2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2020
4 # Copyright (C) 2020 Catalyst.Net Ltd
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 sys.path.insert(0, "bin/python")
24 os.environ["PYTHONUNBUFFERED"] = "1"
28 from samba import dsdb, ntstatus
30 from samba.dcerpc import krb5pac, security
33 import samba.tests.krb5.kcrypto as kcrypto
34 from samba.tests.krb5.kdc_base_test import KDCBaseTest
35 from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
36 from samba.tests.krb5.rfc4120_constants import (
37 AES256_CTS_HMAC_SHA1_96,
47 KDC_ERR_PREAUTH_REQUIRED,
48 KDC_ERR_C_PRINCIPAL_UNKNOWN,
49 KDC_ERR_S_PRINCIPAL_UNKNOWN,
53 NT_ENTERPRISE_PRINCIPAL,
57 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
59 global_asn1_print = False
60 global_hexdump = False
63 class KdcTgsBaseTests(KDCBaseTest):
69 expected_ticket_etype=None):
70 user_name = creds.get_username()
71 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
72 names=user_name.split('/'))
74 target_name = target_creds.get_username()
75 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
76 names=['host', target_name[:-1]])
79 expected_sname = sname
81 expected_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
84 realm = creds.get_realm()
85 salt = creds.get_salt()
87 till = self.get_KerberosTime(offset=36000)
89 ticket_decryption_key = (
90 self.TicketDecryptionKey_from_creds(target_creds,
91 etype=expected_ticket_etype))
92 expected_etypes = target_creds.tgs_supported_enctypes
94 kdc_options = ('forwardable,'
98 kdc_options = krb5_asn1.KDCOptions(kdc_options)
101 initial_error = (KDC_ERR_PREAUTH_REQUIRED, expected_error)
103 initial_error = KDC_ERR_PREAUTH_REQUIRED
105 rep, kdc_exchange_dict = self._test_as_exchange(
111 expected_error_mode=initial_error,
112 expected_crealm=realm,
113 expected_cname=cname,
114 expected_srealm=realm,
115 expected_sname=sname,
117 expected_supported_etypes=expected_etypes,
120 kdc_options=kdc_options,
122 ticket_decryption_key=ticket_decryption_key)
123 self.assertIsNotNone(rep)
124 self.assertEqual(KRB_ERROR, rep['msg-type'])
125 error_code = rep['error-code']
127 self.assertIn(error_code, initial_error)
128 if error_code == expected_error:
131 self.assertEqual(initial_error, error_code)
133 etype_info2 = kdc_exchange_dict['preauth_etype_info2']
135 preauth_key = self.PasswordKey_from_etype_info2(creds,
139 ts_enc_padata = self.get_enc_timestamp_pa_data_from_key(preauth_key)
141 padata = [ts_enc_padata]
143 expected_realm = realm.upper()
145 rep, kdc_exchange_dict = self._test_as_exchange(
151 expected_error_mode=expected_error,
152 expected_crealm=expected_realm,
153 expected_cname=cname,
154 expected_srealm=expected_realm,
155 expected_sname=expected_sname,
157 expected_supported_etypes=expected_etypes,
160 kdc_options=kdc_options,
161 preauth_key=preauth_key,
162 ticket_decryption_key=ticket_decryption_key,
165 self.check_error_rep(rep, expected_error)
168 self.check_as_reply(rep)
169 return kdc_exchange_dict['rep_ticket_creds']
171 def _tgs_req(self, tgt, expected_error, creds, target_creds, *,
177 expected_account_name=None,
178 additional_ticket=None,
180 generate_padata_fn=None,
181 generate_fast_padata_fn=None,
186 expected_ticket_etype=None,
187 expected_supported_etypes=None,
189 expect_pac_attrs=None,
190 expect_pac_attrs_pac_request=None,
191 expect_requester_sid=None,
195 expected_status=None,
196 expected_proxy_target=None,
197 expected_transited_services=None,
202 srealm = target_creds.get_realm()
206 if expected_sname is None:
207 expected_sname = self.get_krbtgt_sname()
210 target_name = target_creds.get_username()
211 if target_name == 'krbtgt':
212 sname = self.PrincipalName_create(
213 name_type=NT_SRV_INST,
214 names=[target_name, srealm])
216 if target_name[-1] == '$':
217 target_name = target_name[:-1]
218 sname = self.PrincipalName_create(
219 name_type=NT_PRINCIPAL,
220 names=['host', target_name])
222 if expected_sname is None:
223 expected_sname = sname
225 if additional_ticket is not None:
226 additional_tickets = [additional_ticket.ticket]
227 if decryption_key is None:
228 decryption_key = additional_ticket.session_key
230 additional_tickets = None
231 if decryption_key is None:
232 decryption_key = self.TicketDecryptionKey_from_creds(
233 target_creds, etype=expected_ticket_etype)
235 subkey = self.RandomKey(tgt.session_key.etype)
237 if armor_tgt is not None:
238 armor_subkey = self.RandomKey(subkey.etype)
239 explicit_armor_key = self.generate_armor_key(armor_subkey,
240 armor_tgt.session_key)
241 armor_key = kcrypto.cf2(explicit_armor_key.key,
245 armor_key = Krb5EncryptionKey(armor_key, None)
247 generate_fast_fn = self.generate_simple_fast
248 generate_fast_armor_fn = self.generate_ap_req
250 if pac_options is None:
251 pac_options = '1' # claims support
255 generate_fast_fn = None
256 generate_fast_armor_fn = None
259 etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
262 check_error_fn = self.generic_check_kdc_error
265 check_error_fn = None
266 check_rep_fn = self.generic_check_kdc_rep
268 if expected_cname is None:
269 expected_cname = tgt.cname
271 kdc_exchange_dict = self.tgs_exchange_dict(
273 expected_crealm=tgt.crealm,
274 expected_cname=expected_cname,
275 expected_srealm=srealm,
276 expected_sname=expected_sname,
277 expected_account_name=expected_account_name,
278 ticket_decryption_key=decryption_key,
279 generate_padata_fn=generate_padata_fn,
280 generate_fast_padata_fn=generate_fast_padata_fn,
281 generate_fast_fn=generate_fast_fn,
282 generate_fast_armor_fn=generate_fast_armor_fn,
283 check_error_fn=check_error_fn,
284 check_rep_fn=check_rep_fn,
285 check_kdc_private_fn=self.generic_check_kdc_private,
286 expected_error_mode=expected_error,
287 expect_status=expect_status,
288 expected_status=expected_status,
292 armor_subkey=armor_subkey,
293 pac_options=pac_options,
294 authenticator_subkey=subkey,
295 kdc_options=kdc_options,
296 expected_supported_etypes=expected_supported_etypes,
297 expect_edata=expect_edata,
298 expect_pac=expect_pac,
299 expect_pac_attrs=expect_pac_attrs,
300 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
301 expect_requester_sid=expect_requester_sid,
302 expected_sid=expected_sid,
303 expected_proxy_target=expected_proxy_target,
304 expected_transited_services=expected_transited_services,
305 check_patypes=check_patypes)
307 rep = self._generic_kdc_exchange(kdc_exchange_dict,
313 additional_tickets=additional_tickets)
315 self.check_error_rep(rep, expected_error)
318 self.check_tgs_reply(rep)
319 return kdc_exchange_dict['rep_ticket_creds']
322 class KdcTgsTests(KdcTgsBaseTests):
326 self.do_asn1_print = global_asn1_print
327 self.do_hexdump = global_hexdump
329 def test_tgs_req_cname_does_not_not_match_authenticator_cname(self):
330 ''' Try and obtain a ticket from the TGS, but supply a cname
331 that differs from that provided to the krbtgt
333 # Create the user account
334 samdb = self.get_samdb()
335 user_name = "tsttktusr"
336 (uc, _) = self.create_account(samdb, user_name)
337 realm = uc.get_realm().lower()
339 # Do the initial AS-REQ, should get a pre-authentication required
341 etype = (AES256_CTS_HMAC_SHA1_96,)
342 cname = self.PrincipalName_create(
343 name_type=NT_PRINCIPAL, names=[user_name])
344 sname = self.PrincipalName_create(
345 name_type=NT_SRV_INST, names=["krbtgt", realm])
347 rep = self.as_req(cname, sname, realm, etype)
348 self.check_pre_authentication(rep)
351 padata = self.get_enc_timestamp_pa_data(uc, rep)
352 key = self.get_as_rep_key(uc, rep)
353 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
354 self.check_as_reply(rep)
356 # Request a service ticket, but use a cname that does not match
357 # that in the original AS-REQ
358 enc_part2 = self.get_as_rep_enc_data(key, rep)
359 key = self.EncryptionKey_import(enc_part2['key'])
360 ticket = rep['ticket']
362 cname = self.PrincipalName_create(
363 name_type=NT_PRINCIPAL,
364 names=["Administrator"])
365 sname = self.PrincipalName_create(
366 name_type=NT_PRINCIPAL,
367 names=["host", samdb.host_dns_name()])
369 (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype,
371 expected_error_mode=KDC_ERR_BADMATCH,
376 "rep = {%s}, enc_part = {%s}" % (rep, enc_part))
377 self.assertEqual(KRB_ERROR, rep['msg-type'], "rep = {%s}" % rep)
383 def test_ldap_service_ticket(self):
384 '''Get a ticket to the ldap service
386 # Create the user account
387 samdb = self.get_samdb()
388 user_name = "tsttktusr"
389 (uc, _) = self.create_account(samdb, user_name)
390 realm = uc.get_realm().lower()
392 # Do the initial AS-REQ, should get a pre-authentication required
394 etype = (AES256_CTS_HMAC_SHA1_96,)
395 cname = self.PrincipalName_create(
396 name_type=NT_PRINCIPAL, names=[user_name])
397 sname = self.PrincipalName_create(
398 name_type=NT_SRV_INST, names=["krbtgt", realm])
400 rep = self.as_req(cname, sname, realm, etype)
401 self.check_pre_authentication(rep)
404 padata = self.get_enc_timestamp_pa_data(uc, rep)
405 key = self.get_as_rep_key(uc, rep)
406 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
407 self.check_as_reply(rep)
409 enc_part2 = self.get_as_rep_enc_data(key, rep)
410 key = self.EncryptionKey_import(enc_part2['key'])
411 ticket = rep['ticket']
413 # Request a ticket to the ldap service
414 sname = self.PrincipalName_create(
415 name_type=NT_SRV_INST,
416 names=["ldap", samdb.host_dns_name()])
418 (rep, _) = self.tgs_req(
419 cname, sname, uc.get_realm(), ticket, key, etype,
420 service_creds=self.get_dc_creds())
422 self.check_tgs_reply(rep)
424 def test_get_ticket_for_host_service_of_machine_account(self):
426 # Create a user and machine account for the test.
428 samdb = self.get_samdb()
429 user_name = "tsttktusr"
430 (uc, dn) = self.create_account(samdb, user_name)
431 (mc, _) = self.create_account(samdb, "tsttktmac",
432 account_type=self.AccountType.COMPUTER)
433 realm = uc.get_realm().lower()
435 # Do the initial AS-REQ, should get a pre-authentication required
437 etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
438 cname = self.PrincipalName_create(
439 name_type=NT_PRINCIPAL, names=[user_name])
440 sname = self.PrincipalName_create(
441 name_type=NT_SRV_INST, names=["krbtgt", realm])
443 rep = self.as_req(cname, sname, realm, etype)
444 self.check_pre_authentication(rep)
447 padata = self.get_enc_timestamp_pa_data(uc, rep)
448 key = self.get_as_rep_key(uc, rep)
449 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
450 self.check_as_reply(rep)
452 # Request a ticket to the host service on the machine account
453 ticket = rep['ticket']
454 enc_part2 = self.get_as_rep_enc_data(key, rep)
455 key = self.EncryptionKey_import(enc_part2['key'])
456 cname = self.PrincipalName_create(
457 name_type=NT_PRINCIPAL,
459 sname = self.PrincipalName_create(
460 name_type=NT_PRINCIPAL,
461 names=[mc.get_username()])
463 (rep, enc_part) = self.tgs_req(
464 cname, sname, uc.get_realm(), ticket, key, etype,
466 self.check_tgs_reply(rep)
468 # Check the contents of the service ticket
469 ticket = rep['ticket']
470 enc_part = self.decode_service_ticket(mc, ticket)
472 pac_data = self.get_pac_data(enc_part['authorization-data'])
473 sid = self.get_objectSid(samdb, dn)
474 upn = "%s@%s" % (uc.get_username(), realm)
477 str(pac_data.account_name),
478 "rep = {%s},%s" % (rep, pac_data))
482 "rep = {%s},%s" % (rep, pac_data))
485 pac_data.domain_name,
486 "rep = {%s},%s" % (rep, pac_data))
490 "rep = {%s},%s" % (rep, pac_data))
493 pac_data.account_sid,
494 "rep = {%s},%s" % (rep, pac_data))
496 def test_request(self):
497 client_creds = self.get_client_creds()
498 service_creds = self.get_service_creds()
500 tgt = self.get_tgt(client_creds)
502 pac = self.get_ticket_pac(tgt)
503 self.assertIsNotNone(pac)
505 ticket = self._make_tgs_request(client_creds, service_creds, tgt)
507 pac = self.get_ticket_pac(ticket)
508 self.assertIsNotNone(pac)
510 def test_request_no_pac(self):
511 client_creds = self.get_client_creds()
512 service_creds = self.get_service_creds()
514 tgt = self.get_tgt(client_creds, pac_request=False)
516 pac = self.get_ticket_pac(tgt)
517 self.assertIsNotNone(pac)
519 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
520 pac_request=False, expect_pac=False)
522 pac = self.get_ticket_pac(ticket, expect_pac=False)
523 self.assertIsNone(pac)
525 def test_request_enterprise_canon(self):
526 upn = self.get_new_username()
527 client_creds = self.get_cached_creds(
528 account_type=self.AccountType.USER,
530 service_creds = self.get_service_creds()
532 user_name = client_creds.get_username()
533 realm = client_creds.get_realm()
534 client_account = f'{user_name}@{realm}'
536 expected_cname = self.PrincipalName_create(
537 name_type=NT_PRINCIPAL,
540 kdc_options = 'canonicalize'
542 tgt = self.get_tgt(client_creds,
543 client_account=client_account,
544 client_name_type=NT_ENTERPRISE_PRINCIPAL,
545 expected_cname=expected_cname,
546 expected_account_name=user_name,
547 kdc_options=kdc_options)
549 self._make_tgs_request(
550 client_creds, service_creds, tgt,
551 client_account=client_account,
552 client_name_type=NT_ENTERPRISE_PRINCIPAL,
553 expected_cname=expected_cname,
554 expected_account_name=user_name,
555 kdc_options=kdc_options)
557 def test_request_enterprise_canon_case(self):
558 upn = self.get_new_username()
559 client_creds = self.get_cached_creds(
560 account_type=self.AccountType.USER,
562 service_creds = self.get_service_creds()
564 user_name = client_creds.get_username()
565 realm = client_creds.get_realm().lower()
566 client_account = f'{user_name}@{realm}'
568 expected_cname = self.PrincipalName_create(
569 name_type=NT_PRINCIPAL,
572 kdc_options = 'canonicalize'
574 tgt = self.get_tgt(client_creds,
575 client_account=client_account,
576 client_name_type=NT_ENTERPRISE_PRINCIPAL,
577 expected_cname=expected_cname,
578 expected_account_name=user_name,
579 kdc_options=kdc_options)
581 self._make_tgs_request(
582 client_creds, service_creds, tgt,
583 client_account=client_account,
584 client_name_type=NT_ENTERPRISE_PRINCIPAL,
585 expected_cname=expected_cname,
586 expected_account_name=user_name,
587 kdc_options=kdc_options)
589 def test_request_enterprise_canon_mac(self):
590 upn = self.get_new_username()
591 client_creds = self.get_cached_creds(
592 account_type=self.AccountType.COMPUTER,
594 service_creds = self.get_service_creds()
596 user_name = client_creds.get_username()
597 realm = client_creds.get_realm()
598 client_account = f'{user_name}@{realm}'
600 expected_cname = self.PrincipalName_create(
601 name_type=NT_PRINCIPAL,
604 kdc_options = 'canonicalize'
606 tgt = self.get_tgt(client_creds,
607 client_account=client_account,
608 client_name_type=NT_ENTERPRISE_PRINCIPAL,
609 expected_cname=expected_cname,
610 expected_account_name=user_name,
611 kdc_options=kdc_options)
613 self._make_tgs_request(
614 client_creds, service_creds, tgt,
615 client_account=client_account,
616 client_name_type=NT_ENTERPRISE_PRINCIPAL,
617 expected_cname=expected_cname,
618 expected_account_name=user_name,
619 kdc_options=kdc_options)
621 def test_request_enterprise_canon_case_mac(self):
622 upn = self.get_new_username()
623 client_creds = self.get_cached_creds(
624 account_type=self.AccountType.COMPUTER,
626 service_creds = self.get_service_creds()
628 user_name = client_creds.get_username()
629 realm = client_creds.get_realm().lower()
630 client_account = f'{user_name}@{realm}'
632 expected_cname = self.PrincipalName_create(
633 name_type=NT_PRINCIPAL,
636 kdc_options = 'canonicalize'
638 tgt = self.get_tgt(client_creds,
639 client_account=client_account,
640 client_name_type=NT_ENTERPRISE_PRINCIPAL,
641 expected_cname=expected_cname,
642 expected_account_name=user_name,
643 kdc_options=kdc_options)
645 self._make_tgs_request(
646 client_creds, service_creds, tgt,
647 client_account=client_account,
648 client_name_type=NT_ENTERPRISE_PRINCIPAL,
649 expected_cname=expected_cname,
650 expected_account_name=user_name,
651 kdc_options=kdc_options)
653 def test_request_enterprise_no_canon(self):
654 upn = self.get_new_username()
655 client_creds = self.get_cached_creds(
656 account_type=self.AccountType.USER,
658 service_creds = self.get_service_creds()
660 user_name = client_creds.get_username()
661 realm = client_creds.get_realm()
662 client_account = f'{user_name}@{realm}'
666 tgt = self.get_tgt(client_creds,
667 client_account=client_account,
668 client_name_type=NT_ENTERPRISE_PRINCIPAL,
669 expected_account_name=user_name,
670 kdc_options=kdc_options)
672 self._make_tgs_request(
673 client_creds, service_creds, tgt,
674 client_account=client_account,
675 client_name_type=NT_ENTERPRISE_PRINCIPAL,
676 expected_account_name=user_name,
677 kdc_options=kdc_options)
679 def test_request_enterprise_no_canon_case(self):
680 upn = self.get_new_username()
681 client_creds = self.get_cached_creds(
682 account_type=self.AccountType.USER,
684 service_creds = self.get_service_creds()
686 user_name = client_creds.get_username()
687 realm = client_creds.get_realm().lower()
688 client_account = f'{user_name}@{realm}'
692 tgt = self.get_tgt(client_creds,
693 client_account=client_account,
694 client_name_type=NT_ENTERPRISE_PRINCIPAL,
695 expected_account_name=user_name,
696 kdc_options=kdc_options)
698 self._make_tgs_request(
699 client_creds, service_creds, tgt,
700 client_account=client_account,
701 client_name_type=NT_ENTERPRISE_PRINCIPAL,
702 expected_account_name=user_name,
703 kdc_options=kdc_options)
705 def test_request_enterprise_no_canon_mac(self):
706 upn = self.get_new_username()
707 client_creds = self.get_cached_creds(
708 account_type=self.AccountType.COMPUTER,
710 service_creds = self.get_service_creds()
712 user_name = client_creds.get_username()
713 realm = client_creds.get_realm()
714 client_account = f'{user_name}@{realm}'
718 tgt = self.get_tgt(client_creds,
719 client_account=client_account,
720 client_name_type=NT_ENTERPRISE_PRINCIPAL,
721 expected_account_name=user_name,
722 kdc_options=kdc_options)
724 self._make_tgs_request(
725 client_creds, service_creds, tgt,
726 client_account=client_account,
727 client_name_type=NT_ENTERPRISE_PRINCIPAL,
728 expected_account_name=user_name,
729 kdc_options=kdc_options)
731 def test_request_enterprise_no_canon_case_mac(self):
732 upn = self.get_new_username()
733 client_creds = self.get_cached_creds(
734 account_type=self.AccountType.COMPUTER,
736 service_creds = self.get_service_creds()
738 user_name = client_creds.get_username()
739 realm = client_creds.get_realm().lower()
740 client_account = f'{user_name}@{realm}'
744 tgt = self.get_tgt(client_creds,
745 client_account=client_account,
746 client_name_type=NT_ENTERPRISE_PRINCIPAL,
747 expected_account_name=user_name,
748 kdc_options=kdc_options)
750 self._make_tgs_request(
751 client_creds, service_creds, tgt,
752 client_account=client_account,
753 client_name_type=NT_ENTERPRISE_PRINCIPAL,
754 expected_account_name=user_name,
755 kdc_options=kdc_options)
757 def test_client_no_auth_data_required(self):
758 client_creds = self.get_cached_creds(
759 account_type=self.AccountType.USER,
760 opts={'no_auth_data_required': True})
761 service_creds = self.get_service_creds()
763 tgt = self.get_tgt(client_creds)
765 pac = self.get_ticket_pac(tgt)
766 self.assertIsNotNone(pac)
768 ticket = self._make_tgs_request(client_creds, service_creds, tgt)
770 pac = self.get_ticket_pac(ticket)
771 self.assertIsNotNone(pac)
773 def test_no_pac_client_no_auth_data_required(self):
774 client_creds = self.get_cached_creds(
775 account_type=self.AccountType.USER,
776 opts={'no_auth_data_required': True})
777 service_creds = self.get_service_creds()
779 tgt = self.get_tgt(client_creds)
781 pac = self.get_ticket_pac(tgt)
782 self.assertIsNotNone(pac)
784 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
785 pac_request=False, expect_pac=True)
787 pac = self.get_ticket_pac(ticket)
788 self.assertIsNotNone(pac)
790 def test_service_no_auth_data_required(self):
791 client_creds = self.get_client_creds()
792 service_creds = self.get_cached_creds(
793 account_type=self.AccountType.COMPUTER,
794 opts={'no_auth_data_required': True})
796 tgt = self.get_tgt(client_creds)
798 pac = self.get_ticket_pac(tgt)
799 self.assertIsNotNone(pac)
801 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
804 pac = self.get_ticket_pac(ticket, expect_pac=False)
805 self.assertIsNone(pac)
807 def test_no_pac_service_no_auth_data_required(self):
808 client_creds = self.get_client_creds()
809 service_creds = self.get_cached_creds(
810 account_type=self.AccountType.COMPUTER,
811 opts={'no_auth_data_required': True})
813 tgt = self.get_tgt(client_creds, pac_request=False)
815 pac = self.get_ticket_pac(tgt)
816 self.assertIsNotNone(pac)
818 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
819 pac_request=False, expect_pac=False)
821 pac = self.get_ticket_pac(ticket, expect_pac=False)
822 self.assertIsNone(pac)
824 def test_remove_pac_service_no_auth_data_required(self):
825 client_creds = self.get_client_creds()
826 service_creds = self.get_cached_creds(
827 account_type=self.AccountType.COMPUTER,
828 opts={'no_auth_data_required': True})
830 tgt = self.modified_ticket(self.get_tgt(client_creds),
833 pac = self.get_ticket_pac(tgt, expect_pac=False)
834 self.assertIsNone(pac)
836 self._make_tgs_request(client_creds, service_creds, tgt,
839 def test_remove_pac_client_no_auth_data_required(self):
840 client_creds = self.get_cached_creds(
841 account_type=self.AccountType.USER,
842 opts={'no_auth_data_required': True})
843 service_creds = self.get_service_creds()
845 tgt = self.modified_ticket(self.get_tgt(client_creds),
848 pac = self.get_ticket_pac(tgt, expect_pac=False)
849 self.assertIsNone(pac)
851 self._make_tgs_request(client_creds, service_creds, tgt,
854 def test_remove_pac(self):
855 client_creds = self.get_client_creds()
856 service_creds = self.get_service_creds()
858 tgt = self.modified_ticket(self.get_tgt(client_creds),
861 pac = self.get_ticket_pac(tgt, expect_pac=False)
862 self.assertIsNone(pac)
864 self._make_tgs_request(client_creds, service_creds, tgt,
867 def test_upn_dns_info_ex_user(self):
868 client_creds = self.get_client_creds()
869 self._run_upn_dns_info_ex_test(client_creds)
871 def test_upn_dns_info_ex_mac(self):
872 mach_creds = self.get_mach_creds()
873 self._run_upn_dns_info_ex_test(mach_creds)
875 def test_upn_dns_info_ex_upn_user(self):
876 client_creds = self.get_cached_creds(
877 account_type=self.AccountType.USER,
878 opts={'upn': 'upn_dns_info_test_upn0@bar'})
879 self._run_upn_dns_info_ex_test(client_creds)
881 def test_upn_dns_info_ex_upn_mac(self):
882 mach_creds = self.get_cached_creds(
883 account_type=self.AccountType.COMPUTER,
884 opts={'upn': 'upn_dns_info_test_upn1@bar'})
885 self._run_upn_dns_info_ex_test(mach_creds)
887 def _run_upn_dns_info_ex_test(self, client_creds):
888 service_creds = self.get_service_creds()
890 samdb = self.get_samdb()
891 dn = client_creds.get_dn()
893 account_name = client_creds.get_username()
894 upn_name = client_creds.get_upn()
896 realm = client_creds.get_realm().lower()
897 upn_name = f'{account_name}@{realm}'
898 sid = self.get_objectSid(samdb, dn)
900 tgt = self.get_tgt(client_creds,
901 expected_account_name=account_name,
902 expected_upn_name=upn_name,
905 self._make_tgs_request(client_creds, service_creds, tgt,
906 expected_account_name=account_name,
907 expected_upn_name=upn_name,
910 # Test making a TGS request.
911 def test_tgs_req(self):
912 creds = self._get_creds()
913 tgt = self._get_tgt(creds)
914 self._run_tgs(tgt, creds, expected_error=0)
916 def test_renew_req(self):
917 creds = self._get_creds()
918 tgt = self._get_tgt(creds, renewable=True)
919 self._renew_tgt(tgt, creds, expected_error=0,
920 expect_pac_attrs=True,
921 expect_pac_attrs_pac_request=True,
922 expect_requester_sid=True)
924 def test_validate_req(self):
925 creds = self._get_creds()
926 tgt = self._get_tgt(creds, invalid=True)
927 self._validate_tgt(tgt, creds, expected_error=0,
928 expect_pac_attrs=True,
929 expect_pac_attrs_pac_request=True,
930 expect_requester_sid=True)
932 def test_s4u2self_req(self):
933 creds = self._get_creds()
934 tgt = self._get_tgt(creds)
935 self._s4u2self(tgt, creds, expected_error=0)
937 def test_user2user_req(self):
938 creds = self._get_creds()
939 tgt = self._get_tgt(creds)
940 self._user2user(tgt, creds, expected_error=0)
942 def test_fast_req(self):
943 creds = self._get_creds()
944 tgt = self._get_tgt(creds)
945 self._fast(tgt, creds, expected_error=0)
947 def test_tgs_req_invalid(self):
948 creds = self._get_creds()
949 tgt = self._get_tgt(creds, invalid=True)
950 self._run_tgs(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
952 def test_s4u2self_req_invalid(self):
953 creds = self._get_creds()
954 tgt = self._get_tgt(creds, invalid=True)
955 self._s4u2self(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
957 def test_user2user_req_invalid(self):
958 creds = self._get_creds()
959 tgt = self._get_tgt(creds, invalid=True)
960 self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
962 def test_fast_req_invalid(self):
963 creds = self._get_creds()
964 tgt = self._get_tgt(creds, invalid=True)
965 self._fast(tgt, creds, expected_error=KRB_ERR_TKT_NYV,
966 expected_sname=self.get_krbtgt_sname())
968 def test_tgs_req_no_requester_sid(self):
969 creds = self._get_creds()
970 tgt = self._get_tgt(creds, remove_requester_sid=True)
972 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
974 def test_tgs_req_no_pac_attrs(self):
975 creds = self._get_creds()
976 tgt = self._get_tgt(creds, remove_pac_attrs=True)
978 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
979 expect_pac_attrs=False)
981 def test_tgs_req_from_rodc_no_requester_sid(self):
982 creds = self._get_creds(replication_allowed=True,
983 revealed_to_rodc=True)
984 tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True)
986 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
988 def test_tgs_req_from_rodc_no_pac_attrs(self):
989 creds = self._get_creds(replication_allowed=True,
990 revealed_to_rodc=True)
991 tgt = self._get_tgt(creds, from_rodc=True, remove_pac_attrs=True)
992 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
993 expect_pac_attrs=False)
995 # Test making a request without a PAC.
996 def test_tgs_no_pac(self):
997 creds = self._get_creds()
998 tgt = self._get_tgt(creds, remove_pac=True)
999 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1001 def test_renew_no_pac(self):
1002 creds = self._get_creds()
1003 tgt = self._get_tgt(creds, renewable=True, remove_pac=True)
1004 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1006 def test_validate_no_pac(self):
1007 creds = self._get_creds()
1008 tgt = self._get_tgt(creds, invalid=True, remove_pac=True)
1009 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1011 def test_s4u2self_no_pac(self):
1012 creds = self._get_creds()
1013 tgt = self._get_tgt(creds, remove_pac=True)
1014 self._s4u2self(tgt, creds,
1015 expected_error=KDC_ERR_TGT_REVOKED,
1018 def test_user2user_no_pac(self):
1019 creds = self._get_creds()
1020 tgt = self._get_tgt(creds, remove_pac=True)
1021 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1023 def test_fast_no_pac(self):
1024 creds = self._get_creds()
1025 tgt = self._get_tgt(creds, remove_pac=True)
1026 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1027 expected_sname=self.get_krbtgt_sname())
1029 # Test making a request with authdata and without a PAC.
1030 def test_tgs_authdata_no_pac(self):
1031 creds = self._get_creds()
1032 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1033 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1035 def test_renew_authdata_no_pac(self):
1036 creds = self._get_creds()
1037 tgt = self._get_tgt(creds, renewable=True, remove_pac=True,
1038 allow_empty_authdata=True)
1039 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1041 def test_validate_authdata_no_pac(self):
1042 creds = self._get_creds()
1043 tgt = self._get_tgt(creds, invalid=True, remove_pac=True,
1044 allow_empty_authdata=True)
1045 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1047 def test_s4u2self_authdata_no_pac(self):
1048 creds = self._get_creds()
1049 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1050 self._s4u2self(tgt, creds,
1051 expected_error=KDC_ERR_TGT_REVOKED,
1054 def test_user2user_authdata_no_pac(self):
1055 creds = self._get_creds()
1056 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1057 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1059 def test_fast_authdata_no_pac(self):
1060 creds = self._get_creds()
1061 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1062 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1063 expected_sname=self.get_krbtgt_sname())
1065 # Test changing the SID in the PAC to that of another account.
1066 def test_tgs_sid_mismatch_existing(self):
1067 creds = self._get_creds()
1068 existing_rid = self._get_existing_rid()
1069 tgt = self._get_tgt(creds, new_rid=existing_rid)
1070 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1072 def test_renew_sid_mismatch_existing(self):
1073 creds = self._get_creds()
1074 existing_rid = self._get_existing_rid()
1075 tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid)
1076 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1078 def test_validate_sid_mismatch_existing(self):
1079 creds = self._get_creds()
1080 existing_rid = self._get_existing_rid()
1081 tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid)
1082 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1084 def test_s4u2self_sid_mismatch_existing(self):
1085 creds = self._get_creds()
1086 existing_rid = self._get_existing_rid()
1087 tgt = self._get_tgt(creds, new_rid=existing_rid)
1088 self._s4u2self(tgt, creds,
1089 expected_error=KDC_ERR_TGT_REVOKED)
1091 def test_user2user_sid_mismatch_existing(self):
1092 creds = self._get_creds()
1093 existing_rid = self._get_existing_rid()
1094 tgt = self._get_tgt(creds, new_rid=existing_rid)
1095 self._user2user(tgt, creds,
1096 expected_error=KDC_ERR_TGT_REVOKED)
1098 def test_fast_sid_mismatch_existing(self):
1099 creds = self._get_creds()
1100 existing_rid = self._get_existing_rid()
1101 tgt = self._get_tgt(creds, new_rid=existing_rid)
1102 self._fast(tgt, creds,
1103 expected_error=KDC_ERR_TGT_REVOKED,
1104 expected_sname=self.get_krbtgt_sname())
1106 def test_requester_sid_mismatch_existing(self):
1107 creds = self._get_creds()
1108 existing_rid = self._get_existing_rid()
1109 tgt = self._get_tgt(creds, new_rid=existing_rid,
1110 can_modify_logon_info=False)
1111 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1113 def test_logon_info_sid_mismatch_existing(self):
1114 creds = self._get_creds()
1115 existing_rid = self._get_existing_rid()
1116 tgt = self._get_tgt(creds, new_rid=existing_rid,
1117 can_modify_requester_sid=False)
1118 self._run_tgs(tgt, creds, expected_error=0)
1120 def test_logon_info_only_sid_mismatch_existing(self):
1121 creds = self._get_creds()
1122 existing_rid = self._get_existing_rid()
1123 tgt = self._get_tgt(creds, new_rid=existing_rid,
1124 remove_requester_sid=True)
1125 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1127 # Test changing the SID in the PAC to a non-existent one.
1128 def test_tgs_sid_mismatch_nonexisting(self):
1129 creds = self._get_creds()
1130 nonexistent_rid = self._get_non_existent_rid()
1131 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1132 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1134 def test_renew_sid_mismatch_nonexisting(self):
1135 creds = self._get_creds()
1136 nonexistent_rid = self._get_non_existent_rid()
1137 tgt = self._get_tgt(creds, renewable=True,
1138 new_rid=nonexistent_rid)
1139 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1141 def test_validate_sid_mismatch_nonexisting(self):
1142 creds = self._get_creds()
1143 nonexistent_rid = self._get_non_existent_rid()
1144 tgt = self._get_tgt(creds, invalid=True,
1145 new_rid=nonexistent_rid)
1146 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1148 def test_s4u2self_sid_mismatch_nonexisting(self):
1149 creds = self._get_creds()
1150 nonexistent_rid = self._get_non_existent_rid()
1151 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1152 self._s4u2self(tgt, creds,
1153 expected_error=KDC_ERR_TGT_REVOKED)
1155 def test_user2user_sid_mismatch_nonexisting(self):
1156 creds = self._get_creds()
1157 nonexistent_rid = self._get_non_existent_rid()
1158 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1159 self._user2user(tgt, creds,
1160 expected_error=KDC_ERR_TGT_REVOKED)
1162 def test_fast_sid_mismatch_nonexisting(self):
1163 creds = self._get_creds()
1164 nonexistent_rid = self._get_non_existent_rid()
1165 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1166 self._fast(tgt, creds,
1167 expected_error=KDC_ERR_TGT_REVOKED,
1168 expected_sname=self.get_krbtgt_sname())
1170 def test_requester_sid_mismatch_nonexisting(self):
1171 creds = self._get_creds()
1172 nonexistent_rid = self._get_non_existent_rid()
1173 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1174 can_modify_logon_info=False)
1175 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1177 def test_logon_info_sid_mismatch_nonexisting(self):
1178 creds = self._get_creds()
1179 nonexistent_rid = self._get_non_existent_rid()
1180 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1181 can_modify_requester_sid=False)
1182 self._run_tgs(tgt, creds, expected_error=0)
1184 def test_logon_info_only_sid_mismatch_nonexisting(self):
1185 creds = self._get_creds()
1186 nonexistent_rid = self._get_non_existent_rid()
1187 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1188 remove_requester_sid=True)
1189 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1191 # Test with an RODC-issued ticket where the client is revealed to the RODC.
1192 def test_tgs_rodc_revealed(self):
1193 creds = self._get_creds(replication_allowed=True,
1194 revealed_to_rodc=True)
1195 tgt = self._get_tgt(creds, from_rodc=True)
1196 self._run_tgs(tgt, creds, expected_error=0)
1198 def test_renew_rodc_revealed(self):
1199 creds = self._get_creds(replication_allowed=True,
1200 revealed_to_rodc=True)
1201 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1202 self._renew_tgt(tgt, creds, expected_error=0,
1203 expect_pac_attrs=False,
1204 expect_requester_sid=True)
1206 def test_validate_rodc_revealed(self):
1207 creds = self._get_creds(replication_allowed=True,
1208 revealed_to_rodc=True)
1209 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1210 self._validate_tgt(tgt, creds, expected_error=0,
1211 expect_pac_attrs=False,
1212 expect_requester_sid=True)
1214 # This test fails on Windows, which gives KDC_ERR_C_PRINCIPAL_UNKNOWN when
1215 # attempting to use S4U2Self with a TGT from an RODC.
1216 def test_s4u2self_rodc_revealed(self):
1217 creds = self._get_creds(replication_allowed=True,
1218 revealed_to_rodc=True)
1219 tgt = self._get_tgt(creds, from_rodc=True)
1220 self._s4u2self(tgt, creds,
1221 expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
1223 def test_user2user_rodc_revealed(self):
1224 creds = self._get_creds(replication_allowed=True,
1225 revealed_to_rodc=True)
1226 tgt = self._get_tgt(creds, from_rodc=True)
1227 self._user2user(tgt, creds, expected_error=0)
1229 # Test with an RODC-issued ticket where the SID in the PAC is changed to
1230 # that of another account.
1231 def test_tgs_rodc_sid_mismatch_existing(self):
1232 creds = self._get_creds(replication_allowed=True,
1233 revealed_to_rodc=True)
1234 existing_rid = self._get_existing_rid(replication_allowed=True,
1235 revealed_to_rodc=True)
1236 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1237 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1239 def test_renew_rodc_sid_mismatch_existing(self):
1240 creds = self._get_creds(replication_allowed=True,
1241 revealed_to_rodc=True)
1242 existing_rid = self._get_existing_rid(replication_allowed=True,
1243 revealed_to_rodc=True)
1244 tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
1245 new_rid=existing_rid)
1246 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1248 def test_validate_rodc_sid_mismatch_existing(self):
1249 creds = self._get_creds(replication_allowed=True,
1250 revealed_to_rodc=True)
1251 existing_rid = self._get_existing_rid(replication_allowed=True,
1252 revealed_to_rodc=True)
1253 tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
1254 new_rid=existing_rid)
1255 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1257 def test_s4u2self_rodc_sid_mismatch_existing(self):
1258 creds = self._get_creds(replication_allowed=True,
1259 revealed_to_rodc=True)
1260 existing_rid = self._get_existing_rid(replication_allowed=True,
1261 revealed_to_rodc=True)
1262 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1263 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1265 def test_user2user_rodc_sid_mismatch_existing(self):
1266 creds = self._get_creds(replication_allowed=True,
1267 revealed_to_rodc=True)
1268 existing_rid = self._get_existing_rid(replication_allowed=True,
1269 revealed_to_rodc=True)
1270 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1271 self._user2user(tgt, creds,
1272 expected_error=KDC_ERR_TGT_REVOKED)
1274 def test_fast_rodc_sid_mismatch_existing(self):
1275 creds = self._get_creds(replication_allowed=True,
1276 revealed_to_rodc=True)
1277 existing_rid = self._get_existing_rid(replication_allowed=True,
1278 revealed_to_rodc=True)
1279 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1280 self._fast(tgt, creds,
1281 expected_error=KDC_ERR_TGT_REVOKED,
1282 expected_sname=self.get_krbtgt_sname())
1284 def test_tgs_rodc_requester_sid_mismatch_existing(self):
1285 creds = self._get_creds(replication_allowed=True,
1286 revealed_to_rodc=True)
1287 existing_rid = self._get_existing_rid(replication_allowed=True,
1288 revealed_to_rodc=True)
1289 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1290 can_modify_logon_info=False)
1291 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1293 def test_tgs_rodc_logon_info_sid_mismatch_existing(self):
1294 creds = self._get_creds(replication_allowed=True,
1295 revealed_to_rodc=True)
1296 existing_rid = self._get_existing_rid(replication_allowed=True,
1297 revealed_to_rodc=True)
1298 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1299 can_modify_requester_sid=False)
1300 self._run_tgs(tgt, creds, expected_error=0)
1302 def test_tgs_rodc_logon_info_only_sid_mismatch_existing(self):
1303 creds = self._get_creds(replication_allowed=True,
1304 revealed_to_rodc=True)
1305 existing_rid = self._get_existing_rid(replication_allowed=True,
1306 revealed_to_rodc=True)
1307 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1308 remove_requester_sid=True)
1309 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1311 # Test with an RODC-issued ticket where the SID in the PAC is changed to a
1313 def test_tgs_rodc_sid_mismatch_nonexisting(self):
1314 creds = self._get_creds(replication_allowed=True,
1315 revealed_to_rodc=True)
1316 nonexistent_rid = self._get_non_existent_rid()
1317 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1318 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1320 def test_renew_rodc_sid_mismatch_nonexisting(self):
1321 creds = self._get_creds(replication_allowed=True,
1322 revealed_to_rodc=True)
1323 nonexistent_rid = self._get_non_existent_rid()
1324 tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
1325 new_rid=nonexistent_rid)
1326 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1328 def test_validate_rodc_sid_mismatch_nonexisting(self):
1329 creds = self._get_creds(replication_allowed=True,
1330 revealed_to_rodc=True)
1331 nonexistent_rid = self._get_non_existent_rid()
1332 tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
1333 new_rid=nonexistent_rid)
1334 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1336 def test_s4u2self_rodc_sid_mismatch_nonexisting(self):
1337 creds = self._get_creds(replication_allowed=True,
1338 revealed_to_rodc=True)
1339 nonexistent_rid = self._get_non_existent_rid()
1340 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1341 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1343 def test_user2user_rodc_sid_mismatch_nonexisting(self):
1344 creds = self._get_creds(replication_allowed=True,
1345 revealed_to_rodc=True)
1346 nonexistent_rid = self._get_non_existent_rid()
1347 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1348 self._user2user(tgt, creds,
1349 expected_error=KDC_ERR_TGT_REVOKED)
1351 def test_fast_rodc_sid_mismatch_nonexisting(self):
1352 creds = self._get_creds(replication_allowed=True,
1353 revealed_to_rodc=True)
1354 nonexistent_rid = self._get_non_existent_rid()
1355 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1356 self._fast(tgt, creds,
1357 expected_error=KDC_ERR_TGT_REVOKED,
1358 expected_sname=self.get_krbtgt_sname())
1360 def test_tgs_rodc_requester_sid_mismatch_nonexisting(self):
1361 creds = self._get_creds(replication_allowed=True,
1362 revealed_to_rodc=True)
1363 nonexistent_rid = self._get_non_existent_rid()
1364 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1365 can_modify_logon_info=False)
1366 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1368 def test_tgs_rodc_logon_info_sid_mismatch_nonexisting(self):
1369 creds = self._get_creds(replication_allowed=True,
1370 revealed_to_rodc=True)
1371 nonexistent_rid = self._get_non_existent_rid()
1372 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1373 can_modify_requester_sid=False)
1374 self._run_tgs(tgt, creds, expected_error=0)
1376 def test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting(self):
1377 creds = self._get_creds(replication_allowed=True,
1378 revealed_to_rodc=True)
1379 nonexistent_rid = self._get_non_existent_rid()
1380 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1381 remove_requester_sid=True)
1382 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1384 # Test with an RODC-issued ticket where the client is not revealed to the
1386 def test_tgs_rodc_not_revealed(self):
1387 creds = self._get_creds(replication_allowed=True)
1388 tgt = self._get_tgt(creds, from_rodc=True)
1390 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1392 def test_renew_rodc_not_revealed(self):
1393 creds = self._get_creds(replication_allowed=True)
1394 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1395 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1397 def test_validate_rodc_not_revealed(self):
1398 creds = self._get_creds(replication_allowed=True)
1399 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1400 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1402 def test_s4u2self_rodc_not_revealed(self):
1403 creds = self._get_creds(replication_allowed=True)
1404 tgt = self._get_tgt(creds, from_rodc=True)
1405 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1407 def test_user2user_rodc_not_revealed(self):
1408 creds = self._get_creds(replication_allowed=True)
1409 tgt = self._get_tgt(creds, from_rodc=True)
1410 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1412 # Test with an RODC-issued ticket where the RODC account does not have the
1413 # PARTIAL_SECRETS bit set.
1414 def test_tgs_rodc_no_partial_secrets(self):
1415 creds = self._get_creds(replication_allowed=True,
1416 revealed_to_rodc=True)
1417 tgt = self._get_tgt(creds, from_rodc=True)
1418 self._remove_rodc_partial_secrets()
1419 self._run_tgs(tgt, creds, expected_error=KDC_ERR_POLICY)
1421 def test_renew_rodc_no_partial_secrets(self):
1422 creds = self._get_creds(replication_allowed=True,
1423 revealed_to_rodc=True)
1424 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1425 self._remove_rodc_partial_secrets()
1426 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1428 def test_validate_rodc_no_partial_secrets(self):
1429 creds = self._get_creds(replication_allowed=True,
1430 revealed_to_rodc=True)
1431 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1432 self._remove_rodc_partial_secrets()
1433 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1435 def test_s4u2self_rodc_no_partial_secrets(self):
1436 creds = self._get_creds(replication_allowed=True,
1437 revealed_to_rodc=True)
1438 tgt = self._get_tgt(creds, from_rodc=True)
1439 self._remove_rodc_partial_secrets()
1440 self._s4u2self(tgt, creds, expected_error=KDC_ERR_POLICY)
1442 def test_user2user_rodc_no_partial_secrets(self):
1443 creds = self._get_creds(replication_allowed=True,
1444 revealed_to_rodc=True)
1445 tgt = self._get_tgt(creds, from_rodc=True)
1446 self._remove_rodc_partial_secrets()
1447 self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
1449 def test_fast_rodc_no_partial_secrets(self):
1450 creds = self._get_creds(replication_allowed=True,
1451 revealed_to_rodc=True)
1452 tgt = self._get_tgt(creds, from_rodc=True)
1453 self._remove_rodc_partial_secrets()
1454 self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
1455 expected_sname=self.get_krbtgt_sname())
1457 # Test with an RODC-issued ticket where the RODC account does not have an
1459 def test_tgs_rodc_no_krbtgt_link(self):
1460 creds = self._get_creds(replication_allowed=True,
1461 revealed_to_rodc=True)
1462 tgt = self._get_tgt(creds, from_rodc=True)
1463 self._remove_rodc_krbtgt_link()
1464 self._run_tgs(tgt, creds, expected_error=KDC_ERR_POLICY)
1466 def test_renew_rodc_no_krbtgt_link(self):
1467 creds = self._get_creds(replication_allowed=True,
1468 revealed_to_rodc=True)
1469 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1470 self._remove_rodc_krbtgt_link()
1471 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1473 def test_validate_rodc_no_krbtgt_link(self):
1474 creds = self._get_creds(replication_allowed=True,
1475 revealed_to_rodc=True)
1476 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1477 self._remove_rodc_krbtgt_link()
1478 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1480 def test_s4u2self_rodc_no_krbtgt_link(self):
1481 creds = self._get_creds(replication_allowed=True,
1482 revealed_to_rodc=True)
1483 tgt = self._get_tgt(creds, from_rodc=True)
1484 self._remove_rodc_krbtgt_link()
1485 self._s4u2self(tgt, creds, expected_error=KDC_ERR_POLICY)
1487 def test_user2user_rodc_no_krbtgt_link(self):
1488 creds = self._get_creds(replication_allowed=True,
1489 revealed_to_rodc=True)
1490 tgt = self._get_tgt(creds, from_rodc=True)
1491 self._remove_rodc_krbtgt_link()
1492 self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
1494 def test_fast_rodc_no_krbtgt_link(self):
1495 creds = self._get_creds(replication_allowed=True,
1496 revealed_to_rodc=True)
1497 tgt = self._get_tgt(creds, from_rodc=True)
1498 self._remove_rodc_krbtgt_link()
1499 self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
1500 expected_sname=self.get_krbtgt_sname())
1502 # Test with an RODC-issued ticket where the client is not allowed to
1503 # replicate to the RODC.
1504 def test_tgs_rodc_not_allowed(self):
1505 creds = self._get_creds(revealed_to_rodc=True)
1506 tgt = self._get_tgt(creds, from_rodc=True)
1507 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1509 def test_renew_rodc_not_allowed(self):
1510 creds = self._get_creds(revealed_to_rodc=True)
1511 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1512 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1514 def test_validate_rodc_not_allowed(self):
1515 creds = self._get_creds(revealed_to_rodc=True)
1516 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1517 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1519 def test_s4u2self_rodc_not_allowed(self):
1520 creds = self._get_creds(revealed_to_rodc=True)
1521 tgt = self._get_tgt(creds, from_rodc=True)
1522 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1524 def test_user2user_rodc_not_allowed(self):
1525 creds = self._get_creds(revealed_to_rodc=True)
1526 tgt = self._get_tgt(creds, from_rodc=True)
1527 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1529 def test_fast_rodc_not_allowed(self):
1530 creds = self._get_creds(revealed_to_rodc=True)
1531 tgt = self._get_tgt(creds, from_rodc=True)
1532 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1533 expected_sname=self.get_krbtgt_sname())
1535 # Test with an RODC-issued ticket where the client is denied from
1536 # replicating to the RODC.
1537 def test_tgs_rodc_denied(self):
1538 creds = self._get_creds(replication_denied=True,
1539 revealed_to_rodc=True)
1540 tgt = self._get_tgt(creds, from_rodc=True)
1541 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1543 def test_renew_rodc_denied(self):
1544 creds = self._get_creds(replication_denied=True,
1545 revealed_to_rodc=True)
1546 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1547 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1549 def test_validate_rodc_denied(self):
1550 creds = self._get_creds(replication_denied=True,
1551 revealed_to_rodc=True)
1552 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1553 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1555 def test_s4u2self_rodc_denied(self):
1556 creds = self._get_creds(replication_denied=True,
1557 revealed_to_rodc=True)
1558 tgt = self._get_tgt(creds, from_rodc=True)
1559 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1561 def test_user2user_rodc_denied(self):
1562 creds = self._get_creds(replication_denied=True,
1563 revealed_to_rodc=True)
1564 tgt = self._get_tgt(creds, from_rodc=True)
1565 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1567 def test_fast_rodc_denied(self):
1568 creds = self._get_creds(replication_denied=True,
1569 revealed_to_rodc=True)
1570 tgt = self._get_tgt(creds, from_rodc=True)
1571 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1572 expected_sname=self.get_krbtgt_sname())
1574 # Test with an RODC-issued ticket where the client is both allowed and
1575 # denied replicating to the RODC.
1576 def test_tgs_rodc_allowed_denied(self):
1577 creds = self._get_creds(replication_allowed=True,
1578 replication_denied=True,
1579 revealed_to_rodc=True)
1580 tgt = self._get_tgt(creds, from_rodc=True)
1581 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1583 def test_renew_rodc_allowed_denied(self):
1584 creds = self._get_creds(replication_allowed=True,
1585 replication_denied=True,
1586 revealed_to_rodc=True)
1587 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1588 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1590 def test_validate_rodc_allowed_denied(self):
1591 creds = self._get_creds(replication_allowed=True,
1592 replication_denied=True,
1593 revealed_to_rodc=True)
1594 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1595 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1597 def test_s4u2self_rodc_allowed_denied(self):
1598 creds = self._get_creds(replication_allowed=True,
1599 replication_denied=True,
1600 revealed_to_rodc=True)
1601 tgt = self._get_tgt(creds, from_rodc=True)
1602 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1604 def test_user2user_rodc_allowed_denied(self):
1605 creds = self._get_creds(replication_allowed=True,
1606 replication_denied=True,
1607 revealed_to_rodc=True)
1608 tgt = self._get_tgt(creds, from_rodc=True)
1609 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1611 def test_fast_rodc_allowed_denied(self):
1612 creds = self._get_creds(replication_allowed=True,
1613 replication_denied=True,
1614 revealed_to_rodc=True)
1615 tgt = self._get_tgt(creds, from_rodc=True)
1616 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1617 expected_sname=self.get_krbtgt_sname())
1619 # Test making a TGS request with an RC4-encrypted TGT.
1620 def test_tgs_rc4(self):
1621 creds = self._get_creds()
1622 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1623 self._run_tgs(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1626 # We aren’t particular about whether or not we get an
1629 expected_status=ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES)
1631 def test_renew_rc4(self):
1632 creds = self._get_creds()
1633 tgt = self._get_tgt(creds, renewable=True, etype=kcrypto.Enctype.RC4)
1634 self._renew_tgt(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1636 expect_pac_attrs=True,
1637 expect_pac_attrs_pac_request=True,
1638 expect_requester_sid=True)
1640 def test_validate_rc4(self):
1641 creds = self._get_creds()
1642 tgt = self._get_tgt(creds, invalid=True, etype=kcrypto.Enctype.RC4)
1643 self._validate_tgt(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1645 expect_pac_attrs=True,
1646 expect_pac_attrs_pac_request=True,
1647 expect_requester_sid=True)
1649 def test_s4u2self_rc4(self):
1650 creds = self._get_creds()
1651 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1652 self._s4u2self(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1655 # We aren’t particular about whether or not we get an
1658 expected_status=ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES)
1660 def test_user2user_rc4(self):
1661 creds = self._get_creds()
1662 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1663 self._user2user(tgt, creds, expected_error=KDC_ERR_ETYPE_NOSUPP)
1665 def test_fast_rc4(self):
1666 creds = self._get_creds()
1667 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1668 self._fast(tgt, creds, expected_error=KDC_ERR_GENERIC,
1669 expect_edata=self.expect_padata_outer)
1671 # Test user-to-user with incorrect service principal names.
1672 def test_user2user_matching_sname_host(self):
1673 creds = self._get_creds()
1674 tgt = self._get_tgt(creds)
1676 user_name = creds.get_username()
1677 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1678 names=['host', user_name])
1680 self._user2user(tgt, creds, sname=sname,
1681 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
1683 def test_user2user_matching_sname_no_host(self):
1684 creds = self._get_creds()
1685 tgt = self._get_tgt(creds)
1687 user_name = creds.get_username()
1688 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1691 self._user2user(tgt, creds, sname=sname, expected_error=0)
1693 def test_user2user_wrong_sname(self):
1694 creds = self._get_creds()
1695 tgt = self._get_tgt(creds)
1697 other_creds = self._get_mach_creds()
1698 user_name = other_creds.get_username()
1699 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1702 self._user2user(tgt, creds, sname=sname,
1703 expected_error=KDC_ERR_BADMATCH)
1705 def test_user2user_other_sname(self):
1706 other_name = self.get_new_username()
1707 spn = f'host/{other_name}'
1708 creds = self.get_cached_creds(
1709 account_type=self.AccountType.COMPUTER,
1711 tgt = self._get_tgt(creds)
1713 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1714 names=['host', other_name])
1716 self._user2user(tgt, creds, sname=sname, expected_error=0)
1718 def test_user2user_wrong_sname_krbtgt(self):
1719 creds = self._get_creds()
1720 tgt = self._get_tgt(creds)
1722 sname = self.get_krbtgt_sname()
1724 self._user2user(tgt, creds, sname=sname,
1725 expected_error=KDC_ERR_BADMATCH)
1727 def test_user2user_wrong_srealm(self):
1728 creds = self._get_creds()
1729 tgt = self._get_tgt(creds)
1731 self._user2user(tgt, creds, srealm='OTHER.REALM',
1732 expected_error=(KDC_ERR_WRONG_REALM,
1733 KDC_ERR_S_PRINCIPAL_UNKNOWN))
1735 def test_user2user_tgt_correct_realm(self):
1736 creds = self._get_creds()
1737 tgt = self._get_tgt(creds)
1739 realm = creds.get_realm().encode('utf-8')
1740 tgt = self._modify_tgt(tgt, realm)
1742 self._user2user(tgt, creds,
1745 def test_user2user_tgt_wrong_realm(self):
1746 creds = self._get_creds()
1747 tgt = self._get_tgt(creds)
1749 tgt = self._modify_tgt(tgt, b'OTHER.REALM')
1751 self._user2user(tgt, creds,
1754 def test_user2user_tgt_correct_cname(self):
1755 creds = self._get_creds()
1756 tgt = self._get_tgt(creds)
1758 user_name = creds.get_username()
1759 user_name = user_name.encode('utf-8')
1760 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1763 tgt = self._modify_tgt(tgt, cname=cname)
1765 self._user2user(tgt, creds, expected_error=0)
1767 def test_user2user_tgt_other_cname(self):
1768 samdb = self.get_samdb()
1770 other_name = self.get_new_username()
1771 upn = f'{other_name}@{samdb.domain_dns_name()}'
1773 creds = self.get_cached_creds(
1774 account_type=self.AccountType.COMPUTER,
1776 tgt = self._get_tgt(creds)
1778 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1779 names=[other_name.encode('utf-8')])
1781 tgt = self._modify_tgt(tgt, cname=cname)
1783 self._user2user(tgt, creds, expected_error=0)
1785 def test_user2user_tgt_cname_host(self):
1786 creds = self._get_creds()
1787 tgt = self._get_tgt(creds)
1789 user_name = creds.get_username()
1790 user_name = user_name.encode('utf-8')
1791 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1792 names=[b'host', user_name])
1794 tgt = self._modify_tgt(tgt, cname=cname)
1796 self._user2user(tgt, creds,
1797 expected_error=(KDC_ERR_TGT_REVOKED,
1798 KDC_ERR_C_PRINCIPAL_UNKNOWN))
1800 def test_user2user_non_existent_sname(self):
1801 creds = self._get_creds()
1802 tgt = self._get_tgt(creds)
1804 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1805 names=['host', 'non_existent_user'])
1807 self._user2user(tgt, creds, sname=sname,
1808 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
1810 def test_user2user_no_sname(self):
1811 creds = self._get_creds()
1812 tgt = self._get_tgt(creds)
1814 self._user2user(tgt, creds, sname=False,
1815 expected_error=(KDC_ERR_GENERIC,
1816 KDC_ERR_S_PRINCIPAL_UNKNOWN))
1818 def test_tgs_service_ticket(self):
1819 creds = self._get_creds()
1820 tgt = self._get_tgt(creds)
1822 service_creds = self.get_service_creds()
1823 service_ticket = self.get_service_ticket(tgt, service_creds)
1825 self._run_tgs(service_ticket, creds,
1826 expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
1828 def test_renew_service_ticket(self):
1829 creds = self._get_creds()
1830 tgt = self._get_tgt(creds)
1832 service_creds = self.get_service_creds()
1833 service_ticket = self.get_service_ticket(tgt, service_creds)
1835 service_ticket = self.modified_ticket(
1837 modify_fn=self._modify_renewable,
1838 checksum_keys=self.get_krbtgt_checksum_key())
1840 self._renew_tgt(service_ticket, creds,
1841 expected_error=KDC_ERR_POLICY)
1843 def test_validate_service_ticket(self):
1844 creds = self._get_creds()
1845 tgt = self._get_tgt(creds)
1847 service_creds = self.get_service_creds()
1848 service_ticket = self.get_service_ticket(tgt, service_creds)
1850 service_ticket = self.modified_ticket(
1852 modify_fn=self._modify_invalid,
1853 checksum_keys=self.get_krbtgt_checksum_key())
1855 self._validate_tgt(service_ticket, creds,
1856 expected_error=KDC_ERR_POLICY)
1858 def test_s4u2self_service_ticket(self):
1859 creds = self._get_creds()
1860 tgt = self._get_tgt(creds)
1862 service_creds = self.get_service_creds()
1863 service_ticket = self.get_service_ticket(tgt, service_creds)
1865 self._s4u2self(service_ticket, creds,
1866 expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
1868 def test_user2user_service_ticket(self):
1869 creds = self._get_creds()
1870 tgt = self._get_tgt(creds)
1872 service_creds = self.get_service_creds()
1873 service_ticket = self.get_service_ticket(tgt, service_creds)
1875 self._user2user(service_ticket, creds,
1876 expected_error=(KDC_ERR_MODIFIED, KDC_ERR_POLICY))
1878 # Expected to fail against Windows, which does not produce an error.
1879 def test_fast_service_ticket(self):
1880 creds = self._get_creds()
1881 tgt = self._get_tgt(creds)
1883 service_creds = self.get_service_creds()
1884 service_ticket = self.get_service_ticket(tgt, service_creds)
1886 self._fast(service_ticket, creds,
1887 expected_error=(KDC_ERR_POLICY,
1888 KDC_ERR_S_PRINCIPAL_UNKNOWN))
1890 def test_pac_attrs_none(self):
1891 creds = self._get_creds()
1892 self.get_tgt(creds, pac_request=None,
1894 expect_pac_attrs=True,
1895 expect_pac_attrs_pac_request=None)
1897 def test_pac_attrs_false(self):
1898 creds = self._get_creds()
1899 self.get_tgt(creds, pac_request=False,
1901 expect_pac_attrs=True,
1902 expect_pac_attrs_pac_request=False)
1904 def test_pac_attrs_true(self):
1905 creds = self._get_creds()
1906 self.get_tgt(creds, pac_request=True,
1908 expect_pac_attrs=True,
1909 expect_pac_attrs_pac_request=True)
1911 def test_pac_attrs_renew_none(self):
1912 creds = self._get_creds()
1913 tgt = self.get_tgt(creds, pac_request=None,
1915 expect_pac_attrs=True,
1916 expect_pac_attrs_pac_request=None)
1917 tgt = self._modify_tgt(tgt, renewable=True)
1919 self._renew_tgt(tgt, creds, expected_error=0,
1921 expect_pac_attrs=True,
1922 expect_pac_attrs_pac_request=None,
1923 expect_requester_sid=True)
1925 def test_pac_attrs_renew_false(self):
1926 creds = self._get_creds()
1927 tgt = self.get_tgt(creds, pac_request=False,
1929 expect_pac_attrs=True,
1930 expect_pac_attrs_pac_request=False)
1931 tgt = self._modify_tgt(tgt, renewable=True)
1933 self._renew_tgt(tgt, creds, expected_error=0,
1935 expect_pac_attrs=True,
1936 expect_pac_attrs_pac_request=False,
1937 expect_requester_sid=True)
1939 def test_pac_attrs_renew_true(self):
1940 creds = self._get_creds()
1941 tgt = self.get_tgt(creds, pac_request=True,
1943 expect_pac_attrs=True,
1944 expect_pac_attrs_pac_request=True)
1945 tgt = self._modify_tgt(tgt, renewable=True)
1947 self._renew_tgt(tgt, creds, expected_error=0,
1949 expect_pac_attrs=True,
1950 expect_pac_attrs_pac_request=True,
1951 expect_requester_sid=True)
1953 def test_pac_attrs_rodc_renew_none(self):
1954 creds = self._get_creds(replication_allowed=True,
1955 revealed_to_rodc=True)
1956 tgt = self.get_tgt(creds, pac_request=None,
1958 expect_pac_attrs=True,
1959 expect_pac_attrs_pac_request=None)
1960 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
1962 self._renew_tgt(tgt, creds, expected_error=0,
1964 expect_pac_attrs=False,
1965 expect_requester_sid=True)
1967 def test_pac_attrs_rodc_renew_false(self):
1968 creds = self._get_creds(replication_allowed=True,
1969 revealed_to_rodc=True)
1970 tgt = self.get_tgt(creds, pac_request=False,
1972 expect_pac_attrs=True,
1973 expect_pac_attrs_pac_request=False)
1974 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
1976 self._renew_tgt(tgt, creds, expected_error=0,
1978 expect_pac_attrs=False,
1979 expect_requester_sid=True)
1981 def test_pac_attrs_rodc_renew_true(self):
1982 creds = self._get_creds(replication_allowed=True,
1983 revealed_to_rodc=True)
1984 tgt = self.get_tgt(creds, pac_request=True,
1986 expect_pac_attrs=True,
1987 expect_pac_attrs_pac_request=True)
1988 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
1990 self._renew_tgt(tgt, creds, expected_error=0,
1992 expect_pac_attrs=False,
1993 expect_requester_sid=True)
1995 def test_pac_attrs_missing_renew_none(self):
1996 creds = self._get_creds()
1997 tgt = self.get_tgt(creds, pac_request=None,
1999 expect_pac_attrs=True,
2000 expect_pac_attrs_pac_request=None)
2001 tgt = self._modify_tgt(tgt, renewable=True,
2002 remove_pac_attrs=True)
2004 self._renew_tgt(tgt, creds, expected_error=0,
2006 expect_pac_attrs=False,
2007 expect_requester_sid=True)
2009 def test_pac_attrs_missing_renew_false(self):
2010 creds = self._get_creds()
2011 tgt = self.get_tgt(creds, pac_request=False,
2013 expect_pac_attrs=True,
2014 expect_pac_attrs_pac_request=False)
2015 tgt = self._modify_tgt(tgt, renewable=True,
2016 remove_pac_attrs=True)
2018 self._renew_tgt(tgt, creds, expected_error=0,
2020 expect_pac_attrs=False,
2021 expect_requester_sid=True)
2023 def test_pac_attrs_missing_renew_true(self):
2024 creds = self._get_creds()
2025 tgt = self.get_tgt(creds, pac_request=True,
2027 expect_pac_attrs=True,
2028 expect_pac_attrs_pac_request=True)
2029 tgt = self._modify_tgt(tgt, renewable=True,
2030 remove_pac_attrs=True)
2032 self._renew_tgt(tgt, creds, expected_error=0,
2034 expect_pac_attrs=False,
2035 expect_requester_sid=True)
2037 def test_pac_attrs_missing_rodc_renew_none(self):
2038 creds = self._get_creds(replication_allowed=True,
2039 revealed_to_rodc=True)
2040 tgt = self.get_tgt(creds, pac_request=None,
2042 expect_pac_attrs=True,
2043 expect_pac_attrs_pac_request=None)
2044 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2045 remove_pac_attrs=True)
2047 self._renew_tgt(tgt, creds, expected_error=0,
2049 expect_pac_attrs=False,
2050 expect_requester_sid=True)
2052 def test_pac_attrs_missing_rodc_renew_false(self):
2053 creds = self._get_creds(replication_allowed=True,
2054 revealed_to_rodc=True)
2055 tgt = self.get_tgt(creds, pac_request=False,
2057 expect_pac_attrs=True,
2058 expect_pac_attrs_pac_request=False)
2059 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2060 remove_pac_attrs=True)
2062 self._renew_tgt(tgt, creds, expected_error=0,
2064 expect_pac_attrs=False,
2065 expect_requester_sid=True)
2067 def test_pac_attrs_missing_rodc_renew_true(self):
2068 creds = self._get_creds(replication_allowed=True,
2069 revealed_to_rodc=True)
2070 tgt = self.get_tgt(creds, pac_request=True,
2072 expect_pac_attrs=True,
2073 expect_pac_attrs_pac_request=True)
2074 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2075 remove_pac_attrs=True)
2077 self._renew_tgt(tgt, creds, expected_error=0,
2079 expect_pac_attrs=False,
2080 expect_requester_sid=True)
2082 def test_tgs_pac_attrs_none(self):
2083 creds = self._get_creds()
2084 tgt = self.get_tgt(creds, pac_request=None,
2086 expect_pac_attrs=True,
2087 expect_pac_attrs_pac_request=None)
2089 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2090 expect_pac_attrs=False)
2092 def test_tgs_pac_attrs_false(self):
2093 creds = self._get_creds()
2094 tgt = self.get_tgt(creds, pac_request=False,
2096 expect_pac_attrs=True,
2097 expect_pac_attrs_pac_request=False)
2099 self._run_tgs(tgt, creds, expected_error=0, expect_pac=False,
2100 expect_pac_attrs=False)
2102 def test_tgs_pac_attrs_true(self):
2103 creds = self._get_creds()
2104 tgt = self.get_tgt(creds, pac_request=True,
2106 expect_pac_attrs=True,
2107 expect_pac_attrs_pac_request=True)
2109 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2110 expect_pac_attrs=False)
2112 def test_as_requester_sid(self):
2113 creds = self._get_creds()
2115 samdb = self.get_samdb()
2116 sid = self.get_objectSid(samdb, creds.get_dn())
2118 self.get_tgt(creds, pac_request=None,
2121 expect_requester_sid=True)
2123 def test_tgs_requester_sid(self):
2124 creds = self._get_creds()
2126 samdb = self.get_samdb()
2127 sid = self.get_objectSid(samdb, creds.get_dn())
2129 tgt = self.get_tgt(creds, pac_request=None,
2132 expect_requester_sid=True)
2134 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2135 expect_requester_sid=False)
2137 def test_tgs_requester_sid_renew(self):
2138 creds = self._get_creds()
2140 samdb = self.get_samdb()
2141 sid = self.get_objectSid(samdb, creds.get_dn())
2143 tgt = self.get_tgt(creds, pac_request=None,
2146 expect_requester_sid=True)
2147 tgt = self._modify_tgt(tgt, renewable=True)
2149 self._renew_tgt(tgt, creds, expected_error=0, expect_pac=True,
2150 expect_pac_attrs=True,
2151 expect_pac_attrs_pac_request=None,
2153 expect_requester_sid=True)
2155 def test_tgs_requester_sid_rodc_renew(self):
2156 creds = self._get_creds(replication_allowed=True,
2157 revealed_to_rodc=True)
2159 samdb = self.get_samdb()
2160 sid = self.get_objectSid(samdb, creds.get_dn())
2162 tgt = self.get_tgt(creds, pac_request=None,
2165 expect_requester_sid=True)
2166 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2168 self._renew_tgt(tgt, creds, expected_error=0, expect_pac=True,
2169 expect_pac_attrs=False,
2171 expect_requester_sid=True)
2173 def test_tgs_requester_sid_missing_renew(self):
2174 creds = self._get_creds()
2176 samdb = self.get_samdb()
2177 sid = self.get_objectSid(samdb, creds.get_dn())
2179 tgt = self.get_tgt(creds, pac_request=None,
2182 expect_requester_sid=True)
2183 tgt = self._modify_tgt(tgt, renewable=True,
2184 remove_requester_sid=True)
2186 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2188 def test_tgs_requester_sid_missing_rodc_renew(self):
2189 creds = self._get_creds(replication_allowed=True,
2190 revealed_to_rodc=True)
2192 samdb = self.get_samdb()
2193 sid = self.get_objectSid(samdb, creds.get_dn())
2195 tgt = self.get_tgt(creds, pac_request=None,
2198 expect_requester_sid=True)
2199 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2200 remove_requester_sid=True)
2202 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2204 def test_tgs_requester_sid_validate(self):
2205 creds = self._get_creds()
2207 samdb = self.get_samdb()
2208 sid = self.get_objectSid(samdb, creds.get_dn())
2210 tgt = self.get_tgt(creds, pac_request=None,
2213 expect_requester_sid=True)
2214 tgt = self._modify_tgt(tgt, invalid=True)
2216 self._validate_tgt(tgt, creds, expected_error=0, expect_pac=True,
2217 expect_pac_attrs=True,
2218 expect_pac_attrs_pac_request=None,
2220 expect_requester_sid=True)
2222 def test_tgs_requester_sid_rodc_validate(self):
2223 creds = self._get_creds(replication_allowed=True,
2224 revealed_to_rodc=True)
2226 samdb = self.get_samdb()
2227 sid = self.get_objectSid(samdb, creds.get_dn())
2229 tgt = self.get_tgt(creds, pac_request=None,
2232 expect_requester_sid=True)
2233 tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True)
2235 self._validate_tgt(tgt, creds, expected_error=0, expect_pac=True,
2236 expect_pac_attrs=False,
2238 expect_requester_sid=True)
2240 def test_tgs_requester_sid_missing_validate(self):
2241 creds = self._get_creds()
2243 samdb = self.get_samdb()
2244 sid = self.get_objectSid(samdb, creds.get_dn())
2246 tgt = self.get_tgt(creds, pac_request=None,
2249 expect_requester_sid=True)
2250 tgt = self._modify_tgt(tgt, invalid=True,
2251 remove_requester_sid=True)
2253 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2255 def test_tgs_requester_sid_missing_rodc_validate(self):
2256 creds = self._get_creds(replication_allowed=True,
2257 revealed_to_rodc=True)
2259 samdb = self.get_samdb()
2260 sid = self.get_objectSid(samdb, creds.get_dn())
2262 tgt = self.get_tgt(creds, pac_request=None,
2265 expect_requester_sid=True)
2266 tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True,
2267 remove_requester_sid=True)
2269 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2271 def test_tgs_pac_request_none(self):
2272 creds = self._get_creds()
2273 tgt = self.get_tgt(creds, pac_request=None)
2275 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2277 pac = self.get_ticket_pac(ticket)
2278 self.assertIsNotNone(pac)
2280 def test_tgs_pac_request_false(self):
2281 creds = self._get_creds()
2282 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2284 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2286 pac = self.get_ticket_pac(ticket, expect_pac=False)
2287 self.assertIsNone(pac)
2289 def test_tgs_pac_request_true(self):
2290 creds = self._get_creds()
2291 tgt = self.get_tgt(creds, pac_request=True)
2293 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2295 pac = self.get_ticket_pac(ticket)
2296 self.assertIsNotNone(pac)
2298 def test_renew_pac_request_none(self):
2299 creds = self._get_creds()
2300 tgt = self.get_tgt(creds, pac_request=None)
2301 tgt = self._modify_tgt(tgt, renewable=True)
2303 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2304 expect_pac_attrs=True,
2305 expect_pac_attrs_pac_request=None,
2306 expect_requester_sid=True)
2308 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2310 pac = self.get_ticket_pac(ticket)
2311 self.assertIsNotNone(pac)
2313 def test_renew_pac_request_false(self):
2314 creds = self._get_creds()
2315 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2316 tgt = self._modify_tgt(tgt, renewable=True)
2318 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2319 expect_pac_attrs=True,
2320 expect_pac_attrs_pac_request=False,
2321 expect_requester_sid=True)
2323 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2325 pac = self.get_ticket_pac(ticket, expect_pac=False)
2326 self.assertIsNone(pac)
2328 def test_renew_pac_request_true(self):
2329 creds = self._get_creds()
2330 tgt = self.get_tgt(creds, pac_request=True)
2331 tgt = self._modify_tgt(tgt, renewable=True)
2333 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2334 expect_pac_attrs=True,
2335 expect_pac_attrs_pac_request=True,
2336 expect_requester_sid=True)
2338 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2340 pac = self.get_ticket_pac(ticket)
2341 self.assertIsNotNone(pac)
2343 def test_rodc_renew_pac_request_none(self):
2344 creds = self._get_creds(replication_allowed=True,
2345 revealed_to_rodc=True)
2346 tgt = self.get_tgt(creds, pac_request=None)
2347 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2349 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2350 expect_pac_attrs=False,
2351 expect_requester_sid=True)
2353 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2355 pac = self.get_ticket_pac(ticket)
2356 self.assertIsNotNone(pac)
2358 def test_rodc_renew_pac_request_false(self):
2359 creds = self._get_creds(replication_allowed=True,
2360 revealed_to_rodc=True)
2361 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2362 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2364 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2365 expect_pac_attrs=False,
2366 expect_requester_sid=True)
2368 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2370 pac = self.get_ticket_pac(ticket)
2371 self.assertIsNotNone(pac)
2373 def test_rodc_renew_pac_request_true(self):
2374 creds = self._get_creds(replication_allowed=True,
2375 revealed_to_rodc=True)
2376 tgt = self.get_tgt(creds, pac_request=True)
2377 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2379 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2380 expect_pac_attrs=False,
2381 expect_requester_sid=True)
2383 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2385 pac = self.get_ticket_pac(ticket)
2386 self.assertIsNotNone(pac)
2388 def test_validate_pac_request_none(self):
2389 creds = self._get_creds()
2390 tgt = self.get_tgt(creds, pac_request=None)
2391 tgt = self._modify_tgt(tgt, invalid=True)
2393 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2394 expect_pac_attrs=True,
2395 expect_pac_attrs_pac_request=None,
2396 expect_requester_sid=True)
2398 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2400 pac = self.get_ticket_pac(ticket)
2401 self.assertIsNotNone(pac)
2403 def test_validate_pac_request_false(self):
2404 creds = self._get_creds()
2405 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2406 tgt = self._modify_tgt(tgt, invalid=True)
2408 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2409 expect_pac_attrs=True,
2410 expect_pac_attrs_pac_request=False,
2411 expect_requester_sid=True)
2413 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2415 pac = self.get_ticket_pac(ticket, expect_pac=False)
2416 self.assertIsNone(pac)
2418 def test_validate_pac_request_true(self):
2419 creds = self._get_creds()
2420 tgt = self.get_tgt(creds, pac_request=True)
2421 tgt = self._modify_tgt(tgt, invalid=True)
2423 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2424 expect_pac_attrs=True,
2425 expect_pac_attrs_pac_request=True,
2426 expect_requester_sid=True)
2428 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2430 pac = self.get_ticket_pac(ticket)
2431 self.assertIsNotNone(pac)
2433 def test_rodc_validate_pac_request_none(self):
2434 creds = self._get_creds(replication_allowed=True,
2435 revealed_to_rodc=True)
2436 tgt = self.get_tgt(creds, pac_request=None)
2437 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2439 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2440 expect_pac_attrs=False,
2441 expect_requester_sid=True)
2443 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2445 pac = self.get_ticket_pac(ticket)
2446 self.assertIsNotNone(pac)
2448 def test_rodc_validate_pac_request_false(self):
2449 creds = self._get_creds(replication_allowed=True,
2450 revealed_to_rodc=True)
2451 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2452 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2454 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2455 expect_pac_attrs=False,
2456 expect_requester_sid=True)
2458 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2460 pac = self.get_ticket_pac(ticket)
2461 self.assertIsNotNone(pac)
2463 def test_rodc_validate_pac_request_true(self):
2464 creds = self._get_creds(replication_allowed=True,
2465 revealed_to_rodc=True)
2466 tgt = self.get_tgt(creds, pac_request=True)
2467 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2469 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2470 expect_pac_attrs=False,
2471 expect_requester_sid=True)
2473 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2475 pac = self.get_ticket_pac(ticket)
2476 self.assertIsNotNone(pac)
2478 def test_s4u2self_pac_request_none(self):
2479 creds = self._get_creds()
2480 tgt = self.get_tgt(creds, pac_request=None)
2482 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2484 pac = self.get_ticket_pac(ticket)
2485 self.assertIsNotNone(pac)
2487 def test_s4u2self_pac_request_false(self):
2488 creds = self._get_creds()
2489 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2491 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2493 pac = self.get_ticket_pac(ticket)
2494 self.assertIsNotNone(pac)
2496 def test_s4u2self_pac_request_true(self):
2497 creds = self._get_creds()
2498 tgt = self.get_tgt(creds, pac_request=True)
2500 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2502 pac = self.get_ticket_pac(ticket)
2503 self.assertIsNotNone(pac)
2505 def test_user2user_pac_request_none(self):
2506 creds = self._get_creds()
2507 tgt = self.get_tgt(creds, pac_request=None)
2509 ticket = self._user2user(tgt, creds, expected_error=0, expect_pac=True)
2511 pac = self.get_ticket_pac(ticket)
2512 self.assertIsNotNone(pac)
2514 def test_user2user_pac_request_false(self):
2515 creds = self._get_creds()
2516 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2518 ticket = self._user2user(tgt, creds, expected_error=0,
2521 pac = self.get_ticket_pac(ticket, expect_pac=True)
2522 self.assertIsNotNone(pac)
2524 def test_user2user_pac_request_true(self):
2525 creds = self._get_creds()
2526 tgt = self.get_tgt(creds, pac_request=True)
2528 ticket = self._user2user(tgt, creds, expected_error=0, expect_pac=True)
2530 pac = self.get_ticket_pac(ticket)
2531 self.assertIsNotNone(pac)
2533 def test_user2user_user_pac_request_none(self):
2534 creds = self._get_creds()
2535 tgt = self.get_tgt(creds)
2537 user_creds = self._get_mach_creds()
2538 user_tgt = self.get_tgt(user_creds, pac_request=None)
2540 ticket = self._user2user(tgt, creds, expected_error=0,
2541 user_tgt=user_tgt, user_creds=user_creds,
2544 pac = self.get_ticket_pac(ticket)
2545 self.assertIsNotNone(pac)
2547 def test_user2user_user_pac_request_false(self):
2548 creds = self._get_creds()
2549 tgt = self.get_tgt(creds)
2551 user_creds = self._get_mach_creds()
2552 user_tgt = self.get_tgt(user_creds, pac_request=False, expect_pac=None)
2554 ticket = self._user2user(tgt, creds, expected_error=0,
2555 user_tgt=user_tgt, user_creds=user_creds,
2558 pac = self.get_ticket_pac(ticket, expect_pac=False)
2559 self.assertIsNone(pac)
2561 def test_user2user_user_pac_request_true(self):
2562 creds = self._get_creds()
2563 tgt = self.get_tgt(creds)
2565 user_creds = self._get_mach_creds()
2566 user_tgt = self.get_tgt(user_creds, pac_request=True)
2568 ticket = self._user2user(tgt, creds, expected_error=0,
2569 user_tgt=user_tgt, user_creds=user_creds,
2572 pac = self.get_ticket_pac(ticket)
2573 self.assertIsNotNone(pac)
2575 def test_fast_pac_request_none(self):
2576 creds = self._get_creds()
2577 tgt = self.get_tgt(creds, pac_request=None)
2579 ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
2581 pac = self.get_ticket_pac(ticket)
2582 self.assertIsNotNone(pac)
2584 def test_fast_pac_request_false(self):
2585 creds = self._get_creds()
2586 tgt = self.get_tgt(creds, pac_request=False)
2588 ticket = self._fast(tgt, creds, expected_error=0,
2591 pac = self.get_ticket_pac(ticket, expect_pac=True)
2592 self.assertIsNotNone(pac)
2594 def test_fast_pac_request_true(self):
2595 creds = self._get_creds()
2596 tgt = self.get_tgt(creds, pac_request=True)
2598 ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
2600 pac = self.get_ticket_pac(ticket)
2601 self.assertIsNotNone(pac)
2603 def test_tgs_rodc_pac_request_none(self):
2604 creds = self._get_creds(replication_allowed=True,
2605 revealed_to_rodc=True)
2606 tgt = self.get_tgt(creds, pac_request=None)
2607 tgt = self._modify_tgt(tgt, from_rodc=True)
2609 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2611 pac = self.get_ticket_pac(ticket)
2612 self.assertIsNotNone(pac)
2614 def test_tgs_rodc_pac_request_false(self):
2615 creds = self._get_creds(replication_allowed=True,
2616 revealed_to_rodc=True)
2617 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2618 tgt = self._modify_tgt(tgt, from_rodc=True)
2620 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2622 pac = self.get_ticket_pac(ticket)
2623 self.assertIsNotNone(pac)
2625 def test_tgs_rodc_pac_request_true(self):
2626 creds = self._get_creds(replication_allowed=True,
2627 revealed_to_rodc=True)
2628 tgt = self.get_tgt(creds, pac_request=True)
2629 tgt = self._modify_tgt(tgt, from_rodc=True)
2631 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2633 pac = self.get_ticket_pac(ticket)
2634 self.assertIsNotNone(pac)
2636 def test_tgs_rename(self):
2637 creds = self.get_cached_creds(account_type=self.AccountType.USER,
2639 tgt = self.get_tgt(creds)
2641 # Rename the account.
2642 new_name = self.get_new_username()
2644 samdb = self.get_samdb()
2645 msg = ldb.Message(creds.get_dn())
2646 msg['sAMAccountName'] = ldb.MessageElement(new_name,
2647 ldb.FLAG_MOD_REPLACE,
2651 self._run_tgs(tgt, creds, expected_error=(KDC_ERR_TGT_REVOKED,
2652 KDC_ERR_C_PRINCIPAL_UNKNOWN))
2654 # Test making a TGS request for a ticket expiring post-2038.
2655 def test_tgs_req_future_till(self):
2656 creds = self._get_creds()
2657 tgt = self._get_tgt(creds)
2659 target_creds = self.get_service_creds()
2664 target_creds=target_creds,
2665 till='99990913024805Z')
2667 def _modify_renewable(self, enc_part):
2668 # Set the renewable flag.
2669 enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
2671 # Set the renew-till time to be in the future.
2672 renew_till = self.get_KerberosTime(offset=100 * 60 * 60)
2673 enc_part['renew-till'] = renew_till
2677 def _modify_invalid(self, enc_part):
2678 # Set the invalid flag.
2679 enc_part = self.modify_ticket_flag(enc_part, 'invalid', value=True)
2681 # Set the ticket start time to be in the past.
2682 past_time = self.get_KerberosTime(offset=-100 * 60 * 60)
2683 enc_part['starttime'] = past_time
2694 allow_empty_authdata=False,
2695 can_modify_logon_info=True,
2696 can_modify_requester_sid=True,
2697 remove_pac_attrs=False,
2698 remove_requester_sid=False,
2701 self.assertFalse(renewable and invalid)
2704 self.assertIsNone(new_rid)
2706 tgt = self.get_tgt(client_creds)
2708 return self._modify_tgt(
2710 renewable=renewable,
2712 from_rodc=from_rodc,
2714 remove_pac=remove_pac,
2715 allow_empty_authdata=allow_empty_authdata,
2716 can_modify_logon_info=can_modify_logon_info,
2717 can_modify_requester_sid=can_modify_requester_sid,
2718 remove_pac_attrs=remove_pac_attrs,
2719 remove_requester_sid=remove_requester_sid,
2721 cksum_etype=cksum_etype)
2723 def _modify_tgt(self,
2730 allow_empty_authdata=False,
2733 can_modify_logon_info=True,
2734 can_modify_requester_sid=True,
2735 remove_pac_attrs=False,
2736 remove_requester_sid=False,
2740 krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
2742 krbtgt_creds = self.get_krbtgt_creds()
2744 if new_rid is not None or remove_requester_sid or remove_pac_attrs:
2745 def change_sid_fn(pac):
2746 pac_buffers = pac.buffers
2747 for pac_buffer in pac_buffers:
2748 if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_INFO:
2749 if new_rid is not None and can_modify_logon_info:
2750 logon_info = pac_buffer.info.info
2752 logon_info.info3.base.rid = new_rid
2753 elif pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID:
2754 if remove_requester_sid:
2755 pac.num_buffers -= 1
2756 pac_buffers.remove(pac_buffer)
2757 elif new_rid is not None and can_modify_requester_sid:
2758 requester_sid = pac_buffer.info
2760 samdb = self.get_samdb()
2761 domain_sid = samdb.get_domain_sid()
2763 new_sid = f'{domain_sid}-{new_rid}'
2765 requester_sid.sid = security.dom_sid(new_sid)
2766 elif pac_buffer.type == krb5pac.PAC_TYPE_ATTRIBUTES_INFO:
2767 if remove_pac_attrs:
2768 pac.num_buffers -= 1
2769 pac_buffers.remove(pac_buffer)
2771 pac.buffers = pac_buffers
2775 change_sid_fn = None
2777 krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds,
2781 checksum_keys = None
2783 if etype == cksum_etype:
2784 cksum_key = krbtgt_key
2786 cksum_key = self.TicketDecryptionKey_from_creds(krbtgt_creds,
2789 krb5pac.PAC_TYPE_KDC_CHECKSUM: cksum_key
2793 flags_modify_fn = self._modify_renewable
2795 flags_modify_fn = self._modify_invalid
2797 flags_modify_fn = None
2799 if cname is not None or crealm is not None:
2800 def modify_fn(enc_part):
2801 if flags_modify_fn is not None:
2802 enc_part = flags_modify_fn(enc_part)
2804 if cname is not None:
2805 enc_part['cname'] = cname
2807 if crealm is not None:
2808 enc_part['crealm'] = crealm
2812 modify_fn = flags_modify_fn
2814 if cname is not None:
2815 def modify_pac_fn(pac):
2816 if change_sid_fn is not None:
2817 pac = change_sid_fn(pac)
2819 for pac_buffer in pac.buffers:
2820 if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME:
2821 logon_info = pac_buffer.info
2823 logon_info.account_name = (
2824 cname['name-string'][0].decode('utf-8'))
2828 modify_pac_fn = change_sid_fn
2830 return self.modified_ticket(
2832 new_ticket_key=krbtgt_key,
2833 modify_fn=modify_fn,
2834 modify_pac_fn=modify_pac_fn,
2835 exclude_pac=remove_pac,
2836 allow_empty_authdata=allow_empty_authdata,
2837 update_pac_checksums=not remove_pac,
2838 checksum_keys=checksum_keys)
2840 def _remove_rodc_partial_secrets(self):
2841 samdb = self.get_samdb()
2843 rodc_ctx = self.get_mock_rodc_ctx()
2844 rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
2846 def add_rodc_partial_secrets():
2849 msg['userAccountControl'] = ldb.MessageElement(
2850 str(rodc_ctx.userAccountControl),
2851 ldb.FLAG_MOD_REPLACE,
2852 'userAccountControl')
2855 self.addCleanup(add_rodc_partial_secrets)
2857 uac = rodc_ctx.userAccountControl & ~dsdb.UF_PARTIAL_SECRETS_ACCOUNT
2861 msg['userAccountControl'] = ldb.MessageElement(
2863 ldb.FLAG_MOD_REPLACE,
2864 'userAccountControl')
2867 def _remove_rodc_krbtgt_link(self):
2868 samdb = self.get_samdb()
2870 rodc_ctx = self.get_mock_rodc_ctx()
2871 rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
2873 def add_rodc_krbtgt_link():
2876 msg['msDS-KrbTgtLink'] = ldb.MessageElement(
2877 rodc_ctx.new_krbtgt_dn,
2882 self.addCleanup(add_rodc_krbtgt_link)
2886 msg['msDS-KrbTgtLink'] = ldb.MessageElement(
2888 ldb.FLAG_MOD_DELETE,
2892 def _get_creds(self,
2893 replication_allowed=False,
2894 replication_denied=False,
2895 revealed_to_rodc=False):
2896 return self.get_cached_creds(
2897 account_type=self.AccountType.COMPUTER,
2899 'allowed_replication_mock': replication_allowed,
2900 'denied_replication_mock': replication_denied,
2901 'revealed_to_mock_rodc': revealed_to_rodc,
2905 def _get_existing_rid(self,
2906 replication_allowed=False,
2907 replication_denied=False,
2908 revealed_to_rodc=False):
2909 other_creds = self.get_cached_creds(
2910 account_type=self.AccountType.COMPUTER,
2912 'allowed_replication_mock': replication_allowed,
2913 'denied_replication_mock': replication_denied,
2914 'revealed_to_mock_rodc': revealed_to_rodc,
2918 samdb = self.get_samdb()
2920 other_dn = other_creds.get_dn()
2921 other_sid = self.get_objectSid(samdb, other_dn)
2923 other_rid = int(other_sid.rsplit('-', 1)[1])
2927 def _get_mach_creds(self):
2928 return self.get_cached_creds(
2929 account_type=self.AccountType.COMPUTER,
2931 'allowed_replication_mock': True,
2932 'denied_replication_mock': False,
2933 'revealed_to_mock_rodc': True,
2937 def _get_non_existent_rid(self):
2938 return (1 << 30) - 1
2940 def _run_tgs(self, tgt, creds, expected_error, *, expect_pac=True,
2941 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
2942 expect_requester_sid=None, expected_sid=None,
2943 expect_edata=False, expect_status=None, expected_status=None):
2944 target_creds = self.get_service_creds()
2945 return self._tgs_req(
2946 tgt, expected_error, creds, target_creds,
2947 expect_pac=expect_pac,
2948 expect_pac_attrs=expect_pac_attrs,
2949 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
2950 expect_requester_sid=expect_requester_sid,
2951 expected_sid=expected_sid,
2952 expect_edata=expect_edata,
2953 expect_status=expect_status,
2954 expected_status=expected_status)
2956 # These tests fail against Windows, which does not implement ticket
2958 def _renew_tgt(self, tgt, creds, expected_error, *, expect_pac=True,
2959 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
2960 expect_requester_sid=None, expected_sid=None):
2961 krbtgt_creds = self.get_krbtgt_creds()
2962 kdc_options = str(krb5_asn1.KDCOptions('renew'))
2963 return self._tgs_req(
2964 tgt, expected_error, creds, krbtgt_creds,
2965 kdc_options=kdc_options,
2966 expect_pac=expect_pac,
2967 expect_pac_attrs=expect_pac_attrs,
2968 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
2969 expect_requester_sid=expect_requester_sid,
2970 expected_sid=expected_sid)
2972 # These tests fail against Windows, which does not implement ticket
2974 def _validate_tgt(self, tgt, creds, expected_error, *, expect_pac=True,
2975 expect_pac_attrs=None,
2976 expect_pac_attrs_pac_request=None,
2977 expect_requester_sid=None,
2979 krbtgt_creds = self.get_krbtgt_creds()
2980 kdc_options = str(krb5_asn1.KDCOptions('validate'))
2981 return self._tgs_req(
2982 tgt, expected_error, creds, krbtgt_creds,
2983 kdc_options=kdc_options,
2984 expect_pac=expect_pac,
2985 expect_pac_attrs=expect_pac_attrs,
2986 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
2987 expect_requester_sid=expect_requester_sid,
2988 expected_sid=expected_sid)
2990 def _s4u2self(self, tgt, tgt_creds, expected_error, *, expect_pac=True,
2991 expect_edata=False, expect_status=None,
2992 expected_status=None):
2993 user_creds = self._get_mach_creds()
2995 user_name = user_creds.get_username()
2996 user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2998 user_realm = user_creds.get_realm()
3000 def generate_s4u2self_padata(_kdc_exchange_dict,
3003 padata = self.PA_S4U2Self_create(
3006 tgt_session_key=tgt.session_key,
3009 return [padata], req_body
3011 return self._tgs_req(tgt, expected_error, tgt_creds, tgt_creds,
3012 expected_cname=user_cname,
3013 generate_padata_fn=generate_s4u2self_padata,
3014 expect_edata=expect_edata,
3015 expect_status=expect_status,
3016 expected_status=expected_status,
3017 expect_pac=expect_pac)
3019 def _user2user(self, tgt, tgt_creds, expected_error, *,
3021 srealm=None, user_tgt=None, user_creds=None,
3022 expect_pac=True, expected_status=None):
3023 if user_tgt is None:
3024 user_creds = self._get_mach_creds()
3025 user_tgt = self.get_tgt(user_creds)
3027 self.assertIsNotNone(user_creds,
3028 'if supplying user_tgt, user_creds should be '
3031 kdc_options = str(krb5_asn1.KDCOptions('enc-tkt-in-skey'))
3032 return self._tgs_req(user_tgt, expected_error, user_creds, tgt_creds,
3033 kdc_options=kdc_options,
3034 additional_ticket=tgt,
3037 expect_pac=expect_pac,
3038 expected_status=expected_status)
3040 def _fast(self, armor_tgt, armor_tgt_creds, expected_error,
3041 expected_sname=None, expect_pac=True, expect_edata=False):
3042 user_creds = self._get_mach_creds()
3043 user_tgt = self.get_tgt(user_creds)
3045 target_creds = self.get_service_creds()
3047 return self._tgs_req(user_tgt, expected_error,
3048 user_creds, target_creds,
3049 armor_tgt=armor_tgt,
3050 expected_sname=expected_sname,
3051 expect_pac=expect_pac,
3052 expect_edata=expect_edata)
3055 if __name__ == "__main__":
3056 global_asn1_print = False
3057 global_hexdump = False