From: Joseph Sutton Date: Wed, 27 Sep 2023 23:47:49 +0000 (+1300) Subject: tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST... X-Git-Tag: tevent-0.16.0~255 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b6c17359ba4f264e4f84e5495c79c62a3e9bb89;p=thirdparty%2Fsamba.git tests/krb5: Test that the correct Asserted Identity SID is added when inner FX‐FAST padata is used BUG: https://bugzilla.samba.org/show_bug.cgi?id=15477 Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Autobuild-User(master): Joseph Sutton Autobuild-Date(master): Sun Oct 1 23:46:44 UTC 2023 on atb-devel-224 --- diff --git a/python/samba/tests/krb5/authn_policy_tests.py b/python/samba/tests/krb5/authn_policy_tests.py index adb8a9ae99a..8c5216ec7be 100755 --- a/python/samba/tests/krb5/authn_policy_tests.py +++ b/python/samba/tests/krb5/authn_policy_tests.py @@ -41,6 +41,7 @@ import samba.tests.krb5.kcrypto as kcrypto from samba.tests.krb5.kdc_base_test import GroupType from samba.tests.krb5.kdc_tgs_tests import KdcTgsBaseTests from samba.tests.auth_log_base import AuthLogTestBase, NoMessageException +from samba.tests.krb5.raw_testcase import RawKerberosTest from samba.tests.krb5.rfc4120_constants import ( FX_FAST_ARMOR_AP_REQUEST, KDC_ERR_BADOPTION, @@ -49,9 +50,12 @@ from samba.tests.krb5.rfc4120_constants import ( KDC_ERR_POLICY, NT_PRINCIPAL, NT_SRV_INST, + PADATA_FX_FAST, ) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +SidType = RawKerberosTest.SidType + global_asn1_print = False global_hexdump = False @@ -5068,6 +5072,62 @@ class AuthnPolicyTests(AuthnPolicyBaseTests): # appear in the logs. self.check_tgs_log(client_creds, target_creds, policy=None) + def test_authn_policy_allowed_to_user_allow_s4u2self_inner_fast(self): + """Test that the correct Asserted Identity SID is placed into the PAC + when an S4U2Self requests contains inner FX‐FAST padata.""" + mach_creds = self.get_cached_creds( + account_type=self.AccountType.COMPUTER) + mach_tgt = self.get_tgt(mach_creds) + + # Create a user account. + client_creds = self.get_cached_creds( + account_type=self.AccountType.USER) + client_cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[client_creds.get_username()]) + client_realm = client_creds.get_realm() + + # Create a target account. + target_creds = self.get_service_creds() + target_tgt = self.get_tgt(target_creds) + + def generate_s4u2self_padata(_kdc_exchange_dict, + _callback_dict, + req_body): + s4u2self_padata = self.PA_S4U2Self_create( + name=client_cname, + realm=client_realm, + tgt_session_key=target_tgt.session_key, + ctype=None) + + # Add empty FX‐FAST padata to the inner request. + fx_fast_padata = self.PA_DATA_create(PADATA_FX_FAST, b'') + + padata = [s4u2self_padata, fx_fast_padata] + + return padata, req_body + + # Check that the PAC contains the correct groups. + self._tgs_req( + target_tgt, 0, target_creds, target_creds, + expected_cname=client_cname, + generate_fast_padata_fn=generate_s4u2self_padata, + armor_tgt=mach_tgt, + expected_groups={ + ( + # Expect to get the Service Asserted Identity SID. + security.SID_SERVICE_ASSERTED_IDENTITY, + SidType.EXTRA_SID, + security.SE_GROUP_DEFAULT_FLAGS, + ), + ..., + }, + unexpected_groups={ + # Expect not to get the Authentication Authority Asserted + # Identity SID. + security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY, + }) + def test_authn_policy_allowed_to_user_allow_constrained_delegation(self): samdb = self.get_samdb() diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 50e4221e20c..22cc6f4358d 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -3770,6 +3770,7 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_to_self.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self.ad_dc +^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_allow_s4u2self_inner_fast.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation.ad_dc ^samba.tests.krb5.authn_policy_tests.samba.tests.krb5.authn_policy_tests.AuthnPolicyTests.test_authn_policy_allowed_to_user_deny_constrained_delegation_to_self.ad_dc