self._get_tgt(client_creds, armor_tgt=mach_tgt)
def test_authn_policy_allowed_from_user_allow(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly allows the machine
# account for a user. Include some different TGT lifetimes for testing
# what gets logged.
- allowed = f'O:SYD:(A;;CR;;;{mach_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{mach_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
self._get_tgt(client_creds, armor_tgt=mach_tgt)
def test_authn_policy_allowed_from_user_deny(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly denies the machine
# account for a user. Include some different TGT lifetimes for testing
# what gets logged.
allowed = 'O:SYD:(A;;CR;;;WD)'
- denied = f'O:SYD:(D;;CR;;;{mach_sid})'
+ denied = f'O:SYD:(D;;CR;;;{mach_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
expected_error=KDC_ERR_POLICY)
def test_authn_policy_allowed_from_service_allow(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly allows the machine
# account for a service.
- allowed = f'O:SYD:(A;;CR;;;{mach_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{mach_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
self._get_tgt(client_creds, armor_tgt=mach_tgt)
def test_authn_policy_allowed_from_service_deny(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly denies the machine
# account for a service.
allowed = 'O:SYD:(A;;CR;;;WD)'
- denied = f'O:SYD:(D;;CR;;;{mach_sid})'
+ denied = f'O:SYD:(D;;CR;;;{mach_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
self._get_tgt(client_creds, armor_tgt=mach_tgt)
def test_authn_policy_allowed_from_owner_self(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly allows the machine
# account for a user. Set the owner to the machine account.
- allowed = f'O:{mach_sid}D:(A;;CR;;;WD)'
+ allowed = f'O:{mach_creds.get_sid()}D:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
expected_error=KDC_ERR_POLICY)
def test_authn_policy_allowed_from_user_allow_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self._get_creds(account_type=self.AccountType.COMPUTER,
allowed_rodc=True)
# Modify the TGT to be issued by an RODC.
mach_tgt = self.issued_by_rodc(self.get_tgt(mach_creds))
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly allows the machine
# account for a user.
- allowed = f'O:SYD:(A;;CR;;;{mach_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{mach_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
self._get_tgt(client_creds, armor_tgt=mach_tgt)
def test_authn_policy_allowed_from_user_deny_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self._get_creds(account_type=self.AccountType.COMPUTER,
allowed_rodc=True)
# Modify the TGT to be issued by an RODC.
mach_tgt = self.issued_by_rodc(self.get_tgt(mach_creds))
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly denies the machine
# account for a user.
allowed = 'O:SYD:(A;;CR;;;WD)'
- denied = f'O:SYD:(D;;CR;;;{mach_sid})'
+ denied = f'O:SYD:(D;;CR;;;{mach_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
expected_error=KDC_ERR_POLICY)
def test_authn_policy_allowed_from_service_allow_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self._get_creds(account_type=self.AccountType.COMPUTER,
allowed_rodc=True)
# Modify the TGT to be issued by an RODC.
mach_tgt = self.issued_by_rodc(self.get_tgt(mach_creds))
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly allows the machine
# account for a service.
- allowed = f'O:SYD:(A;;CR;;;{mach_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{mach_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
self._get_tgt(client_creds, armor_tgt=mach_tgt)
def test_authn_policy_allowed_from_service_deny_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self._get_creds(account_type=self.AccountType.COMPUTER,
allowed_rodc=True)
# Modify the TGT to be issued by an RODC.
mach_tgt = self.issued_by_rodc(self.get_tgt(mach_creds))
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create an authentication policy that explicitly denies the machine
# account for a service.
allowed = 'O:SYD:(A;;CR;;;WD)'
- denied = f'O:SYD:(D;;CR;;;{mach_sid})'
+ denied = f'O:SYD:(D;;CR;;;{mach_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
+ mach_sid = mach_creds.get_sid()
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
use_cache=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
# Create an authentication policy that explicitly allows the machine
# account for a user, while denying the user account itself.
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_computer_allow(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_computer_deny(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
check_patypes=False)
def test_authn_policy_allowed_to_computer_allow_but_deny_mach(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
+ mach_sid = mach_creds.get_sid()
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
+ client_sid = client_creds.get_sid()
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_computer_allow_mach(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
- mach_sid = self.get_objectSid(samdb, mach_creds.get_dn())
# Create a user account.
client_creds = self.get_cached_creds(
# Create an authentication policy that applies to a computer and
# explicitly allows the machine account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{mach_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{mach_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
check_patypes=False)
def test_authn_policy_allowed_no_fast(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
self._tgs_req(tgt, 0, client_creds, target_creds)
def test_authn_policy_denied_no_fast(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly disallows the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
check_patypes=False)
def test_authn_policy_allowed_to_no_owner(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket. Omit
# the owner (O:SY) from the SDDL.
- allowed = f'D:(A;;CR;;;{client_sid})'
+ allowed = f'D:(A;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
check_patypes=False)
def test_authn_policy_allowed_to_no_owner_unenforced(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an unenforced authentication policy that applies to a computer
# and explicitly allows the user account to obtain a service
# ticket. Omit the owner (O:SY) from the SDDL.
- allowed = f'D:(A;;CR;;;{client_sid})'
+ allowed = f'D:(A;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=False,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_owner_self(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
+ client_sid = client_creds.get_sid()
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_owner_anon(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket. Set
# the owner to be anonymous.
- allowed = f'O:AND:(A;;CR;;;{client_sid})'
+ allowed = f'O:AND:(A;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_user_allow(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a user and explicitly
# allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_user_deny(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a user and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
check_patypes=False)
def test_authn_policy_allowed_to_service_allow(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a managed service and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_service_deny(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a managed service and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
check_patypes=False)
def test_authn_policy_allowed_to_user_allow_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
allowed_rodc=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Modify the TGT to be issued by an RODC.
tgt = self.issued_by_rodc(self.get_tgt(client_creds))
# Create an authentication policy that applies to a user and explicitly
# allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_user_deny_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
allowed_rodc=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Modify the TGT to be issued by an RODC.
tgt = self.issued_by_rodc(self.get_tgt(client_creds))
# Create an authentication policy that applies to a user and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
expected_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED)
def test_authn_policy_allowed_to_computer_allow_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
allowed_rodc=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Modify the TGT to be issued by an RODC.
tgt = self.issued_by_rodc(self.get_tgt(client_creds))
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_computer_deny_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
allowed_rodc=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Modify the TGT to be issued by an RODC.
tgt = self.issued_by_rodc(self.get_tgt(client_creds))
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
expected_status=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED,)
def test_authn_policy_allowed_to_service_allow_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
allowed_rodc=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Modify the TGT to be issued by an RODC.
tgt = self.issued_by_rodc(self.get_tgt(client_creds))
# Create an authentication policy that applies to a managed service and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_service_deny_from_rodc(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
allowed_rodc=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Modify the TGT to be issued by an RODC.
tgt = self.issued_by_rodc(self.get_tgt(client_creds))
# Create an authentication policy that applies to a managed service and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
opts={'id': 1},
use_cache=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
opts={'id': 1},
use_cache=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
account_type=self.AccountType.COMPUTER,
use_cache=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
account_type=self.AccountType.COMPUTER,
use_cache=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly denies the account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
armor_tgt=tgt)
def test_authn_policy_allowed_to_user_allow_s4u2self(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
name_type=NT_PRINCIPAL,
names=[client_creds.get_username()])
client_realm = client_creds.get_realm()
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
armor_tgt=mach_tgt)
def test_authn_policy_allowed_to_user_deny_s4u2self(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
name_type=NT_PRINCIPAL,
names=[client_creds.get_username()])
client_realm = client_creds.get_realm()
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_username = client_creds.get_username()
client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
opts={
'delegation_to_spn': target_spn,
})
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Create an authentication policy that applies to a computer and
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_tkt_options = 'forwardable'
expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
opts={
'delegation_to_spn': target_spn,
})
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Create an authentication policy that applies to a computer and
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_username = client_creds.get_username()
client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
service_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'id': 1})
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Create an authentication policy that applies to a computer and
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_tkt_options = 'forwardable'
expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
service_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={'id': 1})
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Create an authentication policy that applies to a computer and
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_username = client_creds.get_username()
client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
use_cache=False)
service_dn_str = str(service_creds.get_dn())
service_spn = service_creds.get_spn()
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Allow delegation to ourselves.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_username = client_creds.get_username()
client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
use_cache=False)
service_dn_str = str(service_creds.get_dn())
service_spn = service_creds.get_spn()
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Allow delegation to ourselves.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_tkt_options = 'forwardable'
expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
opts={'id': 1},
use_cache=False)
service_dn_str = str(service_creds.get_dn())
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Don’t set msDS-AllowedToDelegateTo.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_username = client_creds.get_username()
client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
opts={'delegation_from_dn': ndr_pack(security_descriptor)},
use_cache=False)
service_dn_str = str(service_creds.get_dn())
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Create an authentication policy that applies to a computer and
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_username = client_creds.get_username()
client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
opts={'delegation_from_dn': ndr_pack(security_descriptor)},
use_cache=False)
service_dn_str = str(service_creds.get_dn())
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
client_service_tkt = self.get_service_ticket(
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
+ client_sid = client_creds.get_sid()
client_tkt_options = 'forwardable'
expected_flags = krb5_asn1.TicketFlags(client_tkt_options)
opts={'id': 1},
use_cache=False)
service_dn_str = str(service_creds.get_dn())
- service_sid = self.get_objectSid(samdb, service_creds.get_dn())
+ service_sid = service_creds.get_sid()
service_tgt = self.get_tgt(service_creds)
# Don’t set msDS-AllowedToActOnBehalfOfOtherIdentity.
check_patypes=False)
def test_authn_policy_allowed_to_computer_allow_user2user(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
client_creds = self.get_mach_creds()
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
client_tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
additional_ticket=target_tgt)
def test_authn_policy_allowed_to_computer_deny_user2user(self):
- samdb = self.get_samdb()
-
# Create a machine account with which to perform FAST.
mach_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER)
mach_tgt = self.get_tgt(mach_creds)
client_creds = self.get_mach_creds()
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
client_tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a user and explicitly
# allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
# Create a user account.
client_creds = self.get_cached_creds(
account_type=self.AccountType.USER)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
tgt = self.get_tgt(client_creds)
# Create an authentication policy that applies to a managed service and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
logon_type=netlogon.NetlogonNetworkInformation)
def test_samlogon_allowed_to_computer_allow(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
logon_type=netlogon.NetlogonInteractiveInformation)
def test_samlogon_allowed_to_computer_deny(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED)
def test_samlogon_allowed_to_computer_deny_protected(self):
- samdb = self.get_samdb()
-
# Create a protected user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
protected=True,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
expect_error=ntstatus.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED)
def test_samlogon_allowed_to_no_owner(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket. Omit
# the owner (O:SY) from the SDDL.
- allowed = f'D:(A;;CR;;;{client_sid})'
+ allowed = f'D:(A;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=True,
expect_error=ntstatus.NT_STATUS_INVALID_PARAMETER)
def test_samlogon_allowed_to_no_owner_unenforced(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an unenforced authentication policy that applies to a computer
# and explicitly allows the user account to obtain a service
# ticket. Omit the owner (O:SY) from the SDDL.
- allowed = f'D:(A;;CR;;;{client_sid})'
+ allowed = f'D:(A;;CR;;;{client_creds.get_sid()})'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
enforced=False,
logon_type=netlogon.NetlogonInteractiveInformation)
def test_samlogon_allowed_to_service_allow(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a managed service and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
logon_type=netlogon.NetlogonInteractiveInformation)
def test_samlogon_allowed_to_service_deny(self):
- samdb = self.get_samdb()
-
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a managed service and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
ntlm=True,
cached=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
ntlm=True,
cached=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
# Create an authentication policy that applies to a computer and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
ntlm=True,
cached=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
# Create an authentication policy that applies to a managed service and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
ntlm=True,
cached=False)
client_dn = client_creds.get_dn()
- client_sid = self.get_objectSid(samdb, client_dn)
# Create an authentication policy that applies to a managed service and
# explicitly denies the user account to obtain a service ticket.
- denied = f'O:SYD:(D;;CR;;;{client_sid})'
+ denied = f'O:SYD:(D;;CR;;;{client_creds.get_sid()})'
allowed = 'O:SYD:(A;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a computer and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
# Create a user account.
client_creds = self._get_creds(account_type=self.AccountType.USER,
ntlm=True)
- client_sid = self.get_objectSid(samdb, client_creds.get_dn())
# Create an authentication policy that applies to a managed service and
# explicitly allows the user account to obtain a service ticket.
- allowed = f'O:SYD:(A;;CR;;;{client_sid})'
+ allowed = f'O:SYD:(A;;CR;;;{client_creds.get_sid()})'
denied = 'O:SYD:(D;;CR;;;WD)'
policy_id = self.get_new_username()
policy = self.create_authn_policy(policy_id,
projects / thirdparty / samba.git / commitdiff
