sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
-from samba.tests.krb5.raw_testcase import RawKerberosTest
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.tests.krb5.rfc4120_constants import (
AES128_CTS_HMAC_SHA1_96,
ENC_PA_REP_FLAG = 0x00010000
-class SimpleKerberosTests(RawKerberosTest):
+class SimpleKerberosTests(KDCBaseTest):
def setUp(self):
super(SimpleKerberosTests, self).setUp()
self.fail(
"(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption")
+ def test_heimdal_ticket_signature(self):
+ # Ensure that a DC correctly issues tickets signed with its krbtgt key.
+ user_creds = self.get_client_creds()
+ target_creds = self.get_service_creds()
+
+ krbtgt_creds = self.get_krbtgt_creds()
+ key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+ # Get a TGT from the DC.
+ tgt = self.get_tgt(user_creds)
+
+ # Ensure the PAC contains the expected checksums.
+ self.verify_ticket(tgt, key)
+
+ # Get a service ticket from the DC.
+ service_ticket = self.get_service_ticket(tgt, target_creds)
+
+ # Ensure the PAC contains the expected checksums.
+ self.verify_ticket(service_ticket, key, expect_ticket_checksum=True)
+
+ def test_mit_ticket_signature(self):
+ # Ensure that a DC does not issue tickets signed with its krbtgt key.
+ user_creds = self.get_client_creds()
+ target_creds = self.get_service_creds()
+
+ krbtgt_creds = self.get_krbtgt_creds()
+ key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
+
+ # Get a TGT from the DC.
+ tgt = self.get_tgt(user_creds)
+
+ # Ensure the PAC contains the expected checksums.
+ self.verify_ticket(tgt, key)
+
+ # Get a service ticket from the DC.
+ service_ticket = self.get_service_ticket(tgt, target_creds)
+
+ # Ensure the PAC does not contain the expected checksums.
+ self.verify_ticket(service_ticket, key, expect_ticket_checksum=False)
+
def as_pre_auth_req(self, creds, etypes):
user = creds.get_username()
realm = creds.get_realm()
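Review bot: The comments in test_mit_ticket_signature do not match what its assertions check. The TGT is still verified against the krbtgt key by `self.verify_ticket(tgt, key)`, so `# Ensure that a DC does not issue tickets signed with its krbtgt key.` overstates the case; only the service ticket is expected to lack a ticket checksum (`expect_ticket_checksum=False`). I would reword it to `# Ensure that a DC does not add a ticket checksum to the PAC of a service ticket.` and the last comment to `# Ensure the PAC does not contain a ticket checksum.`. The two tests differ only in that flag, so a shared private helper taking `expect_ticket_checksum` would keep them from drifting apart. The as_pre_auth_req method at the end of the hunk continues outside it.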
#
# We expect all the MIT specific compatability tests to fail on heimdal
# kerberos
-^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_(?!ticket_signature)
#
# Heimdal currently fails the following MS-KILE client principal lookup
# tests
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_inner_no_sname.ad_dc
^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_inner_no_sname.ad_dc
+#
+# Heimdal currently does not generate ticket signatures
+#
+^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_ticket_signature
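Review bot: The comment kept above the changed pattern still says all MIT-specific tests are expected to fail on Heimdal, but the new `(?!ticket_signature)` lookahead exempts test_mit_ticket_signature, so it should say so, e.g. `# (except test_mit_ticket_signature, which asserts that no ticket checksum is present)`. The added test_heimdal_ticket_signature entry records that service tickets from this KDC carry no PAC ticket checksum, which is an integrity protection rather than a formatting detail, so the `# Heimdal currently does not generate ticket signatures` comment would be more useful with a tracking reference such as `# see <bug reference>`. Unlike the FAST entries above it, the new pattern has no `.ad_dc` suffix and no end anchor, so it also matches any later test whose name starts with test_heimdal_ticket_signature.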
'ADMIN_USERNAME': '$USERNAME',
'ADMIN_PASSWORD': '$PASSWORD'
})
-planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests")
+planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests",
+ environ={
+ 'ADMIN_USERNAME': '$USERNAME',
+ 'ADMIN_PASSWORD': '$PASSWORD',
+ 'STRICT_CHECKING': '0',
+ })
planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests")
planpythontestsuite(
"ad_dc",
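Review bot: `'STRICT_CHECKING': '0'` is set for the whole compatability_tests module, so it applies to the existing tests in that suite as well as the two new ticket-signature tests, and nothing here says why. What the flag relaxes is defined outside this hunk, so I cannot tell whether it weakens the PAC checksum assertions. If it does, the signature tests should run with strict checking on; either way a comment such as `# STRICT_CHECKING=0: <reason>` above the call would help. The planpythontestsuite call that starts on the last two context lines continues outside the hunk.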