From 3fc9dc2395ebc292087ae050bd721747e851056d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 2 Dec 2021 16:51:26 +1300 Subject: tests/krb5: Check logon name in PAC for canonicalization tests This allows us to ensure that the correct name makes it through to the PAC. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett --- .../samba/tests/krb5/as_canonicalization_tests.py | 35 ++++++++++++++++++++++ 1 file changed, 35 insertions(+) (limited to 'python') diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 7c64ce19bb7..700a03622e1 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -28,7 +28,9 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.kdc_base_test import KDCBaseTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.credentials import DONT_USE_KERBEROS +from samba.dcerpc import krb5pac from samba.dcerpc.misc import SEC_CHAN_WKSTA +from samba.ndr import ndr_unpack from samba.tests import DynamicTestCase from samba.tests.krb5.rfc4120_constants import ( AES256_CTS_HMAC_SHA1_96, @@ -39,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import ( KU_AS_REP_ENC_PART, KRB_ERROR, KU_PA_ENC_TIMESTAMP, + KU_TICKET, PADATA_ENC_TIMESTAMP, NT_ENTERPRISE_PRINCIPAL, NT_PRINCIPAL, @@ -229,6 +232,38 @@ class KerberosASCanonicalizationTests(KDCBaseTest): srealm = as_rep['srealm'].decode('ascii') self.check_srealm(srealm, data) + if TestOptions.AsReqSelf.is_set(data.options): + ticket_creds = creds + else: + ticket_creds = self.get_krbtgt_creds() + ticket_key = self.TicketDecryptionKey_from_creds(ticket_creds) + + ticket_encpart = rep['ticket']['enc-part'] + self.assertElementEqual(ticket_encpart, 'etype', + ticket_key.etype) + self.assertElementEqual(ticket_encpart, 'kvno', + ticket_key.kvno) + ticket_decpart = ticket_key.decrypt(KU_TICKET, + ticket_encpart['cipher']) + ticket_private = self.der_decode( + ticket_decpart, + asn1Spec=krb5_asn1.EncTicketPart()) + + pac_data = self.get_pac(ticket_private['authorization-data']) + pac = ndr_unpack(krb5pac.PAC_DATA, pac_data) + + for pac_buffer in pac.buffers: + if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME: + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_username() + else: + expected = data.user_name + + self.assertEqual(expected, pac_buffer.info.account_name) + break + else: + self.fail('PAC_TYPE_LOGON_NAME not found') + def as_req(self, data): user_creds = data.user_creds realm = data.realm -- cgit v1.2.1