pac = self.get_ticket_pac(ticket)
self.assertIsNotNone(pac)
+ def test_tgs_rename(self):
+ creds = self.get_cached_creds(account_type=self.AccountType.USER,
+ use_cache=False)
+ tgt = self.get_tgt(creds)
+
+ # Rename the account.
+ new_name = self.get_new_username()
+
+ samdb = self.get_samdb()
+ msg = ldb.Message(creds.get_dn())
+ msg['sAMAccountName'] = ldb.MessageElement(new_name,
+ ldb.FLAG_MOD_REPLACE,
+ 'sAMAccountName')
+ samdb.modify(msg)
+
+ self._run_tgs(tgt, expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
+
def _get_tgt(self,
client_creds,
renewable=False,
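Review bot: The `# Rename the account.` comment in test_tgs_rename says what is done but not why the TGS-REQ on the old TGT is then expected to fail, which is the point of the test; I would extend it to `# Rename the account. The TGT's client name no longer matches any account, so the KDC is expected to reject the TGS-REQ with KDC_ERR_C_PRINCIPAL_UNKNOWN.` The same rename block (ldb.Message on the DN, FLAG_MOD_REPLACE of sAMAccountName, samdb.modify) is repeated verbatim in _run_ccache_test, _run_ldap_test, _run_rpc_test and _run_smb_test in the later hunks; a small helper on the shared test base, e.g. `new_name = self.rename_account(samdb, creds)`, would keep the five copies from drifting apart. The account is never renamed back; if get_cached_creds with use_cache=False hands out a throwaway account that is fine, otherwise an addCleanup restoring the old sAMAccountName would be needed so later tests are not affected.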
import sys
import os
+import ldb
+
from ldb import SCOPE_SUBTREE
from samba import NTSTATUSError, gensec
from samba.auth import AuthContext
"""
def test_ccache(self):
- self._run_ccache_test("ccacheusr")
+ self._run_ccache_test()
+
+ def test_ccache_rename(self):
+ self._run_ccache_test(rename=True)
def test_ccache_no_pac(self):
- self._run_ccache_test("ccacheusr_nopac", include_pac=False,
+ self._run_ccache_test(include_pac=False,
expect_anon=True, allow_error=True)
- def _run_ccache_test(self, user_name, include_pac=True,
+ def _run_ccache_test(self, rename=False, include_pac=True,
expect_anon=False, allow_error=False):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
samdb = self.get_samdb()
# Create the user account.
- (user_credentials, _) = self.create_account(samdb, user_name)
+ user_credentials = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ use_cache=False)
+ user_name = user_credentials.get_username()
# Create the machine account.
(mach_credentials, _) = self.create_account(
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
+ # Retrieve the user account's SID.
+ ldb_res = samdb.search(scope=SCOPE_SUBTREE,
+ expression="(sAMAccountName=%s)" % user_name,
+ attrs=["objectSid"])
+ self.assertEqual(1, len(ldb_res))
+ sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
+
+ if rename:
+ # Rename the account.
+
+ new_name = self.get_new_username()
+
+ msg = ldb.Message(user_credentials.get_dn())
+ msg['sAMAccountName'] = ldb.MessageElement(new_name,
+ ldb.FLAG_MOD_REPLACE,
+ 'sAMAccountName')
+ samdb.modify(msg)
+
# Authenticate in-process to the machine account using the user's
# cached credentials.
# Ensure that the first SID contained within the obtained security
# token is the SID of the user we created.
- # Retrieve the user account's SID.
- ldb_res = samdb.search(scope=SCOPE_SUBTREE,
- expression="(sAMAccountName=%s)" % user_name,
- attrs=["objectSid"])
- self.assertEqual(1, len(ldb_res))
- sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
-
# Retrieve the SIDs from the security token.
try:
session = gensec_server.session_info()
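Review bot: The `rename=True` branch of _run_ccache_test never states what outcome it expects once the account has been renamed; the unchanged authentication and SID check then run, so presumably the intent is that the cached service ticket is still accepted and the resulting token resolves to the user's SID rather than to the stale name. I would say so at the branch, e.g. `# Rename the account. The cached ticket must still be accepted afterwards, and the session must resolve to the user's SID, not the old name.` The same applies to the rename branch of _run_ldap_test. Moving the objectSid lookup ahead of the rename is needed because the search is by the old user_name and would otherwise find nothing; a one-line comment on that move, `# Look up the SID before any rename: the search is by the original name.`, would spare the next reader the question. _run_ccache_test continues outside the hunk.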
import sys
import os
+import ldb
+
from ldb import LdbError, ERR_OPERATIONS_ERROR, SCOPE_BASE, SCOPE_SUBTREE
from samba.dcerpc import security
from samba.ndr import ndr_unpack
"""
def test_ldap(self):
- self._run_ldap_test("ldapusr")
+ self._run_ldap_test()
+
+ def test_ldap_rename(self):
+ self._run_ldap_test(rename=True)
def test_ldap_no_pac(self):
- self._run_ldap_test("ldapusr_nopac", include_pac=False,
+ self._run_ldap_test(include_pac=False,
expect_anon=True, allow_error=True)
- def _run_ldap_test(self, user_name, include_pac=True,
+ def _run_ldap_test(self, rename=False, include_pac=True,
expect_anon=False, allow_error=False):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
service = "ldap"
# Create the user account.
- (user_credentials, _) = self.create_account(samdb, user_name)
+ user_credentials = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ use_cache=False)
+ user_name = user_credentials.get_username()
mach_credentials = self.get_dc_creds()
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
- # Authenticate in-process to the machine account using the user's
- # cached credentials.
-
# Retrieve the user account's SID.
ldb_res = samdb.search(scope=SCOPE_SUBTREE,
expression="(sAMAccountName=%s)" % user_name,
self.assertEqual(1, len(ldb_res))
sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
+ if rename:
+ # Rename the account.
+
+ new_name = self.get_new_username()
+
+ msg = ldb.Message(user_credentials.get_dn())
+ msg['sAMAccountName'] = ldb.MessageElement(new_name,
+ ldb.FLAG_MOD_REPLACE,
+ 'sAMAccountName')
+ samdb.modify(msg)
+
+ # Authenticate in-process to the machine account using the user's
+ # cached credentials.
+
# Connect to the machine account and retrieve the user SID.
try:
ldb_as_user = SamDB(url="ldap://%s" % mach_name,
import sys
import os
+import ldb
+
from samba import NTSTATUSError, credentials
from samba.dcerpc import lsa
from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN
"""
def test_rpc(self):
- self._run_rpc_test("rpcusr")
+ self._run_rpc_test()
+
+ def test_rpc_rename(self):
+ self._run_rpc_test(rename=True)
def test_rpc_no_pac(self):
- self._run_rpc_test("rpcusr_nopac", include_pac=False,
+ self._run_rpc_test(include_pac=False,
expect_anon=True, allow_error=True)
- def _run_rpc_test(self, user_name, include_pac=True,
+ def _run_rpc_test(self, rename=False, include_pac=True,
expect_anon=False, allow_error=False):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
service = "cifs"
# Create the user account.
- (user_credentials, _) = self.create_account(samdb, user_name)
+ user_credentials = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ use_cache=False)
+ user_name = user_credentials.get_username()
mach_credentials = self.get_dc_creds()
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
+ if rename:
+ # Rename the account.
+
+ new_name = self.get_new_username()
+
+ msg = ldb.Message(user_credentials.get_dn())
+ msg['sAMAccountName'] = ldb.MessageElement(new_name,
+ ldb.FLAG_MOD_REPLACE,
+ 'sAMAccountName')
+ samdb.modify(msg)
+
# Authenticate in-process to the machine account using the user's
# cached credentials.
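Review bot: The rename in _run_rpc_test is inserted before the authentication step, but unlike the ccache and smb hunks this hunk does not move any `(sAMAccountName=%s)` lookup ahead of it; if the rpc test also resolves the user's SID by sAMAccountName somewhere later in the method (outside this hunk), that search would use the old user_name on the rename path and return nothing. If the lookup is already before this point, or the rpc test does not do one, a comment such as `# Any lookup by the old sAMAccountName must happen before this rename.` would make the ordering dependency visible. _run_rpc_test continues outside the hunk.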
import sys
import os
+import ldb
+
from ldb import SCOPE_SUBTREE
from samba import NTSTATUSError
from samba.dcerpc import security
"""
def test_smb(self):
- self._run_smb_test("smbusr")
+ self._run_smb_test()
+
+ def test_smb_rename(self):
+ self._run_smb_test(rename=True)
def test_smb_no_pac(self):
- self._run_smb_test("smbusr_nopac", include_pac=False,
+ self._run_smb_test(include_pac=False,
expect_error=True)
- def _run_smb_test(self, user_name, include_pac=True,
+ def _run_smb_test(self, rename=False, include_pac=True,
expect_error=False):
# Create a user account and a machine account, along with a Kerberos
# credentials cache file where the service ticket authenticating the
share = "tmp"
# Create the user account.
- (user_credentials, _) = self.create_account(samdb, user_name)
+ user_credentials = self.get_cached_creds(
+ account_type=self.AccountType.USER,
+ use_cache=False)
+ user_name = user_credentials.get_username()
+
+ mach_credentials = self.get_dc_creds()
mach_credentials = self.get_dc_creds()
# Remove the cached credentials file.
self.addCleanup(os.remove, cachefile.name)
+ # Retrieve the user account's SID.
+ ldb_res = samdb.search(scope=SCOPE_SUBTREE,
+ expression="(sAMAccountName=%s)" % user_name,
+ attrs=["objectSid"])
+ self.assertEqual(1, len(ldb_res))
+ sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
+
+ if rename:
+ # Rename the account.
+
+ new_name = self.get_new_username()
+
+ msg = ldb.Message(user_credentials.get_dn())
+ msg['sAMAccountName'] = ldb.MessageElement(new_name,
+ ldb.FLAG_MOD_REPLACE,
+ 'sAMAccountName')
+ samdb.modify(msg)
+
# Set the Kerberos 5 credentials cache environment variable. This is
# required because the codepath that gets run (gse_krb5) looks for it
# in here and not in the credentials object.
# Authenticate in-process to the machine account using the user's
# cached credentials.
- # Retrieve the user account's SID.
- ldb_res = samdb.search(scope=SCOPE_SUBTREE,
- expression="(sAMAccountName=%s)" % user_name,
- attrs=["objectSid"])
- self.assertEqual(1, len(ldb_res))
- sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0])
-
# Connect to a share and retrieve the user SID.
s3_lp = s3param.get_context()
s3_lp.load(self.get_lp().configfile)
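Review bot: `mach_credentials = self.get_dc_creds()` is now assigned twice in a row in _run_smb_test, the added line immediately followed by the existing context line, so one of the two should be dropped. The rename branch is otherwise consistent with the ccache hunk, including the objectSid lookup being moved ahead of the rename so the search by the original user_name still finds the account. _run_smb_test continues outside the hunk.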
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_s4u2self_sid_mismatch_nonexisting
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_authdata_no_pac
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_no_pac
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rename
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_allowed_denied
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_denied
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_rodc_no_krbtgt_link