path: root/python/samba
Commit message (Author, Age, Files, Lines)
* s4-dsdb: Add tests of SamDB.get_nc_root() (Andrew Bartlett, 2023-02-03, 1 file, -0/+122)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=10635
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 2c7bb58703c1fa26782ac6959ea7d81fccf3905c)
* CVE-2022-37966 python:/tests/krb5: call sys.path.insert(0, "bin/python") before any other imports (Stefan Metzmacher, 2022-12-14, 20 files, -64/+72)
  This allows the tests to be executed without an explicit PYTHONPATH="bin/python".

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
  (similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)
  Autobuild-User(v4-17-test): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(v4-17-test): Wed Dec 14 12:40:42 UTC 2022 on sn-devel-184
* CVE-2022-37966 samba-tool: add 'domain trust modify' command (Stefan Metzmacher, 2022-12-14, 1 file, -0/+121)
  For now it only allows the admin to modify the msDS-SupportedEncryptionTypes values.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Ralph Boehme <slow@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  (cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)
* CVE-2022-37966 param: let "kdc default domain supportedenctypes = 0" mean the default (Stefan Metzmacher, 2022-12-14, 2 files, -1/+7)
  In order to allow better upgrades we need the default value for smb.conf to be the same even if the effective default value of the software changes in future.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
* CVE-2022-37966 python:tests/krb5: test much more etype combinations (Stefan Metzmacher, 2022-12-14, 1 file, -14/+139)
  These tests work out the difference between
  - msDS-SupportedEncryptionTypes value or its default
  - software defined extra flags for DC accounts
  - accounts with only an nt hash being stored
  - the resulting value in the KRB5_PADATA_SUPPORTED_ETYPES announcement

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 1dfa91682efd3b12d7d6af75287efb12ebd9e526)
* CVE-2022-37966 python:tests/krb5: add better PADATA_SUPPORTED_ETYPES assert message (Stefan Metzmacher, 2022-12-14, 1 file, -2/+2)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)
* CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash' for account creation of KDCBaseTest (Stefan Metzmacher, 2022-12-14, 1 file, -6/+32)
  This will allow us to create test accounts with only an nt4 hash stored, without any aes keys.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
* CVE-2022-37966 python:tests/krb5: ignore empty supplementalCredentials attributes (Stefan Metzmacher, 2022-12-14, 1 file, -0/+2)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)
* CVE-2022-37966 python:tests/krb5: allow ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req() (Stefan Metzmacher, 2022-12-14, 1 file, -3/+8)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
* CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022 (Stefan Metzmacher, 2022-12-14, 3 files, -7/+39)
  I'm using the following options:

      SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
      SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
      DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
      ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
      CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
      FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

  in order to run these:

      python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
      python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
* CVE-2022-37966 selftest: Run S4U tests against FL2003 DC (Joseph Sutton, 2022-12-14, 1 file, -4/+57)
  This shows that changes around RC4 encryption types do not break older functional levels where only RC4 keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
* CVE-2022-37966 selftest: Add tests for Kerberos session key behaviour since ENC_HMAC_SHA1_96_AES256_SK was added (Joseph Sutton, 2022-12-14, 6 files, -132/+424)
  ENC_HMAC_SHA1_96_AES256_SK is a flag introduced by Microsoft in this CVE to indicate that additionally, AES session keys are available.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit 371d7e63fcb966ab54915a3dedb888d48adbf0c0)
  [jsutton@samba.org Removed unneeded fast_tests.py change, added non_etype_bits in raw_testcase.py, fixed conflicts in knownfails and tests.py]
* CVE-2022-37966 tests/krb5: Test different preauth etypes with Protected Users group (Joseph Sutton, 2022-12-14, 1 file, -9/+38)
  Extend the RC4 Protected Users tests to use different preauth etypes. This helps test the nuances of the new expected behaviour and allows the tests to continue passing.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit a7a0b9ad0757d6586905d64bc645a8946fe5c10e)
* CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects (Joseph Sutton, 2022-12-14, 1 file, -2/+5)
  As we will assume, as part of the fixes for CVE-2022-37966, that trust objects with no msDS-SupportedEncryptionTypes attribute support AES keys, RC4 support must now be explicitly indicated.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
* CVE-2022-37966 samba-tool: Fix 'domain trust create' documentation (Joseph Sutton, 2022-12-14, 1 file, -1/+1)
  This option does the opposite of what the documentation claims.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)
* CVE-2022-37967 Add new PAC checksum (Joseph Sutton, 2022-12-14, 6 files, -17/+215)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15231
  Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (similar to commit a50a2be622afaa7a280312ea12f5eb9c9a0c41da)
  [jsutton@samba.org Fixed conflicts in krb5pac.idl and raw_testcase.py]
* CVE-2022-37966 tests/krb5: Add a test requesting tickets with various encryption types (Joseph Sutton, 2022-12-14, 3 files, -0/+363)
  The KDC should leave the choice of ticket encryption type up to the target service, and admit no influence from the client.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
  [jsutton@samba.org Fixed conflicts in usage.py, knownfails, tests.py]
* CVE-2022-37966 tests/krb5: Add 'etypes' parameter to _tgs_req() (Joseph Sutton, 2022-12-14, 1 file, -1/+3)
  This lets us select the encryption types we claim to support in the request body.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
  [jsutton@samba.org Adapted to 4.17 version of function taking different parameters]
* CVE-2022-37966 tests/krb5: Split out _tgs_req() into base class (Joseph Sutton, 2022-12-14, 1 file, -131/+133)
  We will use it for testing our handling of encryption types.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
  [jsutton@samba.org Adapted to 4.17 version of function]
* CVE-2022-37966 selftest: Allow krb5 tests to run against an IP by using the target_hostname binding string (Andrew Bartlett, 2022-12-14, 2 files, -3/+12)
  This makes it easier to test against a server that is not accessible via DNS.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)
* CVE-2022-37966 tests/krb5: Add test requesting a TGT expiring post-2038 (Joseph Sutton, 2022-12-14, 1 file, -2/+11)
  This demonstrates the behaviour of Windows 11 22H2 over Kerberos, which changed to use a year 9999 date for a forever timetime in tickets.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
  (cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
* CVE-2022-44640 selftest: Exclude Heimdal fuzz-inputs from source_chars test (Andrew Bartlett, 2022-12-06, 1 file, -0/+1)
  A new file will shortly fail as it is binary input

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14929
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  (cherry picked from commit 5a02915913a2410904886e186ada90a36492571f)
* python/samba/tests: fix samba.tests.auth_log_pass_change for later gnutls (Noel Power, 2022-10-31, 1 file, -4/+16)
  later gnutls that support GNUTLS_PBKDF2 currently fail, we need to conditionally switch test data to reflect use of 'samr_ChangePasswordUser3' or 'samr_ChangePasswordUser4' depending on whether GNUTLS_PBKDF2 is supported or not

  Signed-off-by: Noel Power <noel.power@suse.com>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  (cherry picked from commit ce7c418ca4f8f82e61a9a02a6589ab1c4df51d63)
  Autobuild-User(v4-17-test): Jule Anger <janger@samba.org>
  Autobuild-Date(v4-17-test): Mon Oct 31 10:08:34 UTC 2022 on sn-devel-184
* python-drs: Add client-side debug and fallback for GET_ANC (Andrew Bartlett, 2022-10-07, 2 files, -11/+90)
  Samba 4.5 and earlier will fail to do GET_ANC correctly and will not replicate non-critical parents of objects with isCriticalSystemObject=TRUE when DRSUAPI_DRS_CRITICAL_ONLY is set.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  (cherry picked from commit bff2bc9c7d69ec2fbe9339c2353a0a846182f1ea)
* pytest/samdb: use TestCaseInTempDir.rm_files/.rm_dirs (Douglas Bagnall, 2022-10-07, 1 file, -6/+2)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power <npower@samba.org>
  (cherry picked from commit 251360d6e58986dd53f0317319544e930dc61444)
* pytest/join: use TestCaseInTempDir.rm_files/dirs (Douglas Bagnall, 2022-10-07, 1 file, -4/+2)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power <npower@samba.org>
  (cherry picked from commit 7455c53fa4f7871b3980f820d22b0fd411195704)
* pytest/samdb_api: use TestCaseInTempDir.rm_files (Douglas Bagnall, 2022-10-07, 1 file, -9/+1)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power <npower@samba.org>
  (cherry picked from commit 4e3dabad0be0900a203896c2c2acb270d31b0a42)
* pytest/downgradedatabase: use TestCaseInTempDir.rm_files (Douglas Bagnall, 2022-10-07, 1 file, -8/+6)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power <npower@samba.org>
  (cherry picked from commit 85bc1552e3919d049d39a065824172a24933d38b)
* pytest: add file removal helpers for TestCaseInTempDir (Douglas Bagnall, 2022-10-07, 1 file, -0/+35)
  In several places we end a test by deleting a number of files and directories, but we do it rather haphazardly with unintentionally differing error handling. For example, in some tests we currently have something like:

      try:
          shutil.rmtree(os.path.join(self.tempdir, "a"))
          os.remove(os.path.join(self.tempdir, "b"))
          shutil.rmtree(os.path.join(self.tempdir, "c"))
      except Exception:
          pass

  where if, for example, the removal of "b" fails, the removal of "c" will not be attempted. That will result in the tearDown method raising an exception, and we're no better off. If the above code is replaced with

      self.rm_files('b')
      self.rm_dirs('a', 'c')

  the failure to remove 'b' will cause a test error, *unless* the failure was due to a FileNotFoundError (a.k.a. an OSError with errno ENOENT), in which case we ignore it, as was probably the original intention.

  If on the other hand, we have

      self.rm_files('b', must_exist=True)
      self.rm_dirs('a', 'c')

  then the FileNotFoundError causes a failure (not an error).

  We take a little bit of care to stay within self.tempdir, to protect test authors who accidentally write something like `self.rm_dirs('/')`.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15191
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15189
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Noel Power <npower@samba.org>
  (cherry picked from commit 2359741b2854a8de9d151fe189be80a4bd087ff9)
* CVE-2021-20251 tests/krb5: Add tests for password lockout race (Joseph Sutton, 2022-09-19, 4 files, -1/+1099)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  (cherry picked from commit 91e2e5616ccd507fcaf097533c5fc25974119c1e)
  [jsutton@samba.org Fixed conflicts in usage.py, knownfails, and tests.py due to not having claims tests]
* samba-tool gpo: clean up tmpdir after create (Douglas Bagnall, 2022-08-06, 1 file, -0/+4)
  'fetch' and 'backup' might also leave files in /tmp, but in those cases we want the files.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15006
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: David Mulder <dmulder@suse.com>
  Autobuild-User(master): Douglas Bagnall <dbagnall@samba.org>
  Autobuild-Date(master): Sat Aug 6 01:42:09 UTC 2022 on sn-devel-184
* samba-tool: allow testparm to dump global section only (Douglas Bagnall, 2022-08-06, 1 file, -1/+4)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15070
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: David Mulder <dmulder@suse.com>
* pytest/netcmd: test samba-tool testparm global section (Douglas Bagnall, 2022-08-06, 1 file, -0/+8)
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: David Mulder <dmulder@suse.com>
* CVE-2022-32743 tests/py_credentials: Add tests for setting dNSHostName with LogonGetDomainInfo() (Joseph Sutton, 2022-07-28, 1 file, -2/+279)
  Test that the value is properly validated, and that it can be set regardless of rights on the account.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=14833
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* py/uptodateness: more details in missing dn report (Douglas Bagnall, 2022-07-28, 1 file, -1/+1)
  This does not fix bug 15127, but it improves reporting.

  https://bugzilla.samba.org/show_bug.cgi?id=15127
  Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
  Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
  Autobuild-Date(master): Thu Jul 28 06:18:43 UTC 2022 on sn-devel-184
* CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd (Joseph Sutton, 2022-07-27, 1 file, -0/+28)
  The kpasswd service should require a kpasswd service ticket, and disallow TGTs.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Test truncated forms of server principals (Joseph Sutton, 2022-07-27, 1 file, -3/+27)
  We should not be able to use krb@REALM instead of krbtgt@REALM.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add tests for kpasswd service (Joseph Sutton, 2022-07-27, 4 files, -1/+1033)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Consider kadmin/* principals as TGS for MIT KRB5 >= 1.20 (Joseph Sutton, 2022-07-27, 2 files, -5/+28)
  With MIT Kerberos >= 1.20, we should not expect a ticket checksum in tickets to principals such as kpasswd/changepw, as they are encrypted with the krbtgt's key.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method (Joseph Sutton, 2022-07-27, 1 file, -13/+251)
  Now we can test the kpasswd service from Python.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm (Joseph Sutton, 2022-07-27, 1 file, -6/+13)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* tests/krb5: Add option for creating accounts with expired passwords (Joseph Sutton, 2022-07-27, 1 file, -2/+8)
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* tests/krb5: Fix enum typo (Joseph Sutton, 2022-07-27, 1 file, -2/+2)
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages (Joseph Sutton, 2022-07-27, 1 file, -17/+27)
  This allows us to send and receive kpasswd messages, while avoiding the existing logic for encoding and decoding other Kerberos message types.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add 'port' parameter to connect() (Joseph Sutton, 2022-07-27, 1 file, -5/+6)
  This allows us to use the kpasswd port, 464.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures (Joseph Sutton, 2022-07-27, 1 file, -0/+95)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add new definitions for kpasswd (Joseph Sutton, 2022-07-27, 3 files, -1/+31)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts (Joseph Sutton, 2022-07-27, 2 files, -0/+2)
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Split out _make_tgs_request() (Joseph Sutton, 2022-07-27, 2 files, -84/+85)
  This allows us to make use of it in other tests.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno (Joseph Sutton, 2022-07-27, 1 file, -1/+1)
  The environment variable is a string, but we expect an integer.

  BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
  Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
  Reviewed-by: Andreas Schneider <asn@samba.org>