Volker Lendecke [Sat, 7 Aug 2021 08:26:03 +0000 (10:26 +0200)]
rpc_client: Adapt rpc_write_send() to tevent_req conventions
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Aug 2021 13:56:57 +0000 (15:56 +0200)]
rpc_client: Adapt rpc_api_pipe_send() to recent coding conventions
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Aug 2021 14:12:19 +0000 (16:12 +0200)]
rpc_client: Use ndr_syntax_id_equal() in check_bind_response()
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 10 Aug 2021 14:13:09 +0000 (16:13 +0200)]
rpc_client: Use struct init/assignment
Don't leave structures/unions partially uninitialized
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 13 Aug 2021 13:51:07 +0000 (15:51 +0200)]
rpc_client: Adapt rpc_pipe_bind_send() to talloc_req conventions
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 13 Aug 2021 14:05:00 +0000 (16:05 +0200)]
rpc_client: Avoid ZERO_STRUCTP in prepare_verification_trailer()
Direct struct assignments are easier to read for me, but YMMV.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Fri, 13 Aug 2021 14:15:16 +0000 (16:15 +0200)]
rpc_client: Adapt rpc_api_pipe_req_send() to talloc_req conventions
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 05:42:48 +0000 (07:42 +0200)]
rpc_client: Slightly simplify rpc_api_pipe_req_send()
tevent_req_create() zero-initializes "state"
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 05:49:27 +0000 (07:49 +0200)]
rpc_client: Early TALLOC_FREE() in prepare_verification_trailer()
We don't need "t" from here on anymore
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 3 Aug 2021 07:09:28 +0000 (09:09 +0200)]
rpc_client: Fix a small memleak
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 14:28:31 +0000 (16:28 +0200)]
libsmb: Fix a typo
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 14:52:24 +0000 (16:52 +0200)]
rpc_client: Slightly simplify rpc_transport_np_init_pipe_open()
Avoid an unnecessary else, use tevent_req_nterror() in if-clause
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 15:10:17 +0000 (17:10 +0200)]
lib: Improve comment wording
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 15:20:03 +0000 (17:20 +0200)]
rpc_server: Fix a comment
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 15:20:21 +0000 (17:20 +0200)]
rpc_server: Simplify _samr_CreateUser2()
Use a variable that we just set a line before, don't duplicate the
priv name.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 15:24:45 +0000 (17:24 +0200)]
rpc_server: Align integer types
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 15:59:49 +0000 (17:59 +0200)]
rpc_server: Remove an unused function declaration
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 18:18:45 +0000 (20:18 +0200)]
rpc_server: Slightly simplify set_user_info_18()
Instead of adding the NULL check to data_blob_talloc_zero() put "out"
on the stack.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 18:18:45 +0000 (20:18 +0200)]
rpc_server: Slightly simplify set_user_info_21()
Instead of adding the NULL check to data_blob_talloc_zero() put "out"
on the stack.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Tue, 17 Aug 2021 18:37:04 +0000 (20:37 +0200)]
rpc_server: Simplify open_np_file()
No need to go via a string to create the SID describing the SMB3
encryption, we can directly use sid_append_rid().
This by the way fixes a bug: SID_MAX_SIZE is the maximum length of the
binary SID, not the maximum string length for a SID.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 18 Aug 2021 04:21:52 +0000 (06:21 +0200)]
librpc: Simplify GUID_hexstring()
A temporary talloc context seems unnecessary to me.
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 18 Aug 2021 04:25:00 +0000 (06:25 +0200)]
librpc: Simplify GUID_string2() by using GUID_buf_string()
Avoid unnecessary talloc
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Volker Lendecke [Wed, 18 Aug 2021 04:27:52 +0000 (06:27 +0200)]
librpc: Simplify GUID_zero() with a direct struct return
Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Andrew Bartlett [Mon, 23 Aug 2021 08:45:50 +0000 (20:45 +1200)]
samba-tool domain backup: Use tdbbackup on metadata.tdb
metadata.tdb is inside sam.ldb.d/ but should be backed up with tdbbackup.
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Autobuild-User(master): Andreas Schneider <asn@cryptomilk.org>
Autobuild-Date(master): Tue Aug 24 13:22:04 UTC 2021 on sn-devel-184
Andrew Bartlett [Mon, 23 Aug 2021 06:14:16 +0000 (18:14 +1200)]
samba-tool: Rework transactions/locks to hold a lock during mdb backup
We now also get sidForRestore under that lock, rather than
after the backup.
This avoids using the database again after the backup process
While not entirely clear how/why this matters with LMDB
as seen in Fedora 34, likely due to the same issues
seen with 0.9.26 or later fixed by commit
bb3dcd403ced922574a89011dd3814c4fe87dd76.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andrew Bartlett [Mon, 23 Aug 2021 07:41:15 +0000 (19:41 +1200)]
samba-tool domain backup offline: Use passed in samdb when backing up sam.ldb
This avoids opening the database again by having the caller pass in
the DB open
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14676
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Andreas Schneider [Tue, 24 Aug 2021 08:14:14 +0000 (10:14 +0200)]
selftest: Add python path for compiled python modules like ldb
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Jeremy Allison [Thu, 19 Aug 2021 22:43:52 +0000 (15:43 -0700)]
s3: smbd: Ensure all returns from OpenDir() correctly set errno.
Complex code paths inside open_internal_dirfsp() can return an
NTSTATUS, but trample on the matching errno. We need to make
sure if open_internal_dirfsp() fails, errno matches the NTSTATUS
return.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14805
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <npower@samba.org>
Autobuild-User(master): Noel Power <npower@samba.org>
Autobuild-Date(master): Fri Aug 20 09:56:49 UTC 2021 on sn-devel-184
Jeremy Allison [Mon, 19 Jul 2021 22:10:41 +0000 (15:10 -0700)]
s3: VFS: streams_depot: Allow "streams directory" outside of share path to work again.
As we're dealing with absolute paths here, we just need
to temporarily replace the connectpath whilst enumerating
streams.
Remove knownfail file.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Thu Aug 19 17:04:44 UTC 2021 on sn-devel-184
Jeremy Allison [Mon, 19 Jul 2021 21:52:32 +0000 (14:52 -0700)]
s3: VFS: vfs_streams_depot: Factor out the code that gets the absolute stream rootdir into a function.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Jeremy Allison [Wed, 21 Jul 2021 00:50:49 +0000 (17:50 -0700)]
s3: selftest: Add a test for vfs_streams_depot with the target path outside of the share.
Mark as knownfail.d/simpleserver_streams
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Noel Power <noel.power@suse.com>
Noel Power [Thu, 19 Aug 2021 11:13:27 +0000 (12:13 +0100)]
s4: torture: CHECK ret value and fail if false
If we reach 'done' with ret == false without setting
the torture result we get unexpected results e.g.
Exception: Exception: Unknown error/failure. Missing torture_fail() or torture_assert_*() call?
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14760
Signed-off-by: Noel Power <noel.power@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 22:58:44 +0000 (10:58 +1200)]
tests/krb5: Add FAST tests
Example command:
SERVER=addc STRICT_CHECKING=0 SMB_CONF_PATH=/dev/null \
KRB5_CONFIG=krb5.conf DOMAIN=ADDOMAIN REALM=ADDOM.SAMBA.EXAMPLE.COM \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=locDCpass1 \
PYTHONPATH=bin/python python/samba/tests/krb5/fast_tests.py
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Wed Aug 18 23:20:14 UTC 2021 on sn-devel-184
Gary Lockyer [Wed, 9 Jun 2021 21:56:58 +0000 (09:56 +1200)]
initial FAST tests
Currently incomplete, and tested only against MIT Kerberos.
[abartlet@samba.org
Originally "WIP inital FAST tests"
Samba's general policy is that we don't push WIP patches; we polish
into a 'perfect' patch stream.
However, I think there are good reasons to keep this patch distinct
in this particular case.
Gary is being modest in titling this WIP (now removed from the title
to avoid confusion). They are not WIP in the normal sense of
partially or untested code or random unfinished thoughts. The primary
issue is that at that point where Gary had to finish up he had
trouble getting FAST support enabled on Windows, so couldn't test
against our standard reference. They are instead good, working
initial tests written against the RFC and tested against Samba's AD DC
in the mode backed by MIT Kerberos.
This preserves clear authorship for the two distinct bodies of work,
as in the next patch Joseph was able to extend and improve the tests
significantly. ]
Signed-off-by: Gary Lockyer <gary@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:49:58 +0000 (14:49 +1200)]
tests/krb5: Check PADATA-FX-ERROR in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 23:50:16 +0000 (11:50 +1200)]
tests/krb5: Allow generic_check_kdc_error() to check inner FAST errors
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:50:20 +0000 (14:50 +1200)]
tests/krb5: Check PADATA-PAC-OPTIONS in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 04:29:39 +0000 (16:29 +1200)]
tests/krb5: Make generic_check_kdc_error() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 08:49:25 +0000 (20:49 +1200)]
tests/krb5: Make check_rep_padata() also work for checking TGS replies
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:49:12 +0000 (14:49 +1200)]
tests/krb5: Check PADATA-FX-COOKIE in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:36:56 +0000 (14:36 +1200)]
tests/krb5: Check PADATA-ENCRYPTED-CHALLENGE in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 04:42:26 +0000 (16:42 +1200)]
tests/krb5: Adjust reply padata checking depending on whether FAST was sent
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 04:31:39 +0000 (16:31 +1200)]
tests/krb5: Check reply FAST padata if request included FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 04:25:39 +0000 (16:25 +1200)]
tests/krb5: Check sname is krbtgt for FAST generic error
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 23:15:00 +0000 (11:15 +1200)]
tests/krb5: Add get_krbtgt_sname() method
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 04:26:06 +0000 (16:26 +1200)]
tests/krb5: Remove unused variables
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 04:35:32 +0000 (16:35 +1200)]
tests/krb5: Don't expect RC4 in ETYPE-INFO2 for a non-error reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 04:21:14 +0000 (16:21 +1200)]
tests/krb5: Add check_rep_padata() method to check padata in reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 03:20:09 +0000 (15:20 +1200)]
tests/krb5: Add generate_simple_fast() method to generate FX-FAST padata
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:18:29 +0000 (14:18 +1200)]
tests/krb5: Include authdata in kdc_exchange_dict
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:05:59 +0000 (14:05 +1200)]
tests/krb5: Add expected_cname_private parameter to kdc_exchange_dict
This is useful for testing the 'hide client names' FAST option.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:34:49 +0000 (14:34 +1200)]
tests/krb5: Check encrypted-pa-data
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 03:21:01 +0000 (15:21 +1200)]
tests/krb5: Add methods to determine whether elements were included in the request
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 03:20:44 +0000 (15:20 +1200)]
tests/krb5: Add functions to get dicts of request padata
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:42:57 +0000 (14:42 +1200)]
tests/krb5: Check FAST response
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:10:13 +0000 (14:10 +1200)]
tests/krb5: Add method to verify ticket checksum for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:04:37 +0000 (14:04 +1200)]
tests/krb5: Add method to check PA-FX-FAST-REPLY
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:01:36 +0000 (14:01 +1200)]
tests/krb5: Allow specifying parameters specific to the outer request body
This is useful for testing FAST.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 22:33:24 +0000 (10:33 +1200)]
tests/krb5: Add FAST armor generation to _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 22:33:10 +0000 (10:33 +1200)]
tests/krb5: Modify generate_ap_req() to also generate FAST armor AP-REQ
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 22:19:46 +0000 (10:19 +1200)]
tests/krb5: Include authenticator_subkey in AS-REQ exchange dict
This is needed for FAST.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 08:49:12 +0000 (20:49 +1200)]
tests/krb5: Rename generic_check_as_error() to generic_check_kdc_error()
This method will also be useful in checking TGS-REP error replies.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 6 Jul 2021 00:49:05 +0000 (12:49 +1200)]
tests/krb5: Add methods to calculate keys for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 6 Jul 2021 00:47:18 +0000 (12:47 +1200)]
tests/krb5: Add method to generate FAST encrypted challenge padata
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 22:23:26 +0000 (10:23 +1200)]
tests/krb5: Add more methods to create ASN1 objects for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 22:21:07 +0000 (10:21 +1200)]
tests/krb5: Add more ASN1 definitions for FAST
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 01:59:36 +0000 (13:59 +1200)]
tests/krb5: Generate AP-REQ for TGS request in _generic_kdc_exchange()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 23:06:35 +0000 (11:06 +1200)]
tests/krb5: Ensure generated padata is not None
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 07:27:02 +0000 (19:27 +1200)]
tests/krb5: Add generate_ap_req() method
This method will be useful to generate an AP-REQ for use as FAST armor.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 00:52:42 +0000 (12:52 +1200)]
tests/krb5: Check nonce in EncKDCRepPart
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 23:39:37 +0000 (11:39 +1200)]
tests/krb5: Make checking less strict
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 23:34:19 +0000 (11:34 +1200)]
tests/krb5: Check version number of obtained ticket
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:39:42 +0000 (14:39 +1200)]
tests/krb5: Assert that more variables are not None
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 22:37:48 +0000 (10:37 +1200)]
tests/krb5: Ensure in assertElementPresent() that container elements are not empty
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 23:06:15 +0000 (11:06 +1200)]
tests/krb5: Only allow specifying one of check_rep_fn and check_error_fn
This means that there can no longer be surprises where a test receives a
reply when it was expecting an error, or vice versa.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 22:35:40 +0000 (10:35 +1200)]
tests/krb5: Include kdc_options in kdc_exchange_dict
Make kdc_options an element of kdc_exchange_dict instead of a parameter
to _generic_kdc_exchange(). This allows testing code to adjust the reply
checking based on the options that were specified in the request.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 22:32:52 +0000 (10:32 +1200)]
tests/krb5: Always specify expected error code
Now the expected error code is always determined by the test code itself
rather than by generic_check_as_error().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 05:19:04 +0000 (17:19 +1200)]
tests/krb5: Add check_reply() method to check for AS or TGS reply
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Thu, 22 Jul 2021 04:22:09 +0000 (16:22 +1200)]
tests/krb5: Add method to calculate account salt
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 22:19:57 +0000 (10:19 +1200)]
tests/krb5: Add more methods for obtaining machine and service credentials
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 23:25:55 +0000 (11:25 +1200)]
tests/krb5: Allow specifying additional details when creating an account
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 3 Aug 2021 03:58:19 +0000 (15:58 +1200)]
tests/krb5: Use encryption with admin credentials
This ensures that account creation using admin credentials succeeds.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Thu, 22 Jul 2021 04:27:17 +0000 (16:27 +1200)]
tests/krb5: Add get_EpochFromKerberosTime()
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:27:47 +0000 (14:27 +1200)]
tests/krb5: Make _test_as_exchange() return value more consistent
Always return the reply and the kdc_exchange_dict so that the caller has
more potentially useful information.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 6 Jul 2021 00:51:54 +0000 (12:51 +1200)]
tests/krb5: Add method to return dict containing padata elements
This makes checking multiple padata elements easier.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 05:18:38 +0000 (17:18 +1200)]
tests/krb5: Add get_enc_timestamp_pa_data_from_key()
This makes it easier to create encrypted timestamp padata when the key
has already been obtained.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 22:16:01 +0000 (10:16 +1200)]
tests/krb5: Refactor get_pa_data()
The function now returns a single padata object rather than a list,
making it easier to combine multiple padata elements into a request. The
new name 'get_enc_timestamp_pa_data' also makes it clearer as to what
the method generates.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 22:24:52 +0000 (10:24 +1200)]
tests/krb5: Allow cf2 to automatically use the enctype of the first key
RFC6113 states: "Unless otherwise specified, the resulting enctype of
KRB-FX-CF2 is the enctype of k1." This change means the enctype no
longer has to be specified manually.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 23:28:37 +0000 (11:28 +1200)]
tests/krb5: Use credentials kvno when creating password key
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 03:07:59 +0000 (15:07 +1200)]
tests/krb5: Check Kerberos protocol version number
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Wed, 28 Jul 2021 05:00:09 +0000 (17:00 +1200)]
tests/krb5: Expect e-data except when the error code is KDC_ERR_GENERIC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 02:06:29 +0000 (14:06 +1200)]
tests/krb5: Fix encpart_decryption_key with MIT KDC
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 23:12:34 +0000 (11:12 +1200)]
tests/krb5: Fix callback_dict parameter
Items contained in a default-created callback_dict should not be carried
over between unrelated calls to {as,tgs}_as_exchange_dict().
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 26 Jul 2021 05:14:08 +0000 (17:14 +1200)]
tests/krb5: Fix including enc-authorization-data
Remove the EncAuthorizationData parameters from AS_REQ_create(), since
it should only be present in the TGS-REQ form. Also, fix a call to
EncryptedData_create() to supply the key usage when creating
enc-authorization-data.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 27 Jul 2021 01:49:27 +0000 (13:49 +1200)]
tests/krb5: Remove magic constants
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Tue, 3 Aug 2021 03:03:00 +0000 (15:03 +1200)]
tests/krb5: Simplify Python syntax
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 2 Aug 2021 05:10:32 +0000 (17:10 +1200)]
tests/krb5: Use more compact dict lookup
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 2 Aug 2021 05:01:39 +0000 (17:01 +1200)]
tests/krb5: Remove unneeded statements
A return statement is redundant as the last statement in a method, as
methods will otherwise return None. Also, code blocks consisting of a
single 'pass' statement can be safely omitted.
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 2 Aug 2021 05:00:09 +0000 (17:00 +1200)]
tests/krb5: formatting
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Joseph Sutton [Mon, 5 Jul 2021 22:17:52 +0000 (10:17 +1200)]
tests/krb5: Fix method name typo
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>