From 3dd918f3186699b2908d6fc8cda83b49d6b9c39c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher
Date: Fri, 13 Dec 2024 15:46:02 +0100
Subject: [PATCH] python:tests/krb5: let netlogon.py run the tests also as rodc

Signed-off-by: Stefan Metzmacher
Reviewed-by: Jennifer Sutton
---
 python/samba/tests/krb5/netlogon.py | 15 +++++++++++-
 .../knownfail.d/samba.tests.krb5.netlogon | 23 +++++++++++++++++++
 2 files changed, 37 insertions(+), 1 deletion(-)

diff --git a/python/samba/tests/krb5/netlogon.py b/python/samba/tests/krb5/netlogon.py
index ac377f0b3c6..391211153aa 100755
--- a/python/samba/tests/krb5/netlogon.py
+++ b/python/samba/tests/krb5/netlogon.py
@@ -63,7 +63,7 @@ class NetlogonSchannel(KDCBaseTest):
 ]
 for test in tests:
- for trust in ["wks", "bdc"]:
+ for trust in ["wks", "bdc", "rodc"]:
 for auth3_flags in [0x603fffff, 0x613fffff, 0xe13fffff]:
 setup_test(test, trust, "auth3", auth3_flags)
 for auth3_flags in [0x00004004, 0x00004000, 0x01000000]:
@@ -121,6 +121,11 @@ class NetlogonSchannel(KDCBaseTest):
 'supported_enctypes': 0x18,
 'secure_channel_type': misc.SEC_CHAN_BDC})
+ def get_rodc1_creds(self):
+ krbtgt_creds = self.get_mock_rodc_krbtgt_creds(preserve=False)
+ computer_creds = krbtgt_creds.get_rodc_computer_creds()
+ return computer_creds
+
 def get_anon_conn(self):
 dc_server = self.dc_server
 conn = netlogon.netlogon(f'ncacn_ip_tcp:{dc_server}',
@@ -964,6 +969,8 @@ class NetlogonSchannel(KDCBaseTest):
 creds = self.get_wks1_creds()
 elif trust == "bdc":
 creds = self.get_bdc1_creds()
+ elif trust == "rodc":
+ creds = self.get_rodc1_creds()
 self.assertIsNotNone(creds)
 proposed_flags = flags
@@ -1067,6 +1074,8 @@ class NetlogonSchannel(KDCBaseTest):
 if ncreds.secure_channel_type == misc.SEC_CHAN_WKSTA:
 expect_get_error = ntstatus.NT_STATUS_ACCESS_DENIED
+ elif ncreds.secure_channel_type == misc.SEC_CHAN_RODC:
+ expect_get_error = ntstatus.NT_STATUS_ACCESS_DENIED
 else:
 expect_get_error = None
 self.do_ServerPasswordGet(ncreds, conn,
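Review bot: `get_rodc1_creds` in the `@@ -121,6 +121,11 @@` hunk has no docstring, and unlike the helper whose tail is visible just above it (which sets `'secure_channel_type': misc.SEC_CHAN_BDC` explicitly) it does not show what secure channel type the returned credentials carry. Later hunks branch on `ncreds.secure_channel_type == misc.SEC_CHAN_RODC`, so presumably `get_rodc_computer_creds()` supplies that type; a docstring such as `"""Return the computer creds of a mock RODC (expected channel type: SEC_CHAN_RODC)."""` would make the dependency visible. A short comment on why `preserve=False` is passed would help too, since the reason is not evident from the hunk.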
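Review bot: The `if`/`elif` chain in the `@@ -964,6 +969,8 @@` hunk gains a third arm but still has no `else`, so a trust name that matches none of the arms leaves `creds` unassigned unless it is initialised above the hunk, which is not visible here. In that case `self.assertIsNotNone(creds)` would raise an UnboundLocalError instead of reporting a readable test failure. Adding `else: self.fail(f"unknown trust {trust!r}")` after the new `rodc` arm makes a typo in the `for trust in [...]` list from the first hunk fail with a clear message. The chain begins outside the hunk.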
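Review bot: In the `@@ -1067,6 +1074,8 @@` hunk the new `SEC_CHAN_RODC` arm assigns the same `NT_STATUS_ACCESS_DENIED` as the `SEC_CHAN_WKSTA` arm directly above it, so the two tests can be one: `if ncreds.secure_channel_type in (misc.SEC_CHAN_WKSTA, misc.SEC_CHAN_RODC):`. If the intent is that neither channel type may read a password through ServerPasswordGet, a comment saying so (`# workstation and RODC channels must be refused here`) would record the security expectation next to the assertion. The call to `do_ServerPasswordGet` continues outside the hunk.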
@@ -1315,6 +1324,8 @@ class NetlogonSchannel(KDCBaseTest):
 expect_not_found_error = ntstatus.NT_STATUS_ACCESS_DENIED
 elif expect_broken_crypto:
 expect_not_found_error = ntstatus.NT_STATUS_INVALID_PARAMETER
+ elif ncreds.secure_channel_type == misc.SEC_CHAN_RODC:
+ expect_not_found_error = ntstatus.NT_STATUS_INTERNAL_ERROR
 else:
 expect_not_found_error = ntstatus.NT_STATUS_OBJECT_NAME_NOT_FOUND
 self.do_SendToSam(ncreds, conn, opaque_buffer,
@@ -1332,6 +1343,8 @@ class NetlogonSchannel(KDCBaseTest):
 expect_no_error = ntstatus.NT_STATUS_ACCESS_DENIED
 elif expect_broken_crypto:
 expect_no_error = ntstatus.NT_STATUS_INVALID_PARAMETER
+ elif ncreds.secure_channel_type == misc.SEC_CHAN_RODC:
+ expect_no_error = ntstatus.NT_STATUS_ACCESS_DENIED
 else:
 expect_no_error = None
 self.do_SendToSam(ncreds, conn, opaque_buffer,
diff --git a/selftest/knownfail.d/samba.tests.krb5.netlogon b/selftest/knownfail.d/samba.tests.krb5.netlogon
index dc2304c1162..7f551d802b5 100644
--- a/selftest/knownfail.d/samba.tests.krb5.netlogon
+++ b/selftest/knownfail.d/samba.tests.krb5.netlogon
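Review bot: The new arm in the `@@ -1315,6 +1324,8 @@` hunk makes `NT_STATUS_INTERNAL_ERROR` the expected SendToSam result for an RODC channel without a comment saying whether that is the reference behaviour or only what the server returns today. The same patch puts several `test_send_to_sam_rodc_*` cases under "The RODC handling is wrong" in knownfail, so a reader cannot tell which of the two the assertion encodes. A line above the `elif` such as `# RODC: expected status per <reference to be filled in>` would settle it, and the matching arm in the `@@ -1332,6 +1343,8 @@` hunk (`NT_STATUS_ACCESS_DENIED` where other channel types expect success) needs the same. Both arms sit after the `expect_broken_crypto` test, so an RODC with broken crypto still expects `NT_STATUS_INVALID_PARAMETER`; both chains start outside their hunks.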
@@ -1,2 +1,25 @@
 # This is not implemented yet
 ^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_ticket_samlogon
+# The RODC handling is wrong
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_auth3_01000000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_auth3_613fffff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_auth3_e13fffff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_00000000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_00000004
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_00004000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_01000000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_01004004
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_400001ff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_413fffff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_603fbffb
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_613fffff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_80000000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_check_passwords_rodc_authK_e13fffff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_auth3_01000000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_auth3_613fffff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_auth3_e13fffff
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_00000000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_00004000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_603fbffb
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_80000000
+^samba.tests.krb5.netlogon.*.NetlogonSchannel.test_send_to_sam_rodc_authK_e13fffff
-- 
2.47.3