Jule Anger [Fri, 29 Oct 2021 06:11:43 +0000 (08:11 +0200)]
VERSION: Disable GIT_SNAPSHOT for the 4.13.13 release.
Signed-off-by: Jule Anger <janger@samba.org>
Jule Anger [Fri, 29 Oct 2021 06:11:05 +0000 (08:11 +0200)]
WHATSNEW: Add release notes for Samba 4.13.13.
Signed-off-by: Jule Anger <janger@samba.org>
Andrew Bartlett [Mon, 4 Oct 2021 08:57:25 +0000 (21:57 +1300)]
ldb: Release ldb 2.2.1
* Corrected python behaviour for 'in' for LDAP attributes
contained as part of ldb.Message (bug 14845)
* Fix memory handling in ldb.msg_diff (bug 14836)
* Corrected python docstrings
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(v4-14-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-14-test): Tue Oct 26 13:03:37 UTC 2021 on sn-devel-184
Autobuild-User(v4-13-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-13-test): Thu Oct 28 09:49:45 UTC 2021 on sn-devel-184
Joseph Sutton [Sat, 25 Sep 2021 02:39:59 +0000 (14:39 +1200)]
pyldb: Make ldb.Message containment testing consistent with indexing
Previously, containment testing using the 'in' operator was handled by
performing an equality comparison between the chosen object and each of
the message's keys in turn. This behaviour was prone to errors due to
not considering differences in case between otherwise equal elements, as
the indexing operations do.
Containment testing should now be more consistent with the indexing
operations and with the get() method of ldb.Message.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 860d8902a9c502d4be83396598cf4a53c80fea69)
Joseph Sutton [Sat, 25 Sep 2021 01:48:57 +0000 (13:48 +1200)]
pyldb: Add tests for ldb.Message containment testing
These tests verify that the 'in' operator on ldb.Message is consistent
with indexing and the get() method. This means that the 'dn' element
should always be present, lookups should be case-insensitive, and use of
an invalid type should result in a TypeError.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 865fe238599a732360b77e06e592cb85d459acf8)
Joseph Sutton [Sat, 25 Sep 2021 01:39:56 +0000 (13:39 +1200)]
pyldb: Raise TypeError for an invalid ldb.Message index
Previously, a TypeError was raised and subsequently overridden by a
KeyError.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 22353767ca75af9d9e8fa1e7da372dcb5eddfcb7)
Joseph Sutton [Sat, 25 Sep 2021 01:22:05 +0000 (13:22 +1200)]
pyldb: Add test for an invalid ldb.Message index type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b018e51d2725a23b2fedd3058644b8021f6a6a06)
Joseph Sutton [Sat, 25 Sep 2021 07:18:39 +0000 (19:18 +1200)]
s4/torture/drs/python: Fix attribute existence check
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fb758c32e7633178f42dc2c031667b10c2ca6e90)
Joseph Sutton [Fri, 24 Sep 2021 23:16:09 +0000 (11:16 +1200)]
pyldb: Fix deleting an ldb.Control critical flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9d25a21d6024c6c2f8e4634f45e3944d8acbf8b8)
Joseph Sutton [Fri, 24 Sep 2021 23:13:02 +0000 (11:13 +1200)]
pytest:segfault: Add test for deleting an ldb.Control critical flag
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit b1adaa517c1237a473bdcf818523f5107df3d6b0
as @no_gdb_backtrace is not in Samba 4.14]
Joseph Sutton [Fri, 24 Sep 2021 23:12:16 +0000 (11:12 +1200)]
pyldb: Fix deleting an ldb.Message dn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d7af772de88885f46708329ff7bb5798da91d2c7
due to conflicts in knownfail.d/python-segfaults]
Joseph Sutton [Fri, 24 Sep 2021 22:56:25 +0000 (10:56 +1200)]
pytest:segfault: Add test for deleting an ldb.Message dn
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14845
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit 6a041f6a99c39632d5c32e9d53b06719c20bef2c
as other segfaulting tests are listed in knownfail.d/python-segfaults
and @no_gdb_backtrace is not in 4.14]
Joseph Sutton [Wed, 28 Apr 2021 04:48:55 +0000 (16:48 +1200)]
Fix Python docstrings
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Sat Sep 4 00:55:32 UTC 2021 on sn-devel-184
(cherry picked from commit 02b187303369d3ce0c19dfb72ffa78f86a3911f0)
Joseph Sutton [Sun, 12 Sep 2021 23:15:17 +0000 (11:15 +1200)]
pyldb: Avoid use-after-free in msg_diff()
Make a deep copy of the message elements in msg_diff() so that if either
of the input messages are deallocated early, the result does not refer
to non-existing elements.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org backported from commit 19a2af02f57d99db8ed3c6b028c3abdf4b553700 due to conflicts in
the knownfail.d/python-segfaults file]
Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
Autobuild-Date(v4-14-test): Wed Sep 29 13:14:22 UTC 2021 on sn-devel-184
Joseph Sutton [Mon, 13 Sep 2021 23:08:41 +0000 (11:08 +1200)]
ldb_msg: Don't fail in ldb_msg_copy() if source DN is NULL
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
(cherry picked from commit c2bbe774ce03661666a1f48922a9ab681ef4f64b)
Joseph Sutton [Sun, 12 Sep 2021 23:34:56 +0000 (11:34 +1200)]
pytest:segfault: Add test for ldb.msg_diff()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14645
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14848
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
[abartlet@samba.org backported from commit a99a76722d6046a5d63032e3d2bb3f791da948a6 due to conflicts
with other new segfault tests]
Andrew Bartlett [Thu, 21 Oct 2021 21:50:36 +0000 (10:50 +1300)]
lib/krb5_wrap: Fix missing error check in new salt code
CID 1492905: Control flow issues (DEADCODE)
This was a regression in 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sat Oct 23 08:07:13 UTC 2021 on sn-devel-184
(cherry picked from commit 5094d986b7686f057195dcb10764295b88967019)
Autobuild-User(v4-13-test): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(v4-13-test): Wed Oct 27 23:29:34 UTC 2021 on sn-devel-184
Andrew Bartlett [Tue, 19 Oct 2021 03:01:36 +0000 (16:01 +1300)]
dsdb: Allow special chars like "@" in samAccountName when generating the salt
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 12:54:54 UTC 2021 on sn-devel-184
(cherry picked from commit 5eeb441b771a1ffe1ba1c69b72e8795f525a58ed)
Joseph Sutton [Tue, 19 Oct 2021 23:46:36 +0000 (12:46 +1300)]
tests/krb5: Add tests for account salt calculation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org backported from commit 46039baa81377df10e5b134e4bb064ed246795e4
as the no_preauth side of the testsuite shows differences in enctypes
in Samba 4.14. The change is only in salt calculation so this is
not vital]
Joseph Sutton [Tue, 19 Oct 2021 23:45:47 +0000 (12:45 +1300)]
tests/krb5: Fix account salt calculation to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 25bdf4c994e4fdb74abbacb1e22237f3f2cc37fe)
Joseph Sutton [Tue, 19 Oct 2021 23:45:08 +0000 (12:45 +1300)]
tests/krb5: Allow specifying the UPN for test accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 889476d1754f8ce2a41557ed3bf5242c1293584e)
Joseph Sutton [Tue, 19 Oct 2021 23:44:19 +0000 (12:44 +1300)]
tests/krb5: Allow creating machine accounts without a trailing dollar
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit f4785ccfefe7c89f84ad847ca3c12f604172b321)
Joseph Sutton [Tue, 19 Oct 2021 23:41:39 +0000 (12:41 +1300)]
tests/krb5: Allow specifying prefix or suffix for test account names
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 7e39994ed341883ac4c8c257220c19dbf70c7bc5)
Joseph Sutton [Tue, 19 Oct 2021 23:39:05 +0000 (12:39 +1300)]
tests/krb5: Decrease length of test account prefix
This allows us more room to test with different account names.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14874
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a5a6296e57cab2b53617d997c37b4e92d4124cc7)
Stefan Metzmacher [Tue, 5 Oct 2021 14:42:00 +0000 (16:42 +0200)]
selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline")
This is much more flexible and concentrates the logic in a single place.
We'll use winbindd => "offline" in other places soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4dc3c68c9a28f71888e3d6dd3b1f0bcdb8fa45de)
Stefan Metzmacher [Fri, 8 Oct 2021 16:04:55 +0000 (18:04 +0200)]
selftest/Samba3: remove unused close(USERMAP); calls
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d998f7f8df215866ab32e05be772e24fc0b2131c
as offline login tests are not in Samba 4.14]
Andreas Schneider [Mon, 4 Oct 2021 11:02:35 +0000 (13:02 +0200)]
waf: Allow building with MIT KRB5 >= 1.20
gssrpc/xdr.h:105:1: error: function declaration isn’t a prototype
[-Werror=strict-prototypes]
105 | typedef bool_t (*xdrproc_t)();
| ^~~~~~~
This can't be fixed, as the prototype is variadic. It can take up to three
arguments.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14870
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 5d8e794551b5df835f07e2bd8348fef746144601)
Andrew Bartlett [Sun, 17 Oct 2021 22:55:14 +0000 (11:55 +1300)]
selftest: Improve error handling and perl style when setting up users in Samba4.pm
This catches errors and avoids using global variables (the old
style file handles are global).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 459200caba04fd83ed650b9cdfe5b158cf9a149f)
Andrew Bartlett [Mon, 18 Oct 2021 07:44:54 +0000 (20:44 +1300)]
selftest: Remove duplicate setup of $base_dn and $ldbmodify
These are already set up to the same values above for the full
DC and correct values for the (strange) s4member environment.
By not setting $base_dn again we avoid an error once we start
checking for them.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit 2c0658d408f17af2abc223b0cb18d8d33e0ecd1a)
Joseph Sutton [Fri, 8 Oct 2021 02:40:09 +0000 (15:40 +1300)]
selftest: krb5 account creation: clarify account type as an enum
This makes the code clearer with a symbolic constant rather
than a True/False boolean.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 49306f74eb29a2192019fab9260f9d242f9d5fd9)
Douglas Bagnall [Thu, 5 Aug 2021 23:08:10 +0000 (11:08 +1200)]
pytest: dynamic tests optionally add __doc__
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14869
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit aacb18f920349e13b562c7c97901a0be7b273137)
Joseph Sutton [Mon, 20 Sep 2021 04:27:40 +0000 (16:27 +1200)]
selftest: Increase account lockout windows to make test more reliable
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 6292f0597f208d7953382341380921cf0fd0a8a8)
Douglas Bagnall [Wed, 8 Sep 2021 05:01:26 +0000 (17:01 +1200)]
pytest/rodc_rwdc: try to avoid race.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14868
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit a169e013e66bab15e594ce49b805edebfcd503cf)
Viktor Dukhovni [Wed, 10 Aug 2016 23:31:14 +0000 (23:31 +0000)]
HEIMDAL:kdc: Fix transit path validation CVE-2017-6594
Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm
to not be added to the transit path of issued tickets. This may, in
some cases, enable bypass of capath policy in Heimdal versions 1.5
through 7.2.
Note, this may break sites that rely on the bug. With the bug some
incomplete [capaths] worked, that should not have. These may now break
authentication in some cross-realm configurations.
(similar to heimdal commit b1e699103f08d6a0ca46a122193c9da65f6cf837)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12998
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 10:58:37 UTC 2021 on sn-devel-184
(cherry picked from commit 7e961f3f7a815960ae25377d5b7515184d439690)
Joseph Sutton [Mon, 18 Oct 2021 03:07:11 +0000 (16:07 +1300)]
tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184
(cherry picked from commit 83a654a4efd39a6e792a6d49e0ecf586e9bc53ef)
Joseph Sutton [Mon, 18 Oct 2021 03:05:19 +0000 (16:05 +1300)]
tests/krb5: Ensure PAC is not present if expect_pac is false
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit cc3d27596b9e8a8a46e8ba9c3c1a445477d458cf)
Andrew Bartlett [Mon, 18 Oct 2021 03:00:45 +0000 (16:00 +1300)]
kdc: Correctly strip PAC, rather than error on UF_NO_AUTH_DATA_REQUIRED for servers
UF_NO_AUTH_DATA_REQUIRED on a server/service account should cause
the PAC to be stripped, not to give an error if the PAC was still
present.
Tested against Windows 2019
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit 031a8287642e3c4b9d0b7c6b51f3b1d79b227542)
Andrew Bartlett [Mon, 18 Oct 2021 02:21:50 +0000 (15:21 +1300)]
kdc: Remove UF_NO_AUTH_DATA_REQUIRED from client principals
Tests against Windows 2019 show that UF_NO_AUTH_DATA_REQUIRED
applies to services only, not to clients.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
[abartlet@samba.org backported from commit 92e8ce18a79e88c9b961dc20e39436c4cf653013
as there was a knownfail conflict with the test_remove_pac case
which succeeds on this branch]
Joseph Sutton [Fri, 15 Oct 2021 01:29:26 +0000 (14:29 +1300)]
tests/krb5: Add tests for requesting a service ticket without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Sun Oct 17 23:40:33 UTC 2021 on sn-devel-184
[abartlet@samba.org backported from commit 9d3a691920205f8a9dc05d0e173e25e6a335f139
as the MIT KDC 1.16 seen on the reference Ubuntu 18.04 does not fail
test_remove_pac]
Joseph Sutton [Fri, 15 Oct 2021 01:27:25 +0000 (14:27 +1300)]
tests/krb5: Add method to get the PAC from a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 288355896a2b6f460c42559ec46ff980ab57782e)
Joseph Sutton [Fri, 15 Oct 2021 01:27:15 +0000 (14:27 +1300)]
tests/krb5: Allow specifying whether to expect a PAC with _test_as_exchange()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 0dc69c1327f72384628a869a00482f6528b8671b)
Joseph Sutton [Fri, 15 Oct 2021 01:26:40 +0000 (14:26 +1300)]
tests/krb5: Allow get_tgt() to request including or omitting a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e086c6193f6da6fcb5d0bcada2199e9bc7ad25f5)
Joseph Sutton [Thu, 14 Oct 2021 23:12:30 +0000 (12:12 +1300)]
heimdal:kdc: Fix ticket signing without a PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d23d8e859357b0fac4d1f4a49f1dce6cf60d6216)
Andrew Bartlett [Fri, 15 Oct 2021 00:09:20 +0000 (13:09 +1300)]
selftest/dbcheck: Fix up RODC one-way links (use correct dbcheck rule)
The previous commit was correct on intention, but it was not noticed
as there is a race, that the incorrect rule was appended to.
These links are removed by remove_plausible_deleted_DN_links not
fix_all_old_dn_string_component_mismatch
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Fri Oct 15 10:00:47 UTC 2021 on sn-devel-184
(cherry picked from commit a7ad665e65f0701eb75cac5bc10a366ccd9689f4)
Nicolas Williams [Mon, 11 Oct 2021 02:55:59 +0000 (21:55 -0500)]
krb5: Fix PAC signature leak affecting KDC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Cherry-picked from Heimdal commit 54581d2d52443a9a07ed5980df331f660b397dcf]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f6adfefbbb41b9100736134d0f975f1ec0c33c42)
Joseph Sutton [Fri, 8 Oct 2021 03:08:39 +0000 (16:08 +1300)]
s4:kdc: Check ticket signature
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 02fa69c6c73c01d82807be4370e838f3e7c66f35)
Joseph Sutton [Fri, 8 Oct 2021 02:43:41 +0000 (15:43 +1300)]
heimdal: Make _krb5_pac_get_kdc_checksum_info() into a global function
This lets us call it from Samba.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 3bdce12789af1e7a7aba56691f184625a432410d)
Joseph Sutton [Wed, 11 Aug 2021 01:27:11 +0000 (13:27 +1200)]
s4/heimdal/lib/krb5/pac.c: Align PAC buffers to match Windows
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 28a5a586c8e9cd155d676dcfcb81a2587ace99d1)
Luke Howard [Thu, 23 Sep 2021 07:51:51 +0000 (17:51 +1000)]
kdc: correctly generate PAC TGS signature
When generating an AS-REQ, the TGS signature was incorrectly generated using
the server key, which would fail to validate if the server was not also the
TGS. Fix this.
Patch from Isaac Boukris <iboukris@gmail.com>.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Backported from Heimdal commit e7863e2af922809dad25a2e948e98c408944d551
- Samba's Heimdal version does not have the generate_pac() helper
function.
- Samba's Heimdal version does not use the 'r' context variable.
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 91e684f5dcb48b76e6a322c15acb53cbce5c275a)
Luke Howard [Thu, 23 Sep 2021 04:39:35 +0000 (14:39 +1000)]
kdc: use ticket client name when signing PAC
The principal in the PAC_LOGON_NAME buffer is expected to match the client name
in the ticket. Previously we were setting this to the canonical client name,
which would have broken PAC validation if the client did not request name
canonicalization
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Backported from Heimdal commit 3b0856cab2b25624deb1f6e0e67637ba96a647ac
- Renamed variable to avoid shadowing existing variable
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 75d1a7cd14b134506061ed64ddb9b99856231d2c)
Luke Howard [Sun, 6 Jan 2019 06:54:58 +0000 (17:54 +1100)]
kdc: only set HDB_F_GET_KRBTGT when requesting TGS principal
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Backported from Heimdal commit f1dd2b818aa0866960945edea02a6bc782ed697c
- Removed change to _kdc_find_etype() use_strongest_session_key
parameter since Samba's Heimdal version uses different logic
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit db30b71f79864a20b38a1f812a5df833f3a92de8)
Luke Howard [Fri, 17 Sep 2021 03:57:57 +0000 (13:57 +1000)]
krb5: return KRB5KRB_AP_ERR_INAPP_CKSUM if PAC checksum fails
Return KRB5KRB_AP_ERR_INAPP_CKSUM instead of EINVAL when verifying a PAC, if
the checksum is absent or unkeyed.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Cherry-picked from Heimdal commit c4b99b48c4b18f30d504b427bc1961d7a71f631e]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d6a472e953545ec3858ca969c1a4191e4f27ba63)
Isaac Boukris [Sun, 19 Sep 2021 12:16:58 +0000 (15:16 +0300)]
krb5: rework PAC validation loop
Avoid allocating the PAC on error.
Closes: #836
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Cherry-picked from Heimdal commit 6df8be5091363a1c9a9165465ab8292f817bec81]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2773379603a5a625c5d1c6e62f29c442942ff570)
Isaac Boukris [Sun, 19 Sep 2021 12:04:14 +0000 (15:04 +0300)]
krb5: allow NULL parameter to krb5_pac_free()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Cherry-picked from Heimdal commit b295167208a96e68515902138f6ce93972892ec5]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2d09de5c41e729bccc2d7949d8a3568a95e80e76)
Isaac Boukris [Fri, 13 Aug 2021 09:44:37 +0000 (12:44 +0300)]
kdc: sign ticket using Windows PAC
Split Windows PAC signing and verification logic, as the signing has to be when
the ticket is ready.
Create sign and verify the PAC KDC signature if the plugin did not, allowing
for S4U2Proxy to work, instead of KRB5SignedPath.
Use the header key to verify PAC server signature, as the same key used to
encrypt/decrypt the ticket should be used for PAC server signature, like U2U
tickets are signed with the tgt session-key and not with the longterm key,
and so krbtgt should be no different and the header key should be used.
Lookup the delegated client in DB instead of passing the delegator DB entry.
Add PAC ticket-signatures and related functions.
Note: due to the change from KRB5SignedPath to PAC, S4U2Proxy requests
against new KDC will not work if the evidence ticket was acquired from
an old KDC, and vice versa.
Closes: #767
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Backported from Heimdal commit 2ffaba9401d19c718764d4bd24180960290238e9
- Removed tests
- Adapted to Samba's version of Heimdal
- Addressed build failures with -O3
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d7b03394a9012960d71489e775d40d10fd6f5232
due to conflicts in knownfail due to missing tests that crash the
MIT KDC]
Isaac Boukris [Mon, 28 Dec 2020 20:07:10 +0000 (22:07 +0200)]
kdc: remove KRB5SignedPath, to be replaced with PAC
KRB5SignedPath was a Heimdal-specific authorization data element used to
protect the authenticity of evidence tickets when used in constrained
delegation (without a Windows PAC).
Remove this, to be replaced with the Windows PAC which itself now supports
signing the entire ticket in the TGS key.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
[jsutton@samba.org Backported from Heimdal commit bb1d8f2a8c2545bccdf2c9179ce9259bf1050086
- Removed tests
- Removed auditing hook (only present in Heimdal master)
- Added knownfails
]
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit ccabc7f16cca5b0dcb46233e934e708167f1071b)
Joseph Sutton [Fri, 8 Oct 2021 02:42:29 +0000 (15:42 +1300)]
s4/torture: Expect ticket checksum PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit d5002c34ce1ffef795dc83af3175ca0e04d17dfd
due to missing tests in Samba 4.14 that crashed the MIT KDC]
Joseph Sutton [Wed, 6 Oct 2021 03:40:21 +0000 (16:40 +1300)]
s4:kdc: Fix debugging messages
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c14c61748b5a2d2a4f4de00615c476fcf381309e)
Joseph Sutton [Fri, 8 Oct 2021 03:06:58 +0000 (16:06 +1300)]
s4:kdc: Simplify samba_kdc_update_pac_blob() to take ldb_context as parameter
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7149eeaceb426470b1b8181749d2d081c2fb83a4)
Joseph Sutton [Fri, 8 Oct 2021 02:40:39 +0000 (15:40 +1300)]
tests/krb5: Fix duplicate account creation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
3dede18c5a1801023a60cc55b99022b033428350)
Joseph Sutton [Fri, 8 Oct 2021 02:41:35 +0000 (15:41 +1300)]
tests/krb5: Allow bypassing cache when creating accounts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
3948701f1d0f3ccd06f6dad56ca72833d66b1d84)
Joseph Sutton [Tue, 28 Sep 2021 23:07:40 +0000 (12:07 +1300)]
tests/krb5: Don't include empty AD-IF-RELEVANT
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1a08399cd8169a525cc9e7aed99da84ef20e5b9c)
Joseph Sutton [Thu, 30 Sep 2021 02:03:04 +0000 (15:03 +1300)]
tests/krb5: Add constrained delegation tests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
56ccdba54e0c7cf3409d8430ea1012e5d3d9b092)
Joseph Sutton [Wed, 6 Oct 2021 03:35:47 +0000 (16:35 +1300)]
tests/krb5: Verify tickets obtained with get_service_ticket()
We only require the ticket checksum with Heimdal, because MIT currently
doesn't add it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
d86eee2fd0fb72e52d878ceba0c476ca58abe6cf)
Joseph Sutton [Tue, 5 Oct 2021 02:39:11 +0000 (15:39 +1300)]
tests/krb5: Require ticket checksums if decryption key is available
We perform this check conditionally, because MIT doesn't currently add
ticket checksums.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
bf63221722903665e7b20991021fb5cdf4e4327e)
Joseph Sutton [Thu, 14 Oct 2021 03:58:15 +0000 (16:58 +1300)]
tests/krb5: Add TKT_SIG_SUPPORT environment variable
This lets us indicate that service tickets should be issued with ticket
checksums in the PAC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit
ae2c57fb0332f94ac44d0886c5edbed707ef52fe
due to changes in other tests nearby in tests.py]
Joseph Sutton [Tue, 12 Oct 2021 23:26:22 +0000 (12:26 +1300)]
selftest/dbcheck: Fix up RODC one-way links
Test accounts were replicated to the RODC and then deleted, causing
state links to remain in the database.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
40e5db4aabcd32834ee524857b77d36921f6bdfe)
Joseph Sutton [Tue, 5 Oct 2021 03:32:01 +0000 (16:32 +1300)]
tests/krb5: Fix sha1 checksum type
Previously, sha1 signatures were being designated as rsa-md5-des3
signatures.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ebe729786806c69e95b26ffc410e887e203accb8)
Joseph Sutton [Tue, 5 Oct 2021 06:47:22 +0000 (19:47 +1300)]
tests/krb5: Provide clearer assertion messages for test failures
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
5233f002000f196875af488b4f4d1df26fca90de)
Joseph Sutton [Thu, 7 Oct 2021 22:48:41 +0000 (11:48 +1300)]
tests/krb5: Disable debugging output for tests
This reduces the time spent running the tests in a testenv.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
dfd613661eec4b81e162f2d86a8fa9266c2fdc03)
Joseph Sutton [Mon, 11 Oct 2021 01:49:34 +0000 (14:49 +1300)]
tests/krb5: Simplify padata checking
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
cf3ca6ac4567d7c7954ea4ecc8cc9dd5effcc094)
Joseph Sutton [Mon, 11 Oct 2021 01:48:03 +0000 (14:48 +1300)]
tests/krb5: Check logon name in PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
e7c39cc44f2e16aecb01c0afc195911a474ef0b9)
Joseph Sutton [Mon, 11 Oct 2021 01:45:45 +0000 (14:45 +1300)]
tests/krb5: Check padata types when STRICT_CHECKING=0
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit
bd22dcd9cc4dfda827f892224eb2da4a16564176
to Samba 4.14 due to conflicts in
knownfail as the test which crashes older MIT KDC versions is
omitted]
Joseph Sutton [Mon, 11 Oct 2021 22:34:59 +0000 (11:34 +1300)]
tests/krb5: Add environment variable to specify KDC FAST support
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit
238f52bad811688624e9fd4b1595266e2149094a
because tests.py changed in more recent releases with new tests nearby]
Joseph Sutton [Mon, 11 Oct 2021 03:15:43 +0000 (16:15 +1300)]
tests/krb5: Fix padata checking at functional level 2003
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
72265227e9c2037b63cdfb01a456a86ac8932f59)
Joseph Sutton [Mon, 11 Oct 2021 01:39:26 +0000 (14:39 +1300)]
tests/krb5: Clarify checksum type assertion message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ee2b7e2c77f021984ec583fa0c4c756979197b0f)
Joseph Sutton [Mon, 11 Oct 2021 01:37:03 +0000 (14:37 +1300)]
tests/krb5: Use correct principal name type
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
687c8f94c68af9f1e44771dfd7219eeb41382bba)
Joseph Sutton [Thu, 14 Oct 2021 03:43:05 +0000 (16:43 +1300)]
tests/krb5: Add compatibility tests for ticket checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org: Backported from
ec4b264bdf9ab64a728212580b344fbf35c3c673
to Samba 4.14 due to conflicts in
knownfail as the test which crashes older MIT KDC versions is
omitted]
Joseph Sutton [Thu, 30 Sep 2021 03:53:35 +0000 (16:53 +1300)]
tests/krb5: Add parameter to enforce presence of ticket checksums
This allows existing tests to pass before this functionality is
implemented.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ef24fe982d750a42be81808379b0254d8488c559)
Joseph Sutton [Wed, 29 Sep 2021 03:52:01 +0000 (16:52 +1300)]
tests/krb5: Supply supported account enctypes in tgs_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
248249dc0acac89d1495c3572cbd2cbe8bdca362)
Joseph Sutton [Wed, 29 Sep 2021 03:48:50 +0000 (16:48 +1300)]
tests/krb5: Allow specifying options and expected flags when obtaining a ticket
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
34020766bb7094d1ab5d4fc4c0ee89ccb81f39f1)
Joseph Sutton [Wed, 29 Sep 2021 03:41:23 +0000 (16:41 +1300)]
tests/krb5: Save account SPN
This is useful for testing delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
bb58b4b58c66a6ada79e886dd0c44401e1c5878c)
Joseph Sutton [Wed, 29 Sep 2021 03:26:54 +0000 (16:26 +1300)]
tests/krb5: Check constrained delegation PAC buffer
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
0e232fa1c9e5760ae6b9a99b5e7aa5513b84aa8b)
Joseph Sutton [Wed, 29 Sep 2021 03:15:26 +0000 (16:15 +1300)]
tests/krb5: Check buffer types in PAC with STRICT_CHECKING=1
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
aa2e583fdea4fd93e4e71c54630e32a1035d1e2a)
Joseph Sutton [Wed, 29 Sep 2021 03:10:07 +0000 (16:10 +1300)]
tests/krb5: Add expect_claims parameter to kdc_exchange_dict
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7cfc225b549108739bd86e222f2f35eb96af4ea3)
Joseph Sutton [Wed, 29 Sep 2021 02:48:58 +0000 (15:48 +1300)]
tests/krb5: Fix checking for presence of error data
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ab92dc16d20b0996b8c46714652c15019c795095)
Joseph Sutton [Wed, 29 Sep 2021 01:02:37 +0000 (14:02 +1300)]
tests/krb5: Remove unneeded parameters from ticket cache key
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
7fba83c6c6309a525742c38e904d3e473db99ef1)
Joseph Sutton [Wed, 29 Sep 2021 00:03:49 +0000 (13:03 +1300)]
tests/krb5: Fix assertElementFlags()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
788b3a29eea62f9f38ca8865c7cb7860bdc94bec)
Joseph Sutton [Wed, 29 Sep 2021 00:01:30 +0000 (13:01 +1300)]
tests/krb5: Make expected_sname checking more explicit
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
[abartlet@samba.org backported from commit
8f6d369d709614e2f5c0684882c62f0476bcafa2
as Samba 4.14 as the test which crashes older MIT KDC versions is
omitted]
Joseph Sutton [Tue, 28 Sep 2021 23:16:58 +0000 (12:16 +1300)]
tests/krb5: Fix status code checking
The type used to encode the status code is actually KERB-ERROR-DATA,
rather than PA-DATA.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
012b6fcd1976c6570e9b92c133d8c21e543e5a4f)
Joseph Sutton [Tue, 28 Sep 2021 23:06:03 +0000 (12:06 +1300)]
tests/krb5: Fix handling authdata with missing PAC
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a4bc712ee02f32c2d04dfc2d99d58931344e5ceb)
Joseph Sutton [Tue, 28 Sep 2021 23:03:33 +0000 (12:03 +1300)]
tests/krb5: Allow excluding the PAC server checksum
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
dcf45a151a198f7165cd332a26db78a5d8e8f8c5)
Joseph Sutton [Tue, 28 Sep 2021 22:59:42 +0000 (11:59 +1300)]
tests/krb5: Fix checksum generation and verification
The KDC and server checksums may be generated using the same key, but
only the KDC checksum should have an RODCIdentifier. To fix this,
instead of overriding the existing methods, add additional ones for
RODC-specific signatures, so that both types of signatures can be
generated or verified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
a927cecafdd5ad6dc5189fa98cb42684c9c3b033)
Joseph Sutton [Tue, 28 Sep 2021 22:56:21 +0000 (11:56 +1300)]
tests/krb5: Fix method for creating invalid length zeroed checksum
Previously the base class method was being used.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
ae09219c3a1c6d47817f51baf3784e8986c7478d)
Joseph Sutton [Tue, 28 Sep 2021 22:54:49 +0000 (11:54 +1300)]
tests/krb5: Introduce helper method for creating invalid length checksums
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
9d142dc3a452b0f06efc66f422402ee6e553ee7c)
Joseph Sutton [Tue, 28 Sep 2021 22:52:17 +0000 (11:52 +1300)]
tests/krb5: Add assertion to make failures clearer
These failures may occur if tests are not run against an RODC.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
cda50b5c505072989abf84c209e16ff4efe2e628)
Joseph Sutton [Tue, 28 Sep 2021 22:50:36 +0000 (11:50 +1300)]
tests/krb5: Allow created accounts to use resource-based constrained delegation
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
bba8cb8dce19e47a7b813efd9a7527e38856435e)
Joseph Sutton [Tue, 28 Sep 2021 22:47:39 +0000 (11:47 +1300)]
tests/krb5: Rename allowed_to_delegate_to parameter for clarity
This helps to distinguish resource-based and non-resource-based
constrained delegation.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
31817c383c2014224b1397fde610624663313246)
Joseph Sutton [Wed, 29 Sep 2021 21:54:33 +0000 (10:54 +1300)]
tests/krb5: Fix PA-PAC-OPTIONS checking
Make the check work correctly if bits other than the claims bit are
specified.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit
1fd00135fa4dff4331d86b228ccc01f834476997)
Joseph Sutton [Wed, 29 Sep 2021 21:51:01 +0000 (10:51 +1300)]
tests/krb5: Fix sending PA-PAC-OPTIONS and PA-PAC-REQUEST
These padata were not being sent if other FAST padata was not specified.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14881
(cherry picked from commit
6f1282e8d34073d8499ce919908b39645b017cb8)