From: Joseph Sutton Date: Tue, 31 Oct 2023 03:08:41 +0000 (+1300) Subject: tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs X-Git-Tag: talloc-2.4.2~920 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f8bfd607ca3701384622caf2a223883f57ce1c36;p=thirdparty%2Fsamba.git tests/krb5: Test device info generated from RODC‐issued tickets without certain SIDs These tests crash Windows, but we can assume reasonable behaviour for Samba. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett
---
diff --git a/python/samba/tests/krb5/device_tests.py b/python/samba/tests/krb5/device_tests.py
index 02856215abd..1a0879a29ea 100755
--- a/python/samba/tests/krb5/device_tests.py
+++ b/python/samba/tests/krb5/device_tests.py
@@ -1774,6 +1774,106 @@ class DeviceTests(KDCBaseTest):
 # SIDs removed, and our elevation of privilege attack foiled.
 },
 },
+ {
+ 'test': 'rodc-issued without claims valid',
+ 'as:expected': {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:mach:sids': {
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ # The Claims Valid SID is missing.
+ },
+ # The armor ticket was issued by an RODC.
+ 'tgs:mach:from_rodc': True,
+ 'tgs:to_krbtgt': False,
+ 'tgs:compression': True,
+ 'tgs:expected': {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (compounded_auth, SidType.EXTRA_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:device:expected': {
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ # The Claims Valid SID is still added to the device info.
+ frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+ },
+ },
+ {
+ 'test': 'rodc-issued without asserted identity',
+ 'as:expected': {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:mach:sids': {
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ # The Asserted Identity SID is missing.
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ # The armor ticket was issued by an RODC.
+ 'tgs:mach:from_rodc': True,
+ 'tgs:to_krbtgt': False,
+ 'tgs:compression': True,
+ 'tgs:expected': {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (compounded_auth, SidType.EXTRA_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:device:expected': {
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ # The Asserted Identity SID is not added to the device info.
+ frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+ },
+ },
+ {
+ 'test': 'rodc-issued asserted identity without attributes',
+ 'as:expected': {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:mach:sids': {
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ # The Asserted Identity SID has no attributes set.
+ (asserted_identity, SidType.EXTRA_SID, 0),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ # The armor ticket was issued by an RODC.
+ 'tgs:mach:from_rodc': True,
+ 'tgs:to_krbtgt': False,
+ 'tgs:compression': True,
+ 'tgs:expected': {
+ (security.DOMAIN_RID_USERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_USERS, SidType.PRIMARY_GID, None),
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ (compounded_auth, SidType.EXTRA_SID, default_attrs),
+ (security.SID_CLAIMS_VALID, SidType.EXTRA_SID, default_attrs),
+ },
+ 'tgs:device:expected': {
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.BASE_SID, default_attrs),
+ (security.DOMAIN_RID_DOMAIN_MEMBERS, SidType.PRIMARY_GID, None),
+ # The Asserted Identity SID appears in the device info with its
+ # attributes as normal.
+ (asserted_identity, SidType.EXTRA_SID, default_attrs),
+ frozenset([(security.SID_CLAIMS_VALID, SidType.RESOURCE_SID, default_attrs)]),
+ },
+ },
 ]
 
 @classmethod
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 01fcb132458..55fc8697a35 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
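Review bot: None of the three new entries records that Windows crashes on these inputs, which only the commit message states, so a reader of the table will take each `tgs:device:expected` set as Windows-verified behaviour rather than Samba's chosen behaviour. A one-line comment above each entry's `'test'` key, such as `# Windows crashes on this input; the expected sets below encode Samba's chosen behaviour, not observed Windows output.`, keeps that provenance next to the data. This matters most for 'rodc-issued without asserted identity', whose device-info expectation the knownfail_heimdal_kdc hunk in this same commit lists as currently failing. The test-case list these entries extend begins above the hunk, inside `class DeviceTests(KDCBaseTest)`.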
@@ -58,6 +58,7 @@
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_base_sid_resource_attrs_to_service.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_krbtgt.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_extra_sids_to_service.ad_dc
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_asserted_identity\(ad_dc\)$
 #
 # Authentication policy tests
 #
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 5870ca734d8..84596cf1dd7 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -3701,6 +3701,9 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_user_from_trust_domain_local_groups_to_krbtgt.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_user_from_trust_domain_local_groups_to_service_compressed.ad_dc
 ^samba.tests.krb5.device_tests.samba.tests.krb5.device_tests.DeviceTests.test_device_info_user_from_trust_domain_local_groups_to_service_uncompressed.ad_dc
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_asserted_identity_without_attributes\(ad_dc\)$
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_asserted_identity\(ad_dc\)$
+^samba\.tests\.krb5\.device_tests\.samba\.tests\.krb5\.device_tests\.DeviceTests\.test_device_info_rodc_issued_without_claims_valid\(ad_dc\)$
 #
 # Authentication policy tests
 #