KDC_ERR_TGT_REVOKED,
KDC_ERR_TKT_EXPIRED,
KPASSWD_ACCESSDENIED,
+ KPASSWD_AUTHERROR,
KPASSWD_HARDERROR,
KPASSWD_INITIAL_FLAG_NEEDED,
KPASSWD_MALFORMED,
self._make_tgs_request(creds, service_creds, ticket,
expect_error=False)
+ # Show that we cannot provide a TGT to kpasswd to change the password.
+ def test_kpasswd_tgt(self):
+ # Create an account for testing, and get a TGT.
+ creds = self._get_creds()
+ tgt = self.get_tgt(creds)
+
+ # Change the sname of the ticket to match that of kadmin/changepw.
+ tgt.set_sname(self.get_kpasswd_sname())
+
+ expected_code = KPASSWD_AUTHERROR
+ expected_msg = b'A TGT may not be used as a ticket to kpasswd'
+
+ # Set the password.
+ new_password = generate_random_password(32, 32)
+ self.kpasswd_exchange(tgt,
+ new_password,
+ expected_code,
+ expected_msg,
+ mode=self.KpasswdMode.SET)
+
+ # Change the password.
+ self.kpasswd_exchange(tgt,
+ new_password,
+ expected_code,
+ expected_msg,
+ mode=self.KpasswdMode.CHANGE)
+
# Test that kpasswd rejects requests with a service ticket.
def test_kpasswd_non_initial(self):
# Create an account for testing, and get a TGT.
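Review bot: test_kpasswd_tgt asserts only the error code and message returned by the two `kpasswd_exchange` calls, so it never confirms that the account's password is still the original one afterwards. A server that answered KPASSWD_AUTHERROR but applied the change anyway would still pass this test. After the CHANGE exchange, consider adding `# Confirm the original password still works after the rejected requests.` followed by a new authentication with the unchanged `creds`. If `get_tgt` can return a cached ticket (not visible here), the check must force a real AS exchange. The context lines at both ends of the hunk belong to neighbouring tests whose bodies continue outside it.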
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_service_ticket
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_existing
^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_fast_sid_mismatch_nonexisting
+#
+# Kpasswd tests
+#
+^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_no_canonicalize_realm_case.ad_dc
^samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_ticket_requester_sid_tgs.ad_dc
+#
+# Kpasswd tests
+#
+samba.tests.krb5.kpasswd_tests.samba.tests.krb5.kpasswd_tests.KpasswdTests.test_kpasswd_tgt.ad_dc