From: Jo Sutton
Date: Fri, 26 Apr 2024 01:08:23 +0000 (+1200)
Subject: tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
X-Git-Tag: tdb-1.4.11~668
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9fac9b776e7aeef9b918d0c0f02edc4df0e49ddd;p=thirdparty%2Fsamba.git
tests/krb5: Test that gMSA passwords cannot be viewed over an unsealed connection
Signed-off-by: Jo Sutton
Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/gmsa_tests.py b/python/samba/tests/krb5/gmsa_tests.py
index 9ecdacda8f7..bd3e06275e0 100755
--- a/python/samba/tests/krb5/gmsa_tests.py
+++ b/python/samba/tests/krb5/gmsa_tests.py
@@ -735,6 +735,47 @@ class GmsaTests(GkdiBaseTest, KDCBaseTest):
             self.gmsa_account(msa_membership=deny_world_sddl), expect_access=False
         )
 
+    def test_retrieving_password_over_sealed_connection(self):
+        lp = self.get_lp()
+        samdb = SamDB(
+            f"ldap://{self.dc_host}",
+            credentials=self.get_admin_creds(),
+            session_info=auth.system_session(lp),
+            lp=lp,
+        )
+
+        self.check_managed_password_access(
+            self.gmsa_account(), samdb=samdb, expect_access=True
+        )
+
+    def test_retrieving_password_over_unsealed_connection(self):
+        # Requires --use-kerberos=required, or it automatically upgrades to an
+        # encrypted connection.
+
+        # Remove FEATURE_SEAL which gets added by insta_creds.
+        creds = self.insta_creds(template=self.get_admin_creds())
+        creds.set_gensec_features(creds.get_gensec_features() & ~gensec.FEATURE_SEAL)
+
+        lp = self.get_lp()
+
+        sasl_wrap = lp.get("client ldap sasl wrapping")
+        self.addCleanup(lp.set, "client ldap sasl wrapping", sasl_wrap)
+        lp.set("client ldap sasl wrapping", "sign")
+
+        # Create a second ldb connection without seal.
+        samdb = SamDB(
+            f"ldap://{self.dc_host}",
+            credentials=creds,
+            session_info=auth.system_session(lp),
+            lp=lp,
+        )
+
+        self.check_managed_password_access(
+            self.gmsa_account(),
+            samdb=samdb,
+            expected_werror=werror.WERR_DS_CONFIDENTIALITY_REQUIRED,
+        )
+
     def test_retrieving_denied_password_over_unsealed_connection(self):
         # Requires --use-kerberos=required, or it automatically upgrades to an
         # encrypted connection.
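Review bot: The positive control `test_retrieving_password_over_sealed_connection` never pins the property it is named for — it passes `self.get_admin_creds()` and the default `lp` unchanged, so whether the connection is actually sealed depends on the smb.conf default for `client ldap sasl wrapping` and on whatever gensec features those credentials happen to carry. Mirror the negative test and make it explicit before building `samdb`: `sasl_wrap = lp.get("client ldap sasl wrapping")`, `self.addCleanup(lp.set, "client ldap sasl wrapping", sasl_wrap)`, `lp.set("client ldap sasl wrapping", "seal")`. In the unsealed test, `self.gmsa_account()` is evaluated only after `lp` has been switched to sign-only; if that helper opens a fresh connection with the same LoadParm it inherits the downgrade (its body is not visible here), so binding `account = self.gmsa_account()` before the `lp.set` call keeps account setup independent of the wrapping under test. The `--use-kerberos=required` precondition is only a comment, so without it the automatic seal upgrade makes this test fail for environmental rather than functional reasons; a skip guard on the effective setting would make that explicit. The following method, `test_retrieving_denied_password_over_unsealed_connection`, continues past the end of the hunk.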