path: root/python
Age | Commit message | Author | Files | Lines
2021-09-02 | tests/krb5: Remove harmful and atypical return in as_req testcase | Andrew Bartlett | 1 | -8/+6
A test in a TestCase class should not return a value, the test is determined by the assertions raised. Other changes will shortly cause kdc_exchange_dict[preauth_etype_info2] to not always be filled, so we need to remove this redundant code. This also fixes a *lot* of tests against the MIT KDC BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 | CVE-2021-3671 tests/krb5: Add tests for omitting sname in outer request | Joseph Sutton | 1 | -0/+39
Note: Without the previous patch, 'test_fast_tgs_outer_no_sname' would crash the Heimdal KDC. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 | tests/krb5: Add test for sending PA-ENCRYPTED-CHALLENGE without FAST | Joseph Sutton | 1 | -0/+15
Note: This test crashed the MIT KDC prior to MIT commit fc98f520caefff2e5ee9a0026fdf5109944b3562 which was given CVE-2021-36222. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 | tests/krb5: Make cname checking less strict | Joseph Sutton | 1 | -2/+3
Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 | tests/krb5: Make e-data checking less strict | Joseph Sutton | 1 | -2/+3
Without this additional 'self.strict_checking' check, the tests in the following patches do not get far enough to trigger a crash with the MIT KDC, instead failing when obtaining a TGT for the user or machine. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14770 Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-09-02 | pydsdb: Add API to return strings of known UF_ flags | Andrew Bartlett | 1 | -0/+57
Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
2021-08-30 | gpo: Add Group Policy Firefox Extension | David Mulder | 1 | -1/+148
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org> Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Mon Aug 30 21:57:09 UTC 2021 on sn-devel-184
2021-08-30 | gpo: Test Group Policy Firefox Extension | David Mulder | 2 | -0/+1741
Signed-off-by: David Mulder <dmulder@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
2021-08-24 | samba-tool domain backup: Use tdbbackup on metadata.tdb | Andrew Bartlett | 1 | -0/+3
metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup. Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org> Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184
2021-08-24 | samba-tool: Rework transactions/locks to hold a lock during mdb backup | Andrew Bartlett | 1 | -6/+32
We now also get sidForRestore under that lock, rather than after the backup. This avoids using the database again after the backup process. While not entirely clear how/why this matters with LMDB as seen in Fedora 34, likely due to the same issues seen with 0.9.26 or later fixed by commit bb3dcd403ced922574a89011dd3814c4fe87dd76. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-24 | samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb | Andrew Bartlett | 1 | -7/+8
This avoids opening the database again by having the caller pass in the DB open BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add FAST tests | Joseph Sutton | 1 | -166/+1483
Example command:

    SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
    KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
    ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
    PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Andrew Bartlett <abartlet@samba.org> Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
2021-08-18 | initial FAST tests | Gary Lockyer | 2 | -0/+246
Currently incomplete, and tested only against MIT Kerberos.

[abartlet@samba.org
Originally "WIP inital FAST tests"

Samba's general policy that we don't push WIP patches, we polish into a 'perfect' patch stream.

However, I think there are good reasons to keep this patch distinct in this particular case.

Gary is being modest in titling this WIP (now removed from the title to avoid confusion). They are not WIP in the normal sense of partially or untested code or random unfinished thoughts. The primary issue is that at that point where Gary had to finish up he had trouble getting FAST support enabled on Windows, so couldn't test against our standard reference.

They are instead good, working initial tests written against the RFC and tested against Samba's AD DC in the mode backed by MIT Kerberos.

This preserves clear authorship for the two distinct bodies of work, as in the next patch Joseph was able to extend and improve the tests significantly.
]

Signed-off-by: Gary Lockyer <gary@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check PADATA-FX-ERROR in reply | Joseph Sutton | 1 | -0/+14
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors | Joseph Sutton | 1 | -3/+9
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check PADATA-PAC-OPTIONS in reply | Joseph Sutton | 1 | -0/+9
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies | Joseph Sutton | 1 | -1/+11
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Make check_rep_padata() also work for checking TGS replies | Joseph Sutton | 1 | -27/+45
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check PADATA-FX-COOKIE in reply | Joseph Sutton | 1 | -0/+15
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply | Joseph Sutton | 1 | -0/+54
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Adjust reply padata checking depending on whether FAST was sent | Joseph Sutton | 1 | -7/+55
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check reply FAST padata if request included FAST | Joseph Sutton | 1 | -0/+15
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check sname is krbtgt for FAST generic error | Joseph Sutton | 1 | -1/+7
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add get_krbtgt_sname() method | Joseph Sutton | 1 | -0/+10
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Remove unused variables | Joseph Sutton | 2 | -3/+0
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply | Joseph Sutton | 1 | -1/+1
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add check_rep_padata() method to check padata in reply | Joseph Sutton | 1 | -35/+48
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata | Joseph Sutton | 1 | -0/+34
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Include authdata in kdc_exchange_dict | Joseph Sutton | 1 | -1/+7
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict | Joseph Sutton | 1 | -1/+15
This is useful for testing the 'hide client names' FAST option. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check encrypted-pa-data | Joseph Sutton | 1 | -1/+51
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add methods to determine whether elements were included in the request | Joseph Sutton | 1 | -0/+25
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add functions to get dicts of request padata | Joseph Sutton | 1 | -0/+11
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check FAST response | Joseph Sutton | 1 | -2/+39
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add method to verify ticket checksum for FAST | Joseph Sutton | 1 | -0/+12
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add method to check PA-FX-FAST-REPLY | Joseph Sutton | 1 | -0/+31
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Allow specifying parameters specific to the outer request body | Joseph Sutton | 1 | -5/+20
This is useful for testing FAST. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add FAST armor generation to _generic_kdc_exchange() | Joseph Sutton | 1 | -7/+88
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ | Joseph Sutton | 1 | -13/+32
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Include authenticator_subkey in AS-REQ exchange dict | Joseph Sutton | 1 | -0/+2
This is needed for FAST. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error() | Joseph Sutton | 2 | -6/+6
This method will also be useful in checking TGS-REP error replies. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add methods to calculate keys for FAST | Joseph Sutton | 1 | -0/+37
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add method to generate FAST encrypted challenge padata | Joseph Sutton | 1 | -0/+19
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add more methods to create ASN1 objects for FAST | Joseph Sutton | 1 | -0/+70
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add more ASN1 definitions for FAST | Joseph Sutton | 3 | -3/+236
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange() | Joseph Sutton | 1 | -0/+21
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Ensure generated padata is not None | Joseph Sutton | 2 | -2/+12
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Add generate_ap_req() method | Joseph Sutton | 1 | -4/+14
This method will be useful to generate an AP-REQ for use as FAST armor. Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Check nonce in EncKDCRepPart | Joseph Sutton | 1 | -3/+7
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>
2021-08-18 | tests/krb5: Make checking less strict | Joseph Sutton | 1 | -25/+27
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org>