# Unix SMB/CIFS implementation.
# Copyright (C) Stefan Metzmacher 2020
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
import os
import sys

from samba.tests.krb5.kdc_base_test import KDCBaseTest
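# Prepend the relative directory "bin/python" to the module search path.
# NOTE(review): the path is relative, so it resolves against the current
# working directory.  Modules found there take precedence over installed
# ones for every later import, so run this test only from a trusted
# build tree.
sys.path.insert(0, "bin/python")

# Exported through the environment, so child Python processes inherit it;
# it does not change the buffering of the interpreter that is already running.
os.environ["PYTHONUNBUFFERED"] = "1"

# Module-wide debug switches.  RodcKerberosTests copies them onto each test
# instance as do_asn1_print / do_hexdump.
global_asn1_print = False
global_hexdump = False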
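class RodcKerberosTests(KDCBaseTest):
    """Kerberos tests that request tickets from a read-only DC (RODC).

    The single test checks that a TGT and a service ticket issued by the
    RODC both pass ``verify_ticket`` when checked against a key derived
    from the RODC's own krbtgt credentials.

    NOTE(review): the page this listing was recovered from drops several
    source lines (gutter numbers 33-34, 43, 46, 49, 52 and 65).  The
    ``setUp`` header with its ``super().setUp()`` call, the ``opts=``
    keyword and the trailing ``to_rodc=True`` argument are reconstructed
    from the surrounding syntax; confirm them against the upstream file.
    """

    def setUp(self):
        """Copy the module-level debug switches onto this test instance."""
        super().setUp()
        self.do_asn1_print = global_asn1_print
        self.do_hexdump = global_hexdump

    # Ensure that an RODC correctly issues tickets signed with its krbtgt key
    # and including the RODCIdentifier.
    def test_rodc_ticket_signature(self):
        """Check the PAC checksums of RODC-issued tickets.

        A user account and a computer account are obtained, both with
        ``allowed_replication`` and ``revealed_to_rodc`` set.  A TGT and
        then a service ticket are requested from the RODC, and each is
        passed to ``verify_ticket`` with the RODC krbtgt key.  A ticket
        signed with any other key should therefore fail the test.
        """
        # NOTE(review): presumably these options make the accounts eligible
        # for the RODC to authenticate on its own - confirm in KDCBaseTest.
        user_creds = self.get_cached_creds(
            account_type=self.AccountType.USER,
            opts={
                'allowed_replication': True,
                'revealed_to_rodc': True
            })
        target_creds = self.get_cached_creds(
            account_type=self.AccountType.COMPUTER,
            opts={
                'allowed_replication': True,
                'revealed_to_rodc': True
            })

        # The verification key comes from the RODC's krbtgt credentials,
        # not from a key carried in the tickets under test.
        krbtgt_creds = self.get_rodc_krbtgt_creds()
        rodc_key = self.TicketDecryptionKey_from_creds(krbtgt_creds)

        # Get a TGT from the RODC.
        tgt = self.get_tgt(user_creds, to_rodc=True)

        # Ensure the PAC contains the expected checksums.
        self.verify_ticket(tgt, rodc_key, service_ticket=False)

        # Get a service ticket from the RODC.
        service_ticket = self.get_service_ticket(tgt, target_creds,
                                                 to_rodc=True)

        # Ensure the PAC contains the expected checksums.
        self.verify_ticket(service_ticket, rodc_key, service_ticket=True)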
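if __name__ == "__main__":
    # Reset the debug switches when the file is run as a script.
    # NOTE(review): presumably set to True locally to get ASN.1 or hex
    # dumps while debugging - confirm against the base class.
    # NOTE(review): the listing ends at gutter line 73; any test-runner
    # call that follows in the upstream file is not shown on this page.
    global_asn1_print = False
    global_hexdump = False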