author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-11-12 14:14:55 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2021-11-17 14:35:14 +0000 |
commit | 302bb70ebc9b47d9f1d46212deac17470e64740d (patch) | |
tree | b26108524d5fa2b14c29aee106711926fa7e62b5 | |
parent | a6eddc3bd7a032e1fd3921cd7ea213b5c48f2eab (diff) | |
download | samba-302bb70ebc9b47d9f1d46212deac17470e64740d.tar.gz |
CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 5ea347d3673e35891613c90ca837d1ce4833c1b0)
-rw-r--r-- | python/samba/tests/krb5/kdc_base_test.py | 42 |
1 files changed, 42 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index f64bd0b206e..6e96b982167 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -1063,6 +1063,48 @@ class KDCBaseTest(RawKerberosTest):
 fallback_creds_fn=download_dc_creds)
 return c
 
+ def get_server_creds(self,
+ require_keys=True,
+ require_strongest_key=False):
+ if require_strongest_key:
+ self.assertTrue(require_keys)
+
+ def download_server_creds():
+ samdb = self.get_samdb()
+
+ res = samdb.search(base=samdb.get_default_basedn(),
+ expression=(f'(|(sAMAccountName={self.host}*)'
+ f'(dNSHostName={self.host}))'),
+ scope=ldb.SCOPE_SUBTREE,
+ attrs=['sAMAccountName',
+ 'msDS-KeyVersionNumber'])
+ self.assertEqual(1, len(res))
+ dn = res[0].dn
+ username = str(res[0]['sAMAccountName'])
+
+ creds = KerberosCredentials()
+ creds.set_domain(self.env_get_var('DOMAIN', 'SERVER'))
+ creds.set_realm(self.env_get_var('REALM', 'SERVER'))
+ creds.set_username(username)
+
+ kvno = int(res[0]['msDS-KeyVersionNumber'][0])
+ creds.set_kvno(kvno)
+ creds.set_dn(dn)
+
+ keys = self.get_keys(samdb, dn)
+ self.creds_set_keys(creds, keys)
+
+ self.creds_set_enctypes(creds)
+
+ return creds
+
+ c = self._get_krb5_creds(prefix='SERVER',
+ allow_missing_password=True,
+ allow_missing_keys=not require_keys,
+ require_strongest_key=require_strongest_key,
+ fallback_creds_fn=download_server_creds)
+ return c
+
 def as_req(self, cname, sname, realm, etypes, padata=None, kdc_options=0):
 '''Send a Kerberos AS_REQ, returns the undecoded response
 ''' |
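Review bot: The search filter in `download_server_creds` interpolates `self.host` into the LDAP expression unescaped and appends `*` to the `sAMAccountName` clause, so a host value containing filter metacharacters changes the filter and a short name can prefix-match more than one account. `self.host` is set outside this hunk, presumably from the test environment, so the exposure is confined to the test harness, and `assertEqual(1, len(res))` does catch the multi-match case, though only as an opaque failure. I would escape the value first with `host = ldb.binary_encode(self.host)` and use `host` in both clauses; if the prefix match exists to cover the trailing `$` of a machine account, a comment saying so would help. `get_server_creds` also has no docstring; one stating that the fallback looks up the server account and reads its keys through `self.get_keys(samdb, dn)` would make the required privileges clear to callers.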