From: Jennifer Sutton Date: Tue, 20 Jan 2026 03:35:40 +0000 (+1300) Subject: s4:test: Add kdc-canon-mit tests X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3374f20957ec6ffdecbf016fb12e83e762c70870;p=thirdparty%2Fsamba.git s4:test: Add kdc-canon-mit tests These are modelled after the kdc-canon-heimdal tests. Signed-off-by: Jennifer Sutton Reviewed-by: Douglas Bagnall --- diff --git a/selftest/knownfail_mit_kdc.d/krb5-kdc b/selftest/knownfail_mit_kdc.d/krb5-kdc new file mode 100644 index 00000000000..78402f90fa3 --- /dev/null +++ b/selftest/knownfail_mit_kdc.d/krb5-kdc @@ -0,0 +1,15 @@ +^samba4.krb5.kdc\ with\ account\ having\ identical\ UPN\ and\ SPN.canon.no-canon.no-enterprise.lc-user.spn.no-canon.no-enterprise.lc-user.spn\(promoted_dc\) +^samba4.krb5.kdc\ with\ account\ having\ identical\ UPN\ and\ SPN.canon.no-canon.no-enterprise.lc-user.upn.no-canon.no-enterprise.lc-user.upn\(promoted_dc\) +^samba4.krb5.kdc\ with\ account\ having\ identical\ UPN\ and\ SPN.canon.no-canon.no-enterprise.uc-user.samaccountname.no-canon.no-enterprise.uc-user.samaccountname\(promoted_dc\) +^samba4.krb5.kdc\ with\ account\ having\ identical\ UPN\ and\ SPN.canon.no-canon.no-enterprise.uc-user.spn.no-canon.no-enterprise.uc-user.spn\(promoted_dc\) +^samba4.krb5.kdc\ with\ account\ having\ identical\ UPN\ and\ SPN.canon.no-canon.no-enterprise.uc-user.upn.no-canon.no-enterprise.uc-user.upn\(promoted_dc\) +^samba4.krb5.kdc\ with\ machine\ account.canon.no-canon.no-enterprise.lc-user.removedollar.no-canon.no-enterprise.lc-user.removedollar\(fl2000dc:local\) +^samba4.krb5.kdc\ with\ machine\ account.canon.no-canon.no-enterprise.lc-user.removedollar.no-canon.no-enterprise.lc-user.removedollar\(promoted_dc:local\) +^samba4.krb5.kdc\ with\ machine\ account.canon.no-canon.no-enterprise.uc-user.removedollar.no-canon.no-enterprise.uc-user.removedollar\(fl2000dc:local\) +^samba4.krb5.kdc\ with\ machine\ account.canon.no-canon.no-enterprise.uc-user.removedollar.no-canon.no-enterprise.uc-user.removedollar\(promoted_dc:local\) +^samba4.krb5.kdc\ with\ machine\ account\ require\ canonicalization.canon.no-canon.no-enterprise.lc-user.removedollar.no-canon.no-enterprise.lc-user.removedollar\(schema_dc:local\) +^samba4.krb5.kdc\ with\ machine\ account\ require\ canonicalization.canon.no-canon.no-enterprise.lc-user.samaccountname.no-canon.no-enterprise.lc-user.samaccountname\(schema_dc:local\) +^samba4.krb5.kdc\ with\ machine\ account\ require\ canonicalization.canon.no-canon.no-enterprise.lc-user.spn.no-canon.no-enterprise.lc-user.spn\(schema_dc:local\) +^samba4.krb5.kdc\ with\ machine\ account\ require\ canonicalization.canon.no-canon.no-enterprise.uc-user.removedollar.no-canon.no-enterprise.uc-user.removedollar\(schema_dc:local\) +^samba4.krb5.kdc\ with\ machine\ account\ require\ canonicalization.canon.no-canon.no-enterprise.uc-user.samaccountname.no-canon.no-enterprise.uc-user.samaccountname\(schema_dc:local\) +^samba4.krb5.kdc\ with\ machine\ account\ require\ canonicalization.canon.no-canon.no-enterprise.uc-user.spn.no-canon.no-enterprise.uc-user.spn\(schema_dc:local\) diff --git a/source4/torture/krb5/kdc-canon-mit.c b/source4/torture/krb5/kdc-canon-mit.c new file mode 100644 index 00000000000..e37684fb6e4 --- /dev/null +++ b/source4/torture/krb5/kdc-canon-mit.c @@ -0,0 +1,871 @@ +/* + Unix SMB/CIFS implementation. + + Validate the krb5 pac generation routines + + Copyright (C) Andrew Bartlett 2005-2015 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 3 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + + You should have received a copy of the GNU General Public License + along with this program. If not, see . +*/ + +#include "includes.h" +#include "system/kerberos.h" +#include "torture/smbtorture.h" +#include "torture/krb5/proto.h" +#include "auth/credentials/credentials.h" +#include "lib/cmdline/cmdline.h" +#include "source4/auth/kerberos/kerberos.h" +#include "lib/util/util_net.h" +#include "auth/auth.h" +#include "auth/gensec/gensec.h" +#include "param/param.h" + +#undef strcasecmp + +#define TEST_CANONICALIZE 0x0000001 +#define TEST_ENTERPRISE 0x0000002 +#define TEST_UPPER_USERNAME 0x0000004 +#define TEST_UPN 0x0000008 +#define TEST_REMOVEDOLLAR 0x0000010 +#define TEST_AS_REQ_SPN 0x0000020 +#define TEST_ALL 0x000003F + +struct test_data { + const char *test_name; + const char *realm; + const char *real_realm; + const char *real_domain; + const char *username; + const char *real_username; + bool canonicalize; + bool enterprise; + bool upper_username; + bool upn; + bool other_upn_suffix; + bool removedollar; + bool as_req_spn; + bool spn_is_upn; + const char *krb5_service; + const char *krb5_hostname; +}; + +struct torture_krb5_context { + struct smb_krb5_context *smb_krb5_context; + struct torture_context *tctx; + struct addrinfo *server; +}; + +struct pac_data { + const char *principal_name; +}; + +/* + * A helper function which avoids touching the local databases to + * generate the session info, as we just want to verify the principal + * name that we found in the ticket not the full local token + */ +static NTSTATUS test_generate_session_info_pac(struct auth4_context *auth_ctx, + TALLOC_CTX *mem_ctx, + struct smb_krb5_context *smb_krb5_context, + DATA_BLOB *pac_blob, + const char *principal_name, + const struct tsocket_address *remote_address, + uint32_t session_info_flags, + struct auth_session_info **session_info) +{ + NTSTATUS nt_status; + struct auth_user_info_dc *user_info_dc; + TALLOC_CTX *tmp_ctx; + struct pac_data *pac_data; + + if (pac_blob == NULL) { + DBG_ERR("pac_blob missing\n"); + return NT_STATUS_NO_IMPERSONATION_TOKEN; + } + + tmp_ctx = talloc_named(mem_ctx, 0, "gensec_gssapi_session_info context"); + NT_STATUS_HAVE_NO_MEMORY(tmp_ctx); + + auth_ctx->private_data = pac_data = talloc_zero(auth_ctx, struct pac_data); + + pac_data->principal_name = talloc_strdup(pac_data, principal_name); + if (!pac_data->principal_name) { + talloc_free(tmp_ctx); + return NT_STATUS_NO_MEMORY; + } + + nt_status = kerberos_pac_blob_to_user_info_dc(tmp_ctx, + *pac_blob, + smb_krb5_context->krb5_context, + &user_info_dc, NULL, NULL); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + + if (!(user_info_dc->info->user_flags & NETLOGON_GUEST)) { + session_info_flags |= AUTH_SESSION_INFO_AUTHENTICATED; + } + + session_info_flags |= AUTH_SESSION_INFO_SIMPLE_PRIVILEGES; + nt_status = auth_generate_session_info(mem_ctx, + NULL, + NULL, + user_info_dc, session_info_flags, + session_info); + if (!NT_STATUS_IS_OK(nt_status)) { + talloc_free(tmp_ctx); + return nt_status; + } + + talloc_free(tmp_ctx); + return NT_STATUS_OK; +} + +/* Check to see if we can pass the PAC across to the NETLOGON server for validation */ + +/* Also happens to be a really good one-step verification of our Kerberos stack */ + +static bool test_accept_ticket(struct torture_context *tctx, + struct cli_credentials *credentials, + const char *principal, + DATA_BLOB client_to_server) +{ + NTSTATUS status; + struct gensec_security *gensec_server_context; + DATA_BLOB server_to_client; + struct auth4_context *auth_context; + struct auth_session_info *session_info; + struct pac_data *pac_data; + TALLOC_CTX *tmp_ctx = talloc_new(tctx); + + torture_assert(tctx, tmp_ctx != NULL, "talloc_new() failed"); + + auth_context = talloc_zero(tmp_ctx, struct auth4_context); + torture_assert(tctx, auth_context != NULL, "talloc_new() failed"); + + auth_context->generate_session_info_pac = test_generate_session_info_pac; + + status = gensec_server_start(tctx, + lpcfg_gensec_settings(tctx, tctx->lp_ctx), + auth_context, &gensec_server_context); + torture_assert_ntstatus_ok(tctx, status, "gensec_server_start (server) failed"); + + status = gensec_set_credentials(gensec_server_context, credentials); + torture_assert_ntstatus_ok(tctx, status, "gensec_set_credentials (server) failed"); + + status = gensec_start_mech_by_name(gensec_server_context, "krb5"); + torture_assert_ntstatus_ok(tctx, status, "gensec_start_mech_by_name (server) failed"); + + server_to_client = data_blob(NULL, 0); + + /* Do a client-server update dance */ + status = gensec_update(gensec_server_context, tmp_ctx, client_to_server, &server_to_client); + torture_assert_ntstatus_ok(tctx, status, "gensec_update (server) failed"); + + /* Extract the PAC using Samba's code */ + + status = gensec_session_info(gensec_server_context, gensec_server_context, &session_info); + torture_assert_ntstatus_ok(tctx, status, "gensec_session_info failed"); + + pac_data = talloc_get_type(auth_context->private_data, struct pac_data); + + torture_assert(tctx, pac_data != NULL, "gensec_update failed to fill in pac_data in auth_context"); + torture_assert(tctx, pac_data->principal_name != NULL, "principal_name not present"); + torture_assert_str_equal(tctx, pac_data->principal_name, principal, "wrong principal name"); + return true; +} + +static int test_context_destructor(struct torture_krb5_context *test_context) +{ + freeaddrinfo(test_context->server); + return 0; +} + + +static bool torture_krb5_init_context_canon(struct torture_context *tctx, + struct torture_krb5_context **torture_krb5_context) +{ + const char *host = torture_setting_string(tctx, "host", NULL); + krb5_error_code k5ret; + bool ok; + + struct torture_krb5_context *test_context = talloc_zero(tctx, struct torture_krb5_context); + torture_assert(tctx, test_context != NULL, "Failed to allocate"); + + test_context->tctx = tctx; + + k5ret = smb_krb5_init_context(test_context, tctx->lp_ctx, &test_context->smb_krb5_context); + torture_assert_int_equal(tctx, k5ret, 0, "smb_krb5_init_context failed"); + + ok = interpret_string_addr_internal(&test_context->server, host, AI_NUMERICHOST); + torture_assert(tctx, ok, "Failed to parse target server"); + + talloc_set_destructor(test_context, test_context_destructor); + + set_sockaddr_port(test_context->server->ai_addr, 88); + + *torture_krb5_context = test_context; + return true; +} + + +static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void *tcase_data) +{ + krb5_error_code k5ret; + krb5_get_init_creds_opt *krb_options = NULL; + struct test_data *test_data = talloc_get_type_abort(tcase_data, struct test_data); + krb5_principal principal = NULL; + krb5_principal canonical_principal = NULL; + krb5_principal expected_principal = NULL; + const char *principal_string = NULL; + int principal_flags; + const char *canonical_principal_string = NULL; + const char *expected_principal_string = NULL; + char *canonical_unparse_principal_string = NULL; + char *expected_unparse_principal_string = NULL; + int expected_principal_flags; + char *got_principal_string = NULL; + char *assertion_message = NULL; + const char *password = cli_credentials_get_password( + samba_cmdline_get_creds()); + krb5_context k5_context = NULL; + struct torture_krb5_context *test_context = NULL; + bool ok; + krb5_creds my_creds; + krb5_creds *server_creds = NULL; + krb5_ccache ccache = NULL; + krb5_auth_context auth_context = NULL; + char *cc_name = NULL; + krb5_data in_data, enc_ticket; + + bool require_canon = \ + lpcfg_kdc_require_canonicalization(tctx->lp_ctx); + + bool implicit_dollar_requires_canonicalize = + !lpcfg_kdc_name_match_implicit_dollar_without_canonicalization( + tctx->lp_ctx); + bool krb5_acceptor_report_canonical_client_name = + lpcfg_krb5_acceptor_report_canonical_client_name(tctx->lp_ctx); + + const char *spn = NULL; + const char *spn_real_realm = NULL; + const char *upn = torture_setting_string(tctx, "krb5-upn", ""); + test_data->krb5_service = torture_setting_string(tctx, "krb5-service", "host"); + test_data->krb5_hostname = torture_setting_string(tctx, "krb5-hostname", ""); + + /* + * If we have not passed a UPN on the command line, + * then skip the UPN tests. + */ + if (test_data->upn && upn[0] == '\0') { + torture_skip(tctx, "This test needs a UPN specified as --option=torture:krb5-upn=user@example.com to run"); + } + + /* + * If we have not passed a SPN on the command line, + * then skip the SPN tests. + */ + if (test_data->as_req_spn && test_data->krb5_hostname[0] == '\0') { + torture_skip(tctx, "This test needs a hostname specified as --option=torture:krb5-hostname=hostname.example.com and optionally --option=torture:krb5-service=service (defaults to host) to run"); + } + + if (test_data->removedollar && + !torture_setting_bool(tctx, "run_removedollar_test", false)) + { + torture_skip(tctx, "--option=torture:run_removedollar_test=true not specified"); + } + + test_data->realm = test_data->real_realm; + + if (test_data->upn) { + char *p; + test_data->username = talloc_strdup(test_data, upn); + p = strchr(test_data->username, '@'); + if (p) { + *p = '\0'; + p++; + } + /* + * Test the UPN behaviour carefully. We can + * test in two different modes, depending on + * what UPN has been set up for us. + * + * If the UPN is in our realm, then we do all the tests with this name also. + * + * If the UPN is not in our realm, then we + * expect the tests that replace the realm to + * fail (as it won't match) + */ + if (strcasecmp(p, test_data->real_realm) != 0) { + test_data->other_upn_suffix = true; + } else { + test_data->other_upn_suffix = false; + } + + /* + * This lets us test the combination of the UPN prefix + * with a valid domain, without adding even more + * combinations + */ + test_data->realm = p; + } + + ok = torture_krb5_init_context_canon(tctx, &test_context); + torture_assert(tctx, ok, "torture_krb5_init_context failed"); + k5_context = test_context->smb_krb5_context->krb5_context; + + test_data->realm = strupper_talloc(test_data, test_data->realm); + if (test_data->upper_username) { + test_data->username = strupper_talloc(test_data, test_data->username); + } else { + test_data->username = talloc_strdup(test_data, test_data->username); + } + + if (test_data->removedollar) { + char *p; + + p = strchr_m(test_data->username, '$'); + torture_assert(tctx, p != NULL, talloc_asprintf(tctx, + "username[%s] contains no '$'\n", + test_data->username)); + *p = '\0'; + } + + spn = talloc_asprintf(test_data, "%s/%s@%s", + test_data->krb5_service, + test_data->krb5_hostname, + test_data->realm); + + spn_real_realm = talloc_asprintf(test_data, "%s/%s@%s", + test_data->krb5_service, + test_data->krb5_hostname, + test_data->real_realm); + + if (!test_data->canonicalize && test_data->enterprise) { + torture_skip(tctx, + "This test combination " + "is skipped intentionally"); + } + + if (test_data->as_req_spn) { + if (test_data->enterprise) { + torture_skip(tctx, + "This test combination " + "is skipped intentionally"); + } + principal_string = spn; + } else { + principal_string = talloc_asprintf(test_data, + "%s@%s", + test_data->username, + test_data->realm); + + } + + test_data->spn_is_upn + = (strcasecmp(upn, spn) == 0); + + if (test_data->as_req_spn && !test_data->spn_is_upn) { + canonical_principal_string = spn; + } else { + canonical_principal_string = talloc_asprintf( + test_data, + "%s@%s", + test_data->real_username, + test_data->real_realm); + } + + /* + * If we are set to canonicalize, we get back the fixed UPPER + * case realm, and the real username (ie matching LDAP + * samAccountName) + * + * Otherwise, if we are set to enterprise, we + * get back the whole principal as-sent + * + * Finally, if we are not set to canonicalize, we get back the + * fixed UPPER case realm, but the as-sent username + */ + if (test_data->as_req_spn && !test_data->spn_is_upn) { + expected_principal_string = spn; + } else if (test_data->canonicalize) { + expected_principal_string = talloc_asprintf(test_data, + "%s@%s", + test_data->real_username, + test_data->real_realm); + } else if (test_data->as_req_spn && test_data->spn_is_upn) { + expected_principal_string = spn_real_realm; + } else { + expected_principal_string = talloc_asprintf(test_data, + "%s@%s", + test_data->username, + test_data->real_realm); + } + + if (test_data->enterprise) { + principal_flags = KRB5_PRINCIPAL_PARSE_ENTERPRISE; + } else { + if (test_data->upn && test_data->other_upn_suffix) { + torture_skip(tctx, "UPN test for UPN with other UPN suffix only runs with enterprise principals"); + } + principal_flags = 0; + } + + if (test_data->canonicalize) { + expected_principal_flags = 0; + } else { + expected_principal_flags = principal_flags; + } + + torture_assert_int_equal(tctx, + krb5_parse_name_flags(k5_context, + principal_string, + principal_flags, + &principal), + 0, "krb5_parse_name_flags failed"); + torture_assert_int_equal(tctx, + krb5_parse_name_flags(k5_context, + canonical_principal_string, + expected_principal_flags, + &canonical_principal), + 0, "krb5_parse_name_flags failed"); + torture_assert_int_equal(tctx, + krb5_parse_name_flags(k5_context, + expected_principal_string, + expected_principal_flags, + &expected_principal), + 0, "krb5_parse_name_flags failed"); + + if (test_data->as_req_spn) { + if (test_data->upn) { + smb_krb5_principal_set_type(k5_context, + principal, + KRB5_NT_PRINCIPAL); + smb_krb5_principal_set_type(k5_context, + canonical_principal, + KRB5_NT_PRINCIPAL); + smb_krb5_principal_set_type(k5_context, + expected_principal, + KRB5_NT_PRINCIPAL); + } else { + smb_krb5_principal_set_type(k5_context, + principal, + KRB5_NT_SRV_HST); + smb_krb5_principal_set_type(k5_context, + canonical_principal, + KRB5_NT_SRV_HST); + smb_krb5_principal_set_type(k5_context, + expected_principal, + KRB5_NT_SRV_HST); + } + } + + torture_assert_int_equal(tctx, + krb5_unparse_name(k5_context, + canonical_principal, + &canonical_unparse_principal_string), + 0, "krb5_unparse_name failed"); + torture_assert_int_equal(tctx, + krb5_unparse_name(k5_context, + expected_principal, + &expected_unparse_principal_string), + 0, "krb5_unparse_name failed"); + /* + * Prepare a AS-REQ and run the TEST_AS_REQ tests + * + */ + + /* + * Set the canonicalize flag if this test requires it + */ + torture_assert_int_equal(tctx, + krb5_get_init_creds_opt_alloc(k5_context, &krb_options), + 0, "krb5_get_init_creds_opt_alloc failed"); + + krb5_get_init_creds_opt_set_canonicalize(krb_options, + test_data->canonicalize); + + k5ret = krb5_get_init_creds_password(k5_context, &my_creds, principal, + password, NULL, NULL, 0, + NULL, krb_options); + + if (test_data->as_req_spn + && !test_data->spn_is_upn) { + torture_assert_int_equal(tctx, k5ret, + KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, + "Got wrong error_code from " + "krb5_get_init_creds_password"); + /* We can't proceed with more checks */ + return true; + } else if (implicit_dollar_requires_canonicalize && + test_data->removedollar && !test_data->canonicalize) + { + /* + * We are trying to match "foo" to "foo$", but we the + * server is configured to not make that match without + * canonicalization. + */ + torture_assert_int_equal(tctx, k5ret, + KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, + "Got wrong error_code from " + "krb5_get_init_creds_password " + "(with no implicit dollar config)"); + return true; + } else if (require_canon && !test_data->canonicalize) { + /* + * The server is requiring canonicalization, and we are not + * using it. This should always fail. + */ + torture_assert_int_equal(tctx, + k5ret, + KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN, + "Principal should not match with " + "'require canonicalization = yes' " + "when canonicalization is not used."); + return true; + } else { + assertion_message = talloc_asprintf(tctx, + "krb5_get_init_creds_password for %s failed: %s", + principal_string, + smb_get_krb5_error_message(k5_context, k5ret, tctx)); + torture_assert_int_equal(tctx, k5ret, 0, assertion_message); + } + + /* + * Assert that the reply was with the correct type of + * principal, depending on the flags we set + */ + if (!test_data->canonicalize && test_data->as_req_spn) { + torture_assert_int_equal(tctx, + smb_krb5_principal_get_type( + k5_context, my_creds.client), + KRB5_NT_SRV_HST, + "smb_krb5_init_context gave incorrect " + "client->name.name_type"); + } else { + torture_assert_int_equal(tctx, + smb_krb5_principal_get_type( + k5_context, my_creds.client), + KRB5_NT_PRINCIPAL, + "smb_krb5_init_context gave incorrect " + "client->name.name_type"); + } + + torture_assert_int_equal(tctx, + krb5_unparse_name(k5_context, + my_creds.client, &got_principal_string), 0, + "krb5_unparse_name failed"); + + assertion_message = talloc_asprintf(tctx, + "krb5_get_init_creds_password returned a different principal %s to what was expected %s", + got_principal_string, expected_principal_string); + krb5_free_unparsed_name(k5_context, got_principal_string); + + torture_assert(tctx, krb5_principal_compare(k5_context, + my_creds.client, expected_principal), + assertion_message); + + torture_assert_int_equal( + tctx, + smb_krb5_principal_get_type(k5_context, my_creds.server), + KRB5_NT_SRV_INST, + "smb_krb5_init_context gave incorrect server->name.name_type"); + + torture_assert_int_equal(tctx, + krb5_princ_size(k5_context, my_creds.server), + 2, + "smb_krb5_init_context gave incorrect number " + "of components in my_creds.server->name"); + + { + char *princ_component = NULL; + + torture_assert_int_equal( + tctx, + smb_krb5_principal_get_comp_string(test_data, + k5_context, + my_creds.server, + 0, + &princ_component), + 0, + "smb_krb5_principal_get_comp_string failed"); + torture_assert_str_equal( + tctx, + princ_component, + "krbtgt", + "smb_krb5_init_context gave incorrect " + "my_creds.server->name.name_string[0]"); + + if (test_data->canonicalize) { + torture_assert_int_equal( + tctx, + smb_krb5_principal_get_comp_string( + test_data, + k5_context, + my_creds.server, + 1, + &princ_component), + 0, + "smb_krb5_principal_get_comp_string failed"); + torture_assert_str_equal( + tctx, + princ_component, + test_data->real_realm, + "smb_krb5_init_context gave incorrect " + "my_creds.server->name.name_string[1]"); + } else { + torture_assert_int_equal( + tctx, + smb_krb5_principal_get_comp_string( + test_data, + k5_context, + my_creds.server, + 1, + &princ_component), + 0, + "smb_krb5_principal_get_comp_string failed"); + torture_assert_str_equal( + tctx, + princ_component, + test_data->realm, + "smb_krb5_init_context gave incorrect " + "my_creds.server->name.name_string[1]"); + } + } + + torture_assert_str_equal( + tctx, + smb_krb5_principal_get_realm(test_data, + k5_context, + my_creds.server), + test_data->real_realm, + "smb_krb5_init_context gave incorrect my_creds.server->realm"); + + /* Store the result of the 'kinit' above into a memory ccache */ + cc_name = talloc_asprintf(tctx, "MEMORY:%s", test_data->test_name); + torture_assert_int_equal(tctx, krb5_cc_resolve(k5_context, cc_name, + &ccache), + 0, "krb5_cc_resolve failed"); + + torture_assert_int_equal(tctx, krb5_cc_initialize(k5_context, + ccache, my_creds.client), + 0, "krb5_cc_initialize failed"); + + torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context, + ccache, &my_creds), + 0, "krb5_cc_store_cred failed"); + + /* + * Prepare a TGS-REQ and run the TEST_TGS_REQ_KRBTGT_CANON tests + * + * This tests krb5_get_creds behaviour, which allows us to set + * the KRB5_GC_CANONICALIZE option against the krbtgt/ principal + */ + + /* Confirm if we can get a ticket to our own name */ + k5ret = krb5_get_credentials(k5_context, + KRB5_GC_NO_STORE | KRB5_GC_CANONICALIZE, + ccache, + &my_creds, + &server_creds); + + /* + * In these situations, the code above does not store a + * principal in the credentials cache matching what + * krb5_get_creds() needs, so the test fails. + * + */ + assertion_message = talloc_asprintf( + tctx, + "krb5_get_creds for %s failed: %s", + principal_string, + smb_get_krb5_error_message(k5_context, k5ret, tctx)); + torture_assert_int_equal(tctx, k5ret, 0, assertion_message); + torture_assert_int_equal(tctx, + krb5_cc_store_cred(k5_context, + ccache, + server_creds), + 0, + "krb5_cc_store_cred failed"); + + krb5_free_creds(k5_context, server_creds); + + /* + * Confirm getting a ticket to pass to the server, running + * either the TEST_TGS_REQ or TEST_SELF_TRUST_TGS_REQ stage. + * + * This triggers the client to attempt to get a + * cross-realm ticket between the alternate names of + * the server, and we need to confirm that behaviour. + * + */ + + torture_assert_int_equal(tctx, krb5_auth_con_init(k5_context, &auth_context), + 0, "krb5_auth_con_init failed"); + + in_data = (krb5_data){}; + + { + krb5_creds *credsp = NULL; + krb5_creds creds = {}; + + torture_assert_int_equal(tctx, + krb5_copy_principal(k5_context, + principal, + &creds.server), + 0, + "krb5_copy_principal failed"); + torture_assert_int_equal(tctx, + krb5_cc_get_principal(k5_context, + ccache, + &creds.client), + 0, + "krb5_cc_get_principal failed"); + + + /* + * Only machine accounts (strictly, accounts with a + * servicePrincipalName) can expect this test to succeed + */ + if (torture_setting_bool(tctx, "expect_machine_account", false) + && (test_data->enterprise + || test_data->spn_is_upn + || !test_data->upn)) { + torture_assert_int_equal( + tctx, + krb5_get_credentials( + k5_context, 0, ccache, &creds, &credsp), + 0, + "krb5_get_credentials failed"); + } else { + torture_assert_int_equal( + tctx, + krb5_get_credentials( + k5_context, 0, ccache, &creds, &credsp), + KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, + "krb5_get_credentials failed"); + return true; + } + + k5ret = krb5_mk_req_extended(k5_context, + &auth_context, + AP_OPTS_USE_SUBKEY, + &in_data, + credsp, + &enc_ticket); + krb5_free_creds(k5_context, credsp); + krb5_free_cred_contents(k5_context, &creds); + } + + assertion_message = talloc_asprintf(tctx, + "krb5_mk_req_extended for %s failed: %s", + principal_string, + smb_get_krb5_error_message(k5_context, k5ret, tctx)); + + /* + * Only machine accounts (strictly, accounts with a + * servicePrincipalName) can expect this test to succeed + */ + if (torture_setting_bool(tctx, "expect_machine_account", false) + && (test_data->enterprise || + (test_data->as_req_spn + || test_data->spn_is_upn) + || !test_data->upn)) { + DATA_BLOB client_to_server; + torture_assert_int_equal(tctx, k5ret, 0, assertion_message); + client_to_server = data_blob_const(enc_ticket.data, enc_ticket.length); + + if (krb5_acceptor_report_canonical_client_name) { + torture_assert(tctx, + test_accept_ticket(tctx, + samba_cmdline_get_creds(), + canonical_unparse_principal_string, + client_to_server), + "test_accept_ticket failed - failed to accept the ticket we just created"); + } else { + torture_assert(tctx, + test_accept_ticket(tctx, + samba_cmdline_get_creds(), + expected_unparse_principal_string, + client_to_server), + "test_accept_ticket failed - failed to accept the ticket we just created"); + } + krb5_free_data_contents(k5_context, &enc_ticket); + } else { + torture_assert_int_equal(tctx, k5ret, KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN, + assertion_message); + } + + krb5_free_principal(k5_context, principal); + krb5_get_init_creds_opt_free(k5_context, krb_options); + + krb5_free_cred_contents(k5_context, &my_creds); + + return true; +} + +struct torture_suite *torture_krb5_canon_mit(TALLOC_CTX *mem_ctx) +{ + unsigned int i; + struct torture_suite *suite = torture_suite_create(mem_ctx, "canon"); + suite->description = talloc_strdup(suite, "Kerberos Canonicalisation tests"); + + for (i = 0; i < TEST_ALL; i++) { + char *name = talloc_asprintf(suite, "%s.%s.%s.%s", + (i & TEST_CANONICALIZE) ? "canon" : "no-canon", + (i & TEST_ENTERPRISE) ? "enterprise" : "no-enterprise", + (i & TEST_UPPER_USERNAME) ? "uc-user" : "lc-user", + (i & TEST_UPN) ? "upn" : + ((i & TEST_AS_REQ_SPN) ? "spn" : + ((i & TEST_REMOVEDOLLAR) ? "removedollar" : "samaccountname"))); + struct torture_suite *sub_suite = torture_suite_create(mem_ctx, name); + + struct test_data *test_data = talloc_zero(suite, struct test_data); + if (i & TEST_UPN) { + if (i & TEST_AS_REQ_SPN) { + continue; + } + } + if ((i & TEST_UPN) || (i & TEST_AS_REQ_SPN)) { + if (i & TEST_REMOVEDOLLAR) { + continue; + } + } + + test_data->test_name = name; + test_data->real_realm + = strupper_talloc(test_data, + cli_credentials_get_realm( + samba_cmdline_get_creds())); + test_data->real_domain = cli_credentials_get_domain( + samba_cmdline_get_creds()); + test_data->username = cli_credentials_get_username( + samba_cmdline_get_creds()); + test_data->real_username = cli_credentials_get_username( + samba_cmdline_get_creds()); + test_data->canonicalize = (i & TEST_CANONICALIZE) != 0; + test_data->enterprise = (i & TEST_ENTERPRISE) != 0; + test_data->upper_username = (i & TEST_UPPER_USERNAME) != 0; + test_data->upn = (i & TEST_UPN) != 0; + test_data->removedollar = (i & TEST_REMOVEDOLLAR) != 0; + test_data->as_req_spn = (i & TEST_AS_REQ_SPN) != 0; + torture_suite_add_simple_tcase_const(sub_suite, name, torture_krb5_as_req_canon, + test_data); + torture_suite_add_suite(suite, sub_suite); + + } + return suite; +} diff --git a/source4/torture/krb5/kdc-mit.c b/source4/torture/krb5/kdc-mit.c index 020643a97cb..f74302f921e 100644 --- a/source4/torture/krb5/kdc-mit.c +++ b/source4/torture/krb5/kdc-mit.c @@ -772,9 +772,8 @@ NTSTATUS torture_krb5_init(TALLOC_CTX *ctx) torture_suite_add_simple_test(kdc_suite, "as-req-clock-skew", torture_krb5_as_req_clock_skew); -#if 0 - torture_suite_add_suite(kdc_suite, torture_krb5_canon(kdc_suite)); -#endif + torture_suite_add_suite(kdc_suite, torture_krb5_canon_mit(kdc_suite)); + torture_suite_add_simple_test(kdc_suite, "as-req-aes", torture_krb5_as_req_aes); diff --git a/source4/torture/krb5/wscript_build b/source4/torture/krb5/wscript_build index f59aa8847f0..039ce426953 100644 --- a/source4/torture/krb5/wscript_build +++ b/source4/torture/krb5/wscript_build @@ -11,7 +11,7 @@ if bld.CONFIG_SET('AD_DC_BUILD_IS_ENABLED'): internal_module=True) else: bld.SAMBA_MODULE('TORTURE_KRB5', - source='kdc-mit.c', + source='kdc-mit.c kdc-canon-mit.c', autoproto='proto.h', subsystem='smbtorture', init_function='torture_krb5_init',