From: Gary Lockyer Date: Thu, 30 Oct 2025 19:31:33 +0000 (+1300) Subject: s4:kdc:tests: support "kdc always generate pac" X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b71282b05daf413da02660119181c07c4d5bda28;p=thirdparty%2Fsamba.git s4:kdc:tests: support "kdc always generate pac" Update the tests to check the "kdc always generate pac" configuration and expect the presence of a PAC accordingly. Signed-off-by: Gary Lockyer Reviewed-by: Jennifer Sutton --- diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py index 3feafc22f53..f75161bb9e0 100755 --- a/python/samba/tests/krb5/fast_tests.py +++ b/python/samba/tests/krb5/fast_tests.py @@ -126,6 +126,7 @@ class FAST_Tests(KDCBaseTest): client_opts={'no_auth_data_required': True}) def test_simple_as_req_self_pac_request_false(self): + expect_pac = self.always_include_pac self._run_test_sequence([ { 'rep_type': KRB_AS_REP, @@ -140,7 +141,7 @@ class FAST_Tests(KDCBaseTest): 'gen_padata_fn': self.generate_enc_timestamp_padata, 'as_req_self': True, 'pac_request': False, - 'expect_pac': False + 'expect_pac': expect_pac } ], client_account=self.AccountType.COMPUTER) diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py index de52378e591..64397530caf 100755 --- a/python/samba/tests/krb5/kdc_tgs_tests.py +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -667,7 +667,10 @@ class KdcTgsTests(KdcTgsBaseTests): pac_request=False, expect_pac=False) pac = self.get_ticket_pac(ticket, expect_pac=False) - self.assertIsNone(pac) + if not self.always_include_pac: + self.assertIsNone(pac) + else: + self.assertIsNotNone(pac) def test_request_enterprise_canon(self): upn = self.get_new_username() 
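Review bot: In fast_tests.py, `test_simple_as_req_self_pac_request_false` now expects whatever `self.always_include_pac` says, but nothing in the test explains why a request with `'pac_request': False` can legitimately come back with a PAC. A one-line comment above the new assignment in the hunk at @@ -126 would cover it, for example `# The KDC may be configured to issue a PAC even when the client asks for none.` The single-use local could then be dropped in favour of `'expect_pac': self.always_include_pac` in the hunk at @@ -140. The test body continues outside both hunks.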
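Review bot: In kdc_tgs_tests.py the hunk at @@ -667 adds a four-line `if not self.always_include_pac: … else: …` block that is repeated verbatim in the hunks at @@ -2644, @@ -2683, @@ -2773 and @@ -2916. Each copy collapses to `self.assertEqual(self.always_include_pac, pac is not None)`, which also avoids a negated condition with an `else`. The calls just above still pass the literal `expect_pac=False` to `get_ticket_pac()` (and to `_run_tgs()` where it is visible), so the arguments contradict the assertion when the option is on; `expect_pac=self.always_include_pac` would keep the two in step, but those helpers' bodies are not visible here, so confirm they accept it first. The enclosing test methods start outside the hunks.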
@@ -2644,7 +2647,10 @@ class KdcTgsTests(KdcTgsBaseTests): ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False) pac = self.get_ticket_pac(ticket, expect_pac=False) - self.assertIsNone(pac) + if not self.always_include_pac: + self.assertIsNone(pac) + else: + self.assertIsNotNone(pac) def test_tgs_pac_request_true(self): creds = self._get_creds() @@ -2683,7 +2689,10 @@ class KdcTgsTests(KdcTgsBaseTests): ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False) pac = self.get_ticket_pac(ticket, expect_pac=False) - self.assertIsNone(pac) + if not self.always_include_pac: + self.assertIsNone(pac) + else: + self.assertIsNotNone(pac) def test_renew_pac_request_true(self): creds = self._get_creds() @@ -2773,7 +2782,10 @@ class KdcTgsTests(KdcTgsBaseTests): ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False) pac = self.get_ticket_pac(ticket, expect_pac=False) - self.assertIsNone(pac) + if not self.always_include_pac: + self.assertIsNone(pac) + else: + self.assertIsNotNone(pac) def test_validate_pac_request_true(self): creds = self._get_creds() @@ -2916,7 +2928,10 @@ class KdcTgsTests(KdcTgsBaseTests): expect_pac=False) pac = self.get_ticket_pac(ticket, expect_pac=False) - self.assertIsNone(pac) + if not self.always_include_pac: + self.assertIsNone(pac) + else: + self.assertIsNotNone(pac) def test_user2user_user_pac_request_true(self): creds = self._get_creds() diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 357345a8d8c..c87ea37b372 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -52,6 +52,7 @@ from samba.credentials import Credentials from samba.dcerpc import claims, krb5pac, netlogon, samr, security, krb5ccache from samba.gensec import FEATURE_SEAL from samba.ndr import ndr_pack, ndr_unpack +from samba.param import LoadParm from samba.dcerpc.misc import ( SEC_CHAN_WKSTA, SEC_CHAN_BDC, 
@@ -59,9 +60,6 @@ from samba.dcerpc.misc import ( SEC_CHAN_DOMAIN, SEC_CHAN_DNS_DOMAIN, ) -from samba.dsdb import ( - UF_SMARTCARD_REQUIRED -) import samba.tests from samba.tests import TestCase @@ -864,6 +862,28 @@ class RawKerberosTest(TestCase): padata_checking = '1' cls.padata_checking = bool(int(padata_checking)) + using_embedded_heimdal = samba.tests.env_get_var_value( + 'USING_EMBEDDED_HEIMDAL', + allow_missing=True) + if using_embedded_heimdal is None: + using_embedded_heimdal = False + else: + using_embedded_heimdal = bool(int(using_embedded_heimdal)) + cls.always_include_pac = False + # Always generating the PAC is currently only supported by + # the Embedded heimdal + if using_embedded_heimdal: + # get_loadparm loads the client smb.conf + # we need to load the server smb.conf to get the server + # settings. + server_conf = samba.tests.env_get_var_value('SERVERCONFFILE') + lp = LoadParm(filename_for_non_global_lp=server_conf) + always_include = lp.get("kdc always include pac") + if always_include is None: + always_include = "True" + + cls.always_include_pac = bool(always_include) + kadmin_is_tgs = samba.tests.env_get_var_value('KADMIN_IS_TGS', allow_missing=True) if kadmin_is_tgs is None: @@ -4304,7 +4324,7 @@ class RawKerberosTest(TestCase): pac_data = self.get_ticket_pac(ticket_creds, expect_pac=expect_pac) if expect_pac is True: self.assertIsNotNone(pac_data) - elif expect_pac is False: + elif expect_pac is False and self.always_include_pac is False: self.assertIsNone(pac_data) if pac_data is not None: @@ -4820,8 +4840,9 @@ class RawKerberosTest(TestCase): self.assertEqual(expect_pac_attrs_pac_request is True, requested_pac) - self.assertEqual(expect_pac_attrs_pac_request is None, - given_pac) + if not self.always_include_pac: + self.assertEqual(expect_pac_attrs_pac_request is None, + given_pac) elif (pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID and expect_requester_sid): 
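Review bot: In raw_testcase.py (@@ -864), `cls.always_include_pac = bool(always_include)` is true for any non-empty string, so if `lp.get()` ever hands back the textual value (`"no"`, `"False"`) the flag comes out True and the PAC-absence assertions this commit gates on it are silently skipped. The string fallback `"True"` on the line before suggests a string is at least anticipated; parsing the value explicitly, as in the sketch below, removes the ambiguity. Separately, the commit subject names the option "kdc always generate pac" while the lookup uses `"kdc always include pac"`; one of the two should be corrected, since a name the server does not know would presumably return None and default the flag to True. `SERVERCONFFILE` is also read without `allow_missing=True`, unlike the other lookups in this hunk, which presumably makes class setup fail wherever that variable is not exported. The enclosing class method starts and ends outside the hunk.

```python
        # … unchanged: USING_EMBEDDED_HEIMDAL lookup and LoadParm(server_conf) …
            always_include = lp.get("kdc always include pac")
            if always_include is None:
                # Option not reported by this build: keep the commit's fallback.
                cls.always_include_pac = True
            elif isinstance(always_include, str):
                cls.always_include_pac = always_include.strip().lower() in (
                    'yes', 'true', 'on', '1')
            else:
                cls.always_include_pac = bool(always_include)
```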
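Review bot: In raw_testcase.py (@@ -4304), the condition `elif expect_pac is False and self.always_include_pac is False:` means that with the option on and `expect_pac=False` neither branch runs, so the ticket is accepted whether or not it carries a PAC. If every such caller should now receive a PAC, `elif expect_pac is False:` followed by `self.assertEqual(self.always_include_pac, pac_data is not None)` checks both modes. The hunk at @@ -4820 has the same shape: the `given_pac` comparison is skipped outright under `if not self.always_include_pac:` rather than replaced by the value expected in that mode. If leaving these unchecked is deliberate, a comment saying which cases legitimately differ would keep the gap from being mistaken for coverage. Both enclosing methods extend beyond the hunks.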
diff --git a/selftest/knownfail.d/always-include-pac b/selftest/knownfail.d/always-include-pac new file mode 100644 index 00000000000..74f39dc8d0b --- /dev/null +++ b/selftest/knownfail.d/always-include-pac @@ -0,0 +1,6 @@ +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_renew_pac_request_false.*ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_request_no_pac.*ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_tgs_pac_request_false.*ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_user2user_user_pac_request_false.*ad_dc +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_validate_pac_request_false.*ad_dc +^samba.tests.krb5.fast_tests.samba.tests.krb5.fast_tests.FAST_Tests.test_simple_as_req_self_pac_request_false diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 6419786620d..1675112cc1b 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1320,6 +1320,7 @@ check_padata = int('SAMBA4_USES_HEIMDAL' in config_hash) expect_nt_status = int('SAMBA4_USES_HEIMDAL' in config_hash) as_req_logging_support = int('SAMBA4_USES_HEIMDAL' in config_hash) tgs_req_logging_support = int('SAMBA4_USES_HEIMDAL' in config_hash) +embedded_heimdal = int('USING_EMBEDDED_HEIMDAL' in config_hash) ca_dir = os.path.join('selftest', 'manage-ca', 'CA-samba.example.com') @@ -1357,6 +1358,7 @@ krb5_environ = { 'CA_CERT': ca_cert_path, 'CA_PRIVATE_KEY': ca_private_key_path, 'CA_PASS': ca_pass, + 'USING_EMBEDDED_HEIMDAL' : embedded_heimdal, } planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") planoldpythontestsuite("none", "samba.tests.krb5.claims_in_pac")
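Review bot: The last pattern in selftest/knownfail.d/always-include-pac has no `.*ad_dc` suffix, unlike the five above it, so it marks `FAST_Tests.test_simple_as_req_self_pac_request_false` as a known failure in every environment and, being unanchored at the end, for any longer test name that starts with that string. If the failure is specific to one environment, end it the same way as the others: `...test_simple_as_req_self_pac_request_false.*ad_dc`. The file also gives no reason for the entries; a leading `#` comment naming the change that is expected to make them pass would help whoever removes them later.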
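Review bot: In source4/selftest/tests.py (@@ -1357), the new entry `'USING_EMBEDDED_HEIMDAL' : embedded_heimdal,` has a space before the colon, unlike the neighbouring `'CA_PASS': ca_pass,`; write it as `'USING_EMBEDDED_HEIMDAL': embedded_heimdal,`. The value is the int produced by `int('USING_EMBEDDED_HEIMDAL' in config_hash)` in the hunk at @@ -1320, which matches the `bool(int(...))` parse on the consumer side in raw_testcase.py. The dict literal starts outside the hunk.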