UF_SERVER_TRUST_ACCOUNT,
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION,
UF_WORKSTATION_TRUST_ACCOUNT,
+ UF_SMARTCARD_REQUIRED
)
from samba.join import DCJoinContext
from samba.ndr import ndr_pack, ndr_unpack
creds.set_upn(upn)
creds.set_spn(spn)
creds.set_type(account_type)
+ creds.set_user_account_control(account_control)
self.creds_set_enctypes(creds)
'assigned_policy': None,
'assigned_silo': None,
'logon_hours': None,
+ 'smartcard_required': False
}
account_opts = {
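Review bot: The new `'smartcard_required': False` entry at the end of the defaults dict drops the trailing comma that every surrounding entry uses (`'logon_hours': None,`), so the next option added here has to touch this line as well; the same applies to `'user_account_control'` appended to the attribute list in the raw_testcase hunk. Suggest `'smartcard_required': False,` and `'user_account_control',`. The enclosing definition starts outside the hunk.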
force_nt4_hash,
assigned_policy,
assigned_silo,
- logon_hours):
+ logon_hours,
+ smartcard_required):
if account_type is self.AccountType.USER:
self.assertIsNone(delegation_to_spn)
self.assertIsNone(delegation_from_dn)
user_account_control |= UF_NOT_DELEGATED
if no_auth_data_required:
user_account_control |= UF_NO_AUTH_DATA_REQUIRED
+ if smartcard_required:
+ user_account_control |= UF_SMARTCARD_REQUIRED
if additional_details:
details = {k: v for k, v in additional_details}
preserve=use_cache)
expected_etypes = None
- if force_nt4_hash:
+
+ # We don't force fetching the keys other than the NT hash as
+ # how the server stores the unused KDC keys for the
+ # smartcard_required case is not important and makes unrelated
+ # tests break because of differences between Samba and
+ # Windows.
+ #
+ # The NT hash is different, as it is returned to the client in
+ # the PAC so is visible in the network behaviour.
+ if force_nt4_hash or smartcard_required:
expected_etypes = {kcrypto.Enctype.RC4}
keys = self.get_keys(creds, expected_etypes=expected_etypes)
self.creds_set_keys(creds, keys)
from cryptography.x509.oid import NameOID
import samba.tests
-from samba.dcerpc import security
+from samba import credentials, generate_random_password, ntstatus
+from samba.dcerpc import security, netlogon
from samba.tests.krb5 import kcrypto
from samba.tests.krb5.kdc_base_test import KDCBaseTest
from samba.tests.krb5.raw_testcase import PkInit, RawKerberosTest
KDC_ERR_CLIENT_NOT_TRUSTED,
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_MODIFIED,
+ KDC_ERR_POLICY,
KDC_ERR_PREAUTH_EXPIRED,
KDC_ERR_PREAUTH_FAILED,
KDC_ERR_PREAUTH_REQUIRED,
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
- def _get_creds(self, account_type=KDCBaseTest.AccountType.USER):
+ def _get_creds(self, account_type=KDCBaseTest.AccountType.USER, use_cache=False, smartcard_required=False):
"""Return credentials with an account having a UPN for performing
PK-INIT."""
samdb = self.get_samdb()
return self.get_cached_creds(
account_type=account_type,
- opts={'upn': f'{{account}}.{realm}@{realm}'})
+ opts={'upn': f'{{account}}.{realm}@{realm}',
+ 'smartcard_required': smartcard_required},
+ use_cache=use_cache)
def test_pkinit_no_des3(self):
"""Test public-key PK-INIT without specifying the DES3 encryption
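Review bot: The docstring of `_get_creds` is not updated for the two new keyword parameters, and the rewritten signature line is far longer than the rest of the file keeps. Suggest wrapping it as `def _get_creds(self, account_type=KDCBaseTest.AccountType.USER,` / `use_cache=False, smartcard_required=False):` and extending the docstring with a sentence such as `use_cache is passed through to get_cached_creds; smartcard_required is forwarded as the 'smartcard_required' account option.` Anything about what that option does to the account belongs in the option's own documentation rather than here, since this function only forwards it.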
target_creds,
*,
expect_error=0,
+ expect_status=False,
+ expected_status=None,
expect_edata=False,
etypes=None,
freshness=None,
expected_salt=creds.get_salt(),
preauth_key=preauth_key,
kdc_options=str(kdc_options),
- expect_edata=expect_edata)
+ expect_edata=expect_edata,
+ expect_status=expect_status,
+ expected_status=expected_status)
till = self.get_KerberosTime(offset=36000)
SEC_CHAN_WKSTA,
SEC_CHAN_BDC,
)
-
+from samba.dsdb import (
+ UF_SMARTCARD_REQUIRED
+)
import samba.tests
from samba.tests import TestCase
'spn',
'tgs_supported_enctypes',
'upn',
+ 'user_account_control'
]
non_etype_bits = (
self.sid = None
self.account_type = None
+ self.user_account_control = None
+
self._private_key = None
def set_as_supported_enctypes(self, value):
def set_ap_supported_enctypes(self, value):
self.ap_supported_enctypes = int(value)
+ def set_user_account_control(self, value):
+ self.user_account_control = int(value)
+
etype_map = collections.OrderedDict([
(kcrypto.Enctype.AES256,
security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96),
creds = kdc_exchange_dict['creds']
nt_password = bytes(ntlm_package.nt_password.hash)
- self.assertEqual(creds.get_nt_hash(), nt_password)
+ if creds.user_account_control & UF_SMARTCARD_REQUIRED:
+ self.assertNotEqual(creds.get_nt_hash(), nt_password)
+ else:
+ self.assertEqual(creds.get_nt_hash(), nt_password)
lm_password = bytes(ntlm_package.lm_password.hash)
self.assertEqual(bytes(16), lm_password)
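Review bot: `creds.user_account_control & UF_SMARTCARD_REQUIRED` raises TypeError when the attribute still holds its initial `None`: it is only populated by `set_user_account_control`, and while one caller is visible in this commit (the credentials setup that also calls `set_type`), credentials built elsewhere may never set it. Either initialise the attribute to `0` instead of `None`, or guard the check, `if (creds.user_account_control or 0) & UF_SMARTCARD_REQUIRED:`. The function containing this check starts outside the hunk.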