From: Joseph Sutton Date: Wed, 24 Nov 2021 23:46:40 +0000 (+1300) Subject: tests/krb5: Add a test for S4U2Self with no authorization data required X-Git-Tag: samba-4.14.14~55 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d3436300745c41226d7ed146f269c929133f8f49;p=thirdparty%2Fsamba.git tests/krb5: Add a test for S4U2Self with no authorization data required Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett (cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3) --- diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 2953766ef21..6ec9af11423 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -324,6 +324,13 @@ class S4UKerberosTests(KDCBaseTest): sname=service_sname, etypes=etypes) + if not expected_error_mode: + # Check that the ticket contains a PAC. + ticket = kdc_exchange_dict['rep_ticket_creds'] + + pac = self.get_ticket_pac(ticket) + self.assertIsNotNone(pac) + # Ensure we used all the parameters given to us. self.assertEqual({}, kdc_dict) @@ -504,6 +511,24 @@ class S4UKerberosTests(KDCBaseTest): self.set_ticket_forwardable, flag=True) }) + # Do an S4U2Self where the service does not require authorization data. The + # resulting ticket should still contain a PAC. + def test_s4u2self_no_auth_data_required(self): + self._run_s4u2self_test( + { + 'client_opts': { + 'not_delegated': False + }, + 'service_opts': { + 'trusted_to_auth_for_delegation': True, + 'no_auth_data_required': True + }, + 'kdc_options': 'forwardable', + 'modify_service_tgt_fn': functools.partial( + self.set_ticket_forwardable, flag=True), + 'expected_flags': 'forwardable' + }) + def _run_delegation_test(self, kdc_dict): client_opts = kdc_dict.pop('client_opts', None) client_creds = self.get_cached_creds( @@ -654,6 +679,15 @@ class S4UKerberosTests(KDCBaseTest): etypes=etypes, additional_tickets=additional_tickets) + if not expected_error_mode: + # Check whether the ticket contains a PAC. + ticket = kdc_exchange_dict['rep_ticket_creds'] + pac = self.get_ticket_pac(ticket, expect_pac=expect_pac) + if expect_pac: + self.assertIsNotNone(pac) + else: + self.assertIsNone(pac) + # Ensure we used all the parameters given to us. self.assertEqual({}, kdc_dict) diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 5e94cb63d7a..2025032a278 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -242,6 +242,7 @@ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed # ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required