author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-11-25 10:05:17 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-24 11:42:01 +0200 |
commit | c62a2b7a218e2c4bdbd476a055049e78b8c0f4ce (patch) | |
tree | 1b37b80efacaf3dcd1a05c5c997b4976cf2a0922 | |
parent | 5556f97c782c9be9af47c76f2432bb8480bc0622 (diff) | |
tests/krb5: Add test for S4U2Self with wrong sname
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit bac5f75059450898937be891e863826e1350b62c)
-rwxr-xr-x | python/samba/tests/krb5/s4u_tests.py | 32 | ||||
-rw-r--r-- | selftest/knownfail_heimdal_kdc | 1 |
2 files changed, 32 insertions, 1 deletions
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index 5f37525f393..2953766ef21 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -36,6 +36,7 @@ from samba.tests.krb5.raw_testcase import (
 from samba.tests.krb5.rfc4120_constants import (
 AES256_CTS_HMAC_SHA1_96,
 ARCFOUR_HMAC_MD5,
+ KDC_ERR_BADMATCH,
 KDC_ERR_BADOPTION,
 KDC_ERR_BAD_INTEGRITY,
 KDC_ERR_GENERIC,
@@ -243,7 +244,9 @@ class S4UKerberosTests(KDCBaseTest):
 client_dn = client_creds.get_dn()
 sid = self.get_objectSid(samdb, client_dn)
- service_name = service_creds.get_username()[:-1]
+ service_name = kdc_dict.pop('service_name', None)
+ if service_name is None:
+ service_name = service_creds.get_username()[:-1]
 service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
 names=['host', service_name])
@@ -474,6 +477,33 @@ class S4UKerberosTests(KDCBaseTest):
 'expected_flags': 'forwardable'
 })
+ # Do an S4U2Self with the sname in the request different to that of the
+ # service. We expect an error.
+ def test_s4u2self_wrong_sname(self):
+ other_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'trusted_to_auth_for_delegation': True,
+ 'id': 0
+ })
+ other_sname = other_creds.get_username()[:-1]
+
+ self._run_s4u2self_test(
+ {
+ 'expected_error_mode': KDC_ERR_BADMATCH,
+ 'expect_edata': False,
+ 'client_opts': {
+ 'not_delegated': False
+ },
+ 'service_opts': {
+ 'trusted_to_auth_for_delegation': True
+ },
+ 'service_name': other_sname,
+ 'kdc_options': 'forwardable',
+ 'modify_service_tgt_fn': functools.partial(
+ self.set_ticket_forwardable, flag=True)
+ })
+
 def _run_delegation_test(self, kdc_dict):
 client_opts = kdc_dict.pop('client_opts', None)
 client_creds = self.get_cached_creds(
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index bc644587319..483145f1473 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
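Review bot: The new `service_name` key is popped from `kdc_dict` in the second hunk with no comment saying that it overrides only the name placed in the request's sname, so a reader of the helper cannot tell that a mismatch with the service's own account is the intended use. I would add above the `pop` a comment such as `# Optional override for the sname in the request; defaults to the service account's own name.` The fallback keeps the existing `get_username()[:-1]` slice, which presumably drops the trailing `$` of a machine account name and deserves a word too. The enclosing helper starts and ends outside this hunk.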
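Review bot: `test_s4u2self_wrong_sname` appears to rely on `'id': 0` in the `opts` of `other_creds` to obtain an account distinct from the one the helper fetches for `service_opts`, and nothing in the test states that dependency. If both lookups ever resolved to the same cached account, the request would no longer carry a mismatched sname and the resulting failure would be hard to diagnose. A comment on that entry, e.g. `# 'id' makes this a separate cached account from the service's`, would record the assumption; how `get_cached_creds` keys its cache is not shown here, so this should be confirmed against that helper.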
@@ -243,6 +243,7 @@ ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname # ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required |
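Review bot: The added knownfail entry marks `test_s4u2self_wrong_sname` as an expected failure against the Heimdal KDC, which suggests the KDC does not yet return `KDC_ERR_BADMATCH` for a mismatched sname, but the entry carries no reference to the bug or follow-up change that will remove it. A comment line above it naming the tracking item (`# <bug reference>`) would keep the expectation from outliving the fix. The neighbouring entries are listed without such comments, so this may simply follow the file's convention.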