From 1e9ad4246ce7fe7a212da4357e6e11c5ac22a8b2 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 24 Nov 2021 11:52:31 +1300 Subject: [PATCH] tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit d95705172bcf6fe24817800a4c0009e9cc8be595) [jsutton@samba.org Fixed MIT knownfail conflict] --- python/samba/tests/krb5/alias_tests.py | 7 +- python/samba/tests/krb5/kdc_tgs_tests.py | 130 ++++++++---------- .../ms_kile_client_principal_lookup_tests.py | 39 ++---- python/samba/tests/krb5/s4u_tests.py | 57 ++++---- python/samba/tests/krb5/test_rpc.py | 8 +- selftest/knownfail_heimdal_kdc | 64 +++++++++ selftest/knownfail_mit_kdc | 9 ++ 7 files changed, 181 insertions(+), 133 deletions(-) diff --git a/python/samba/tests/krb5/alias_tests.py b/python/samba/tests/krb5/alias_tests.py index 60213845a44..1f63775c189 100755 --- a/python/samba/tests/krb5/alias_tests.py +++ b/python/samba/tests/krb5/alias_tests.py @@ -28,7 +28,7 @@ from samba.tests.krb5.kdc_base_test import KDCBaseTest from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5, - KDC_ERR_CLIENT_NAME_MISMATCH, + KDC_ERR_TGT_REVOKED, NT_PRINCIPAL, ) @@ -168,7 +168,7 @@ class AliasTests(KDCBaseTest): ctype=None) return [padata], req_body - expected_error_mode = KDC_ERR_CLIENT_NAME_MISMATCH + expected_error_mode = KDC_ERR_TGT_REVOKED # Make a request using S4U2Self. The request should fail. kdc_exchange_dict = self.tgs_exchange_dict( @@ -184,7 +184,8 @@ class AliasTests(KDCBaseTest): tgt=tgt, authenticator_subkey=authenticator_subkey, kdc_options='0', - expect_pac=True) + expect_pac=True, + expect_edata=False) rep = self._generic_kdc_exchange(kdc_exchange_dict, cname=None, diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index 0578969ba69..7ea15f0fbab 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py 
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -23,7 +23,7 @@ import os import ldb -from samba import dsdb, ntstatus +from samba import dsdb from samba.dcerpc import krb5pac, security @@ -38,8 +38,6 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_ERROR, KRB_TGS_REP, KDC_ERR_BADMATCH, - KDC_ERR_BADOPTION, - KDC_ERR_CLIENT_NAME_MISMATCH, KDC_ERR_GENERIC, KDC_ERR_MODIFIED, KDC_ERR_POLICY, @@ -262,7 +260,7 @@ class KdcTgsTests(KDCBaseTest): authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256) if expect_error: - expected_error_mode = KDC_ERR_BADOPTION + expected_error_mode = KDC_ERR_TGT_REVOKED check_error_fn = self.generic_check_kdc_error check_rep_fn = None else: @@ -288,7 +286,8 @@ class KdcTgsTests(KDCBaseTest): authenticator_subkey=authenticator_subkey, kdc_options=kdc_options, pac_request=pac_request, - expect_pac=expect_pac) + expect_pac=expect_pac, + expect_edata=False) rep = self._generic_kdc_exchange(kdc_exchange_dict, cname=cname, @@ -516,8 +515,7 @@ class KdcTgsTests(KDCBaseTest): creds = self._get_creds() tgt = self._get_tgt(creds, remove_requester_sid=True) - self._run_tgs(tgt, expected_error=0, expect_pac=True, - expect_requester_sid=False) # Note: not expected + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_req_no_pac_attrs(self): creds = self._get_creds() @@ -531,11 +529,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True) - samdb = self.get_samdb() - sid = self.get_objectSid(samdb, creds.get_dn()) - - self._run_tgs(tgt, expected_error=0, expect_pac=True, - expect_requester_sid=True, expected_sid=sid) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_req_from_rodc_no_pac_attrs(self): creds = self._get_creds(replication_allowed=True, 
@@ -548,101 +542,99 @@ class KdcTgsTests(KDCBaseTest): def test_tgs_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True) - self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, renewable=True, remove_pac=True) - self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, invalid=True, remove_pac=True) - self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True) self._s4u2self(tgt, creds, - expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION), - expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER, - expect_edata=True) + expected_error=KDC_ERR_TGT_REVOKED, + expect_edata=False) def test_user2user_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True) - self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION) + self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) # Test making a request with authdata and without a PAC. 
def test_tgs_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) - self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, renewable=True, remove_pac=True, allow_empty_authdata=True) - self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, invalid=True, remove_pac=True, allow_empty_authdata=True) - self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) self._s4u2self(tgt, creds, - expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION), - expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER, - expect_edata=True) + expected_error=KDC_ERR_TGT_REVOKED, + expect_edata=False) def test_user2user_authdata_no_pac(self): creds = self._get_creds() tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True) - self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION) + self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) # Test changing the SID in the PAC to that of another account. 
def test_tgs_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid) - self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid) - self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid) self._s4u2self(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) def test_user2user_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid) self._user2user(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) def test_requester_sid_mismatch_existing(self): creds = self._get_creds() existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid, can_modify_logon_info=False) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_logon_info_sid_mismatch_existing(self): creds = self._get_creds() 
@@ -656,49 +648,49 @@ class KdcTgsTests(KDCBaseTest): existing_rid = self._get_existing_rid() tgt = self._get_tgt(creds, new_rid=existing_rid, remove_requester_sid=True) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) # Test changing the SID in the PAC to a non-existent one. def test_tgs_sid_mismatch_nonexisting(self): creds = self._get_creds() nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, new_rid=nonexistent_rid) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_sid_mismatch_nonexisting(self): creds = self._get_creds() nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, renewable=True, new_rid=nonexistent_rid) - self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_sid_mismatch_nonexisting(self): creds = self._get_creds() nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, invalid=True, new_rid=nonexistent_rid) - self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_sid_mismatch_nonexisting(self): creds = self._get_creds() nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, new_rid=nonexistent_rid) self._s4u2self(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) def test_user2user_sid_mismatch_nonexisting(self): creds = self._get_creds() nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, new_rid=nonexistent_rid) self._user2user(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) def test_requester_sid_mismatch_nonexisting(self): creds = self._get_creds() nonexistent_rid = self._get_non_existent_rid() tgt = 
self._get_tgt(creds, new_rid=nonexistent_rid, can_modify_logon_info=False) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_logon_info_sid_mismatch_nonexisting(self): creds = self._get_creds() @@ -712,7 +704,7 @@ class KdcTgsTests(KDCBaseTest): nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, new_rid=nonexistent_rid, remove_requester_sid=True) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) # Test with an RODC-issued ticket where the client is revealed to the RODC. def test_tgs_rodc_revealed(self): @@ -753,7 +745,7 @@ class KdcTgsTests(KDCBaseTest): existing_rid = self._get_existing_rid(replication_allowed=True, revealed_to_rodc=True) tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_rodc_sid_mismatch_existing(self): creds = self._get_creds(replication_allowed=True, @@ -762,7 +754,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) tgt = self._get_tgt(creds, renewable=True, from_rodc=True, new_rid=existing_rid) - self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_rodc_sid_mismatch_existing(self): creds = self._get_creds(replication_allowed=True, @@ -771,7 +763,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) tgt = self._get_tgt(creds, invalid=True, from_rodc=True, new_rid=existing_rid) - self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_rodc_sid_mismatch_existing(self): creds = self._get_creds(replication_allowed=True, 
@@ -779,7 +771,7 @@ class KdcTgsTests(KDCBaseTest): existing_rid = self._get_existing_rid(replication_allowed=True, revealed_to_rodc=True) tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid) - self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) def test_user2user_rodc_sid_mismatch_existing(self): creds = self._get_creds(replication_allowed=True, @@ -788,7 +780,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid) self._user2user(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_rodc_requester_sid_mismatch_existing(self): creds = self._get_creds(replication_allowed=True, @@ -797,7 +789,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid, can_modify_logon_info=False) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_rodc_logon_info_sid_mismatch_existing(self): creds = self._get_creds(replication_allowed=True, @@ -815,7 +807,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid, remove_requester_sid=True) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) # Test with an RODC-issued ticket where the SID in the PAC is changed to a # non-existent one. 
@@ -824,7 +816,7 @@ class KdcTgsTests(KDCBaseTest): revealed_to_rodc=True) nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_renew_rodc_sid_mismatch_nonexisting(self): creds = self._get_creds(replication_allowed=True, @@ -832,7 +824,7 @@ class KdcTgsTests(KDCBaseTest): nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, renewable=True, from_rodc=True, new_rid=nonexistent_rid) - self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_validate_rodc_sid_mismatch_nonexisting(self): creds = self._get_creds(replication_allowed=True, @@ -840,14 +832,14 @@ class KdcTgsTests(KDCBaseTest): nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, invalid=True, from_rodc=True, new_rid=nonexistent_rid) - self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_s4u2self_rodc_sid_mismatch_nonexisting(self): creds = self._get_creds(replication_allowed=True, revealed_to_rodc=True) nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid) - self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED) def test_user2user_rodc_sid_mismatch_nonexisting(self): creds = self._get_creds(replication_allowed=True, 
@@ -855,7 +847,7 @@ class KdcTgsTests(KDCBaseTest): nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid) self._user2user(tgt, creds, - expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_rodc_requester_sid_mismatch_nonexisting(self): creds = self._get_creds(replication_allowed=True, @@ -863,7 +855,7 @@ class KdcTgsTests(KDCBaseTest): nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid, can_modify_logon_info=False) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_rodc_logon_info_sid_mismatch_nonexisting(self): creds = self._get_creds(replication_allowed=True, @@ -879,7 +871,7 @@ class KdcTgsTests(KDCBaseTest): nonexistent_rid = self._get_non_existent_rid() tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid, remove_requester_sid=True) - self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH) + self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED) # Test with an RODC-issued ticket where the client is not revealed to the # RODC. @@ -1111,8 +1103,7 @@ class KdcTgsTests(KDCBaseTest): names=[user_name]) self._user2user(tgt, creds, sname=sname, - expected_error=(KDC_ERR_BADMATCH, - KDC_ERR_BADOPTION)) + expected_error=KDC_ERR_BADMATCH) def test_user2user_other_sname(self): other_name = self.get_new_username() @@ -1134,8 +1125,7 @@ class KdcTgsTests(KDCBaseTest): sname = self.get_krbtgt_sname() self._user2user(tgt, creds, sname=sname, - expected_error=(KDC_ERR_BADMATCH, - KDC_ERR_BADOPTION)) + expected_error=KDC_ERR_BADMATCH) def test_user2user_wrong_srealm(self): creds = self._get_creds() 
@@ -1206,7 +1196,9 @@ class KdcTgsTests(KDCBaseTest): tgt = self._modify_tgt(tgt, cname=cname) - self._user2user(tgt, creds, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN) + self._user2user(tgt, creds, + expected_error=(KDC_ERR_TGT_REVOKED, + KDC_ERR_C_PRINCIPAL_UNKNOWN)) def test_user2user_non_existent_sname(self): creds = self._get_creds() @@ -1522,8 +1514,7 @@ class KdcTgsTests(KDCBaseTest): tgt = self._modify_tgt(tgt, renewable=True, remove_requester_sid=True) - self._renew_tgt(tgt, expected_error=0, expect_pac=True, - expect_requester_sid=False) # Note: not expected + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_requester_sid_missing_rodc_renew(self): creds = self._get_creds(replication_allowed=True, @@ -1539,9 +1530,7 @@ class KdcTgsTests(KDCBaseTest): tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True, remove_requester_sid=True) - self._renew_tgt(tgt, expected_error=0, expect_pac=True, - expected_sid=sid, - expect_requester_sid=True) + self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED) def test_tgs_pac_request_none(self): creds = self._get_creds() @@ -1655,10 +1644,10 @@ class KdcTgsTests(KDCBaseTest): creds = self._get_creds() tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) - ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=False) + ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True) - pac = self.get_ticket_pac(ticket, expect_pac=False) - self.assertIsNone(pac) + pac = self.get_ticket_pac(ticket) + self.assertIsNotNone(pac) def test_s4u2self_pac_request_true(self): creds = self._get_creds() 
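Review bot: In the `@@ -1539,9 +1530,7 @@` hunk the new `self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)` no longer passes `expected_sid=sid`, yet no line in the hunk removes the `sid` assignment, so that lookup is probably left as dead code earlier in the test. The equivalent change in the `@@ -531,11 +529,7 @@` hunk does delete `samdb = self.get_samdb()` and `sid = self.get_objectSid(samdb, creds.get_dn())`; the same cleanup should be applied here. The start of the test method is outside the hunk, so this needs confirming against the full file.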
@@ -1753,10 +1742,10 @@ class KdcTgsTests(KDCBaseTest): tgt = self.get_tgt(creds, pac_request=False, expect_pac=None) tgt = self._modify_tgt(tgt, from_rodc=True) - ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False) + ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True) pac = self.get_ticket_pac(ticket, expect_pac=False) - self.assertIsNone(pac) + self.assertIsNotNone(pac) def test_tgs_rodc_pac_request_true(self): creds = self._get_creds(replication_allowed=True, @@ -1784,7 +1773,8 @@ class KdcTgsTests(KDCBaseTest): 'sAMAccountName') samdb.modify(msg) - self._run_tgs(tgt, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN) + self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED, + KDC_ERR_C_PRINCIPAL_UNKNOWN)) def _modify_renewable(self, enc_part): # Set the renewable flag. diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py index 0aa3309b814..e6b90d3e16a 100755 --- a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -32,6 +32,7 @@ from samba.tests.krb5.rfc4120_constants import ( NT_PRINCIPAL, NT_SRV_INST, KDC_ERR_C_PRINCIPAL_UNKNOWN, + KDC_ERR_TGT_REVOKED, ) global_asn1_print = False 
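Review bot: `pac = self.get_ticket_pac(ticket, expect_pac=False)` is left unchanged in the `@@ -1753,10 +1742,10 @@` hunk while the assertion after it becomes `self.assertIsNotNone(pac)`, so the helper is still told that no PAC is expected and the test then requires one. The parallel S4U2Self test in the `@@ -1655,10 +1644,10 @@` hunk drops the argument, and the same should be done here: `pac = self.get_ticket_pac(ticket)`. How `get_ticket_pac` treats `expect_pac=False` is not visible in this patch, so the test may fail inside the helper or pass without the PAC having been checked. The test method begins outside the hunk.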
@@ -322,21 +323,10 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): (rep, enc_part) = self.tgs_req( cname, sname, uc.get_realm(), ticket, key, etype, - service_creds=mc, expect_pac=False) - self.check_tgs_reply(rep) - - # Check the contents of the service ticket - ticket = rep['ticket'] - enc_part = self.decode_service_ticket(mc, ticket) - # - # We get an empty authorization-data element in the ticket. - # i.e. no PAC - self.assertEqual([], enc_part['authorization-data']) - # check the crealm and cname - cname = enc_part['cname'] - self.assertEqual(NT_PRINCIPAL, cname['name-type']) - self.assertEqual(alt_name.encode('UTF8'), cname['name-string'][0]) - self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + service_creds=mc, expect_pac=False, + expect_edata=False, + expected_error_mode=KDC_ERR_TGT_REVOKED) + self.check_error_rep(rep, KDC_ERR_TGT_REVOKED) def test_nt_principal_step_4_b(self): ''' Step 4, pre-authentication @@ -703,21 +693,10 @@ class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): (rep, enc_part) = self.tgs_req( cname, sname, uc.get_realm(), ticket, key, etype, - service_creds=mc, expect_pac=False) - self.check_tgs_reply(rep) - - # Check the contents of the service ticket - ticket = rep['ticket'] - enc_part = self.decode_service_ticket(mc, ticket) - # - # We get an empty authorization-data element in the ticket. - # i.e. no PAC - self.assertEqual([], enc_part['authorization-data']) - # check the crealm and cname - cname = enc_part['cname'] - self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) - self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) - self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + service_creds=mc, expect_pac=False, + expect_edata=False, + expected_error_mode=KDC_ERR_TGT_REVOKED) + self.check_error_rep(rep, KDC_ERR_TGT_REVOKED) def test_nt_enterprise_principal_step_6_b(self): ''' Step 4, pre-authentication 
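Review bot: The block removed in the `@@ -322,21 +323,10 @@` hunk carried the only explanation of what this step expects; the new `expected_error_mode=KDC_ERR_TGT_REVOKED` has none, and the same applies to the `@@ -703,21 +693,10 @@` hunk. Add a comment before the call, for example `# The KDC now rejects this TGS-REQ rather than issuing a service ticket without a PAC.`. Since `enc_part` is no longer read in the visible lines, `(rep, _) = self.tgs_req(` would make that explicit. The docstring of each test is outside the hunk and may still describe the old success path.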
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index a80a7b3427e..5f37525f393 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -42,6 +42,7 @@ from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_INAPP_CKSUM, KDC_ERR_MODIFIED, KDC_ERR_SUMTYPE_NOSUPP, + KDC_ERR_TGT_REVOKED, KU_PA_ENC_TIMESTAMP, KU_AS_REP_ENC_PART, KU_TGS_REP_ENC_PART_SUB_KEY, @@ -278,6 +279,8 @@ class S4UKerberosTests(KDCBaseTest): etypes = kdc_dict.pop('etypes', (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)) + expect_edata = kdc_dict.pop('expect_edata', None) + def generate_s4u2self_padata(_kdc_exchange_dict, _callback_dict, req_body): @@ -309,7 +312,8 @@ class S4UKerberosTests(KDCBaseTest): tgt=service_tgt, authenticator_subkey=authenticator_subkey, kdc_options=str(kdc_options), - expect_claims=False) + expect_claims=False, + expect_edata=expect_edata) self._generic_kdc_exchange(kdc_exchange_dict, cname=None, @@ -343,15 +347,14 @@ class S4UKerberosTests(KDCBaseTest): self._run_s4u2self_test( { - 'expected_error_mode': (KDC_ERR_GENERIC, - KDC_ERR_BADOPTION), - 'expected_status': ntstatus.NT_STATUS_INVALID_PARAMETER, + 'expected_error_mode': KDC_ERR_TGT_REVOKED, 'client_opts': { 'not_delegated': False }, 'kdc_options': 'forwardable', 'modify_service_tgt_fn': forwardable_no_pac, - 'expected_flags': 'forwardable' + 'expected_flags': 'forwardable', + 'expect_edata': False }) # Test performing an S4U2Self operation without requesting a forwardable @@ -674,8 +677,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC. self._run_delegation_test( { - 'expected_error_mode': (KDC_ERR_BADOPTION, - KDC_ERR_MODIFIED), + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_TGT_REVOKED), 'allow_delegation': True, 'modify_client_tkt_fn': self.remove_ticket_pac, 'expect_edata': False 
@@ -686,9 +689,10 @@ class S4UKerberosTests(KDCBaseTest): # PAC. self._run_delegation_test( { - 'expected_error_mode': 0, + 'expected_error_mode': KDC_ERR_TGT_REVOKED, 'allow_delegation': True, - 'modify_service_tgt_fn': self.remove_ticket_pac + 'modify_service_tgt_fn': self.remove_ticket_pac, + 'expect_edata': False }) def test_constrained_delegation_no_client_pac_no_auth_data_required(self): @@ -696,8 +700,8 @@ class S4UKerberosTests(KDCBaseTest): # contain a PAC. self._run_delegation_test( { - 'expected_error_mode': (KDC_ERR_BADOPTION, - KDC_ERR_MODIFIED), + 'expected_error_mode': (KDC_ERR_MODIFIED, + KDC_ERR_BADOPTION), 'allow_delegation': True, 'modify_client_tkt_fn': self.remove_ticket_pac, 'expect_edata': False, @@ -711,13 +715,14 @@ class S4UKerberosTests(KDCBaseTest): # PAC. self._run_delegation_test( { - 'expected_error_mode': (KDC_ERR_BADOPTION, - KDC_ERR_MODIFIED), + 'expected_error_mode': KDC_ERR_TGT_REVOKED, 'allow_delegation': True, 'modify_service_tgt_fn': self.remove_ticket_pac, 'service2_opts': { 'no_auth_data_required': True - } + }, + 'expect_pac': False, + 'expect_edata': False }) def test_constrained_delegation_non_forwardable(self): @@ -812,12 +817,11 @@ class S4UKerberosTests(KDCBaseTest): # PAC. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_BADOPTION, - 'expected_status': - ntstatus.NT_STATUS_NOT_FOUND, + 'expected_error_mode': KDC_ERR_TGT_REVOKED, 'allow_rbcd': True, 'pac_options': '0001', # supports RBCD - 'modify_service_tgt_fn': self.remove_ticket_pac + 'modify_service_tgt_fn': self.remove_ticket_pac, + 'expect_edata': False }) def test_rbcd_no_client_pac_no_auth_data_required_a(self): 
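Review bot: Of the four service-TGT-without-PAC cases switched to `KDC_ERR_TGT_REVOKED`, only the dict in the `@@ -711,13 +715,14 @@` hunk adds `'expect_pac': False`; the dicts at `@@ -686,9 +689,10 @@`, `@@ -812,12 +817,11 @@` and `@@ -858,15 +862,14 @@` get `'expect_edata': False` alone. Whether the harness reads `expect_pac` on an error reply is not visible in these hunks, so either the key is needed in all four dicts or it can be dropped from this one. Using one form throughout, e.g. `'expect_pac': False,` ahead of `'expect_edata': False` in each dict, keeps the PAC-rejection cases comparable. The test methods begin outside the hunks.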
@@ -858,15 +862,14 @@ class S4UKerberosTests(KDCBaseTest): # PAC. self._run_delegation_test( { - 'expected_error_mode': KDC_ERR_BADOPTION, - 'expected_status': - ntstatus.NT_STATUS_NOT_FOUND, + 'expected_error_mode': KDC_ERR_TGT_REVOKED, 'allow_rbcd': True, 'pac_options': '0001', # supports RBCD 'modify_service_tgt_fn': self.remove_ticket_pac, 'service2_opts': { 'no_auth_data_required': True - } + }, + 'expect_edata': False }) def test_rbcd_non_forwardable(self): @@ -941,8 +944,8 @@ class S4UKerberosTests(KDCBaseTest): for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM: - expected_error_mode = (KDC_ERR_BADOPTION, - KDC_ERR_MODIFIED) + expected_error_mode = (KDC_ERR_MODIFIED, + KDC_ERR_BADOPTION) else: expected_error_mode = KDC_ERR_GENERIC @@ -1061,8 +1064,7 @@ class S4UKerberosTests(KDCBaseTest): for checksum in self.pac_checksum_types: with self.subTest(checksum=checksum): if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM: - expected_error_mode = (KDC_ERR_MODIFIED, - KDC_ERR_BAD_INTEGRITY) + expected_error_mode = KDC_ERR_MODIFIED expected_status = ntstatus.NT_STATUS_WRONG_PASSWORD else: expected_error_mode = 0 @@ -1162,8 +1164,7 @@ class S4UKerberosTests(KDCBaseTest): with self.subTest(checksum=checksum, ctype=ctype): if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM: if ctype == Cksumtype.SHA1: - expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP, - KDC_ERR_BAD_INTEGRITY) + expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP expected_status = ntstatus.NT_STATUS_LOGON_FAILURE else: expected_error_mode = KDC_ERR_GENERIC diff --git a/python/samba/tests/krb5/test_rpc.py b/python/samba/tests/krb5/test_rpc.py index 2d483986e83..5a3c7339cea 100755 --- a/python/samba/tests/krb5/test_rpc.py +++ b/python/samba/tests/krb5/test_rpc.py 
@@ -24,7 +24,10 @@ import ldb from samba import NTSTATUSError, credentials from samba.dcerpc import lsa -from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN +from samba.ntstatus import ( + NT_STATUS_ACCESS_DENIED, + NT_STATUS_NO_IMPERSONATION_TOKEN +) from samba.tests.krb5.kdc_base_test import KDCBaseTest @@ -103,7 +106,8 @@ class RpcTests(KDCBaseTest): self.fail() enum, _ = e.args - self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum) + self.assertIn(enum, {NT_STATUS_ACCESS_DENIED, + NT_STATUS_NO_IMPERSONATION_TOKEN}) return (account_name, _) = conn.GetUserName(None, None, None) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 7eba899966e..1b7e159c381 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc 
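Review bot: The `assertIn` added in the `@@ -103,7 +106,8 @@` hunk accepts either `NT_STATUS_ACCESS_DENIED` or `NT_STATUS_NO_IMPERSONATION_TOKEN` with no comment saying which server behaviour produces which, so a change from one status to the other would go unnoticed. Add a comment above it, e.g. `# Either status is accepted as the expected failure; TODO record which server/configuration returns which.`, or pin a single value per KDC build if the suite can distinguish them. The enclosing test method starts outside the hunk.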
@@ -233,16 +233,21 @@ # S4U tests # ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac(?!_no_auth_data_required) ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(.*\)$ +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed # 
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required 
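Review bot: The entries added in the `@@ -233,16 +233,21 @@` hunk terminate test names in three different ways: `test_constrained_delegation_no_client_pac(?!_no_auth_data_required)` uses a lookahead, the existing neighbour uses `\(.*\)$`, and `test_rbcd_no_service_pac` and `test_s4u2self_no_pac` have no terminator at all. If entries are matched as prefixes, as the explicit `\(.*\)$` on the neighbouring line suggests, `test_rbcd_no_service_pac` already covers the `_no_auth_data_required` variant listed on the next line and would also hide the failure of any later test sharing that prefix. Because this list suppresses failures of PAC-validation tests, the explicit form is safer, e.g. `...S4UKerberosTests.test_rbcd_no_service_pac\(.*\)$`.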
@@ -259,3 +264,62 @@
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
+#
+# Alias tests
+#
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_rename
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_delete
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_rename
+#
+# KDC TGS tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 8cd36fe2d96..cc12499bb50 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -390,6 +390,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 #
 # KDC TGT tests
 #
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_allowed_denied
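Review bot: The 59 entries added by the `@@ -259,3 +264,62 @@` hunk (selftest/knownfail_heimdal_kdc, going by the diffstat) sit under bare `# Alias tests` and `# KDC TGS tests` headings, with nothing saying why they are expected to fail or when they can be removed. Going by their names, most of them exercise tickets with a missing PAC or a mismatched SID, so the list appears to record where the KDC does not yet give the response the adjusted tests expect; someone auditing PAC enforcement needs that stated in the file. A line such as `# Fail until the KDC returns the error codes Windows gives with PacRequestorEnforcement=2` above each group would do, ideally with a reference to the tracking bug, which the commit message does not give.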
@@ -401,6 +403,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_req
@@ -418,6 +422,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link
@@ -427,6 +432,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_sname
@@ -462,6 +469,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_revealed
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
 ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting
 #
 # PAC attributes tests
 #
-- 2.34.1