CVE-2020-25722 tests/krb5: Allow creating server accounts
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Fri, 8 Oct 2021 02:40:09 +0000 (15:40 +1300)
committerJule Anger <janger@samba.org>
Mon, 8 Nov 2021 09:52:10 +0000 (10:52 +0100)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14776

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/kdc_base_test.py

index 813af767dbd15b1c0af0c5b6b100bf6a9c70570d..a0da89041c4f33dd7713e7cc2513033f8411ed2b 100644 (file)
@@ -38,12 +38,14 @@ from samba.dsdb import (
     DS_DOMAIN_FUNCTION_2000,
     DS_DOMAIN_FUNCTION_2008,
     DS_GUID_COMPUTERS_CONTAINER,
+    DS_GUID_DOMAIN_CONTROLLERS_CONTAINER,
     DS_GUID_USERS_CONTAINER,
     UF_WORKSTATION_TRUST_ACCOUNT,
     UF_NO_AUTH_DATA_REQUIRED,
     UF_NORMAL_ACCOUNT,
     UF_NOT_DELEGATED,
     UF_PARTIAL_SECRETS_ACCOUNT,
+    UF_SERVER_TRUST_ACCOUNT,
     UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
 )
 from samba.join import DCJoinContext
@@ -94,6 +96,7 @@ class KDCBaseTest(RawKerberosTest):
     class AccountType(Enum):
         USER = auto()
         COMPUTER = auto()
+        SERVER = auto()
 
     @classmethod
     def setUpClass(cls):
@@ -245,6 +248,8 @@ class KDCBaseTest(RawKerberosTest):
         if ou is None:
             if account_type is account_type.COMPUTER:
                 guid = DS_GUID_COMPUTERS_CONTAINER
+            elif account_type is account_type.SERVER:
+                guid = DS_GUID_DOMAIN_CONTROLLERS_CONTAINER
             else:
                 guid = DS_GUID_USERS_CONTAINER
 
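Review bot: The added `elif account_type is account_type.SERVER:` looks the enum member up through the argument itself, while the account-control hunk further down spells it `self.AccountType.SERVER`. Assuming `self` is in scope here as it is there, `elif account_type is self.AccountType.SERVER:` reads more clearly and does not depend on the caller having passed an `AccountType`. The trailing `else` still sends every other value to the Users container, whereas the later branch calls `self.fail()` for an unexpected type, so a future enum member would be placed silently rather than rejected. Because SERVER accounts are created under the Domain Controllers container and later receive `UF_SERVER_TRUST_ACCOUNT`, a short comment such as `# server (DC) trust accounts belong in the Domain Controllers container` would help, and it is worth confirming that test teardown removes these accounts. The enclosing method begins and ends outside this hunk, so the cleanup path is not visible here.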
@@ -265,6 +270,8 @@ class KDCBaseTest(RawKerberosTest):
                 account_name += '$'
             if account_type is self.AccountType.COMPUTER:
                 account_control |= UF_WORKSTATION_TRUST_ACCOUNT
+            elif account_type is self.AccountType.SERVER:
+                account_control |= UF_SERVER_TRUST_ACCOUNT
             else:
                 self.fail()