authorJoseph Sutton <josephsutton@catalyst.net.nz>2023-09-29 13:21:01 +1300
committerJoseph Sutton <jsutton@samba.org>2023-10-01 22:45:38 +0000
commit989fb009852e8b80691f71fd784c93bb29a58465 (patch)
tree1f3d4ef6127dde28485d76bef9d8989ee6a18745 /python/samba
parent849ee959845832b206ae315ab5911c623ea61148 (diff)
tests/krb5: Add tests performing AS‐REQs armored with unacceptable tickets
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Diffstat (limited to 'python/samba')
-rwxr-xr-xpython/samba/tests/krb5/kdc_tgs_tests.py33
1 files changed, 33 insertions, 0 deletions
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 6619081a844..7dccdf2479f 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -1163,6 +1163,11 @@ class KdcTgsTests(KdcTgsBaseTests):
self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
+ def test_fast_as_req_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, remove_pac=True)
+ self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
+
# Test making a request with authdata and without a PAC.
def test_tgs_authdata_no_pac(self):
creds = self._get_creds()
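Review bot: `test_fast_as_req_no_pac` is added without the one-line comment that neighbouring tests carry (for example `# Test making a request with authdata and without a PAC.`). A reader has to work out from `_fast_as_req` that the PAC-less TGT is used as FAST armor for an AS-REQ, not presented as the request ticket itself. I would add `# Test an AS-REQ armored with a TGT that has no PAC.` above it. The same applies to `test_fast_as_req_authdata_no_pac`, `test_fast_as_req_sid_mismatch_existing` and `test_fast_as_req_sid_mismatch_nonexisting` in the following hunks, each with a comment naming the defect in the armor ticket. The enclosing class starts and ends outside the hunk.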
@@ -1199,6 +1204,11 @@ class KdcTgsTests(KdcTgsBaseTests):
self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
+ def test_fast_as_req_authdata_no_pac(self):
+ creds = self._get_creds()
+ tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
+ self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
+
# Test changing the SID in the PAC to that of another account.
def test_tgs_sid_mismatch_existing(self):
creds = self._get_creds()
@@ -1240,6 +1250,13 @@ class KdcTgsTests(KdcTgsBaseTests):
expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
+ def test_fast_as_req_sid_mismatch_existing(self):
+ creds = self._get_creds()
+ existing_rid = self._get_existing_rid()
+ tgt = self._get_tgt(creds, new_rid=existing_rid)
+ self._fast_as_req(tgt, creds,
+ expected_error=KDC_ERR_TGT_REVOKED)
+
def test_requester_sid_mismatch_existing(self):
creds = self._get_creds()
existing_rid = self._get_existing_rid()
@@ -1304,6 +1321,13 @@ class KdcTgsTests(KdcTgsBaseTests):
expected_error=KDC_ERR_TGT_REVOKED,
expected_sname=self.get_krbtgt_sname())
+ def test_fast_as_req_sid_mismatch_nonexisting(self):
+ creds = self._get_creds()
+ nonexistent_rid = self._get_non_existent_rid()
+ tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
+ self._fast_as_req(tgt, creds,
+ expected_error=KDC_ERR_TGT_REVOKED)
+
def test_requester_sid_mismatch_nonexisting(self):
creds = self._get_creds()
nonexistent_rid = self._get_non_existent_rid()
@@ -3207,6 +3231,15 @@ class KdcTgsTests(KdcTgsBaseTests):
expect_pac=expect_pac,
expect_edata=expect_edata)
+ def _fast_as_req(self, armor_tgt, armor_tgt_creds, expected_error):
+ user_creds = self._get_mach_creds()
+ target_creds = self.get_service_creds()
+
+ return self._armored_as_req(user_creds, target_creds, armor_tgt,
+ expected_error=expected_error,
+ expected_sname=self.get_krbtgt_sname(),
+ expect_edata=False)
+
if __name__ == "__main__":
global_asn1_print = False
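Review bot: The `armor_tgt_creds` parameter of `_fast_as_req` is never read in the body shown. The request is built from `self._get_mach_creds()` and `self.get_service_creds()`, and only `armor_tgt` is passed on to `_armored_as_req`. All four new callers pass `creds` in that position, which suggests the armor account's credentials take part in the exchange when, from these lines, they do not. If the parameter is kept only for parity with `_fast`, say so in a short docstring. That docstring should also record that the helper fixes `expect_edata=False` and passes the krbtgt name as `expected_sname`. Otherwise drop it, `def _fast_as_req(self, armor_tgt, expected_error):`, and update the callers.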