tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs

These tests crash Windows, but we can assume reasonable behaviour for
Samba.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

diff --git a/python/samba/tests/krb5/device_tests.py b/python/samba/tests/krb5/device_tests.py
index 02856215abde323a1e1b668dc55b66b228c2a741..1a0879a29ea3a0764aef562040d6ec3e3c987de8 100755 (executable)
--- a/python/samba/tests/krb5/device_tests.py
+++ b/python/samba/tests/krb5/device_tests.py
@@ -1774,6 +1774,106 @@ class DeviceTests(KDCBaseTest):
                 # SIDs removed, and our elevation of privilege attack foiled.
             },
         },
+        {
+            'test': 'rodc-issued without claims valid',
+            'as:expected': {
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:mach:sids': {
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                # The Claims Valid SID is missing.
+            },
+            # The armor ticket was issued by an RODC.
+            'tgs:mach:from_rodc': True,
+            'tgs:to_krbtgt': False,
+            'tgs:compression': True,
+            'tgs:expected': {
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (compounded_auth, SidType.EXTRA_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:device:expected': {
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                # The Claims Valid SID is still added to the device info.
+                frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+            },
+        },
+        {
+            'test': 'rodc-issued without asserted identity',
+            'as:expected': {
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:mach:sids': {
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                # The Asserted Identity SID is missing.
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            # The armor ticket was issued by an RODC.
+            'tgs:mach:from_rodc': True,
+            'tgs:to_krbtgt': False,
+            'tgs:compression': True,
+            'tgs:expected': {
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (compounded_auth, SidType.EXTRA_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:device:expected': {
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                # The Asserted Identity SID is not added to the device info.
+                frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+            },
+        },
+        {
+            'test': 'rodc-issued asserted identity without attributes',
+            'as:expected': {
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:mach:sids': {
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                # The Asserted Identity SID has no attributes set.
+                (asserted_identity, SidType.EXTRA_SID, 0),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            # The armor ticket was issued by an RODC.
+            'tgs:mach:from_rodc': True,
+            'tgs:to_krbtgt': False,
+            'tgs:compression': True,
+            'tgs:expected': {
+                (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                (compounded_auth, SidType.EXTRA_SID, default_attrs),
+                (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+            },
+            'tgs:device:expected': {
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+                (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+                # The Asserted Identity SID appears in the device info with its
+                # attributes as normal.
+                (asserted_identity, SidType.EXTRA_SID, default_attrs),
+                frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+            },
+        },
     ]
 
     @classmethod

diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 01fcb1324583903c3c549334718f8bfafa5367cf..55fc8697a35eb6b99d31b637f903d8a0a3d93615 100644 (file)
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -58,6 +58,7 @@
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_asserted_identity\(ad_dc\)$
 #
 # Authentication policy tests
 #

diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 5870ca734d887b8150809e13982538b564bd7725..84596cf1dd7abc06564d42860a8a8b8cf5c92870 100644 (file)
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -3701,6 +3701,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_user_from_trust_domain_local_groups_to_krbtgt.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_user_from_trust_domain_local_groups_to_service_compressed.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_user_from_trust_domain_local_groups_to_service_uncompressed.ad_dc
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_asserted_identity_without_attributes\(ad_dc\)$
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_asserted_identity\(ad_dc\)$
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_claims_valid\(ad_dc\)$
 #
 # Authentication policy tests
 #