tests/krb5: Add tests for constrained delegation to NO_AUTH_DATA_REQUIRED service
authorJoseph Sutton <josephsutton@catalyst.net.nz>
Mon, 18 Oct 2021 03:07:11 +0000 (16:07 +1300)
committerStefan Metzmacher <metze@samba.org>
Wed, 20 Oct 2021 09:22:43 +0000 (09:22 +0000)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14871

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Wed Oct 20 09:22:43 UTC 2021 on sn-devel-184

python/samba/tests/krb5/s4u_tests.py
selftest/knownfail_heimdal_kdc

index 9a25256081a13457396e283b4599fc3c4dc7d267..bbb7135b55b38fa6467dac78a52055e8cfe9d00d 100755 (executable)
@@ -538,6 +538,8 @@ class S4UKerberosTests(KDCBaseTest):
         transited_service = f'host/{service1_name}@{service1_realm}'
         expected_transited_services.append(transited_service)
 
+        expect_pac = kdc_dict.pop('expect_pac', True)
+
         kdc_exchange_dict = self.tgs_exchange_dict(
             expected_crealm=client_realm,
             expected_cname=client_cname,
@@ -557,7 +559,8 @@ class S4UKerberosTests(KDCBaseTest):
             pac_options=pac_options,
             expect_edata=expect_edata,
             expected_proxy_target=expected_proxy_target,
-            expected_transited_services=expected_transited_services)
+            expected_transited_services=expected_transited_services,
+            expect_pac=expect_pac)
 
         self._generic_kdc_exchange(kdc_exchange_dict,
                                    cname=None,
@@ -577,6 +580,18 @@ class S4UKerberosTests(KDCBaseTest):
                 'allow_delegation': True
             })
 
+    def test_constrained_delegation_no_auth_data_required(self):
+        # Test constrained delegation.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': 0,
+                'allow_delegation': True,
+                'service2_opts': {
+                    'no_auth_data_required': True
+                },
+                'expect_pac': False
+            })
+
     def test_constrained_delegation_existing_delegation_info(self):
         # Test constrained delegation with an existing S4U_DELEGATION_INFO
         # structure in the PAC.
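Review bot: The comment on test_constrained_delegation_no_auth_data_required (`# Test constrained delegation.`) does not say what sets this case apart from the plain constrained-delegation test just above it, namely the `no_auth_data_required` option on service2 and the `'expect_pac': False` expectation. Suggest `# Test constrained delegation to a service with NO_AUTH_DATA_REQUIRED set; the ticket issued for that service is expected to carry no PAC.` The same gap applies to the two tests added in the next hunk, whose comments repeat the existing no_client_pac/no_service_pac wording without mentioning the NO_AUTH_DATA_REQUIRED target, and to test_rbcd_no_auth_data_required later in the file, which has no comment at all.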
@@ -624,6 +639,35 @@ class S4UKerberosTests(KDCBaseTest):
                 'modify_service_tgt_fn': self.remove_ticket_pac
             })
 
+    def test_constrained_delegation_no_client_pac_no_auth_data_required(self):
+        # Test constrained delegation when the client service ticket does not
+        # contain a PAC.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': (KDC_ERR_BADOPTION,
+                                        KDC_ERR_MODIFIED),
+                'allow_delegation': True,
+                'modify_client_tkt_fn': self.remove_ticket_pac,
+                'expect_edata': False,
+                'service2_opts': {
+                    'no_auth_data_required': True
+                }
+            })
+
+    def test_constrained_delegation_no_service_pac_no_auth_data_required(self):
+        # Test constrained delegation when the service TGT does not contain a
+        # PAC.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': (KDC_ERR_BADOPTION,
+                                        KDC_ERR_MODIFIED),
+                'allow_delegation': True,
+                'modify_service_tgt_fn': self.remove_ticket_pac,
+                'service2_opts': {
+                    'no_auth_data_required': True
+                }
+            })
+
     def test_constrained_delegation_non_forwardable(self):
         # Test constrained delegation with a non-forwardable ticket.
         self._run_delegation_test(
@@ -645,6 +689,18 @@ class S4UKerberosTests(KDCBaseTest):
                 'allow_delegation': True
             })
 
+    def test_rbcd_no_auth_data_required(self):
+        self._run_delegation_test(
+            {
+                'expected_error_mode': 0,
+                'allow_rbcd': True,
+                'pac_options': '0001',  # supports RBCD
+                'service2_opts': {
+                    'no_auth_data_required': True
+                },
+                'expect_pac': False
+            })
+
     def test_rbcd_existing_delegation_info(self):
         # Test constrained delegation with an existing S4U_DELEGATION_INFO
         # structure in the PAC.
@@ -712,6 +768,55 @@ class S4UKerberosTests(KDCBaseTest):
                 'modify_service_tgt_fn': self.remove_ticket_pac
             })
 
+    def test_rbcd_no_client_pac_no_auth_data_required_a(self):
+        # Test constrained delegation when the client service ticket does not
+        # contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': KDC_ERR_MODIFIED,
+                'expected_status': ntstatus.NT_STATUS_NOT_SUPPORTED,
+                'allow_rbcd': True,
+                'pac_options': '0001',  # supports RBCD
+                'modify_client_tkt_fn': self.remove_ticket_pac,
+                'service2_opts': {
+                    'no_auth_data_required': True
+                }
+            })
+
+    def test_rbcd_no_client_pac_no_auth_data_required_b(self):
+        # Test constrained delegation when the client service ticket does not
+        # contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': KDC_ERR_MODIFIED,
+                'expected_status': ntstatus.NT_STATUS_NO_MATCH,
+                'allow_rbcd': True,
+                'pac_options': '0001',  # supports RBCD
+                'modify_client_tkt_fn': self.remove_ticket_pac,
+                'service1_opts': {
+                    'delegation_to_spn': ('host/test')
+                },
+                'service2_opts': {
+                    'no_auth_data_required': True
+                }
+            })
+
+    def test_rbcd_no_service_pac_no_auth_data_required(self):
+        # Test constrained delegation when the service TGT does not contain a
+        # PAC.
+        self._run_delegation_test(
+            {
+                'expected_error_mode': KDC_ERR_BADOPTION,
+                'expected_status':
+                    ntstatus.NT_STATUS_NOT_FOUND,
+                'allow_rbcd': True,
+                'pac_options': '0001',  # supports RBCD
+                'modify_service_tgt_fn': self.remove_ticket_pac,
+                'service2_opts': {
+                    'no_auth_data_required': True
+                }
+            })
+
     def test_rbcd_non_forwardable(self):
         # Test resource-based constrained delegation with a non-forwardable
         # ticket.
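Review bot: In test_rbcd_no_client_pac_no_auth_data_required_b the value `('host/test')` is not a tuple, only a parenthesised string, so `delegation_to_spn` receives the plain str `'host/test'`. If the helper takes a string, drop the parentheses (`'delegation_to_spn': 'host/test'`); if it expects a sequence, a trailing comma is needed (`('host/test',)`) — which one applies is not visible in this hunk. The `'expected_status':` line break in test_rbcd_no_service_pac_no_auth_data_required also differs from the single-line form used by the two tests directly above it. The comments on all three tests omit the NO_AUTH_DATA_REQUIRED aspect and the reason the expected NT status differs between the `_a` and `_b` variants (empty versus non-empty msDS-AllowedToDelegateTo), which is the only thing a reader needs to tell them apart.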
index 05e9a19220ff4863f99dd78d48451863e5fa9d63..5e0ee77ff6a2c4b6d9ce565d492e396f3a0f76e7 100644 (file)
@@ -71,7 +71,7 @@
 # S4U tests
 #
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_bronze_bit_rbcd_old_checksum
-^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_service_pac\(.*\)$
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_existing_delegation_info
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_missing_client_checksum
 ^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_a
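Review bot: The `\(.*\)$` anchor is added only to the test_constrained_delegation_no_service_pac entry, while the other entries in this list remain unanchored prefixes, so any future test whose name extends one of them (for example a `test_rbcd_existing_delegation_info_…` variant) is silently treated as known-failing and a regression in it would go unnoticed. Anchoring every entry the same way, e.g. `^…test_rbcd_existing_delegation_info\(.*\)$`, would close that gap consistently. If the file also carries an unanchored test_rbcd_no_service_pac entry outside this hunk, it would prefix-match the new test_rbcd_no_service_pac_no_auth_data_required, which this commit does not list as a known failure — worth checking.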
@@ -87,3 +87,9 @@
 # KRB5KRB_ERR_RESPONSE_TOO_BIG in this specific case
 #
 ^samba4.krb5.kdc with machine account.as-req-pac-request.fl2000dc:local
+#
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_a
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_client_pac_no_auth_data_required_b
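Review bot: The two bare `#` lines at the top of the new block leave the reason for these four known failures unstated, while the neighbouring entry explains itself (`# KRB5KRB_ERR_RESPONSE_TOO_BIG in this specific case`). Suggest replacing them with a reason and a pointer to the tracked bug, e.g. `# Constrained delegation / RBCD to a NO_AUTH_DATA_REQUIRED service: the Heimdal KDC does not yet produce the expected result (bug 14871)` — the cause is inferred here from the commit title and BUG trailer, so adjust the wording to the actual failure. Naming the failing assertion (for instance whether a PAC is still present in the issued ticket) would make the entries easy to retire once the KDC is fixed.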