samba.git/python/samba/tests/krb5/as_req_tests.py, branch talloc-2.4.4 Unnamed repository; edit this file 'description' to name the repository. python/samba/tests/krb5: Add tests for password expiry with krb5 ENC-TS 2024-06-13T00:45:36+00:00 Andrew Bartlett abartlet@samba.org 2024-06-11T22:24:18+00:00 aecbfe5218326c2b4eb9a4e6c6b05719035585f9 This augments the PKINIT based tests to show this is correctly handled for the fare more usual case. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: David Mulder <dmulder@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224 
This augments the PKINIT based tests to show this is correctly handled
for the fare more usual case.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: David Mulder <dmulder@samba.org>

Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Jun 13 00:45:36 UTC 2024 on atb-devel-224
python: tests: update all super calls to python 3 style in tests 2023-11-30T01:05:32+00:00 Rob van der Linde rob@catalyst.net.nz 2023-11-28T03:38:22+00:00 6ac48336780813cd5cb0cd9e5b5f1355aa342096 Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> [abartlet@samba.org Some python2 style super() calls remain due to being an actual, even if reasonable, behaviour change] 
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

[abartlet@samba.org Some python2 style super() calls remain due
 to being an actual, even if reasonable, behaviour change]
tests/krb5: Test Kerberos principal names containing non–BMP Unicode characters 2023-11-09T08:00:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-10-26T04:11:43+00:00 5ebd1b8daefd2235a8aa68613fe234bddb2e65b6 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5: Add tests for single‐component krbtgt principals 2023-10-26T01:24:32+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-09-25T00:26:07+00:00 3917a1995c319a70828b7b29866a6db1fb42e637 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15482

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5: Add test for authenticating with disabled account and wrong password 2023-06-26T11:10:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-06-21T04:54:36+00:00 1abc2543cd44f3b9c4b5da4537f69c48bc2b6e02 This shows us that the client’s access is checked prior to passwords being checked. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
This shows us that the client’s access is checked prior to passwords
being checked.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
tests/krb5: Handle NT hashes being disabled 2023-05-05T02:54:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-05-24T07:11:22+00:00 6f3b7f95f3cc093175507e9eb079cc8241dadedf If NT hashes are disabled, we should not expect the RC4 enctype to be available for non-computer accounts. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
If NT hashes are disabled, we should not expect the RC4 enctype to be
available for non-computer accounts.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5: Pass client credentials down into kdc_exchange_dict 2023-05-05T02:54:30+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2023-04-05T23:09:31+00:00 e4ec3d6f3d3f3b5a9c6f37d78ab3f41daff5d49a These are useful inside the test infrastructure. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
These are useful inside the test infrastructure.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5: Remove client_as_etypes parameter 2023-03-03T01:07:36+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-10-11T01:53:21+00:00 4ae7f1cb987665c754a31954a13281d657c68fce The client_as_etypes parameter previously indicated which etypes we thought the client supported. In practice, this was rarely specified, so we simply assumed that all three main enctypes were supported. Now that we have removed this parameter, rewrite the etype-info padata checking code to be simpler, and no longer to contain loops. Use get_default_enctypes() to determine which enctypes are supported. For tests that inherit from KDCBaseTest, this is based on the domain functional level, and will be more correct for tests that previously passed in client_as_etypes=None. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The client_as_etypes parameter previously indicated which etypes we
thought the client supported. In practice, this was rarely specified, so
we simply assumed that all three main enctypes were supported.

Now that we have removed this parameter, rewrite the etype-info padata
checking code to be simpler, and no longer to contain loops.

Use get_default_enctypes() to determine which enctypes are supported.
For tests that inherit from KDCBaseTest, this is based on the domain
functional level, and will be more correct for tests that previously
passed in client_as_etypes=None.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5: Use consistent ordering for etypes 2023-02-08T00:03:40+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2022-12-19T00:43:08+00:00 77036bba013751021f7229f0d78011298b634501 The 'etype' field in a Kerberos request is ordered. Make this fact clearer by using a tuple or an array to represent etypes rather than a set. get_default_enctypes() now returns encryption types in order of strength. As a consequence, the encryption type chosen by the MIT KDC matches up with that chosen by Windows, and more tests begin to pass. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
The 'etype' field in a Kerberos request is ordered. Make this fact
clearer by using a tuple or an array to represent etypes rather than a
set.

get_default_enctypes() now returns encryption types in order of
strength. As a consequence, the encryption type chosen by the MIT KDC
matches up with that chosen by Windows, and more tests begin to pass.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2022-37966 python:tests/krb5: fix some tests running against Windows 2022 2022-12-13T13:07:30+00:00 Stefan Metzmacher metze@samba.org 2022-11-29T08:48:09+00:00 e0f89b7bc8025db615dccf096aab4ca87e655368 I'm using the following options: SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \ SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \ DOMAIN=W2022-L7 REALM=W2022-L7.BASE \ ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \ CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \ FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1 in order to run these: python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
I'm using the following options:

SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1

in order to run these:

python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>