author | Stefan Metzmacher <metze@samba.org> | 2022-11-29 09:48:09 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:49 +0100 |
commit | a1e91681158d24c453cd23ab9f8760189e7de813 (patch) | |
tree | a1b780a7a157f6417a99e46a533c726891bdd2ce | |
parent | 1db952fab82eddf0d4100080a64da33786f7c882 (diff) | |
download | samba-a1e91681158d24c453cd23ab9f8760189e7de813.tar.gz |
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022
I'm using the following options:
SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
in order to run these:
python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
[jsutton@samba.org Fixed conflicts in parameters; brought in rep_padata
non-None assertion]
[jsutton@samba.org Fixed parameter conflicts in as_req_tests.py; removed
changes to non-existent check_reply_padata()]
-rwxr-xr-x | python/samba/tests/krb5/as_req_tests.py | 21 | ||||
-rw-r--r-- | python/samba/tests/krb5/kdc_base_test.py | 9 | ||||
-rw-r--r-- | python/samba/tests/krb5/raw_testcase.py | 11 |
3 files changed, 33 insertions, 8 deletions
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py index 054a49b64aa..da2c0b9d097 100755 --- a/python/samba/tests/krb5/as_req_tests.py +++ b/python/samba/tests/krb5/as_req_tests.py @@ -42,7 +42,8 @@ global_hexdump = False class AsReqBaseTest(KDCBaseTest): def _run_as_req_enc_timestamp(self, client_creds, sname=None, - expected_error=None): + expected_error=None, + expected_pa_error=None, expect_pa_edata=None): client_account = client_creds.get_username() client_as_etypes = self.get_default_enctypes() client_kvno = client_creds.get_kvno() @@ -111,6 +112,8 @@ class AsReqBaseTest(KDCBaseTest): preauth_etypes = client_as_etypes preauth_kdc_options = krb5_asn1.KDCOptions('forwardable') preauth_error_mode = 0 # AS-REP + if expected_pa_error is not None: + preauth_error_mode = expected_pa_error krbtgt_decryption_key = ( self.TicketDecryptionKey_from_creds(krbtgt_creds)) @@ -130,6 +133,7 @@ class AsReqBaseTest(KDCBaseTest): preauth_etypes, preauth_padata, preauth_kdc_options, + expect_edata=expect_pa_edata, preauth_key=preauth_key, ticket_decryption_key=krbtgt_decryption_key, pac_request=True) @@ -236,10 +240,17 @@ class AsReqKerberosTests(AsReqBaseTest): name_type=NT_SRV_INST, names=[krbtgt_account, realm]) - self._run_as_req_enc_timestamp( - client_creds, - sname=wrong_krbtgt_princ, - expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) + if self.strict_checking: + self._run_as_req_enc_timestamp( + client_creds, + sname=wrong_krbtgt_princ, + expected_pa_error=KDC_ERR_S_PRINCIPAL_UNKNOWN, + expect_pa_edata=False) + else: + self._run_as_req_enc_timestamp( + client_creds, + sname=wrong_krbtgt_princ, + expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN) if __name__ == "__main__": diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index c40a873dd8b..68862aefc3a 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py 
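Review bot: The new `expected_pa_error` and `expect_pa_edata` parameters of `_run_as_req_enc_timestamp` are undocumented, and the `if self.strict_checking:` split in the wrong-krbtgt test does not say why the two modes expect KDC_ERR_S_PRINCIPAL_UNKNOWN at different stages of the exchange. A comment above the branch such as `# Under strict checking the KDC (Windows 2022, per the commit message) is expected to reject the unknown krbtgt sname already in the pre-authentication exchange and without e-data; otherwise the error is accepted from the final AS-REQ.` would make the intent recoverable, and the function's docstring should state that `expected_pa_error` replaces `preauth_error_mode` (otherwise 0, AS-REP) and that `expect_pa_edata` is forwarded as `expect_edata`. If `expected_error` and `expected_pa_error` are meant to be mutually exclusive, a guard like `assert expected_error is None or expected_pa_error is None` near the top of the body would catch misuse early; I cannot tell from the hunks whether both can legitimately be set. The body of `_run_as_req_enc_timestamp` continues outside the hunks shown.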
@@ -48,6 +48,11 @@ from samba.dsdb import ( UF_SERVER_TRUST_ACCOUNT, UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION ) +from samba.dcerpc.misc import ( + SEC_CHAN_NULL, + SEC_CHAN_WKSTA, + SEC_CHAN_BDC, +) from samba.join import DCJoinContext from samba.ndr import ndr_pack, ndr_unpack from samba import net @@ -264,6 +269,7 @@ class KDCBaseTest(RawKerberosTest): # run failed delete_force(samdb, dn) account_name = name + secure_schannel_type = SEC_CHAN_NULL if account_type is self.AccountType.USER: object_class = "user" account_control |= UF_NORMAL_ACCOUNT @@ -273,8 +279,10 @@ class KDCBaseTest(RawKerberosTest): account_name += '$' if account_type is self.AccountType.COMPUTER: account_control |= UF_WORKSTATION_TRUST_ACCOUNT + secure_schannel_type = SEC_CHAN_WKSTA elif account_type is self.AccountType.SERVER: account_control |= UF_SERVER_TRUST_ACCOUNT + secure_schannel_type = SEC_CHAN_BDC else: self.fail() @@ -311,6 +319,7 @@ class KDCBaseTest(RawKerberosTest): creds.set_workstation('') else: creds.set_workstation(name) + creds.set_secure_channel_type(secure_schannel_type) creds.set_dn(ldb.Dn(samdb, dn)) creds.set_upn(upn) creds.set_spn(spn) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 4b9a468777e..e4b6402bb27 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -41,6 +41,10 @@ from samba.credentials import Credentials from samba.dcerpc import krb5pac, security from samba.gensec import FEATURE_SEAL from samba.ndr import ndr_pack, ndr_unpack +from samba.dcerpc.misc import ( + SEC_CHAN_WKSTA, + SEC_CHAN_BDC, +) import samba.tests from samba.tests import TestCaseInTempDir 
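Review bot: The local `secure_schannel_type` is named inconsistently with the setter it feeds, `creds.set_secure_channel_type(...)`; renaming it to `secure_channel_type` in the three hunks (initialisation to `SEC_CHAN_NULL`, the `SEC_CHAN_WKSTA`/`SEC_CHAN_BDC` assignments, and the setter call) avoids a reader wondering whether "schannel" means something different. The assignment also deserves a why-comment, since its effect is not visible here: `# The secure channel type is what KerberosCredentials (raw_testcase.py) now uses to decide whether the salt is derived from the lowercased machine name without the trailing '$'.` — that consumer is changed in this same commit. The enclosing account-creation method starts before and ends after the hunks shown, so the variable's scope should be checked against any earlier return paths there.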
@@ -475,7 +479,8 @@ class KerberosCredentials(Credentials): else: salt_name = self.get_username() - if self.get_workstation(): + secure_schannel_type = self.get_secure_channel_type() + if secure_schannel_type in [SEC_CHAN_WKSTA,SEC_CHAN_BDC]: salt_name = self.get_username().lower() if salt_name[-1] == '$': salt_name = salt_name[:-1] @@ -2863,7 +2868,7 @@ class RawKerberosTest(TestCaseInTempDir): else: self.assertElementMissing(ticket_private, 'renew-till') if self.strict_checking: - self.assertElementEqual(ticket_private, 'caddr', []) + self.assertElementMissing(ticket_private, 'caddr') if expect_pac is not None: self.assertElementPresent(ticket_private, 'authorization-data', expect_empty=not expect_pac) @@ -2904,7 +2909,7 @@ class RawKerberosTest(TestCaseInTempDir): self.assertElementEqualPrincipal(encpart_private, 'sname', expected_sname) if self.strict_checking: - self.assertElementEqual(encpart_private, 'caddr', []) + self.assertElementMissing(encpart_private, 'caddr') sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict) |
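Review bot: The membership test in the salt hunk, `if secure_schannel_type in [SEC_CHAN_WKSTA,SEC_CHAN_BDC]:`, uses a list literal for a fixed set and omits the space after the comma; write it as `if secure_schannel_type in (SEC_CHAN_WKSTA, SEC_CHAN_BDC):`. The condition also changes semantics silently: the old code keyed the machine-account salt on `self.get_workstation()` being set, so credentials that carry a workstation name but not a WKSTA/BDC channel type now fall back to the plain-username salt, which is worth stating in a comment such as `# Machine-account salt depends on the secure channel type, not on whether a workstation name is set.` The enclosing salt-derivation method starts and ends outside the hunk. The two `caddr` hunks, which now require the element to be absent rather than an empty list under strict checking, read fine as they are.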