samba.git/python/samba/tests/krb5/test_ldap.py, branch talloc-2.3.4 Unnamed repository; edit this file 'description' to name the repository. CVE-2020-25719 tests/krb5: Add tests for using a ticket with a renamed account 2021-11-09T19:45:34+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-10-29T02:07:07+00:00 f5baabd987bbe71bbf37277e11f51f03372c28f1 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25719 CVE-2020-25717 tests/krb5: Adapt tests for connecting without a PAC to new error codes 2021-11-09T19:45:32+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-10-28T21:27:41+00:00 b4ea50f8b272a3b1d1d9d9ceda3641c22a082604 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25719 CVE-2020-25717 tests/krb5: Add tests for connecting to services anonymously and without a PAC 2021-11-09T19:45:32+00:00 Stefan Metzmacher metze@samba.org 2021-08-24T15:11:24+00:00 9fe1b719e1b35ae4053cbb13f29f76f4b2f950ef At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if no PAC is available. For now we want to look for ACCESS_DENIED as this allows the test to pass (showing that gensec:require_pac = true is a useful partial mitigation). This will also help others doing backports that do not take the full patch set. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
At the end of the patchset we assume NT_STATUS_NO_IMPERSONATION_TOKEN if
no PAC is available.

For now we want to look for ACCESS_DENIED as this allows
the test to pass (showing that gensec:require_pac = true
is a useful partial mitigation).

This will also help others doing backports that do not
take the full patch set.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
CVE-2020-25719 CVE-2020-25717 tests/krb5: Refactor create_ccache_with_user() to take credentials of target service 2021-11-09T19:45:32+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-10-21T22:37:31+00:00 873ac6d814c814fdf2088745dbd562cd91caddd3 This allows us to use get_tgt() and get_service_ticket() to obtain tickets, which simplifies the logic. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This allows us to use get_tgt() and get_service_ticket() to obtain
tickets, which simplifies the logic.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14799
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5: Disable debugging output for tests 2021-10-14T18:59:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-10-07T22:48:41+00:00 dfd613661eec4b81e162f2d86a8fa9266c2fdc03 This reduces the time spent running the tests in a testenv. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> 
This reduces the time spent running the tests in a testenv.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
tests/krb5/kdc_base_test.py: Create loadparm only when needed 2021-07-01T17:46:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-06-15T23:40:41+00:00 210e544016a3a4de1cdb76ce28a2148811ff07eb Now the .conf file is only loaded on its first use, which means that SMB_CONF_PATH need not be defined for tests that don't make use of it. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Now the .conf file is only loaded on its first use, which means that
SMB_CONF_PATH need not be defined for tests that don't make use of it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
tests/krb5/kdc_base_test.py: Create database connection only when needed 2021-07-01T17:46:31+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-06-15T23:04:00+00:00 4f5566be4839838e0e3e501a030bcf6e85ff5159 Now the database connection is only created on its first use, which means database credentials are no longer required for tests that don't make use of it. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Stefan Metzmacher <metze@samba.org> 
Now the database connection is only created on its first use, which
means database credentials are no longer required for tests that don't
make use of it.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
python: Add LDAP credentials cache test 2021-05-19T01:32:34+00:00 Joseph Sutton josephsutton@catalyst.net.nz 2021-04-29T08:58:11+00:00 7663b5c37fa3413f7c67c018107322494e4a6fd9 Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz> 
Test that we can use a credentials cache with a user's service ticket
obtained with our Python code to connect to a service through LDAP.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>