sname=wrong_krbtgt_princ,
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+ def test_krbtgt_single_component_krbtgt(self):
+ """Test that we can make a request to the single‐component krbtgt
+ principal."""
+
+ client_creds = self.get_client_creds()
+
+ # Create a krbtgt principal with a single component.
+ single_component_krbtgt_principal = self.PrincipalName_create(
+ name_type=NT_SRV_INST,
+ names=['krbtgt'])
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ sname=single_component_krbtgt_principal,
+ # Don’t ask for canonicalization.
+ kdc_options=0)
+
# Test that we can make a request for a ticket expiring post-2038.
def test_future_till(self):
client_creds = self.get_client_creds()
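Review bot: The docstring of `test_krbtgt_single_component_krbtgt` says only that the request "can be made"; it should state what success means here, since the test directly above it (its tail is visible at the top of the hunk) expects KDC_ERR_S_PRINCIPAL_UNKNOWN for a wrong krbtgt principal. Suggested: `"""Test that an AS-REQ naming the single-component krbtgt principal (NT_SRV_INST, no canonicalization) is accepted rather than rejected with KDC_ERR_S_PRINCIPAL_UNKNOWN."""`. This test builds the name with `NT_SRV_INST`, whereas the kdc_tgs and kpasswd tests in the same change use `NT_PRINCIPAL`; if both name types are meant to resolve to the krbtgt account, say so in the docstring, otherwise the other name type deserves a sibling test. The enclosing class continues outside the hunk.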
unexpected_client_claims=None,
expected_device_claims=None,
unexpected_device_claims=None,
- pac_request=True, expect_pac=True, fresh=False):
+ pac_request=True, expect_pac=True,
+ expect_requester_sid=None,
+ expect_pac_attrs=None,
+ expect_pac_attrs_pac_request=None,
+ fresh=False):
user_name = tgt.cname['name-string'][0]
ticket_sname = tgt.sname
if target_name is None:
str(unexpected_client_claims),
str(expected_device_claims),
str(unexpected_device_claims),
- expect_pac)
+ expect_pac,
+ expect_requester_sid,
+ expect_pac_attrs,
+ expect_pac_attrs_pac_request)
if not fresh:
ticket = self.tkt_cache.get(cache_key)
kdc_options=kdc_options,
pac_request=pac_request,
expect_pac=expect_pac,
+ expect_requester_sid=expect_requester_sid,
+ expect_pac_attrs=expect_pac_attrs,
+ expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
rc4_support=rc4_support,
to_rodc=to_rodc)
expected_error=(KDC_ERR_POLICY,
KDC_ERR_S_PRINCIPAL_UNKNOWN))
+ def test_single_component_krbtgt_requester_sid_as_req(self):
+ """Test that TGTs issued to a single‐component krbtgt principal always
+ contain a requester SID PAC buffer.
+ """
+
+ creds = self._get_creds()
+
+ # Create a single‐component principal of the form ‘krbtgt@REALM’.
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=['krbtgt'])
+
+ # Don’t request canonicalization.
+ kdc_options = 'forwardable,renewable,renewable-ok'
+
+ # Get a TGT and assert that the requester SID PAC buffer is present.
+ self.get_tgt(creds,
+ sname=sname,
+ kdc_options=kdc_options,
+ expect_requester_sid=True)
+
+ def test_single_component_krbtgt_requester_sid_tgs_req(self):
+ """Test that TGTs issued to a single‐component krbtgt principal always
+ contain a requester SID PAC buffer.
+ """
+
+ creds = self._get_creds()
+ tgt = self.get_tgt(creds)
+
+ # Create a single‐component principal of the form ‘krbtgt@REALM’.
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=['krbtgt'])
+
+ # Don’t request canonicalization.
+ kdc_options = '0'
+
+ # Get a TGT and assert that the requester SID PAC buffer is present.
+ self.get_service_ticket(tgt,
+ self.get_krbtgt_creds(),
+ sname=sname,
+ kdc_options=kdc_options,
+ expect_requester_sid=True)
+
+ def test_single_component_krbtgt_no_pac_as_req(self):
+ """Test that TGTs issued to a single‐component krbtgt principal always
+ contain a PAC.
+ """
+
+ creds = self._get_creds()
+
+ # Create a single‐component principal of the form ‘krbtgt@REALM’.
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=['krbtgt'])
+
+ # Don’t request canonicalization.
+ kdc_options = 'forwardable,renewable,renewable-ok'
+
+ # Get a TGT and assert that the requester SID PAC buffer is present.
+ self.get_tgt(creds,
+ sname=sname,
+ kdc_options=kdc_options,
+ # Request that no PAC be issued.
+ pac_request=False,
+ # Ensure that a PAC is issued nonetheless.
+ expect_pac=True)
+
+ def test_single_component_krbtgt_no_pac_tgs_req(self):
+ """Test that TGTs issued to a single‐component krbtgt principal always
+ contain a PAC.
+ """
+
+ creds = self._get_creds()
+ tgt = self.get_tgt(creds)
+
+ # Create a single‐component principal of the form ‘krbtgt@REALM’.
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=['krbtgt'])
+
+ # Don’t request canonicalization.
+ kdc_options = '0'
+
+ # Get a TGT and assert that the requester SID PAC buffer is present.
+ self.get_service_ticket(tgt,
+ self.get_krbtgt_creds(),
+ sname=sname,
+ kdc_options=kdc_options,
+ # Request that no PAC be issued.
+ pac_request=False,
+ # Ensure that a PAC is issued nonetheless.
+ expect_pac=True,
+ expect_pac_attrs=True,
+ expect_pac_attrs_pac_request=True)
+
+ def test_single_component_krbtgt_service_ticket(self):
+ """Test that TGTs issued to a single‐component krbtgt principal can be
+ used to get service tickets.
+ """
+
+ creds = self._get_creds()
+
+ # Create a single‐component principal of the form ‘krbtgt@REALM’.
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=['krbtgt'])
+
+ # Don’t request canonicalization.
+ kdc_options = 'forwardable,renewable,renewable-ok'
+
+ # Get a TGT.
+ tgt = self.get_tgt(creds,
+ sname=sname,
+ kdc_options=kdc_options)
+
+ # Ensure that we can use the TGT to get a service ticket.
+ self._run_tgs(tgt, creds, expected_error=0)
+
def test_pac_attrs_none(self):
creds = self._get_creds()
self.get_tgt(creds, pac_request=None,
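Review bot: The comment `# Get a TGT and assert that the requester SID PAC buffer is present.` in `test_single_component_krbtgt_no_pac_as_req` and `test_single_component_krbtgt_no_pac_tgs_req` is copied from the requester-SID tests, but those two tests assert `expect_pac=True`, not the requester SID; change it to `# Get a TGT and assert that a PAC is issued despite pac_request=False.`. The TGS variant additionally asserts `expect_pac_attrs=True` and `expect_pac_attrs_pac_request=True` while the AS-REQ variant does not; if the AS-REQ path is also expected to record the PAC_REQUEST flag in the PAC attributes buffer the same assertions belong there, otherwise a one-line comment explaining the asymmetry would help. It is worth spelling out, in the first docstring of this group, why the property matters: a ticket whose sname is `krbtgt@REALM` is usable as a TGT (as `test_single_component_krbtgt_service_ticket` shows), so presumably a PAC-less or requester-SID-less one would escape the checks the TGS applies to TGTs — that is the security property these tests pin, and the docstrings currently only state the mechanism. The enclosing class continues outside the hunk.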
expected_msg,
mode=self.KpasswdMode.CHANGE)
+ # Show that we cannot provide a TGT to kpasswd that was obtained with a
+ # single‐component principal.
+ def test_kpasswd_tgt_single_component_krbtgt(self):
+ # Create an account for testing.
+ creds = self._get_creds()
+
+ # Create a single‐component principal of the form ‘krbtgt@REALM’.
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=['krbtgt'])
+
+ # Don’t request canonicalization.
+ kdc_options = 'forwardable,renewable,renewable-ok'
+
+ # Get a TGT.
+ tgt = self.get_tgt(creds, sname=sname, kdc_options=kdc_options)
+
+ # Change the sname of the ticket to match that of kadmin/changepw.
+ tgt.set_sname(self.get_kpasswd_sname())
+
+ expected_code = KPASSWD_AUTHERROR
+ expected_msg = b'A TGT may not be used as a ticket to kpasswd'
+
+ # Set the password.
+ new_password = generate_random_password(32, 32)
+ self.kpasswd_exchange(tgt,
+ new_password,
+ expected_code,
+ expected_msg,
+ mode=self.KpasswdMode.SET)
+
+ # Change the password.
+ self.kpasswd_exchange(tgt,
+ new_password,
+ expected_code,
+ expected_msg,
+ mode=self.KpasswdMode.CHANGE)
+
# Test that kpasswd rejects requests with a service ticket.
def test_kpasswd_non_initial(self):
# Create an account for testing, and get a TGT.
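Review bot: `test_kpasswd_tgt_single_component_krbtgt` rewrites the ticket's sname to the kadmin/changepw name before the exchange, so the rejection it expects cannot come from an sname check; the comment at `tgt.set_sname(...)` should say what kpasswd is expected to key on instead, e.g. `# The sname is rewritten, so kpasswd must recognise a TGT by other means (ticket key or PAC), not by name.` — the actual mechanism is not visible in this hunk and should be confirmed. The expected text `A TGT may not be used as a ticket to kpasswd` is presumably the same literal used by the existing TGT test whose tail is visible above; if the server message changes, both tests fail independently, so a shared module-level constant would be safer. Only the `NT_PRINCIPAL` form of the single-component name is covered here; the `NT_SRV_INST` form used in as_req_tests is not exercised against kpasswd. The enclosing class continues outside the hunk.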
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.ConditionalAceTests\.test_device_in_network_group_rbcd\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.DeviceRestrictionTests\.test_device_in_network_group\(ad_dc\)$
^samba\.tests\.krb5\.conditional_ace_tests\.samba\.tests\.krb5\.conditional_ace_tests\.TgsReqServicePolicyTests\.test_device_in_network_group\(ad_dc\)$
+#
+# Single‐component krbtgt principal tests
+#
+^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
+^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
+^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_certificate_signature_win2k.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_sha256_signature_win2k.ad_dc
^samba.tests.krb5.pkinit_tests.samba.tests.krb5.pkinit_tests.PkInitTests.test_pkinit_win2k.ad_dc
+#
+# Single‐component krbtgt principal tests
+#
+^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2003dc\)$
+^samba\.tests\.krb5\.as_req_tests\.samba\.tests\.krb5\.as_req_tests\.AsReqKerberosTests\.test_krbtgt_single_component_krbtgt\(fl2008r2dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_as_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_no_pac_tgs_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_as_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_requester_sid_tgs_req\(ad_dc\)$
+^samba\.tests\.krb5\.kdc_tgs_tests\.samba\.tests\.krb5\.kdc_tgs_tests\.KdcTgsTests\.test_single_component_krbtgt_service_ticket\(ad_dc\)$
+^samba\.tests\.krb5\.kpasswd_tests\.samba\.tests\.krb5\.kpasswd_tests\.KpasswdTests\.test_kpasswd_tgt_single_component_krbtgt\(ad_dc\)$