.strict_checking' check, the tests in the
following patches do not get far enough to trigger a crash with the MIT
KDC, instead failing when obtaining a TGT for the user or machine.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 13:41:28 +00:00
Joseph Sutton
aa2c221f4e
tests/krb5: Check PADATA-FX-ERROR in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
66e1eb58be
tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
0c857f67a3
tests/krb5: Check PADATA-PAC-OPTIONS in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
29070e74ba
tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
ab4e7028a6
tests/krb5: Make check_rep_padata() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00
Joseph Sutton
95b54078c2
tests/krb5: Check PADATA-FX-COOKIE in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 22:28:34 +00:00