path: root/python
Commit message | Author | Age | Files | Lines
* CVE-2022-2031 tests/krb5: Add test that we cannot provide a TGT to kpasswd
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -0/+28
|   The kpasswd service should require a kpasswd service ticket, and disallow TGTs.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   [jsutton@samba.org Fixed knownfail conflicts]
|   [jsutton@samba.org Fixed knownfail conflicts]
* CVE-2022-2031 tests/krb5: Test truncated forms of server principals
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -4/+36
|   We should not be able to use krb@REALM instead of krbtgt@REALM.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   [jsutton@samba.org Fixed conflicts due to having older version of _run_as_req_enc_timestamp()]
* CVE-2022-2031 tests/krb5: Add tests for kpasswd service
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 4; Lines: -1/+1033
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   [jsutton@samba.org Fixed conflicts in usage.py and knownfails; removed MIT KDC 1.20-specific knownfails as it's not supported]
|   [jsutton@samba.org Fixed conflicts in usage.py, knownfails, and tests.py]
* CVE-2022-2031 tests/krb5: Add kpasswd_exchange() method
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -13/+251
|   Now we can test the kpasswd service from Python.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   [jsutton@samba.org Fixed conflicts in imports]
* CVE-2022-2031 tests/krb5: Allow requesting a TGT to a different sname and realm
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -6/+13
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   [jsutton@samba.org Fixed conflict due to lacking rc4_support parameter]
|   [jsutton@samba.org Fixed conflicts due to lacking client_name_type and expected_cname parameters]
* tests/krb5: Add option for creating accounts with expired passwords
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -2/+8
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* tests/krb5: Fix enum typo
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -2/+2
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add methods to send and receive generic messages
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -17/+27
|   This allows us to send and receive kpasswd messages, while avoiding the existing logic for encoding and decoding other Kerberos message types.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add 'port' parameter to connect()
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -5/+6
|   This allows us to use the kpasswd port, 464.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add methods to create ASN1 kpasswd structures
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -0/+95
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Add new definitions for kpasswd
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 3; Lines: -1/+31
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-32744 tests/krb5: Correctly calculate salt for pre-existing accounts
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 2; Lines: -0/+2
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* CVE-2022-2031 tests/krb5: Split out _make_tgs_request()
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 2; Lines: -76/+77
|   This allows us to make use of it in other tests.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   [jsutton@samba.org Fixed conflicts due to having older version of _make_tgs_request()]
* CVE-2022-32744 tests/krb5: Correctly handle specifying account kvno
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -1/+1
|   The environment variable is a string, but we expect an integer.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=15074
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
* tests/krb5: Add helper function to modify ticket flags
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 3; Lines: -30/+19
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Stefan Metzmacher <metze@samba.org>
|   (cherry picked from commit ded5115f73dff5b8b2f3212988e03f9dbe0c2aa3)
* tests/krb5: Correctly determine whether tickets are service tickets
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 4; Lines: -15/+19
|   Previously we expected tickets to contain a ticket checksum if the sname was not the krbtgt. However, the ticket checksum should not be present if we are performing an AS-REQ to our own account. Now we determine a ticket is a service ticket only if the request is also a TGS-REQ.
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 100be7eb8e70ba270a8e92957a5e47466160a901)
* tests/krb5: Add a test for S4U2Self with no authorization data required
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -0/+34
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 192d6edfe912105ec344dc554f872a24c03540a3)
* tests/krb5: Add tests for renewal and validation of RODC TGTs with PAC requests
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -0/+90
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 73a48063469205099f02efdf3b8f0f1040dc7a3d)
* tests/krb5: Add test for S4U2Self with wrong sname
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -1/+31
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit bac5f75059450898937be891e863826e1350b62c)
* tests/krb5: Add comments for tests that fail against Windows
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -0/+6
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 749349efab9b401d33a4fc286473a924364a41c9)
* tests/krb5: Add tests for validation with requester SID PAC buffer
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -0/+67
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit ca80c47406e0f2b6fac2c55229306e21ccef9745)
* tests/krb5: Align PAC buffer checking to more closely match Windows with PacRequestorEnforcement=2
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 2; Lines: -46/+114
|   We set EXPECT_EXTRA_PAC_BUFFERS to 0 for the moment. This signifies that these checks are currently not enforced, which avoids a lot of test failures.
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit ebc9137cee94dee9dcf0e47d5bc0dc83de7aaaa1)
|   [jsutton@samba.org Fixed conflicts]
* tests/krb5: Add TGS-REQ tests with FAST
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -2/+182
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit ec823c2a83c639f1d7c422153a53d366750e5f2a)
* tests/krb5: Add tests for TGS requests with a non-TGT
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -0/+51
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 778029c1dc443b87f4ed4b9d2c613d0e6fc45b0d)
* tests/krb5: Add tests for invalid TGTs
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 2; Lines: -0/+17
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 7574ba9f580fca552b80532a49d00e657fbdf4fd)
|   [jsutton@samba.org Removed some MIT knownfail changes]
* tests/krb5: Remove unnecessary expect_pac arguments
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -3/+3
|   The value of expect_pac is not considered if we are expecting an error.
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 28d501875a98fa2817262eb8ec68bf91528428c2)
* tests/krb5: Adjust error codes to better match Windows with PacRequestorEnforcement=2
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 5; Lines: -133/+108
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit d95705172bcf6fe24817800a4c0009e9cc8be595)
|   [jsutton@samba.org Fixed MIT knownfail conflict]
* tests/krb5: Split out methods to create renewable or invalid tickets
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -32/+36
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit e930274aa43810d6485c3c8a7c82958ecb409630)
* tests/krb5: Allow PasswordKey_create() to use s2kparams
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -3/+6
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit a560c2e9ad8abb824d1805c86c656943745f81eb)
* tests/krb5: Run test_rpc against member server
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -5/+4
|   We were instead always running against the DC.
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 167bd2070483004cd0b9a96ffb40ea73c6ddf579)
* tests/krb5: Deduplicate AS-REQ tests
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 2; Lines: -82/+85
|   salt_tests was running the tests defined in the base class as well as its own tests.
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit f0b222e3ecf72c8562bc97bedd9f3a92980b60d5)
* tests/krb5: Remove unused variable
|   Author: Joseph Sutton; Age: 2022-07-24; Files: 1; Lines: -2/+0
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit 57b1b76154d699b9d70ad04fa5e94c4b30f0e4bf)
* python:tests: let insta_creds() also copy the bind_dn from the template
|   Author: Stefan Metzmacher; Age: 2022-03-16; Files: 1; Lines: -0/+4
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (cherry picked from commit a30a7626254c863f95b98c97ea46ff54b98078ad)
* upgradehelpers.py: add a comment to update_krbtgt_account_password()
|   Author: Stefan Metzmacher; Age: 2022-03-07; Files: 1; Lines: -3/+6
|   The backend generates its own random krbtgt password values.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   (cherry picked from commit ad0b5561b492dfa28acfc9604b2358bb8b490703)
* provision: add a comment that the value of krbtgtpass is ignored in the backend
|   Author: Stefan Metzmacher; Age: 2022-03-07; Files: 1; Lines: -0/+3
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   (cherry picked from commit 725c94d57d3d656bc94633dacbac683a4c11d3e6)
* upgradehelpers.py: let update_machine_account_password() use 120 character passwords
|   Author: Stefan Metzmacher; Age: 2022-03-07; Files: 1; Lines: -1/+1
|   We already changed provision to use 120 character passwords with commit 609ca657652862fd9c81fd11f818efb74f72ff55.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   (cherry picked from commit 6bb7c0f24918329804b7f4fb71908e8fab99e266)
* provision: use 120 characters for the dns account password
|   Author: Stefan Metzmacher; Age: 2022-03-07; Files: 1; Lines: -1/+1
|   We should use the same as for the computer account.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   (cherry picked from commit 3b91be36581de1007427d539daffdaa62752412d)
* provision: Decrease the length of random machine passwords
|   Author: Joseph Sutton; Age: 2022-03-07; Files: 2; Lines: -2/+2
|   The current length of 128-255 UTF-16 characters currently causes generation of crypt() passwords to typically fail. This commit decreases the length to 120 UTF-16 characters, which is the same as that used by Windows.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14621
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|   Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|   (similar to commit 609ca657652862fd9c81fd11f818efb74f72ff55)
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14984
* pytest:auth_log: expect TLS connections when using ldaps
|   Author: Douglas Bagnall; Age: 2022-03-07; Files: 1; Lines: -4/+4
|   Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
|   Reviewed-by: Volker Lendecke <vl@samba.org>
|   (cherry picked from commit f37682747898591b37405f9e96a8135c15638637)
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14996
* Merge tag 'samba-4.14.12' into v4-14-test
|\
| |   Author: Jule Anger; Age: 2022-01-31; Files: 1; Lines: -0/+7
| |   samba: tag release samba-4.14.12
| * CVE-2022-0336: pytest: Add a test for an SPN conflict with a re-added SPN
| |   Author: Joseph Sutton; Age: 2022-01-31; Files: 1; Lines: -0/+7
| |   This test currently fails, as re-adding an SPN means that later checks do not run.
| |   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14950
| |   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
| |   Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* | blackbox.ndrdump: fix test_ndrdump_fuzzed_NULL_struct_ntlmssp_CHALLENGE_MESSAGE test
| |   Author: Stefan Metzmacher; Age: 2022-01-30; Files: 1; Lines: -3/+2
| |   This actually reveals that ndr_push_string() for TargetName="" was failing before because it resulted in 1 byte for a subcontext with TargetLen=0. This is fixed now and we no longer expect ndrdump to exit with 1.
| |   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
| |   Signed-off-by: Stefan Metzmacher <metze@samba.org>
| |   Reviewed-by: Andreas Schneider <asn@samba.org>
| |   Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
| |   Autobuild-Date(master): Mon Jan 24 16:18:34 UTC 2022 on sn-devel-184
| |   (cherry picked from commit 12464bd4c222d996aac6d6250b7945d63f20f4bc)
| |   Autobuild-User(v4-14-test): Jule Anger <janger@samba.org>
| |   Autobuild-Date(v4-14-test): Sun Jan 30 10:21:21 UTC 2022 on sn-devel-184
* | blackbox.ndrdump: adjust example files to the usage of dump_data_diff output.
| |   Author: Stefan Metzmacher; Age: 2022-01-30; Files: 1; Lines: -0/+4
| |   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
| |   Signed-off-by: Stefan Metzmacher <metze@samba.org>
| |   Reviewed-by: Andreas Schneider <asn@samba.org>
| |   (cherry picked from commit 1dc385cb648f0c37b04f4ede6b1c96916e379b23)
* | blackbox.ndrdump: adjust example files to changed dump_data() output.
|/
|   Author: Stefan Metzmacher; Age: 2022-01-30; Files: 1; Lines: -5/+5
|   The cleanup using dump_data_block16() fixed the space handling.
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14956
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Andreas Schneider <asn@samba.org>
|   (cherry picked from commit 9110a8854a518befa2908c26076e17a085c5ec48)
* CVE-2020-25717: tests/krb5: Add a test for idmap_nss mapping users to SIDs
|   Author: Joseph Sutton; Age: 2021-11-18; Files: 2; Lines: -0/+233
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
|   Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   [metze@samba.org removed unused tests for a feature that was removed before merging]
|   Reviewed-by: Ralph Boehme <slow@samba.org>
|   (cherry picked from commit 494bf7de6ff3e9abeb3753df0635737b80ce5bb7)
* CVE-2020-25717: tests/krb5: Add method to automatically obtain server credentials
|   Author: Joseph Sutton; Age: 2021-11-18; Files: 1; Lines: -0/+42
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901
|   Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|   Reviewed-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Ralph Boehme <slow@samba.org>
|   (cherry picked from commit 5ea347d3673e35891613c90ca837d1ce4833c1b0)
* CVE-2021-23192: python/tests/dcerpc: add tests to check how security contexts relate to fragmented requests
|   Author: Stefan Metzmacher; Age: 2021-11-08; Files: 1; Lines: -0/+1273
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: python/tests/dcerpc: fix do_single_request(send_req=False)
|   Author: Stefan Metzmacher; Age: 2021-11-08; Files: 1; Lines: -17/+20
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: python/tests/dcerpc: let generate_request_auth() use g_auth_level in all places
|   Author: Stefan Metzmacher; Age: 2021-11-08; Files: 1; Lines: -3/+3
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Samuel Cabrero <scabrero@samba.org>
* CVE-2021-23192: python/tests/dcerpc: change assertNotEquals() into assertNotEqual()
|   Author: Stefan Metzmacher; Age: 2021-11-08; Files: 2; Lines: -151/+151
|   BUG: https://bugzilla.samba.org/show_bug.cgi?id=14875
|   Signed-off-by: Stefan Metzmacher <metze@samba.org>
|   Reviewed-by: Samuel Cabrero <scabrero@samba.org>