tests/krb5: Get supported enctypes for credentials from database
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Tue, 21 Sep 2021 05:10:49 +0000 (17:10 +1200)
committerAndrew Bartlett <abartlet@samba.org>
Thu, 23 Sep 2021 18:32:29 +0000 (18:32 +0000)
Look up the account's msDS-SupportedEncryptionTypes attribute to get the
encryption types that it supports. Move the fallback to RC4 to when the
ticket decryption key is obtained.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
python/samba/tests/krb5/as_req_tests.py
python/samba/tests/krb5/kdc_base_test.py
python/samba/tests/krb5/raw_testcase.py

index 35f88a0c92011a7e1b5c256feee8f03597d8d461..8d9b90fee69aea694b10c38834ea249445f80fbe 100755 (executable)
@@ -60,7 +60,7 @@ class AsReqKerberosTests(KDCBaseTest):
                                initial_kdc_options=None):
         client_creds = self.get_client_creds()
         client_account = client_creds.get_username()
-        client_as_etypes = client_creds.get_as_krb5_etypes()
+        client_as_etypes = self.get_default_enctypes()
         krbtgt_creds = self.get_krbtgt_creds(require_keys=False)
         krbtgt_account = krbtgt_creds.get_username()
         realm = krbtgt_creds.get_realm()
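Review bot: After this change `client_as_etypes` is the test-wide list from `self.get_default_enctypes()` rather than anything derived from the client account, yet the name still reads as if it came from `client_creds`; the second hunk in this file makes the same substitution. A short comment at the assignment, `# Request the test default enctypes, not the account's advertised ones`, would make the intent clear to the next reader. The enclosing test method starts before the hunk.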
@@ -114,7 +114,7 @@ class AsReqKerberosTests(KDCBaseTest):
     def test_as_req_enc_timestamp(self):
         client_creds = self.get_client_creds()
         client_account = client_creds.get_username()
-        client_as_etypes = client_creds.get_as_krb5_etypes()
+        client_as_etypes = self.get_default_enctypes()
         client_kvno = client_creds.get_kvno()
         krbtgt_creds = self.get_krbtgt_creds(require_strongest_key=True)
         krbtgt_account = krbtgt_creds.get_username()
index 10ad9e6961f1d8f92ec1e98ebc5d683547ea1c55..cdaeaf9f3e189cbc7ccfd79756ef74620bc187ee 100644 (file)
@@ -289,6 +289,8 @@ class KDCBaseTest(RawKerberosTest):
         # Save the account name so it can be deleted in tearDownClass
         self.accounts.add(dn)
 
+        self.creds_set_enctypes(creds)
+
         return (creds, dn)
 
     def create_rodc(self, ctx):
@@ -522,13 +524,28 @@ class KDCBaseTest(RawKerberosTest):
             for enctype, key in keys.items():
                 creds.set_forced_key(enctype, key)
 
-        supported_enctypes = 0
-        if kcrypto.Enctype.AES256 in keys:
-            supported_enctypes |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
-        if kcrypto.Enctype.AES128 in keys:
-            supported_enctypes |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
-        if kcrypto.Enctype.RC4 in keys:
-            supported_enctypes |= security.KERB_ENCTYPE_RC4_HMAC_MD5
+    def creds_set_enctypes(self, creds):
+        samdb = self.get_samdb()
+
+        res = samdb.search(creds.get_dn(),
+                           scope=ldb.SCOPE_BASE,
+                           attrs=['msDS-SupportedEncryptionTypes'])
+        supported_enctypes = res[0].get('msDS-SupportedEncryptionTypes', idx=0)
+
+        if supported_enctypes is None:
+            supported_enctypes = 0
+
+        creds.set_as_supported_enctypes(supported_enctypes)
+        creds.set_tgs_supported_enctypes(supported_enctypes)
+        creds.set_ap_supported_enctypes(supported_enctypes)
+
+    def creds_set_default_enctypes(self, creds, fast_support=False):
+        default_enctypes = self.get_default_enctypes()
+        supported_enctypes = KerberosCredentials.etypes_to_bits(
+            default_enctypes)
+
+        if fast_support:
+            supported_enctypes |= KerberosCredentials.fast_supported_bits
 
         creds.set_as_supported_enctypes(supported_enctypes)
         creds.set_tgs_supported_enctypes(supported_enctypes)
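Review bot: In creds_set_enctypes the value from `res[0].get('msDS-SupportedEncryptionTypes', idx=0)` is the raw attribute value (python-ldb returns element values as bytes, as far as I know), while the fallback branch assigns the int 0, so the three `set_*_supported_enctypes` calls receive a different type depending on whether the attribute exists; unless those setters convert, bit tests on the value will not behave the same on both paths. Normalising once after the None check, `supported_enctypes = int(supported_enctypes)`, keeps both paths an int. A one-line comment on the None branch would also help, e.g. `# No attribute means no advertised enctypes; the RC4 fallback lives where the ticket decryption key is obtained.` creds_set_default_enctypes continues past the end of the hunk.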
@@ -662,14 +679,6 @@ class KDCBaseTest(RawKerberosTest):
         keys = self.get_keys(samdb, dn)
         self.creds_set_keys(creds, keys)
 
-        if machine_account:
-            if supported_enctypes is not None:
-                tgs_enctypes = supported_enctypes
-            else:
-                tgs_enctypes = security.KERB_ENCTYPE_RC4_HMAC_MD5
-
-            creds.set_tgs_supported_enctypes(tgs_enctypes)
-
         # Handle secret replication to the RODC.
 
         if allowed_replication or revealed_to_rodc:
@@ -814,6 +823,11 @@ class KDCBaseTest(RawKerberosTest):
             keys = self.get_keys(samdb, krbtgt_dn)
             self.creds_set_keys(creds, keys)
 
+            # The RODC krbtgt account should support the default enctypes,
+            # although it might not have the msDS-SupportedEncryptionTypes
+            # attribute.
+            self.creds_set_default_enctypes(creds)
+
             return creds
 
         c = self._get_krb5_creds(prefix='RODC_KRBTGT',
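Review bot: The RODC krbtgt is given `self.creds_set_default_enctypes(creds)` without `fast_support`, whereas the krbtgt hunk later in this file passes `fast_support=self.kdc_fast_support`. If the omission is deliberate, the comment just above is the natural place to say so, e.g. `# FAST support is not advertised for the RODC krbtgt.`; if it is not, the call should mirror the krbtgt one. The enclosing function starts before the hunk.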
@@ -858,6 +872,8 @@ class KDCBaseTest(RawKerberosTest):
             keys = self.get_keys(samdb, dn)
             self.creds_set_keys(creds, keys)
 
+            self.creds_set_enctypes(creds)
+
             return creds
 
         c = self._get_krb5_creds(prefix='MOCK_RODC_KRBTGT',
@@ -898,6 +914,12 @@ class KDCBaseTest(RawKerberosTest):
             keys = self.get_keys(samdb, dn)
             self.creds_set_keys(creds, keys)
 
+            # The krbtgt account should support the default enctypes, although
+            # it might not (on Samba) have the msDS-SupportedEncryptionTypes
+            # attribute.
+            self.creds_set_default_enctypes(creds,
+                                            fast_support=self.kdc_fast_support)
+
             return creds
 
         c = self._get_krb5_creds(prefix='KRBTGT',
index 57579126f8adf3ff505bf406042f1c1edc2cbca8..8d7778602f59302055c3cbb17e8f04e0a8f4b131 100644 (file)
@@ -1082,7 +1082,10 @@ class RawKerberosTest(TestCaseInTempDir):
 
         if etype is None:
             etypes = creds.get_tgs_krb5_etypes()
-            etype = etypes[0]
+            if etypes:
+                etype = etypes[0]
+            else:
+                etype = kcrypto.Enctype.RC4
 
         forced_key = creds.get_forced_key(etype)
         if forced_key is not None:
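Review bot: The new `else` branch selects RC4 whenever `creds.get_tgs_krb5_etypes()` is empty, and nothing at the site says why that is the intended default; since the commit moved this fallback here from the credentials setup, a comment would spare the next reader a trip through the history, e.g. `# No enctypes advertised (no msDS-SupportedEncryptionTypes); fall back to RC4.` The enclosing function starts before the hunk.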