import ldb
-from samba import dsdb, ntstatus
+from samba import dsdb
from samba.dcerpc import krb5pac, security
KRB_ERROR,
KRB_TGS_REP,
KDC_ERR_BADMATCH,
- KDC_ERR_BADOPTION,
- KDC_ERR_CLIENT_NAME_MISMATCH,
KDC_ERR_GENERIC,
KDC_ERR_MODIFIED,
KDC_ERR_POLICY,
authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
if expect_error:
- expected_error_mode = KDC_ERR_BADOPTION
+ expected_error_mode = KDC_ERR_TGT_REVOKED
check_error_fn = self.generic_check_kdc_error
check_rep_fn = None
else:
authenticator_subkey=authenticator_subkey,
kdc_options=kdc_options,
pac_request=pac_request,
- expect_pac=expect_pac)
+ expect_pac=expect_pac,
+ expect_edata=False)
rep = self._generic_kdc_exchange(kdc_exchange_dict,
cname=cname,
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_requester_sid=True)
- self._run_tgs(tgt, expected_error=0, expect_pac=True,
- expect_requester_sid=False) # Note: not expected
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_req_no_pac_attrs(self):
creds = self._get_creds()
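Review bot: The removed `# Note: not expected` comment was the only explanation attached to this requester-SID test, and the replacement line `self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)` carries none; the renew variants later in the file (`self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)` following `remove_requester_sid=True`) lose their comments the same way. A one-line comment above the call, e.g. `# A TGT whose PAC lacks the requester SID is now rejected as revoked instead of being accepted.`, records the hardened expectation for the next maintainer, who otherwise only sees that the error code changed. The enclosing test function starts outside the hunk.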
revealed_to_rodc=True)
tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True)
- samdb = self.get_samdb()
- sid = self.get_objectSid(samdb, creds.get_dn())
-
- self._run_tgs(tgt, expected_error=0, expect_pac=True,
- expect_requester_sid=True, expected_sid=sid)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_req_from_rodc_no_pac_attrs(self):
creds = self._get_creds(replication_allowed=True,
def test_tgs_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, renewable=True, remove_pac=True)
- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, invalid=True, remove_pac=True)
- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True)
self._s4u2self(tgt, creds,
- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION),
- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER,
- expect_edata=True)
+ expected_error=KDC_ERR_TGT_REVOKED,
+ expect_edata=False)
def test_user2user_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
# Test making a request with authdata and without a PAC.
def test_tgs_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, renewable=True, remove_pac=True,
allow_empty_authdata=True)
- self._renew_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, invalid=True, remove_pac=True,
allow_empty_authdata=True)
- self._validate_tgt(tgt, expected_error=KDC_ERR_BADOPTION)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
self._s4u2self(tgt, creds,
- expected_error=(KDC_ERR_GENERIC, KDC_ERR_BADOPTION),
- expected_status=ntstatus.NT_STATUS_INVALID_PARAMETER,
- expect_edata=True)
+ expected_error=KDC_ERR_TGT_REVOKED,
+ expect_edata=False)
def test_user2user_authdata_no_pac(self):
creds = self._get_creds()
tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
- self._user2user(tgt, creds, expected_error=KDC_ERR_BADOPTION)
+ self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
# Test changing the SID in the PAC to that of another account.
def test_tgs_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid)
- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid)
- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid)
self._s4u2self(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
def test_user2user_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid)
self._user2user(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
def test_requester_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid,
can_modify_logon_info=False)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_logon_info_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
tgt = self._get_tgt(creds, new_rid=existing_rid,
remove_requester_sid=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
# Test changing the SID in the PAC to a non-existent one.
def test_tgs_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, renewable=True,
new_rid=nonexistent_rid)
- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, invalid=True,
new_rid=nonexistent_rid)
- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
self._s4u2self(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
def test_user2user_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
self._user2user(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
def test_requester_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
can_modify_logon_info=False)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_logon_info_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
remove_requester_sid=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
# Test with an RODC-issued ticket where the client is revealed to the RODC.
def test_tgs_rodc_revealed(self):
existing_rid = self._get_existing_rid(replication_allowed=True,
revealed_to_rodc=True)
tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_rodc_sid_mismatch_existing(self):
creds = self._get_creds(replication_allowed=True,
revealed_to_rodc=True)
tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
new_rid=existing_rid)
- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_rodc_sid_mismatch_existing(self):
creds = self._get_creds(replication_allowed=True,
revealed_to_rodc=True)
tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
new_rid=existing_rid)
- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_rodc_sid_mismatch_existing(self):
creds = self._get_creds(replication_allowed=True,
existing_rid = self._get_existing_rid(replication_allowed=True,
revealed_to_rodc=True)
tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
- self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
def test_user2user_rodc_sid_mismatch_existing(self):
creds = self._get_creds(replication_allowed=True,
revealed_to_rodc=True)
tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
self._user2user(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_rodc_requester_sid_mismatch_existing(self):
creds = self._get_creds(replication_allowed=True,
revealed_to_rodc=True)
tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
can_modify_logon_info=False)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_rodc_logon_info_sid_mismatch_existing(self):
creds = self._get_creds(replication_allowed=True,
revealed_to_rodc=True)
tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
remove_requester_sid=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
# Test with an RODC-issued ticket where the SID in the PAC is changed to a
# non-existent one.
revealed_to_rodc=True)
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_renew_rodc_sid_mismatch_nonexisting(self):
creds = self._get_creds(replication_allowed=True,
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
new_rid=nonexistent_rid)
- self._renew_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_validate_rodc_sid_mismatch_nonexisting(self):
creds = self._get_creds(replication_allowed=True,
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
new_rid=nonexistent_rid)
- self._validate_tgt(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._validate_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_s4u2self_rodc_sid_mismatch_nonexisting(self):
creds = self._get_creds(replication_allowed=True,
revealed_to_rodc=True)
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
- self._s4u2self(tgt, creds, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
def test_user2user_rodc_sid_mismatch_nonexisting(self):
creds = self._get_creds(replication_allowed=True,
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
self._user2user(tgt, creds,
- expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_rodc_requester_sid_mismatch_nonexisting(self):
creds = self._get_creds(replication_allowed=True,
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
can_modify_logon_info=False)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_rodc_logon_info_sid_mismatch_nonexisting(self):
creds = self._get_creds(replication_allowed=True,
nonexistent_rid = self._get_non_existent_rid()
tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
remove_requester_sid=True)
- self._run_tgs(tgt, expected_error=KDC_ERR_CLIENT_NAME_MISMATCH)
+ self._run_tgs(tgt, expected_error=KDC_ERR_TGT_REVOKED)
# Test with an RODC-issued ticket where the client is not revealed to the
# RODC.
names=[user_name])
self._user2user(tgt, creds, sname=sname,
- expected_error=(KDC_ERR_BADMATCH,
- KDC_ERR_BADOPTION))
+ expected_error=KDC_ERR_BADMATCH)
def test_user2user_other_sname(self):
other_name = self.get_new_username()
sname = self.get_krbtgt_sname()
self._user2user(tgt, creds, sname=sname,
- expected_error=(KDC_ERR_BADMATCH,
- KDC_ERR_BADOPTION))
+ expected_error=KDC_ERR_BADMATCH)
def test_user2user_wrong_srealm(self):
creds = self._get_creds()
tgt = self._modify_tgt(tgt, cname=cname)
- self._user2user(tgt, creds, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
+ self._user2user(tgt, creds,
+ expected_error=(KDC_ERR_TGT_REVOKED,
+ KDC_ERR_C_PRINCIPAL_UNKNOWN))
def test_user2user_non_existent_sname(self):
creds = self._get_creds()
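Review bot: The new expectation `(KDC_ERR_TGT_REVOKED, KDC_ERR_C_PRINCIPAL_UNKNOWN)` accepts either code, so this test no longer pins which validation rejects the modified cname; the same widening is made for `_run_tgs` in the hunk after `samdb.modify(msg)`. Both codes are rejections, so the property that matters (the request fails) is still asserted, but a comment should say why two codes are tolerated, e.g. `# Either code is accepted: whether the PAC check or the client-principal lookup rejects the TGT first is not pinned here — TODO confirm which KDC builds report which`. The enclosing test function starts outside the hunk.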
tgt = self._modify_tgt(tgt, renewable=True,
remove_requester_sid=True)
- self._renew_tgt(tgt, expected_error=0, expect_pac=True,
- expect_requester_sid=False) # Note: not expected
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_requester_sid_missing_rodc_renew(self):
creds = self._get_creds(replication_allowed=True,
tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
remove_requester_sid=True)
- self._renew_tgt(tgt, expected_error=0, expect_pac=True,
- expected_sid=sid,
- expect_requester_sid=True)
+ self._renew_tgt(tgt, expected_error=KDC_ERR_TGT_REVOKED)
def test_tgs_pac_request_none(self):
creds = self._get_creds()
creds = self._get_creds()
tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
- ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=False)
+ ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
- pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ pac = self.get_ticket_pac(ticket)
+ self.assertIsNotNone(pac)
def test_s4u2self_pac_request_true(self):
creds = self._get_creds()
tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
tgt = self._modify_tgt(tgt, from_rodc=True)
- ticket = self._run_tgs(tgt, expected_error=0, expect_pac=False)
+ ticket = self._run_tgs(tgt, expected_error=0, expect_pac=True)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ self.assertIsNotNone(pac)
def test_tgs_rodc_pac_request_true(self):
creds = self._get_creds(replication_allowed=True,
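Review bot: `pac = self.get_ticket_pac(ticket, expect_pac=False)` keeps `expect_pac=False` although the call two lines above now passes `expect_pac=True` and the assertion below was flipped to `self.assertIsNotNone(pac)`; the parallel change in test_s4u2self_pac_request_false dropped the argument (`pac = self.get_ticket_pac(ticket)`), and this hunk should match it. If get_ticket_pac with expect_pac=False merely returns None on a missing PAC the assertion still catches it, but the argument now states the opposite of what the test expects and will mislead the next reader. The enclosing test function's `def` line is outside the hunk; judging by the knownfail list it appears to be test_tgs_rodc_pac_request_false.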
'sAMAccountName')
samdb.modify(msg)
- self._run_tgs(tgt, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
+ self._run_tgs(tgt, expected_error=(KDC_ERR_TGT_REVOKED,
+ KDC_ERR_C_PRINCIPAL_UNKNOWN))
def _modify_renewable(self, enc_part):
# Set the renewable flag.
KDC_ERR_INAPP_CKSUM,
KDC_ERR_MODIFIED,
KDC_ERR_SUMTYPE_NOSUPP,
+ KDC_ERR_TGT_REVOKED,
KU_PA_ENC_TIMESTAMP,
KU_AS_REP_ENC_PART,
KU_TGS_REP_ENC_PART_SUB_KEY,
etypes = kdc_dict.pop('etypes', (AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5))
+ expect_edata = kdc_dict.pop('expect_edata', None)
+
def generate_s4u2self_padata(_kdc_exchange_dict,
_callback_dict,
req_body):
tgt=service_tgt,
authenticator_subkey=authenticator_subkey,
kdc_options=str(kdc_options),
- expect_claims=False)
+ expect_claims=False,
+ expect_edata=expect_edata)
self._generic_kdc_exchange(kdc_exchange_dict,
cname=None,
self._run_s4u2self_test(
{
- 'expected_error_mode': (KDC_ERR_GENERIC,
- KDC_ERR_BADOPTION),
- 'expected_status': ntstatus.NT_STATUS_INVALID_PARAMETER,
+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
'client_opts': {
'not_delegated': False
},
'kdc_options': 'forwardable',
'modify_service_tgt_fn': forwardable_no_pac,
- 'expected_flags': 'forwardable'
+ 'expected_flags': 'forwardable',
+ 'expect_edata': False
})
# Test performing an S4U2Self operation without requesting a forwardable
# contain a PAC.
self._run_delegation_test(
{
- 'expected_error_mode': (KDC_ERR_BADOPTION,
- KDC_ERR_MODIFIED),
+ 'expected_error_mode': (KDC_ERR_MODIFIED,
+ KDC_ERR_TGT_REVOKED),
'allow_delegation': True,
'modify_client_tkt_fn': self.remove_ticket_pac,
'expect_edata': False
# PAC.
self._run_delegation_test(
{
- 'expected_error_mode': 0,
+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
'allow_delegation': True,
- 'modify_service_tgt_fn': self.remove_ticket_pac
+ 'modify_service_tgt_fn': self.remove_ticket_pac,
+ 'expect_edata': False
})
def test_constrained_delegation_no_client_pac_no_auth_data_required(self):
# contain a PAC.
self._run_delegation_test(
{
- 'expected_error_mode': (KDC_ERR_BADOPTION,
- KDC_ERR_MODIFIED),
+ 'expected_error_mode': (KDC_ERR_MODIFIED,
+ KDC_ERR_BADOPTION),
'allow_delegation': True,
'modify_client_tkt_fn': self.remove_ticket_pac,
'expect_edata': False,
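Review bot: The tuple at `'expected_error_mode': (KDC_ERR_MODIFIED, KDC_ERR_BADOPTION)` only swaps the order of the two codes, and the same swap is made in the `PAC_TYPE_TICKET_CHECKSUM` branch further down (`expected_error_mode = (KDC_ERR_MODIFIED, KDC_ERR_BADOPTION)`). If the checker treats the tuple as a plain set of acceptable codes the reorder is a no-op and is diff noise; if the first element is used as the primary or preferred code somewhere (the checker is not visible here), the changed preference deserves a comment such as `# Order matters: the first entry is the code the current KDC reports — TODO confirm`. The enclosing test function starts outside the hunk.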
# PAC.
self._run_delegation_test(
{
- 'expected_error_mode': (KDC_ERR_BADOPTION,
- KDC_ERR_MODIFIED),
+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
'allow_delegation': True,
'modify_service_tgt_fn': self.remove_ticket_pac,
'service2_opts': {
'no_auth_data_required': True
- }
+ },
+ 'expect_pac': False,
+ 'expect_edata': False
})
def test_constrained_delegation_non_forwardable(self):
# PAC.
self._run_delegation_test(
{
- 'expected_error_mode': KDC_ERR_BADOPTION,
- 'expected_status':
- ntstatus.NT_STATUS_NOT_FOUND,
+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
'allow_rbcd': True,
'pac_options': '0001', # supports RBCD
- 'modify_service_tgt_fn': self.remove_ticket_pac
+ 'modify_service_tgt_fn': self.remove_ticket_pac,
+ 'expect_edata': False
})
def test_rbcd_no_client_pac_no_auth_data_required_a(self):
# PAC.
self._run_delegation_test(
{
- 'expected_error_mode': KDC_ERR_BADOPTION,
- 'expected_status':
- ntstatus.NT_STATUS_NOT_FOUND,
+ 'expected_error_mode': KDC_ERR_TGT_REVOKED,
'allow_rbcd': True,
'pac_options': '0001', # supports RBCD
'modify_service_tgt_fn': self.remove_ticket_pac,
'service2_opts': {
'no_auth_data_required': True
- }
+ },
+ 'expect_edata': False
})
def test_rbcd_non_forwardable(self):
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
if checksum == krb5pac.PAC_TYPE_TICKET_CHECKSUM:
- expected_error_mode = (KDC_ERR_BADOPTION,
- KDC_ERR_MODIFIED)
+ expected_error_mode = (KDC_ERR_MODIFIED,
+ KDC_ERR_BADOPTION)
else:
expected_error_mode = KDC_ERR_GENERIC
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM:
- expected_error_mode = (KDC_ERR_MODIFIED,
- KDC_ERR_BAD_INTEGRITY)
+ expected_error_mode = KDC_ERR_MODIFIED
expected_status = ntstatus.NT_STATUS_WRONG_PASSWORD
else:
expected_error_mode = 0
with self.subTest(checksum=checksum, ctype=ctype):
if checksum == krb5pac.PAC_TYPE_SRV_CHECKSUM:
if ctype == Cksumtype.SHA1:
- expected_error_mode = (KDC_ERR_SUMTYPE_NOSUPP,
- KDC_ERR_BAD_INTEGRITY)
+ expected_error_mode = KDC_ERR_SUMTYPE_NOSUPP
expected_status = ntstatus.NT_STATUS_LOGON_FAILURE
else:
expected_error_mode = KDC_ERR_GENERIC
# S4U tests
#
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_client_pac(?!_no_auth_data_required)
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(.*\)$
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac_no_auth_data_required
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_b
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_service_pac_no_auth_data_required
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_client_checksum
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_unkeyed_service_checksum
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_pac
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
#
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_not_revealed
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_not_revealed
+#
+# Alias tests
+#
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_delete
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_create_alias_rename
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_delete
+^samba.tests.krb5.alias_tests.samba.tests.krb5.alias_tests.AliasTests.test_dc_alias_rename
+#
+# KDC TGS tests
+#
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_logon_info_only_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_client_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_remove_pac_service_no_auth_data_required
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_requester_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_from_rodc_no_requester_sid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_req_no_requester_sid
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_renew
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_requester_sid_missing_rodc_renew
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_pac_request_false
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_requester_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_wrong_sname_krbtgt
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_authdata_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_rodc_sid_mismatch_nonexisting
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_existing
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_sid_mismatch_nonexisting