path: root/source4/torture/krb5
Commit message | Author | Age | Files | Lines
* CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum | Isaac Boukris | 2019-05-07 | 1 | -4/+111
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
  Signed-off-by: Isaac Boukris <iboukris@gmail.com>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* s4-smbtorture: Show that the KDC provides no protection from CVE-2017-11103 | Andrew Bartlett | 2017-11-02 | 1 | -10/+99
  The server name in the AS-REQ is unprotected, sadly.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Thu Nov 2 07:16:50 CET 2017 on sn-devel-144
* s4-smbtorture: Add test krb5.kdc to prove fix for CVE-2017-11103 | Andrew Bartlett | 2017-11-02 | 1 | -2/+169
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=12894
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* s4: popt: Global replace of cmdline_credentials -> popt_get_cmdline_credentials(). | Jeremy Allison | 2017-05-11 | 3 | -20/+32
  Add one use of popt_set_cmdline_credentials().
  Fix 80 column limits when cmdline_credentials changes to popt_get_cmdline_credentials().
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* s4: torture: Change torture_register_suite() to add a TALLOC_CTX *. | Jeremy Allison | 2017-05-05 | 2 | -4/+4
  Change callers to use the passed in TALLOC_CTX * instead of talloc_autofree_context().
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Reviewed-by: Ralph Böhme <slow@samba.org>
* s4-torture: Add AES and RC4 enctype checks | Andreas Schneider | 2017-04-29 | 1 | -0/+175
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-torture: Add TORTURE_KRB5_TEST_CLOCK_SKEW test | Andreas Schneider | 2017-04-29 | 1 | -2/+60
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-torture: Add TORTURE_KRB5_TEST_BREAK_PW test | Andreas Schneider | 2017-04-29 | 1 | -8/+92
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-torture: Add TORTURE_KRB5_TEST_PAC_REQUEST test | Andreas Schneider | 2017-04-29 | 1 | -1/+83
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* s4-torture: Add KDC test harness and first test | Andreas Schneider | 2017-04-29 | 1 | -4/+343
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* waf: Only build KRB5 KDC tests when AD_DC build is enabled | Andreas Schneider | 2017-04-29 | 1 | -17/+17
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Jeremy Allison <jra@samba.org>
* lib: modules: Change XXX_init interface from XXX_init(void) to XXX_init(TALLOC_CTX *) | Jeremy Allison | 2017-04-22 | 2 | -2/+2
  Not currently used - no logic changes inside.
  This will make it possible to pass down a long-lived talloc context from the loading function for modules to use instead of having them internally all use talloc_autofree_context() which is a hidden global.
  Updated all known module interface numbers, and added a WHATSNEW.
  Signed-off-by: Jeremy Allison <jra@samba.org>
  Signed-off-by: Ralph Böhme <slow@samba.org>
  Autobuild-User(master): Jeremy Allison <jra@samba.org>
  Autobuild-Date(master): Sat Apr 22 01:17:00 CEST 2017 on sn-devel-144
* s4-torture: Add AES and RC4 enctype checks | Andreas Schneider | 2016-07-06 | 1 | -1/+226
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Wed Jul 6 19:06:19 CEST 2016 on sn-devel-144
* s4-torture: Add torture_check_krb5_error() function | Andreas Schneider | 2016-07-06 | 1 | -74/+111
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* kerberos: Return enc data on PREAUTH_FAILED | Garming Sam | 2016-07-05 | 1 | -0/+18
  Without the enc data, Windows clients will perform two AS-REQ causing the password lockout count to increase by two instead of one.
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11539
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Tue Jul 5 10:52:32 CEST 2016 on sn-devel-144
* torture: Add a dummy test for MIT Kerberos case | Andreas Schneider | 2016-06-02 | 4 | -2/+66
  This is a preparatory test to add tests for the MIT KDC.
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* torture: Fix trailing whitespaces in krb5 tests | Andreas Schneider | 2016-06-02 | 2 | -52/+52
  Signed-off-by: Andreas Schneider <asn@samba.org>
  Reviewed-by: Alexander Bokovoy <ab@samba.org>
* s4:torture/krb5: add a --option=torture:run_removedollar_test=true option to kdc-conon | Stefan Metzmacher | 2015-06-24 | 1 | -3/+23
  With this option a machine account is tested without the trailing '$' in the account name.
  Bug: https://bugzilla.samba.org/show_bug.cgi?id=11130
  Signed-off-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Test accepting the ticket to ensure PAC is well-formed | Andrew Bartlett | 2015-03-12 | 1 | -1/+134
  A future test will ask for impersonation to a different user, and validate returned principal and the PAC matches that user.
  BUG: https://bugzilla.samba.org/show_bug.cgi?id=11142
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Reviewed-by: Guenther Deschner <gd@samba.org>
* torture-krb5: Add an initial test for s4u2self behaviour | Andrew Bartlett | 2015-03-09 | 1 | -3/+15
  This test only checks for S4U2Self of the same user, but shows that a user account is not a valid service for this purpose.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Stefan Metzmacher <metze@samba.org>
  Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
  Autobuild-Date(master): Mon Mar 9 12:10:09 CET 2015 on sn-devel-104
* torture-krb5: Provide a generic handler to catch and print unexpected KRB_ERROR packets | Andrew Bartlett | 2015-02-08 | 1 | -10/+22
  This may aid debugging in the future.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
  Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
  Autobuild-Date(master): Sun Feb 8 10:37:23 CET 2015 on sn-devel-104
* torture-krb5: Add test for TGS-REQ with type KRB5_NT_PRINCIPAL, KRB5_NT_SRV_INST, KRB5_NT_SRV_HST | Andrew Bartlett | 2015-02-08 | 1 | -24/+152
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture-krb5: Add test in for normal TGS-REQ | Andrew Bartlett | 2015-02-08 | 1 | -1/+172
  For example, host/server
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture-krb5: Split out TEST_AS_REQ_SELF recv testing routine | Andrew Bartlett | 2015-02-08 | 1 | -50/+186
  This duplicates more code, but re-using the callbacks makes it much, much harder to debug
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture-krb5: Add additional assertions for non-canon TGS-REP | Andrew Bartlett | 2015-02-08 | 1 | -0/+9
  This confirms that the KDC does not modify the returned principal in a TGS-REP unconditionally.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Further test improvements to cover KRB5_GC_CANONICALIZE on krbtgt/ | Andrew Bartlett | 2015-02-08 | 1 | -16/+243
  This covers more of the protocol, and confirms which tests actually send network packets (and so actually run the assertions in the send_and_recv handlers).
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add tests for AS-REQ to our own name | Andrew Bartlett | 2015-02-08 | 1 | -29/+166
  This allows us to probe the behaviour of AS-REQ requests against a principal other than krbtgt/
  This also allows verification of behaviour of principals of type KRB5_NT_ENTERPRISE_PRINCIPAL
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Improve the assertions in our KDC tests to be more explicit | Andrew Bartlett | 2015-02-08 | 1 | -0/+11
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture-krb5: Reformat and re-work test to be easier to follow | Andrew Bartlett | 2015-02-08 | 1 | -282/+573
  The behaviour is the same as in the previous commit, but it is much easier to follow as the main test code now indicates to the send_and_recv callbacks what stage of the test we are at, and resets the packet counter between stages.
  This also re-orders the code so that the send and recv callbacks for each stage are next to each other, and uses a case statement in the main send_and_recv driver for clarity.
  Andrew Bartlett
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture-krb5: Add tests for the canonicalise TGS-REQ case | Andrew Bartlett | 2015-02-08 | 1 | -26/+173
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture-krb5: add TGS-REQ testing to krb5.kdc.canon testsuite | Andrew Bartlett | 2015-02-08 | 1 | -25/+294
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-by: Garming Sam <garming@catalyst.net.nz>
* torture-krb5: Do not do post-recv checks if the packet recv failed | Andrew Bartlett | 2015-02-08 | 2 | -2/+8
  This may be the cause of the flapping tests in this code previously, as the recv_buf would be 0 length.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Reviewed-By: Jelmer Vernooij <jelmer@samba.org>
  Reviewed-by: Kamen Mazdrashki <kamenim@samba.org>
* s4-torture: the new krb5 kdc tests are heimdal, not dc specific. | Günther Deschner | 2015-01-26 | 1 | -1/+1
  Guenther
  Signed-off-by: Günther Deschner <gd@samba.org>
  Reviewed-by: Andreas Schneider <asn@samba.org>
* torture-krb5: Check for UPN handling in krb5.kdc.canon test | Andrew Bartlett | 2015-01-23 | 1 | -18/+90
  This allows us to confirm correct behaviour when a UPN is in use, particularly with the canonicalize flag and with enterprise principal names
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move checking of server and client names to krb5.kdc.canon | Andrew Bartlett | 2015-01-23 | 2 | -20/+25
  This keeps this test in one place, rather than duplicated between krb5.kdc and krb5.kdc.canon
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Move test of krb5_get_init_creds_opt_set_win2k to krb5.kdc.canon | Andrew Bartlett | 2015-01-23 | 2 | -25/+11
  This allows the impact of this to be verified with the other options we are setting
  This also removes duplication in the kdc.c testsuite.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Split the expected behaviour of the RODC up | Andrew Bartlett | 2015-01-23 | 2 | -4/+4
  The expectations of the cached accounts are different to those of the RODC in general.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-kdc: Skip the request-pac behaviour for now against an RODC | Andrew Bartlett | 2015-01-23 | 1 | -0/+3
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add comments | Andrew Bartlett | 2015-01-23 | 2 | -0/+79
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture-krb5: Add tests for combinations of enterprise, canon, and different input principals | Andrew Bartlett | 2015-01-23 | 3 | -2/+404
  This combinational test confirms the interactions between a number of different kerberos flags and principal types.
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
* torture: Extend krb5.kdc test to confirm correct RODC proxy behaviour | Andrew Bartlett | 2015-01-23 | 1 | -1/+18
  The RODC should answer some requests locally, and others it should defer to the main DC.
  We can tell which KDC we talk to by the KVNO of the encrypted parts that are returned to the KDC.
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Extend KDC test to cover more options and modes | Andrew Bartlett | 2015-01-23 | 1 | -7/+147
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Decode expected packets and test KDC behaviour for wrong passwords | Andrew Bartlett | 2015-01-23 | 1 | -9/+164
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Run new testsuite for krb5 and KDC behaviour with machine account also | Andrew Bartlett | 2015-01-23 | 1 | -5/+11
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>
* torture: Start a new testsuite for krb5 and KDC behaviour | Andrew Bartlett | 2015-01-23 | 2 | -0/+129
  Pair-programmed-with: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Garming Sam <garming@catalyst.net.nz>
  Signed-off-by: Andrew Bartlett <abartlet@samba.org>