1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
#!/usr/bin/env python3
# Unix SMB/CIFS implementation.
# Copyright (C) Stefan Metzmacher 2020
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import os
from samba.tests.krb5.kdc_base_test import KDCBaseTest
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
global_asn1_print = False
global_hexdump = False
class RodcKerberosTests(KDCBaseTest):
def setUp(self):
super().setUp()
self.do_asn1_print = global_asn1_print
self.do_hexdump = global_hexdump
# Ensure that an RODC correctly issues tickets signed with its krbtgt key
# and including the RODCIdentifier.
def test_rodc_ticket_signature(self):
user_creds = self.get_cached_creds(
account_type=self.AccountType.USER,
opts={
'allowed_replication': True,
'revealed_to_rodc': True
})
target_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={
'allowed_replication': True,
'revealed_to_rodc': True
})
krbtgt_creds = self.get_rodc_krbtgt_creds()
rodc_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)
# Get a TGT from the RODC.
tgt = self.get_tgt(user_creds, to_rodc=True)
# Ensure the PAC contains the expected checksums.
self.verify_ticket(tgt, rodc_key, service_ticket=False)
# Get a service ticket from the RODC.
service_ticket = self.get_service_ticket(tgt, target_creds,
to_rodc=True)
# Ensure the PAC contains the expected checksums.
self.verify_ticket(service_ticket, rodc_key, service_ticket=True,
expect_ticket_checksum=True,
expect_full_checksum=True)
if __name__ == "__main__":
global_asn1_print = False
global_hexdump = False
import unittest
unittest.main()
|