client_opts={'no_auth_data_required': True})
def test_simple_as_req_self_pac_request_false(self):
+ expect_pac = self.always_include_pac
self._run_test_sequence([
{
'rep_type': KRB_AS_REP,
'gen_padata_fn': self.generate_enc_timestamp_padata,
'as_req_self': True,
'pac_request': False,
- 'expect_pac': False
+ 'expect_pac': expect_pac
}
], client_account=self.AccountType.COMPUTER)
pac_request=False, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_request_enterprise_canon(self):
upn = self.get_new_username()
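Review bot: The literal `expect_pac=False` is still passed to `get_ticket_pac` on the line just above the new branch, so in the always-include case the call says no PAC is expected while the next assertion requires one. Deriving the value once, as the fast_tests hunk does with `expect_pac = self.always_include_pac`, and then asserting `self.assertEqual(expect_pac, pac is not None)` would keep the two in agreement. Whether `get_ticket_pac` acts on the flag is not visible here. The same four-line branch recurs in the hunks that end at test_tgs_pac_request_true, test_renew_pac_request_true, test_validate_pac_request_true and test_user2user_user_pac_request_true, so a small helper on the test class would remove the duplication. The enclosing test starts outside this hunk.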
ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_tgs_pac_request_true(self):
creds = self._get_creds()
ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_renew_pac_request_true(self):
creds = self._get_creds()
ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_validate_pac_request_true(self):
creds = self._get_creds()
expect_pac=False)
pac = self.get_ticket_pac(ticket, expect_pac=False)
- self.assertIsNone(pac)
+ if not self.always_include_pac:
+ self.assertIsNone(pac)
+ else:
+ self.assertIsNotNone(pac)
def test_user2user_user_pac_request_true(self):
creds = self._get_creds()
from samba.dcerpc import claims, krb5pac, netlogon, samr, security, krb5ccache
from samba.gensec import FEATURE_SEAL
from samba.ndr import ndr_pack, ndr_unpack
+from samba.param import LoadParm
from samba.dcerpc.misc import (
SEC_CHAN_WKSTA,
SEC_CHAN_BDC,
SEC_CHAN_DOMAIN,
SEC_CHAN_DNS_DOMAIN,
)
-from samba.dsdb import (
- UF_SMARTCARD_REQUIRED
-)
import samba.tests
from samba.tests import TestCase
padata_checking = '1'
cls.padata_checking = bool(int(padata_checking))
+ using_embedded_heimdal = samba.tests.env_get_var_value(
+ 'USING_EMBEDDED_HEIMDAL',
+ allow_missing=True)
+ if using_embedded_heimdal is None:
+ using_embedded_heimdal = False
+ else:
+ using_embedded_heimdal = bool(int(using_embedded_heimdal))
+ cls.always_include_pac = False
+ # Always generating the PAC is currently only supported by
+ # the Embedded heimdal
+ if using_embedded_heimdal:
+ # get_loadparm loads the client smb.conf
+ # we need to load the server smb.conf to get the server
+ # settings.
+ server_conf = samba.tests.env_get_var_value('SERVERCONFFILE')
+ lp = LoadParm(filename_for_non_global_lp=server_conf)
+ always_include = lp.get("kdc always include pac")
+ if always_include is None:
+ always_include = "True"
+
+ cls.always_include_pac = bool(always_include)
+
kadmin_is_tgs = samba.tests.env_get_var_value('KADMIN_IS_TGS',
allow_missing=True)
if kadmin_is_tgs is None:
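Review bot: `cls.always_include_pac = bool(always_include)` is true for any non-empty string, so if `lp.get("kdc always include pac")` ever returns text such as "no" or "False", the suite would treat the option as enabled and skip every PAC-absence assertion. The fallback `always_include = "True"` is itself a string and only yields the intended value through that same coercion. The return type of `lp.get` for this parameter is not visible in the hunk. If it is already a bool, use `always_include = True` as the fallback and assign it directly. Otherwise parse the text explicitly rather than through `bool()`. `SERVERCONFFILE` is also read without `allow_missing=True`, so it is worth confirming the variable is exported in every environment where `USING_EMBEDDED_HEIMDAL` is set.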
pac_data = self.get_ticket_pac(ticket_creds, expect_pac=expect_pac)
if expect_pac is True:
self.assertIsNotNone(pac_data)
- elif expect_pac is False:
+ elif expect_pac is False and self.always_include_pac is False:
self.assertIsNone(pac_data)
if pac_data is not None:
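Review bot: When `expect_pac is False` and `self.always_include_pac` is true, neither branch runs, so the PAC's presence is never asserted and a KDC that ignores the setting would still pass. Adding a third arm, `elif expect_pac is False:` followed by `self.assertIsNotNone(pac_data)`, would make the always-include mode verify that the PAC really is forced into the ticket. The enclosing method starts and ends outside this hunk.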
self.assertEqual(expect_pac_attrs_pac_request is True,
requested_pac)
- self.assertEqual(expect_pac_attrs_pac_request is None,
- given_pac)
+ if not self.always_include_pac:
+ self.assertEqual(expect_pac_attrs_pac_request is None,
+ given_pac)
elif (pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID
and expect_requester_sid):
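Review bot: The `given_pac` comparison is skipped under `always_include_pac` rather than replaced, which leaves that PAC attributes flag unchecked in this mode and gives the reader no reason why. A short comment above the guard would help, for example `# With "kdc always include pac" the KDC adds the PAC regardless of the request, so given_pac no longer tracks expect_pac_attrs_pac_request`. If the expected value in that mode is known, assert it instead of dropping the check. The wording of that comment is inferred from the surrounding change and should be confirmed against the KDC behaviour.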
--- /dev/null
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_false.*ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac.*ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_request_false.*ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_false.*ad_dc
+^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_false.*ad_dc
+^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_false
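Review bot: The last entry, for `FAST_Tests.test_simple_as_req_self_pac_request_false`, has no trailing `.*ad_dc` qualifier, unlike the five `KdcTgsTests` entries above it, so it marks the test as a known failure in every environment where it runs. If the failure is expected only under one environment, ending the pattern with the same `.*ad_dc` suffix would stop it masking a real regression elsewhere. A one-line comment at the top of the file saying which configuration these entries belong to would also help whoever later prunes the list.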
expect_nt_status = int('SAMBA4_USES_HEIMDAL' in config_hash)
as_req_logging_support = int('SAMBA4_USES_HEIMDAL' in config_hash)
tgs_req_logging_support = int('SAMBA4_USES_HEIMDAL' in config_hash)
+embedded_heimdal = int('USING_EMBEDDED_HEIMDAL' in config_hash)
ca_dir = os.path.join('selftest', 'manage-ca', 'CA-samba.example.com')
'CA_CERT': ca_cert_path,
'CA_PRIVATE_KEY': ca_private_key_path,
'CA_PASS': ca_pass,
+ 'USING_EMBEDDED_HEIMDAL' : embedded_heimdal,
}
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
planoldpythontestsuite("none", "samba.tests.krb5.claims_in_pac")