CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Thu, 26 May 2022 08:52:04 +0000 (20:52 +1200)
committerJule Anger <janger@samba.org>
Sun, 24 Jul 2022 09:42:01 +0000 (11:42 +0200)
This allows us to make use of it in other tests.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed conflicts due to having older version of
 _make_tgs_request()]

python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/kdc_tgs_tests.py

index 58b87eab25b840a42d2d27cb94ae2f34cab4562e..2117663b26b080018713fb5148f90be7646c4200 100644 (file)
@@ -67,6 +67,7 @@ from samba.tests.krb5.rfc4120_constants import (
     AES256_CTS_HMAC_SHA1_96,
     ARCFOUR_HMAC_MD5,
     KDC_ERR_PREAUTH_REQUIRED,
+    KDC_ERR_TGT_REVOKED,
     KRB_AS_REP,
     KRB_TGS_REP,
     KRB_ERROR,
@@ -1538,6 +1539,82 @@ class KDCBaseTest(RawKerberosTest):
 
         return ticket_creds
 
+    def _make_tgs_request(self, client_creds, service_creds, tgt,
+                          pac_request=None, expect_pac=True,
+                          expect_error=False,
+                          expected_account_name=None,
+                          expected_upn_name=None,
+                          expected_sid=None):
+        client_account = client_creds.get_username()
+        cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+                                          names=[client_account])
+
+        service_account = service_creds.get_username()
+        sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+                                          names=[service_account])
+
+        realm = service_creds.get_realm()
+
+        expected_crealm = realm
+        expected_cname = cname
+        expected_srealm = realm
+        expected_sname = sname
+
+        expected_supported_etypes = service_creds.tgs_supported_enctypes
+
+        etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+
+        kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
+
+        target_decryption_key = self.TicketDecryptionKey_from_creds(
+            service_creds)
+
+        authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
+
+        if expect_error:
+            expected_error_mode = KDC_ERR_TGT_REVOKED
+            check_error_fn = self.generic_check_kdc_error
+            check_rep_fn = None
+        else:
+            expected_error_mode = 0
+            check_error_fn = None
+            check_rep_fn = self.generic_check_kdc_rep
+
+        kdc_exchange_dict = self.tgs_exchange_dict(
+            expected_crealm=expected_crealm,
+            expected_cname=expected_cname,
+            expected_srealm=expected_srealm,
+            expected_sname=expected_sname,
+            expected_account_name=expected_account_name,
+            expected_upn_name=expected_upn_name,
+            expected_sid=expected_sid,
+            expected_supported_etypes=expected_supported_etypes,
+            ticket_decryption_key=target_decryption_key,
+            check_error_fn=check_error_fn,
+            check_rep_fn=check_rep_fn,
+            check_kdc_private_fn=self.generic_check_kdc_private,
+            expected_error_mode=expected_error_mode,
+            tgt=tgt,
+            authenticator_subkey=authenticator_subkey,
+            kdc_options=kdc_options,
+            pac_request=pac_request,
+            expect_pac=expect_pac,
+            expect_edata=False)
+
+        rep = self._generic_kdc_exchange(kdc_exchange_dict,
+                                         cname=cname,
+                                         realm=realm,
+                                         sname=sname,
+                                         etypes=etypes)
+        if expect_error:
+            self.check_error_rep(rep, expected_error_mode)
+
+            return None
+        else:
+            self.check_reply(rep, KRB_TGS_REP)
+
+            return kdc_exchange_dict['rep_ticket_creds']
+
     # Named tuple to contain values of interest when the PAC is decoded.
     PacData = namedtuple(
         "PacData",
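Review bot: `_make_tgs_request` arrives in `KDCBaseTest` with no docstring, and its `expect_error` flag pins the expected failure to `KDC_ERR_TGT_REVOKED` (the `if expect_error:` branch), so a test in another subclass that expects any other KDC error code still cannot share it and would need its own copy. Since the stated purpose is reuse from other tests, consider taking the code from the caller instead, e.g. `expected_error_mode=0` in the signature and `if expected_error_mode:` at the branch, with the `check_error_fn`/`check_rep_fn` selection keyed off that value; the current `expect_error=False` could be kept as an alias mapping to `KDC_ERR_TGT_REVOKED` so existing callers keep working. Independently of that, a short docstring stating that the helper issues a canonicalized TGS-REQ for `service_creds` using `tgt`, checks the reply (or the expected error) against the supplied `expected_*` values, and returns the service ticket credentials or `None` on the error path would let readers of other test files use it without reading `tgs_exchange_dict`. The method is complete within the hunk; the enclosing class continues beyond it.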
index 8cd27dec2aad93548ec7575c88f0fe79f976014d..e52f46152fabf182d8e3820820c2cc250436201a 100755 (executable)
@@ -230,82 +230,6 @@ class KdcTgsTests(KDCBaseTest):
             pac_data.account_sid,
             "rep = {%s},%s" % (rep, pac_data))
 
-    def _make_tgs_request(self, client_creds, service_creds, tgt,
-                          pac_request=None, expect_pac=True,
-                          expect_error=False,
-                          expected_account_name=None,
-                          expected_upn_name=None,
-                          expected_sid=None):
-        client_account = client_creds.get_username()
-        cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-                                          names=[client_account])
-
-        service_account = service_creds.get_username()
-        sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
-                                          names=[service_account])
-
-        realm = service_creds.get_realm()
-
-        expected_crealm = realm
-        expected_cname = cname
-        expected_srealm = realm
-        expected_sname = sname
-
-        expected_supported_etypes = service_creds.tgs_supported_enctypes
-
-        etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
-        kdc_options = str(krb5_asn1.KDCOptions('canonicalize'))
-
-        target_decryption_key = self.TicketDecryptionKey_from_creds(
-            service_creds)
-
-        authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
-
-        if expect_error:
-            expected_error_mode = KDC_ERR_TGT_REVOKED
-            check_error_fn = self.generic_check_kdc_error
-            check_rep_fn = None
-        else:
-            expected_error_mode = 0
-            check_error_fn = None
-            check_rep_fn = self.generic_check_kdc_rep
-
-        kdc_exchange_dict = self.tgs_exchange_dict(
-            expected_crealm=expected_crealm,
-            expected_cname=expected_cname,
-            expected_srealm=expected_srealm,
-            expected_sname=expected_sname,
-            expected_account_name=expected_account_name,
-            expected_upn_name=expected_upn_name,
-            expected_sid=expected_sid,
-            expected_supported_etypes=expected_supported_etypes,
-            ticket_decryption_key=target_decryption_key,
-            check_error_fn=check_error_fn,
-            check_rep_fn=check_rep_fn,
-            check_kdc_private_fn=self.generic_check_kdc_private,
-            expected_error_mode=expected_error_mode,
-            tgt=tgt,
-            authenticator_subkey=authenticator_subkey,
-            kdc_options=kdc_options,
-            pac_request=pac_request,
-            expect_pac=expect_pac,
-            expect_edata=False)
-
-        rep = self._generic_kdc_exchange(kdc_exchange_dict,
-                                         cname=cname,
-                                         realm=realm,
-                                         sname=sname,
-                                         etypes=etypes)
-        if expect_error:
-            self.check_error_rep(rep, expected_error_mode)
-
-            return None
-        else:
-            self.check_reply(rep, KRB_TGS_REP)
-
-            return kdc_exchange_dict['rep_ticket_creds']
-
     def test_request(self):
         client_creds = self.get_client_creds()
         service_creds = self.get_service_creds()