author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2021-11-25 12:46:40 +1300 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-07-24 11:42:01 +0200 |
commit | d3436300745c41226d7ed146f269c929133f8f49 (patch) | |
tree | de14dfe0d8f3857313d9c0288cfa19d5c6aaed5c | |
parent | 29f15fe2d92831dcf5f4eb6d295df866ff689ee3 (diff) | |
tests/krb5: Add a test for S4U2Self with no authorization data required
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3)
-rwxr-xr-x | python/samba/tests/krb5/s4u_tests.py | 34 | ||||
-rw-r--r-- | selftest/knownfail_heimdal_kdc | 1 |
2 files changed, 35 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index 2953766ef21..6ec9af11423 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -324,6 +324,13 @@ class S4UKerberosTests(KDCBaseTest):
 sname=service_sname,
 etypes=etypes)
+ if not expected_error_mode:
+ # Check that the ticket contains a PAC.
+ ticket = kdc_exchange_dict['rep_ticket_creds']
+
+ pac = self.get_ticket_pac(ticket)
+ self.assertIsNotNone(pac)
+
 # Ensure we used all the parameters given to us.
 self.assertEqual({}, kdc_dict)
@@ -504,6 +511,24 @@ class S4UKerberosTests(KDCBaseTest):
 self.set_ticket_forwardable, flag=True)
 })
+ # Do an S4U2Self where the service does not require authorization data. The
+ # resulting ticket should still contain a PAC.
+ def test_s4u2self_no_auth_data_required(self):
+ self._run_s4u2self_test(
+ {
+ 'client_opts': {
+ 'not_delegated': False
+ },
+ 'service_opts': {
+ 'trusted_to_auth_for_delegation': True,
+ 'no_auth_data_required': True
+ },
+ 'kdc_options': 'forwardable',
+ 'modify_service_tgt_fn': functools.partial(
+ self.set_ticket_forwardable, flag=True),
+ 'expected_flags': 'forwardable'
+ })
+
 def _run_delegation_test(self, kdc_dict):
 client_opts = kdc_dict.pop('client_opts', None)
 client_creds = self.get_cached_creds(
@@ -654,6 +679,15 @@ class S4UKerberosTests(KDCBaseTest):
 etypes=etypes,
 additional_tickets=additional_tickets)
+ if not expected_error_mode:
+ # Check whether the ticket contains a PAC.
+ ticket = kdc_exchange_dict['rep_ticket_creds']
+ pac = self.get_ticket_pac(ticket, expect_pac=expect_pac)
+ if expect_pac:
+ self.assertIsNotNone(pac)
+ else:
+ self.assertIsNone(pac)
+
 # Ensure we used all the parameters given to us.
 self.assertEqual({}, kdc_dict)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 5e94cb63d7a..2025032a278 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
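Review bot: The PAC check added to _run_s4u2self_test is unconditional (`pac = self.get_ticket_pac(ticket)` followed by `self.assertIsNotNone(pac)`), whereas the matching check added to _run_delegation_test in the third hunk of this file is driven by an `expect_pac` flag and asserts absence when that flag is False. Any S4U2Self case that legitimately yields a PAC-less ticket cannot be expressed here, and the two helpers now read differently for what is the same check. Mirroring the delegation path — `pac = self.get_ticket_pac(ticket, expect_pac=expect_pac)` with the same if/else on `expect_pac` — would keep them consistent; this presumes `expect_pac` is, or can be, popped from kdc_dict the same way, which happens outside this hunk. The body of _run_s4u2self_test starts before and continues after this hunk.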
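Review bot: The two comment lines above `def test_s4u2self_no_auth_data_required(self):` describe the test's contract and would serve better as its docstring, so the intent shows up in test output and for anyone reading the knownfail list; e.g. `"""S4U2Self against a service with no_auth_data_required set must still yield a ticket carrying a PAC."""`. The PAC expectation is not stated anywhere in this test's kdc_dict — it is enforced only by the unconditional assertion _run_s4u2self_test gained in the first hunk — so the docstring is the one place a reader would learn what distinguishes this case from the neighbouring S4U2Self tests. Since this commit also lists the test in selftest/knownfail_heimdal_kdc, a one-line remark that it is currently expected to fail against the Heimdal KDC would save the next reader a search.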
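Review bot: The new check in _run_delegation_test only establishes whether a PAC object came back (`self.assertIsNotNone(pac)` / `self.assertIsNone(pac)`); nothing in the hunk looks at what the PAC says. For a delegation ticket the PAC is precisely the authorization data the target service will trust, so a ticket carrying some PAC is weaker evidence than a ticket carrying the impersonated client's PAC. If get_ticket_pac() does not already verify the PAC's signatures and the base class offers a way to read its logon information, asserting that the account named in the PAC is the impersonated client would make the test meaningfully stronger; if that verification already happens inside get_ticket_pac(), a comment saying so — `# get_ticket_pac() verifies the PAC; here we only check presence.` — would stop readers from adding a redundant check. `expect_pac` and `expected_error_mode` are bound outside this hunk, and _run_delegation_test continues past its end.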
@@ -242,6 +242,7 @@
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_client_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_no_auth_data_required
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
 # ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required |