From: Joseph Sutton Date: Wed, 15 Mar 2023 22:06:19 +0000 (+1300) Subject: tests/krb5: Add tests for RODC-issued armor tickets X-Git-Tag: talloc-2.4.1~1393 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9d7594729207fc2a1139d2fa1a3f7a17c8df096f;p=thirdparty%2Fsamba.git tests/krb5: Add tests for RODC-issued armor tickets Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 302fc98edf1..4126c24785c 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -192,6 +192,47 @@ class FAST_Tests(KDCBaseTest): } ]) + def test_fast_rodc_issued_armor(self): + self._run_test_sequence([ + { + 'rep_type': KRB_AS_REP, + 'expected_error_mode': KDC_ERR_PREAUTH_REQUIRED, + 'use_fast': True, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_rodc_issued_mach_tgt, + }, + { + 'rep_type': KRB_AS_REP, + # Test that RODC-issued armor tickets are permitted. + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_padata_fn': self.generate_enc_challenge_padata, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + 'gen_armor_tgt_fn': self.get_rodc_issued_mach_tgt, + } + ], + armor_opts={ + 'allowed_replication_mock': True, + 'revealed_to_mock_rodc': True, + }) + + def test_fast_tgs_rodc_issued_armor(self): + self._run_test_sequence([ + { + 'rep_type': KRB_TGS_REP, + # Test that RODC-issued armor tickets are not permitted. + 'expected_error_mode': 0, + 'use_fast': True, + 'gen_tgt_fn': self.get_user_tgt, + 'gen_armor_tgt_fn': self.get_rodc_issued_mach_tgt, + 'fast_armor': FX_FAST_ARMOR_AP_REQUEST, + } + ], + armor_opts={ + 'allowed_replication_mock': True, + 'revealed_to_mock_rodc': True, + }) + def test_simple_enc_pa_rep(self): self._run_test_sequence([ { 
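Review bot: In `test_fast_tgs_rodc_issued_armor` the comment says RODC-issued armor tickets are "not permitted", yet the step sets `'expected_error_mode': 0`, so the test as written asserts that the TGS request succeeds. Since this test pins whether the KDC accepts FAST armor issued by a read-only DC, one of the two needs to change: if acceptance is intended, make the comment `# Test that RODC-issued armor tickets are permitted.`; if rejection is intended, `expected_error_mode` should name the KDC error the project expects instead of 0. Both new tests are also added to selftest/knownfail_mit_kdc in this commit, so on that build the mismatch will not show up in results. A one-line docstring on each test stating the expected KDC behaviour would make the intent unambiguous.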
@@ -1930,6 +1971,9 @@ class FAST_Tests(KDCBaseTest): }) return self.get_tgt(mach_creds) + def get_rodc_issued_mach_tgt(self, opts): + return self.issued_by_rodc(self.get_mach_tgt(opts)) + def get_user_tgt(self, opts): user_creds = self.get_cached_creds( account_type=self.AccountType.USER, diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 9168afacb66..e790f290668 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -247,10 +247,12 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_outer_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_outer_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_rodc_issued_armor.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_enc_pa_rep.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_armor_session_key.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_enc_pa_rep.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_no_sname.ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_fast_tgs_rodc_issued_armor.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_no_auth_data.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_no_sname.ad_dc ^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_tgs_enc_pa_rep.ad_dc
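Review bot: `get_rodc_issued_mach_tgt` has no docstring, and nothing at the definition says what a caller must set up for the re-issued ticket to be meaningful. Both new tests that use it pass `armor_opts` with `allowed_replication_mock` and `revealed_to_mock_rodc` set to True, which presumably is what makes the machine account eligible for an RODC-issued ticket. I would state that in a docstring, e.g. `"""Return a machine TGT re-issued via issued_by_rodc(); opts should allow replication to the mock RODC."""`. `issued_by_rodc` is defined outside this hunk, so the wording should be confirmed against it.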