path: root/python/samba/tests/krb5
Age | Commit message | Author | Files | Lines
2025-08-27 | tests/krb5: Remove redundant line | Jennifer Sutton | 1 | -2/+0
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-08-07 | pytest:krb5_base: use BinaryDn not dsdb_dn | Douglas Bagnall | 1 | -4/+2
Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
2025-05-26 | tests/krb5: Correct comment | Jennifer Sutton | 1 | -1/+1
Signed-off-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2025-04-03 | python:tests/krb5: let _{get,modify}_tgt() also change the objectsid in UPN_DNS_INFO | Stefan Metzmacher | 1 | -0/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | python:tests/krb5: allow set_pac_sids() to take upn_dns_sid | Stefan Metzmacher | 1 | -2/+6
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | python:tests/krb5: let check_device_info() allow an empty rid array | Stefan Metzmacher | 1 | -1/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | python:tests/krb5: allow create_account_opts() to take selective_auth_allowed_sid | Stefan Metzmacher | 1 | -0/+27
This will add a GUID_DRS_ALLOWED_TO_AUTHENTICATE ace with CONTROL_ACCESS to the created account.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | python:tests/krb5: allow tgs_exchange_dict() to take expected_[device_]duplicated_groups | Stefan Metzmacher | 1 | -0/+42
This allows us to expect duplicated sids in the PAC.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | python:tests/krb5: let check_device_info() handle EXTRA_DOMAIN_SID | Stefan Metzmacher | 1 | -8/+21
device info does not really have RESOURCE_SID, so we need to map RESOURCE_SID as well as EXTRA_SID (with a S-1-5-21- prefix) to EXTRA_DOMAIN_SID.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | python:tests/krb5: create_account_opts() can't handle self.AccountType.TRUST | Stefan Metzmacher | 1 | -0/+1
create_trust() is used for that...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-04-03 | python:tests/krb5: add KDC_ERR_PATH_NOT_ACCEPTED | Stefan Metzmacher | 1 | -0/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: let create_trust() take {ingress,egress}_claims_tf_rules | Stefan Metzmacher | 1 | -0/+99
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Autobuild-User(master): Ralph Böhme <slow@samba.org>
Autobuild-Date(master): Mon Feb 24 10:28:02 UTC 2025 on atb-devel-224
2025-02-24 | python:tests/krb5: let create_trust() take forest_info | Stefan Metzmacher | 1 | -0/+17
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: let modified_ticket() to take modify_{tkt,enc}_fn | Stefan Metzmacher | 1 | -9/+33
This makes it possible to modify the public ticket part as well as the enc part.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: add remove_pac_buffers() | Stefan Metzmacher | 1 | -0/+13
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: set_pac_claims with claims=[] should be an empty blob | Stefan Metzmacher | 1 | -16/+21
Review with: git show -w
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: let set_pac_sids() replace the requester_sid | Stefan Metzmacher | 1 | -2/+4
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: add set_pac_names() to modify the names in a pac | Stefan Metzmacher | 1 | -0/+49
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: give KerberosTicketCreds a basic __str__() function | Stefan Metzmacher | 1 | -0/+4
This makes debugging easier...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: let create_ccache[_with_ticket] use the correct crealm | Stefan Metzmacher | 1 | -3/+3
It can be different from the servers realm.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: allow get_service_ticket() to fail with expected_status | Stefan Metzmacher | 1 | -2/+19
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-24 | python:tests/krb5: add KerberosTicketCreds.set_srealm() | Stefan Metzmacher | 1 | -0/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-17 | python:lsa_utils: Fix fallback to OpenPolicy2 | Stefan Metzmacher | 1 | -9/+20
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680
Pair-Programmed-With: Andreas Schneider <asn@samba.org>
Signed-off-by: Andreas Schneider <asn@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Mon Feb 17 18:33:15 UTC 2025 on atb-devel-224
2025-02-17 | python:lsa_utils: Don't use optional arguments for OpenPolicyFallback() | Andreas Schneider | 1 | -1/+2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15680
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2025-02-14 | python:tests/krb5: only expect compressed claims if the compression reduces the size | Stefan Metzmacher | 1 | -9/+27
I have captures showing that claims compression depends on the payload itself and how well it compresses, instead of the pure length of the payload.
E.g. a single string claim with a value of 68 'a' characters has an uncompressed size of 336 and compressed size is 335.
While a single string with random string s1 has an uncompressed size of 504 and it's still uncompressed on the wire.
A different random string s2 also has an uncompressed size of 504, but it is compressed into a size of 502.
So it really depends if the compression makes it actually smaller than the uncompressed version.
This makes the tests more reliable against Windows DCs with existing claims defined.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
2025-02-08 | security.idl: change ORGANISATION into ORGANIZATION | Stefan Metzmacher | 1 | -1/+1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-15 | python:tests/krb5: let netlogon.py check for NETLOGON_NTLMV2_ENABLED | Stefan Metzmacher | 1 | -0/+22
It's there for network_samlogon and interactive_samlogon, but not in ticket_samlogon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15783
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2025-01-08 | python:tests/krb5: let netlogon.py test referral ticket for SEC_CHAN_DNS_DOMAIN | Stefan Metzmacher | 1 | -2/+21
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: allow get_service_ticket to accept a trust referral ticket without kvno | Stefan Metzmacher | 1 | -0/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: allow tickets without a kvno | Stefan Metzmacher | 1 | -1/+5
This is needed for trust referrals.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: let netlogon.py export changed passwords to keytab | Stefan Metzmacher | 1 | -0/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: add domain trust tests to netlogon.py | Stefan Metzmacher | 1 | -26/+176
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: add a create_trust() helper function to test trusted domains | Stefan Metzmacher | 1 | -2/+292
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: allow exporting a keytab file of the accounts used by the tests | Stefan Metzmacher | 2 | -1/+197
  EXPORT_KEYTAB_FILE=/dev/shm/export.keytab
  EXPORT_KEYTAB_APPEND=0 or 1
  EXPORT_EXISTING_CREDS_TO_KEYTAB=0 or 1
  EXPORT_GIVEN_CREDS_TO_KEYTAB=0 or 1
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: add KerberosCredentials.[g|s]et_trust_{incoming,outgoing,account}_creds | Stefan Metzmacher | 1 | -0/+25
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: let netlogon.py run the tests also as rodc | Stefan Metzmacher | 1 | -1/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: allow netlogon.py tests to work against a KDC with claims enabled | Stefan Metzmacher | 1 | -4/+8
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: allow get_mock_rodc_krbtgt_creds(preserve=False) to create a tmp rodc | Stefan Metzmacher | 2 | -19/+89
This also exposes credentials for the machine account for netlogon testing.
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2025-01-08 | python:tests/krb5: fix etypes_to_test values in RawKerberosTest | Stefan Metzmacher | 1 | -2/+2
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
2024-12-12 | python:tests/krb5: add ServerAuthenticateKerberos related tests to netlogon.py | Stefan Metzmacher | 1 | -4/+468
Works against Windows 2025 preview:
  SMB_CONF_PATH=/dev/null \
  SERVER=172.31.9.115 DC_SERVER=w2025p-115.w2025p-l8.base \
  DOMAIN="W2025P-L8" REALM="W2025P-L8.BASE" \
  ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
  NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=1 \
  STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py
The code still works against Windows 2022 with the following options:
  SMB_CONF_PATH=/dev/null \
  SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
  DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
  ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
  NETLOGON_STRONG_KEY_SUPPORT=1 NETLOGON_AUTH_KRB5_SUPPORT=0 \
  STRICT_CHECKING=0 python/samba/tests/krb5/netlogon.py
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-12 | python:tests/krb5: let netlogon.py test strong key without arcfour | Stefan Metzmacher | 1 | -1/+13
It shows that there's no encryption on buffers...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | python:tests/krb5: add netlogon.py | Stefan Metzmacher | 1 | -0/+1483
This adds tests for the application layer encryption used based on the secure channel session key.
This will get tests for netr_ServerAuthenticateKerberos() in order to explore its details.
This runs against Windows 2022 as well as Windows 2025 (preview) using something like this:
  SMB_CONF_PATH=/dev/null \
  SERVER=172.31.9.118 DC_SERVER=w2022-118.w2022-l7.base \
  DOMAIN="W2022-L7" REALM="W2022-L7.BASE" \
  ADMIN_USERNAME="Administrator" ADMIN_PASSWORD="A1b2C3d4" \
  STRICT_CHECKING=0 \
  python/samba/tests/krb5/netlogon.py
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | python:tests/krb5: avoid some problems when running against w2025 (preview) with STRICT_CHECKING=0 | Stefan Metzmacher | 1 | -2/+3
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | python:tests/krb5: remember the objectGUID of created accounts | Stefan Metzmacher | 2 | -1/+14
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-12-05 | tests/krb5: make use of conn.auth_info() in _test_samlogon() | Stefan Metzmacher | 1 | -2/+1
In future we'll have KRB5 instead of SCHANNEL...
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-11-27 | python: Fix length of Common Name x509 attribute | Andreas Schneider | 1 | -2/+1
  File "bin/python/samba/tests/krb5/pkinit_tests.py", line 1496, in create_certificate
    x509.NameAttribute(NameOID.COMMON_NAME,
    ~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^
                       f'{cert_name}/emailAddress={cert_name}'),
                       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/lib64/python3.13/site-packages/cryptography/x509/name.py", line 152, in __init__
    raise ValueError(msg)
ValueError: Attribute's length must be >= 1 and <= 64, but it was 84
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
2024-10-30 | python/tests: use encrypt_netr_PasswordInfo in KDCBaseTest._test_samlogon() | Stefan Metzmacher | 1 | -2/+8
This will make it easier to implement netr_ServerAuthenticateKerberos() later...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15425
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-04 | tests/krb5: Remove unneeded machine account creation | Jo Sutton | 1 | -10/+2
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-08-04 | tests/krb5: Remove unneeded parameter ‘samdb’ | Jo Sutton | 1 | -14/+9
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2024-07-02 | tests/krb5: Simplify code using dict.get() | Jo Sutton | 1 | -20/+5
Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Martin Schwenke <martin@meltin.net>