author | Stefan Metzmacher <metze@samba.org> | 2022-11-29 16:42:58 +0100 |
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:30 +0000 |
commit | 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d (patch) | |
tree | ff05ea1a4789b2784d0d808b27a8f51deae84c66 /python | |
parent | f434a30ee7c40aac4a223fcabac9ddd160a155a5 (diff) | |
CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest
This will allow us to create test accounts with only an NT4 hash
stored, without any AES keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python')
-rw-r--r-- | python/samba/tests/krb5/kdc_base_test.py | 38 |
1 files changed, 32 insertions, 6 deletions
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index ebea13d199a..5a027d021cd 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -414,7 +414,7 @@ class KDCBaseTest(RawKerberosTest):
def create_account(self, samdb, name, account_type=AccountType.USER,
spn=None, upn=None, additional_details=None,
ou=None, account_control=0, add_dollar=True,
- expired_password=False):
+ expired_password=False, force_nt4_hash=False):
'''Create an account for testing.
The dn of the created account is added to self.accounts,
which is used by tearDownClass to clean up the created accounts.
@@ -479,6 +479,26 @@ class KDCBaseTest(RawKerberosTest):
self.accounts.append(dn)
samdb.add(details)

+ expected_kvno = 1
+
+ if force_nt4_hash:
+ admin_creds = self.get_admin_creds()
+ lp = self.get_lp()
+ net_ctx = net.Net(admin_creds, lp, server=self.dc_host)
+ domain = samdb.domain_netbios_name().upper()
+
+ password = generate_random_password(32, 32)
+ utf16pw = ('"%s"' % password).encode('utf-16-le')
+
+ try:
+ net_ctx.set_password(newpassword=password,
+ account_name=account_name,
+ domain_name=domain,
+ force_samr_18=True)
+ expected_kvno += 1
+ except Exception as e:
+ self.fail(e)
+
creds = KerberosCredentials()
creds.guess(self.get_lp())
creds.set_realm(samdb.domain_dns_name().upper())
@@ -501,8 +521,8 @@ class KDCBaseTest(RawKerberosTest):
attrs=['msDS-KeyVersionNumber'])
kvno = res[0].get('msDS-KeyVersionNumber', idx=0)
if kvno is not None:
- self.assertEqual(int(kvno), 1)
- creds.set_kvno(1)
+ self.assertEqual(int(kvno), expected_kvno)
+ creds.set_kvno(expected_kvno)

return (creds, dn)

@@ -918,7 +938,8 @@ class KDCBaseTest(RawKerberosTest):
'member_of': None,
'kerberos_enabled': True,
'secure_channel_type': None,
- 'id': None
+ 'id': None,
+ 'force_nt4_hash': False,
}

account_opts = {
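Review bot: The docstring of `create_account` is left without any mention of the new `force_nt4_hash` parameter, although the first hunk (`@@ -414`) edits the signature directly above it. A one-line addition such as `force_nt4_hash: if True, reset the password through the force_samr_18 path so that only the NT hash (no AES keys) is stored; the expected kvno then becomes 2.` would tell a reader what the flag changes without having to read the new block further down. The body of `create_account` continues outside this hunk.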
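Review bot: `utf16pw` in the new `force_nt4_hash` block of the `@@ -479` hunk is assigned but never read, so the line `utf16pw = ('"%s"' % password).encode('utf-16-le')` can be dropped; it looks like a leftover from a unicodePwd-style modify that `net_ctx.set_password` replaced. The `except Exception as e: self.fail(e)` wrapper also turns any error, including a wrong keyword argument, into a bare failure message that loses the exception type and traceback; letting the call raise, or at least `self.fail(f'set_password failed: {e!r}')`, would make a failing run easier to diagnose. A short comment above the call, e.g. `# Reset the password via SAMR (presumably level 18) so only the NT hash, and no AES keys, is stored`, would record why this extra round-trip is needed. `account_name` is not defined in the hunk; presumably it is set earlier in `create_account`, whose body starts outside this hunk.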
@@ -966,7 +987,8 @@ class KDCBaseTest(RawKerberosTest):
member_of,
kerberos_enabled,
secure_channel_type,
- id):
+ id,
+ force_nt4_hash):
if account_type is self.AccountType.USER:
self.assertIsNone(spn)
self.assertIsNone(delegation_to_spn)
@@ -1026,9 +1048,13 @@ class KDCBaseTest(RawKerberosTest):
additional_details=details,
account_control=user_account_control,
add_dollar=add_dollar,
+ force_nt4_hash=force_nt4_hash,
expired_password=expired_password)

- keys = self.get_keys(samdb, dn)
+ expected_etypes = None
+ if force_nt4_hash:
+ expected_etypes = {kcrypto.Enctype.RC4}
+ keys = self.get_keys(samdb, dn, expected_etypes=expected_etypes)
self.creds_set_keys(creds, keys)

# Handle secret replication to the RODC. |
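Review bot: The three-line `expected_etypes = None` / `if force_nt4_hash:` / `expected_etypes = {kcrypto.Enctype.RC4}` sequence in the `@@ -1026` hunk reads more directly as a single conditional expression, `expected_etypes = {kcrypto.Enctype.RC4} if force_nt4_hash else None`. A trailing comment, e.g. `# an NT-hash-only account has no AES keys, so only RC4 is expected`, would tie the etype restriction to the reason for the flag. The enclosing method begins before this hunk, and `kcrypto` is assumed to be imported at the top of the file.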