1
0
mirror of https://github.com/samba-team/samba.git synced 2024-12-23 17:34:34 +03:00
Commit Graph

3191 Commits

Author SHA1 Message Date
Joseph Sutton
ca80c47406 tests/krb5: Add tests for validation with requester SID PAC buffer
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
ebc9137cee tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that
these checks are currently not enforced, which avoids a lot of test
failures.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
ec823c2a83 tests/krb5: Add TGS-REQ tests with FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
778029c1dc tests/krb5: Add tests for TGS requests with a non-TGT
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
7574ba9f58 tests/krb5: Add tests for invalid TGTs
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
28d501875a tests/krb5: Remove unnecessary expect_pac arguments
The value of expect_pac is not considered if we are expecting an error.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
d95705172b tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
e930274aa4 tests/krb5: Split out methods to create renewable or invalid tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
a560c2e9ad tests/krb5: Allow PasswordKey_create() to use s2kparams
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
167bd20704 tests/krb5: Run test_rpc against member server
We were instead always running against the DC.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
f0b222e3ec tests/krb5: Deduplicate AS-REQ tests
salt_tests was running the tests defined in the base class as well as
its own tests.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Joseph Sutton
57b1b76154 tests/krb5: Remove unused variable
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-30 02:42:31 +00:00
Andreas Schneider
28be1acd8e mit-kdc: Use more strict KDC default settings
As we require MIT KRB5 >= 1.19 for the KDC, use more secure defaults.

Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
2021-11-29 08:39:37 +00:00
Douglas Bagnall
b5e0f33e82 pytest/docs: better spelling of set_smbconf_arbitrary
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>

Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Mon Nov 22 11:18:09 UTC 2021 on sn-devel-184
2021-11-22 11:18:09 +00:00
Douglas Bagnall
b674c57a18 pytest/docs: set_smbconf_arbitrary_opposite() needs param_type
also, we fixed the name ("arbitrary", not "arbitary").

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
5bbf105937 pytest/dns_aging: remove duplicate tests
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
524ca3c6d2 pytest/dns_aging: use correct variable names
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
b5e2651f1c py/dnsserver: add a missing exception variable
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
3c18bb6c77 py/dnsserver: add missing imports
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.com>
2021-11-22 10:28:34 +00:00
Douglas Bagnall
2c3596e721 pytest/source_chars: forget thirdparty/pep8 test file
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Noel Power <npower@samba.org>
2021-11-19 12:35:39 +00:00
Douglas Bagnall
2868b80364 lib/replace/timegm: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>

Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Wed Nov 17 05:27:39 UTC 2021 on sn-devel-184
2021-11-17 05:27:39 +00:00
Douglas Bagnall
039f876c4e s4/auth/gensec/gensec_krb5_heimdal: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:37 +00:00
Douglas Bagnall
6ced906e2b test/blackbox/test_samba-tool_ntacl: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:37 +00:00
Douglas Bagnall
4c85693f55 s3/modules/vfs_acl_common.h: use utf-8
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:36 +00:00
Douglas Bagnall
c3194d0d65 test/bad_chars: ensure our tests could fail
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:36 +00:00
Douglas Bagnall
fccb105e07 pytests: check that we don't have bad format characters
Unicode has format control characters that affect the appearance —
including the apparent order — of other characters. Some of these,
like the bidi controls (for mixing left-to-right scripts with
right-to-left scripts) can be used make text that means one thing look
very much like it means another thing.

The potential for duplicity using these characters has recently been
publicised under the name “Trojan Source”, and CVE-2021-42694. A
specific example, as it affects the Rust language is CVE-2021-42574.

We don't have many format control characters in our code — in fact,
just the non-breaking space (\u200b) and the redundant BOM thing
(\ufeff), and this test aims to ensure we keep it that way.

The test uses a series of allow-lists and deny-lists to check most
text files for unknown format control characters. The filtering is
fairly conservative but not exhaustive. For example, XML and text
files are checked, but UTF-16 files are not.

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-17 04:36:36 +00:00
Joseph Sutton
494bf7de6f CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Stefan Metzmacher <metze@samba.org>

[metze@samba.org removed unused tests for a feature that
 was removed before merging]
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-15 18:10:28 +00:00
Joseph Sutton
5ea347d367 CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2021-11-15 18:10:28 +00:00
Stefan Metzmacher
9ebc679e76 CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
44584f97b0 CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
e21c405163 CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
4786565316 CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Samuel Cabrero <scabrero@samba.org>
2021-11-09 19:45:34 +00:00
Stefan Metzmacher
262f59a71f CVE-2020-25722 pytests: Give computer accounts unique (and valid) sAMAccountNames and SPNs
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14564

Signed-off-by: Stefan Metzmacher <metze@samba.org>
2021-11-09 19:45:34 +00:00
Joseph Sutton
f5baabd987 CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Joseph Sutton
b8c6fa20f4 CVE-2020-25718 tests/krb5: Only fetch RODC account credentials when necessary
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14558

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:34 +00:00
Andrew Bartlett
43983170fc CVE-2020-25721 auth: Fill in the new HAS_SAM_NAME_AND_SID values
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14835

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
2021-11-09 19:45:34 +00:00
Joseph Sutton
deccd0dc5e CVE-2020-25722 pytest: Raise an error when adding a dynamic test that would overwrite an existing test
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14753

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
a461b7d4f8 CVE-2020-25719 tests/krb5: Add tests for mismatched names with user-to-user
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
26480ba2aa CVE-2020-25719 tests/krb5: Add test for user-to-user with no sname
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
7ff05eb8d4 CVE-2020-25719 tests/krb5: Add tests for requester SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
2e1e57fca8 CVE-2020-25719 tests/krb5: Add tests for PAC-REQUEST padata
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
b8c85fe81c CVE-2020-25719 tests/krb5: Add tests for PAC attributes buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
72f82d949a CVE-2020-25719 tests/krb5: Add expected parameters to cache key for obtaining tickets
If multiple calls to get_tgt() or get_service_ticket() specify different
expected parameters, we want to perform the request again so that the
checking can be performed, rather than reusing a previously obtained
ticket and potentially skipping checks.

It should be fine to cache tickets with the same expected parameters, as
tickets that fail to be obtained will not be stored in the cache, so the
checking will happen for every call.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
8752b83bb9 CVE-2020-25719 tests/krb5: Add EXPECT_PAC environment variable to expect pac from all TGS tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
42405aa46b CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_REQUESTER_SID PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
58455c4876 CVE-2020-25719 tests/krb5: Add testing for PAC_TYPE_ATTRIBUTES_INFO PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
40a3f71818 CVE-2020-25719 tests/krb5: Add _modify_tgt() method for modifying already obtained tickets
https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
2158ba1eb0 CVE-2020-25719 tests/krb5: Extend _get_tgt() method to allow more modifications to tickets
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
e647186c14 CVE-2020-25719 tests/krb5: tests/krb5: Adjust expected error code for S4U2Self no-PAC tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00
Joseph Sutton
924f323188 CVE-2020-25719 tests/krb5: Adjust expected error codes for user-to-user tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14873

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
2021-11-09 19:45:33 +00:00