CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC...

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py
index cb5061b92d9c5f8f623295629c2022253c51f943..d21ec84796e5fe1486130482839d1e1f5d99b1e8 100755 (executable)
--- a/python/samba/tests/krb5/test_ccache.py
+++ b/python/samba/tests/krb5/test_ccache.py
@@ -25,7 +25,7 @@ from samba import NTSTATUSError, gensec
 from samba.auth import AuthContext
 from samba.dcerpc import security
 from samba.ndr import ndr_unpack
-from samba.ntstatus import NT_STATUS_ACCESS_DENIED
+from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN
 
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 
@@ -84,6 +84,7 @@ class CcacheTests(KDCBaseTest):
         # cached credentials.
 
         lp = self.get_lp()
+        lp.set('server role', 'active directory domain controller')
 
         settings = {}
         settings["lp_ctx"] = lp
@@ -135,7 +136,7 @@ class CcacheTests(KDCBaseTest):
                 self.fail()
 
             enum, _ = e.args
-            self.assertEqual(NT_STATUS_ACCESS_DENIED, enum)
+            self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum)
             return
 
         token = session.security_token

diff --git a/python/samba/tests/krb5/test_ldap.py b/python/samba/tests/krb5/test_ldap.py
index 31e50487338b02a0da9290fb5f8ffa114417942a..0205bdf6fb730d8ffa3b55c86edcbda847d8b2fd 100755 (executable)
--- a/python/samba/tests/krb5/test_ldap.py
+++ b/python/samba/tests/krb5/test_ldap.py
@@ -96,7 +96,7 @@ class LdapTests(KDCBaseTest):
 
             enum, estr = e.args
             self.assertEqual(ERR_OPERATIONS_ERROR, enum)
-            self.assertIn('NT_STATUS_ACCESS_DENIED', estr)
+            self.assertIn('NT_STATUS_NO_IMPERSONATION_TOKEN', estr)
             return
 
         ldb_res = ldb_as_user.search('',

diff --git a/python/samba/tests/krb5/test_rpc.py b/python/samba/tests/krb5/test_rpc.py
index 54ad7cf0e481227e7c31ec98cdbe55bd2fe85ca4..0f2170a8dede8eb8cc38e6d0e7c3d042a2bfcbc6 100755 (executable)
--- a/python/samba/tests/krb5/test_rpc.py
+++ b/python/samba/tests/krb5/test_rpc.py
@@ -22,7 +22,7 @@ import os
 
 from samba import NTSTATUSError, credentials
 from samba.dcerpc import lsa
-from samba.ntstatus import NT_STATUS_ACCESS_DENIED
+from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN
 
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 
@@ -84,7 +84,7 @@ class RpcTests(KDCBaseTest):
                 self.fail()
 
             enum, _ = e.args
-            self.assertEqual(NT_STATUS_ACCESS_DENIED, enum)
+            self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum)
             return
 
         (account_name, _) = conn.GetUserName(None, None, None)

diff --git a/python/samba/tests/krb5/test_smb.py b/python/samba/tests/krb5/test_smb.py
index 79ff16ac8795cc1021c5ce6ffd47349a7cc51cc8..7408e5dbecea1704b803bc544ea85ca1f311c507 100755 (executable)
--- a/python/samba/tests/krb5/test_smb.py
+++ b/python/samba/tests/krb5/test_smb.py
@@ -24,7 +24,7 @@ from ldb import SCOPE_SUBTREE
 from samba import NTSTATUSError
 from samba.dcerpc import security
 from samba.ndr import ndr_unpack
-from samba.ntstatus import NT_STATUS_ACCESS_DENIED
+from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN
 from samba.samba3 import libsmb_samba_internal as libsmb
 from samba.samba3 import param as s3param
 
@@ -114,7 +114,7 @@ class SmbTests(KDCBaseTest):
                 self.fail()
 
             enum, _ = e.args
-            self.assertEqual(NT_STATUS_ACCESS_DENIED, enum)
+            self.assertEqual(NT_STATUS_NO_IMPERSONATION_TOKEN, enum)
             return
         else:
             self.assertFalse(expect_error)