tests/krb5: Add test for authenticating with disabled account and wrong password
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Wed, 21 Jun 2023 04:54:36 +0000 (16:54 +1200)
committerStefan Metzmacher <metze@samba.org>
Mon, 26 Jun 2023 11:10:31 +0000 (11:10 +0000)
This shows that a client's account restrictions (here, logonHours) are
expected to be checked before the password is verified.

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
python/samba/tests/krb5/as_req_tests.py
python/samba/tests/krb5/kdc_base_test.py
selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc

index e8712b5bf8aad62b1b712fa3e067b3c8992c721b..eb5e16e539eacc5acd5bf208656693d74c606486 100755 (executable)
@@ -22,11 +22,13 @@ import os
 sys.path.insert(0, "bin/python")
 os.environ["PYTHONUNBUFFERED"] = "1"
 
+from samba import ntstatus
 from samba.tests import DynamicTestCase
 from samba.tests.krb5.kdc_base_test import KDCBaseTest
 import samba.tests.krb5.kcrypto as kcrypto
 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
 from samba.tests.krb5.rfc4120_constants import (
+    KDC_ERR_CLIENT_REVOKED,
     KDC_ERR_C_PRINCIPAL_UNKNOWN,
     KDC_ERR_S_PRINCIPAL_UNKNOWN,
     KDC_ERR_ETYPE_NOSUPP,
@@ -48,6 +50,8 @@ class AsReqBaseTest(KDCBaseTest):
                                   name_type=NT_PRINCIPAL, etypes=None,
                                   expected_error=None, expect_edata=None,
                                   expected_pa_error=None, expect_pa_edata=None,
+                                  expect_status=None,
+                                  expect_pa_status=None,
                                   kdc_options=None, till=None):
         user_name = client_creds.get_username()
         if client_account is None:
@@ -101,9 +105,10 @@ class AsReqBaseTest(KDCBaseTest):
             expected_supported_etypes=krbtgt_supported_etypes,
             expected_account_name=user_name,
             pac_request=True,
-            expect_edata=expect_edata)
+            expect_edata=expect_edata,
+            expected_status=expect_status)
 
-        if expected_error is not None:
+        if rep['error-code'] != KDC_ERR_PREAUTH_REQUIRED:
             return None
 
         etype_info2 = kdc_exchange_dict['preauth_etype_info2']
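Review bot: The replacement guard `if rep['error-code'] != KDC_ERR_PREAUTH_REQUIRED:` indexes `error-code` unconditionally, so if the first AS-REQ ever gets an AS-REP back (an account that does not require pre-authentication), the test dies with a KeyError rather than an assertion; if the reply's message type is available from `rep`, checking for a KRB-ERROR first would make that failure readable. The semantics also changed from "any expected error ends the exchange" to "only a non-PREAUTH_REQUIRED reply ends the exchange", so that with a tuple in `expected_error` the pre-authentication step is now entered whenever the KDC first asks for pre-auth, which deserves a comment such as `# Continue to the encrypted-timestamp step only if the KDC asked for pre-auth; any other reply (success or another error) ends the exchange here.` _run_as_req_enc_timestamp begins and ends outside this hunk.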
@@ -148,6 +153,7 @@ class AsReqBaseTest(KDCBaseTest):
             expected_supported_etypes=krbtgt_supported_etypes,
             expected_account_name=user_name,
             expect_edata=expect_pa_edata,
+            expected_status=expect_pa_status,
             preauth_key=preauth_key,
             ticket_decryption_key=krbtgt_decryption_key,
             pac_request=True)
@@ -531,6 +537,43 @@ class AsReqKerberosTests(AsReqBaseTest):
             client_creds,
             till='99990913024805Z')
 
+    def test_logon_hours(self):
+        """Test making an AS-REQ with a logonHours attribute that disallows
+        logging in."""
+
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={'logon_hours': bytes(21)})
+
+        # Expect to get a CLIENT_REVOKED error.
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED),
+            expect_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS,
+            expected_pa_error=KDC_ERR_CLIENT_REVOKED,
+            expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
+
+    def test_logon_hours_wrong_password(self):
+        """Test making an AS-REQ with a wrong password and a logonHours
+        attribute that disallows logging in."""
+
+        # Use a non-cached account so that it is not locked out for other
+        # tests.
+        client_creds = self.get_cached_creds(
+            account_type=self.AccountType.USER,
+            opts={'logon_hours': bytes(21)},
+            use_cache=False)
+
+        client_creds.set_password('wrong password')
+
+        # Expect to get a CLIENT_REVOKED error.
+        self._run_as_req_enc_timestamp(
+            client_creds,
+            expected_error=(KDC_ERR_CLIENT_REVOKED, KDC_ERR_PREAUTH_REQUIRED),
+            expect_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS,
+            expected_pa_error=KDC_ERR_CLIENT_REVOKED,
+            expect_pa_status=ntstatus.NT_STATUS_INVALID_LOGON_HOURS)
+
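Review bot: `opts={'logon_hours': bytes(21)}` carries the whole meaning of both tests, yet nothing says what twenty-one zero bytes denote; a comment like `# 21 all-zero octets: one bit per hour of the week, so no hour is permitted` would spare the next reader a trip to the schema. The wrong-password variant is the security-relevant one — it expects NT_STATUS_INVALID_LOGON_HOURS even though the credential is wrong, i.e. the account restriction is reported before the password is verified — and its docstring should say that a wrong password must not change the outcome, so that the KDC never reaches a password check (and a bad-password count) for an account that is not allowed to log on anyway. Note also that `_run_as_req_enc_timestamp` returns before the pre-authentication step whenever the first reply is already CLIENT_REVOKED, so `expected_pa_error` / `expect_pa_status` are only exercised on KDCs that first answer PREAUTH_REQUIRED; a short comment stating that either ordering is accepted would make the intent explicit.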
 
 if __name__ == "__main__":
     global_asn1_print = False
index 276fc089a6daa1953783227a65a9b8af5b51fb0e..96ae43a0937bdc30de4764008eaa085dc52f9c7e 100644 (file)
@@ -1709,6 +1709,7 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
             'force_nt4_hash': False,
             'assigned_policy': None,
             'assigned_silo': None,
+            'logon_hours': None,
         }
 
         account_opts = {
@@ -1760,7 +1761,8 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
                             id,
                             force_nt4_hash,
                             assigned_policy,
-                            assigned_silo):
+                            assigned_silo,
+                            logon_hours):
         if account_type is self.AccountType.USER:
             self.assertIsNone(delegation_to_spn)
             self.assertIsNone(delegation_from_dn)
@@ -1825,6 +1827,9 @@ class KDCBaseTest(TestCaseInTempDir, RawKerberosTest):
         if assigned_silo is not None:
             details['msDS-AssignedAuthNPolicySilo'] = assigned_silo
 
+        if logon_hours is not None:
+            details['logonHours'] = logon_hours
+
         creds, dn = self.create_account(samdb, user_name,
                                         account_type=account_type,
                                         upn=upn,
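Review bot: `details['logonHours'] = logon_hours` stores whatever the caller passed without checking its shape, while the only consumer added in this commit passes `bytes(21)`; a wrong-length value would surface later as an opaque LDAP add failure rather than a test error. A guard before the assignment, `self.assertEqual(21, len(logon_hours), 'logonHours must be 21 octets (one bit per hour of the week)')`, keeps the failure at the point of the mistake and matches the assert style already used earlier in this helper. The helper's signature and the create_account call continue outside this hunk.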
index 7e30c83bd4697b1f729df8ee1878fdb75f23b62b..2fbf7f72284ad3abccceb3109e515f6d9d22a921 100644 (file)
@@ -3,6 +3,11 @@
 # kerberos
 ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_
 #
+# AS-REQ tests
+#
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_logon_hours_wrong_password.fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_logon_hours_wrong_password.fl2008r2dc
+#
 # Heimdal currently fails the following MS-KILE client principal lookup
 # tests
 ^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a
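Review bot: The two new entries for test_logon_hours_wrong_password give no reason for the failure, unlike the neighbouring block that states what the Heimdal KDC currently gets wrong. As this is the test that pins the security-relevant ordering (account restriction reported before the password is checked), a one-line comment above them such as `# The Heimdal KDC does not yet report the logonHours restriction when the password is wrong` would tell whoever fixes the KDC which entries to drop. The wording is inferred from test_logon_hours passing and only the wrong-password variant failing here; adjust it if the actual cause differs.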
index 8196f4f4d6bd4472767c3c6e69af15a3988df25f..7c3b91e2c6a51a3e79ad4082c337b550edb05b85 100644 (file)
@@ -3,6 +3,13 @@
 # kerberos
 ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_
 #
+# AS-REQ tests
+#
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_logon_hours.fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_logon_hours.fl2008r2dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_logon_hours_wrong_password.fl2003dc
+^samba.tests.krb5.as_req_tests.samba.tests.krb5.as_req_tests.AsReqKerberosTests.test_logon_hours_wrong_password.fl2008r2dc
+#
 # Currently MOST but not quite all the Canonicalization tests fail on the
 # MIT KDC
 #