2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2020
4 # Copyright (C) Catalyst.Net Ltd 2023
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
23 sys
.path
.insert(0, 'bin/python')
24 os
.environ
['PYTHONUNBUFFERED'] = '1'
30 from samba
import dsdb
, ntstatus
31 from samba
.dcerpc
import netlogon
, security
32 from samba
.ndr
import ndr_pack
34 import samba
.tests
.krb5
.kcrypto
as kcrypto
35 from samba
.tests
.krb5
.kdc_base_test
import GroupType
36 from samba
.tests
.krb5
.kdc_tgs_tests
import KdcTgsBaseTests
37 from samba
.tests
.krb5
.rfc4120_constants
import (
38 FX_FAST_ARMOR_AP_REQUEST
,
46 import samba
.tests
.krb5
.rfc4120_pyasn1
as krb5_asn1
48 global_asn1_print
= False
49 global_hexdump
= False
51 HRES_SEC_E_INVALID_TOKEN
= 0x80090308
52 HRES_SEC_E_LOGON_DENIED
= 0x8009030C
55 class AuthnPolicyTests(KdcTgsBaseTests
):
60 cls
._max
_ticket
_life
= None
61 cls
._max
_renew
_life
= None
65 self
.do_asn1_print
= global_asn1_print
66 self
.do_hexdump
= global_hexdump
68 def get_max_ticket_life(self
):
69 if self
._max
_ticket
_life
is None:
70 self
._fetch
_default
_lifetimes
()
72 return self
._max
_ticket
_life
74 def get_max_renew_life(self
):
75 if self
._max
_renew
_life
is None:
76 self
._fetch
_default
_lifetimes
()
78 return self
._max
_renew
_life
80 def _fetch_default_lifetimes(self
):
81 samdb
= self
.get_samdb()
83 domain_policy_dn
= samdb
.get_default_basedn()
84 domain_policy_dn
.add_child('CN=Default Domain Policy,CN=System')
86 res
= samdb
.search(domain_policy_dn
,
88 attrs
=['maxTicketAge', 'maxRenewAge'])
89 self
.assertEqual(1, len(res
))
91 max_ticket_age
= res
[0].get('maxTicketAge', idx
=0)
92 max_renew_age
= res
[0].get('maxRenewAge', idx
=0)
94 if max_ticket_age
is not None:
95 max_ticket_age
= int(max_ticket_age
.decode('utf-8'))
99 if max_renew_age
is not None:
100 max_renew_age
= int(max_renew_age
.decode('utf-8'))
104 type(self
)._max
_ticket
_life
= max_ticket_age
* 60 * 60
105 type(self
)._max
_renew
_life
= max_renew_age
* 24 * 60 * 60
107 # Get account credentials for testing.
109 account_type
=KdcTgsBaseTests
.AccountType
.USER
,
112 assigned_policy
=None,
119 'kerberos_enabled': not ntlm
,
125 samdb
= self
.get_samdb()
126 protected_users_group
= (f
'<SID={samdb.get_domain_sid()}-'
127 f
'{security.DOMAIN_RID_PROTECTED_USERS}>')
128 members
+= (protected_users_group
,)
129 if member_of
is not None:
130 members
+= (member_of
,)
131 if assigned_policy
is not None:
132 opts
['assigned_policy'] = str(assigned_policy
)
133 cached
= False # Policies are rarely reused between accounts.
134 if assigned_silo
is not None:
135 opts
['assigned_silo'] = str(assigned_silo
)
136 cached
= False # Silos are rarely reused between accounts.
138 opts
['allowed_replication_mock'] = True
139 opts
['revealed_to_mock_rodc'] = True
142 opts
['member_of'] = members
144 return self
.get_cached_creds(account_type
=account_type
,
148 def test_authn_policy_tgt_lifetime_user(self
):
149 # Create an authentication policy with certain TGT lifetimes set.
153 policy_id
= self
.get_new_username()
154 policy
= self
.create_authn_policy(policy_id
,
156 user_tgt_lifetime
=user_life
,
157 computer_tgt_lifetime
=computer_life
,
158 service_tgt_lifetime
=service_life
)
160 # Create a user account with the assigned policy.
161 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
162 assigned_policy
=policy
)
164 # Request a Kerberos ticket with a lifetime of two hours, and assert
165 # that the actual lifetime matches the user lifetime set in the policy.
166 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
167 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
168 self
.check_ticket_times(tgt
, expected_life
=user_life
,
169 expected_renew_life
=user_life
)
171 def test_authn_policy_tgt_lifetime_computer(self
):
175 policy_id
= self
.get_new_username()
176 policy
= self
.create_authn_policy(policy_id
,
178 user_tgt_lifetime
=user_life
,
179 computer_tgt_lifetime
=computer_life
,
180 service_tgt_lifetime
=service_life
)
182 # Create a computer account with the assigned policy.
183 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
184 assigned_policy
=policy
)
186 # Request a Kerberos ticket with a lifetime of two hours, and assert
187 # that the actual lifetime matches the computer lifetime set in the
189 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
190 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
191 self
.check_ticket_times(tgt
, expected_life
=computer_life
,
192 expected_renew_life
=computer_life
)
194 def test_authn_policy_tgt_lifetime_service(self
):
198 policy_id
= self
.get_new_username()
199 policy
= self
.create_authn_policy(policy_id
,
201 user_tgt_lifetime
=user_life
,
202 computer_tgt_lifetime
=computer_life
,
203 service_tgt_lifetime
=service_life
)
205 # Create a managed service account with the assigned policy.
206 client_creds
= self
._get
_creds
(
207 account_type
=self
.AccountType
.MANAGED_SERVICE
,
208 assigned_policy
=policy
)
210 # Request a Kerberos ticket with a lifetime of two hours, and assert
211 # that the actual lifetime matches the service lifetime set in the
213 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
214 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
215 self
.check_ticket_times(tgt
, expected_life
=service_life
,
216 expected_renew_life
=service_life
)
218 def test_authn_silo_tgt_lifetime_user(self
):
219 # Create an authentication policy with certain TGT lifetimes set.
223 policy_id
= self
.get_new_username()
224 policy
= self
.create_authn_policy(policy_id
,
226 user_tgt_lifetime
=user_life
,
227 computer_tgt_lifetime
=computer_life
,
228 service_tgt_lifetime
=service_life
)
230 # Create a second policy with different lifetimes, so we can verify the
231 # correct policy is enforced.
232 wrong_policy_id
= self
.get_new_username()
233 wrong_policy
= self
.create_authn_policy(wrong_policy_id
,
235 user_tgt_lifetime
=444,
236 computer_tgt_lifetime
=555,
237 service_tgt_lifetime
=666)
239 # Create an authentication silo with our existing policies.
240 silo_id
= self
.get_new_username()
241 silo
= self
.create_authn_silo(silo_id
,
242 user_policy
=str(policy
),
243 computer_policy
=str(wrong_policy
),
244 service_policy
=str(wrong_policy
),
247 # Create a user account assigned to the silo.
248 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
250 client_dn_str
= str(client_creds
.get_dn())
252 # Add the user to the silo as a member.
253 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
256 # Request a Kerberos ticket with a lifetime of two hours, and assert
257 # that the actual lifetime matches the user lifetime set in the
258 # appropriate policy.
259 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
260 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
261 self
.check_ticket_times(tgt
, expected_life
=user_life
,
262 expected_renew_life
=user_life
)
264 def test_authn_silo_tgt_lifetime_computer(self
):
268 policy_id
= self
.get_new_username()
269 policy
= self
.create_authn_policy(policy_id
,
271 user_tgt_lifetime
=user_life
,
272 computer_tgt_lifetime
=computer_life
,
273 service_tgt_lifetime
=service_life
)
275 wrong_policy_id
= self
.get_new_username()
276 wrong_policy
= self
.create_authn_policy(wrong_policy_id
,
278 user_tgt_lifetime
=444,
279 computer_tgt_lifetime
=555,
280 service_tgt_lifetime
=666)
282 # Create an authentication silo with our existing policies.
283 silo_id
= self
.get_new_username()
284 silo
= self
.create_authn_silo(silo_id
,
285 user_policy
=str(wrong_policy
),
286 computer_policy
=str(policy
),
287 service_policy
=str(wrong_policy
),
290 # Create a computer account assigned to the silo.
291 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
293 client_dn_str
= str(client_creds
.get_dn())
295 # Add the computer to the silo as a member.
296 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
299 # Request a Kerberos ticket with a lifetime of two hours, and assert
300 # that the actual lifetime matches the computer lifetime set in the
301 # appropriate policy.
302 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
303 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
304 self
.check_ticket_times(tgt
, expected_life
=computer_life
,
305 expected_renew_life
=computer_life
)
307 def test_authn_silo_tgt_lifetime_service(self
):
311 policy_id
= self
.get_new_username()
312 policy
= self
.create_authn_policy(policy_id
,
314 user_tgt_lifetime
=user_life
,
315 computer_tgt_lifetime
=computer_life
,
316 service_tgt_lifetime
=service_life
)
318 wrong_policy_id
= self
.get_new_username()
319 wrong_policy
= self
.create_authn_policy(wrong_policy_id
,
321 user_tgt_lifetime
=444,
322 computer_tgt_lifetime
=555,
323 service_tgt_lifetime
=666)
325 # Create an authentication silo with our existing policies.
326 silo_id
= self
.get_new_username()
327 silo
= self
.create_authn_silo(silo_id
,
328 user_policy
=str(wrong_policy
),
329 computer_policy
=str(wrong_policy
),
330 service_policy
=str(policy
),
333 # Create a managed service account assigned to the silo.
334 client_creds
= self
._get
_creds
(
335 account_type
=self
.AccountType
.MANAGED_SERVICE
,
337 client_dn_str
= str(client_creds
.get_dn())
339 # Add the managed service account to the silo as a member.
340 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
343 # Request a Kerberos ticket with a lifetime of two hours, and assert
344 # that the actual lifetime matches the service lifetime set in the
345 # appropriate policy.
346 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
347 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
348 self
.check_ticket_times(tgt
, expected_life
=service_life
,
349 expected_renew_life
=service_life
)
351 # Test that an authentication silo takes priority over a policy assigned
353 def test_authn_silo_and_policy_tgt_lifetime_user(self
):
354 # Create an authentication policy with certain TGT lifetimes set.
358 policy_id
= self
.get_new_username()
359 policy
= self
.create_authn_policy(policy_id
,
361 user_tgt_lifetime
=user_life
,
362 computer_tgt_lifetime
=computer_life
,
363 service_tgt_lifetime
=service_life
)
365 # Create a second policy with different lifetimes, so we can verify the
366 # correct policy is enforced.
367 wrong_policy_id
= self
.get_new_username()
368 wrong_policy
= self
.create_authn_policy(wrong_policy_id
,
370 user_tgt_lifetime
=444,
371 computer_tgt_lifetime
=555,
372 service_tgt_lifetime
=666)
374 # Create an authentication silo with our existing policies.
375 silo_id
= self
.get_new_username()
376 silo
= self
.create_authn_silo(silo_id
,
377 user_policy
=str(policy
),
378 computer_policy
=str(wrong_policy
),
379 service_policy
=str(wrong_policy
),
382 # Create a user account assigned to the silo, and also to a policy.
383 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
385 assigned_policy
=wrong_policy
)
386 client_dn_str
= str(client_creds
.get_dn())
388 # Add the user to the silo as a member.
389 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
392 # Request a Kerberos ticket with a lifetime of two hours, and assert
393 # that the actual lifetime matches the user lifetime set in the
394 # appropriate policy.
395 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
396 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
397 self
.check_ticket_times(tgt
, expected_life
=user_life
,
398 expected_renew_life
=user_life
)
400 def test_authn_silo_and_policy_tgt_lifetime_computer(self
):
404 policy_id
= self
.get_new_username()
405 policy
= self
.create_authn_policy(policy_id
,
407 user_tgt_lifetime
=user_life
,
408 computer_tgt_lifetime
=computer_life
,
409 service_tgt_lifetime
=service_life
)
411 wrong_policy_id
= self
.get_new_username()
412 wrong_policy
= self
.create_authn_policy(wrong_policy_id
,
414 user_tgt_lifetime
=444,
415 computer_tgt_lifetime
=555,
416 service_tgt_lifetime
=666)
418 # Create an authentication silo with our existing policies.
419 silo_id
= self
.get_new_username()
420 silo
= self
.create_authn_silo(silo_id
,
421 user_policy
=str(wrong_policy
),
422 computer_policy
=str(policy
),
423 service_policy
=str(wrong_policy
),
426 # Create a computer account assigned to the silo, and also to a policy.
427 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
429 assigned_policy
=wrong_policy
)
430 client_dn_str
= str(client_creds
.get_dn())
432 # Add the computer to the silo as a member.
433 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
436 # Request a Kerberos ticket with a lifetime of two hours, and assert
437 # that the actual lifetime matches the computer lifetime set in the
438 # appropriate policy.
439 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
440 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
441 self
.check_ticket_times(tgt
, expected_life
=computer_life
,
442 expected_renew_life
=computer_life
)
444 def test_authn_silo_and_policy_tgt_lifetime_service(self
):
448 policy_id
= self
.get_new_username()
449 policy
= self
.create_authn_policy(policy_id
,
451 user_tgt_lifetime
=user_life
,
452 computer_tgt_lifetime
=computer_life
,
453 service_tgt_lifetime
=service_life
)
455 wrong_policy_id
= self
.get_new_username()
456 wrong_policy
= self
.create_authn_policy(wrong_policy_id
,
458 user_tgt_lifetime
=444,
459 computer_tgt_lifetime
=555,
460 service_tgt_lifetime
=666)
462 # Create an authentication silo with our existing policies.
463 silo_id
= self
.get_new_username()
464 silo
= self
.create_authn_silo(silo_id
,
465 user_policy
=str(wrong_policy
),
466 computer_policy
=str(wrong_policy
),
467 service_policy
=str(policy
),
470 # Create a managed service account assigned to the silo, and also to a
472 client_creds
= self
._get
_creds
(
473 account_type
=self
.AccountType
.MANAGED_SERVICE
,
475 assigned_policy
=wrong_policy
)
476 client_dn_str
= str(client_creds
.get_dn())
478 # Add the managed service account to the silo as a member.
479 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
482 # Request a Kerberos ticket with a lifetime of two hours, and assert
483 # that the actual lifetime matches the service lifetime set in the
484 # appropriate policy.
485 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
486 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
487 self
.check_ticket_times(tgt
, expected_life
=service_life
,
488 expected_renew_life
=service_life
)
490 def test_authn_policy_tgt_lifetime_max(self
):
491 # Create an authentication policy with the maximum allowable TGT
493 INT64_MAX
= 0x7fff_ffff_ffff_ffff
494 max_lifetime
= INT64_MAX
// 10_000_000
495 policy_id
= self
.get_new_username()
496 policy
= self
.create_authn_policy(policy_id
,
498 user_tgt_lifetime
=max_lifetime
)
500 # Create a user account with the assigned policy.
501 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
502 assigned_policy
=policy
)
504 # Request a Kerberos ticket with a ‘till’ time far in the
505 # future, and assert that the actual lifetime is the maximum
506 # allowed by the Default Domain policy.
507 till
= '99991231235959Z'
508 expected_lifetime
= self
.get_max_ticket_life()
509 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
510 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
511 expected_renew_life
=expected_lifetime
)
513 def test_authn_policy_tgt_lifetime_min(self
):
514 # Create an authentication policy with the minimum allowable TGT
516 INT64_MIN
= -0x8000_0000_0000_0000
517 min_lifetime
= round(INT64_MIN
/ 10_000_000)
518 policy_id
= self
.get_new_username()
519 policy
= self
.create_authn_policy(policy_id
,
521 user_tgt_lifetime
=min_lifetime
)
523 # Create a user account with the assigned policy.
524 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
525 assigned_policy
=policy
)
527 # Request a Kerberos ticket with a lifetime of two hours. The request
528 # should fail with a NEVER_VALID error.
529 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
530 self
._get
_tgt
(client_creds
, till
=till
,
531 expected_error
=KDC_ERR_NEVER_VALID
,
533 expected_status
=ntstatus
.NT_STATUS_TIME_DIFFERENCE_AT_DC
)
535 def test_authn_policy_tgt_lifetime_zero(self
):
536 # Create an authentication policy with the TGT lifetime set to zero.
538 policy_id
= self
.get_new_username()
539 policy
= self
.create_authn_policy(policy_id
,
541 user_tgt_lifetime
=lifetime
)
543 # Create a user account with the assigned policy.
544 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
545 assigned_policy
=policy
)
547 # Request a Kerberos ticket with a ‘till’ time far in the
548 # future. Assert that the actual lifetime is the maximum
549 # allowed by the Default Domain Policy
550 till
= '99991231235959Z'
551 expected_lifetime
= self
.get_max_ticket_life()
552 expected_renew_life
= self
.get_max_renew_life()
553 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
554 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
555 expected_renew_life
=expected_renew_life
)
557 def test_authn_policy_tgt_lifetime_one_second(self
):
558 # Create an authentication policy with the TGT lifetime set to one
561 policy_id
= self
.get_new_username()
562 policy
= self
.create_authn_policy(policy_id
,
564 user_tgt_lifetime
=lifetime
)
566 # Create a user account with the assigned policy.
567 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
568 assigned_policy
=policy
)
570 # Request a Kerberos ticket with a lifetime of two hours, and assert
571 # that the actual lifetime matches the user lifetime set in the
572 # appropriate policy.
573 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
574 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
575 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
576 expected_renew_life
=lifetime
)
578 def test_authn_policy_tgt_lifetime_kpasswd_lifetime(self
):
579 # Create an authentication policy with the TGT lifetime set to two
580 # minutes (the lifetime of a kpasswd ticket).
582 policy_id
= self
.get_new_username()
583 policy
= self
.create_authn_policy(policy_id
,
585 user_tgt_lifetime
=lifetime
)
587 # Create a user account with the assigned policy.
588 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
589 assigned_policy
=policy
)
591 # Request a Kerberos ticket with a lifetime of two hours, and assert
592 # that the actual lifetime matches the user lifetime set in the
593 # appropriate policy.
594 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
595 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
596 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
597 expected_renew_life
=lifetime
)
599 def test_authn_policy_tgt_lifetime_short_protected(self
):
600 # Create an authentication policy with a short TGT lifetime set.
602 policy_id
= self
.get_new_username()
603 policy
= self
.create_authn_policy(policy_id
,
605 user_tgt_lifetime
=lifetime
)
607 # Create a user account with the assigned policy, belonging to the
608 # Protected Users group.
609 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
611 assigned_policy
=policy
)
613 # Request a Kerberos ticket with a lifetime of two hours, and assert
614 # that the actual lifetime matches the user lifetime set in the policy.
615 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
616 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
617 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
618 expected_renew_life
=lifetime
)
620 def test_authn_policy_tgt_lifetime_long_protected(self
):
621 # Create an authentication policy with a long TGT lifetime set. This
622 # exceeds the lifetime of four hours enforced by Protected Users.
623 lifetime
= 6 * 60 * 60 # 6 hours
624 policy_id
= self
.get_new_username()
625 policy
= self
.create_authn_policy(policy_id
,
627 user_tgt_lifetime
=lifetime
)
629 # Create a user account with the assigned policy, belonging to the
630 # Protected Users group.
631 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
633 assigned_policy
=policy
)
635 # Request a Kerberos ticket with a lifetime of eight hours, and assert
636 # that the actual lifetime matches the user lifetime set in the policy,
637 # taking precedence over the lifetime enforced by Protected Users.
638 till
= self
.get_KerberosTime(offset
=8 * 60 * 60) # 8 hours
639 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
640 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
641 expected_renew_life
=lifetime
)
643 def test_authn_policy_tgt_lifetime_zero_protected(self
):
644 # Create an authentication policy with the TGT lifetime set to zero.
645 policy_id
= self
.get_new_username()
646 policy
= self
.create_authn_policy(policy_id
,
650 # Create a user account with the assigned policy, belonging to the
651 # Protected Users group.
652 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
654 assigned_policy
=policy
)
656 # Request a Kerberos ticket with a lifetime of six hours, and assert
657 # that the actual lifetime is the four hours enforced by Protected
659 till
= self
.get_KerberosTime(offset
=6 * 60 * 60) # 6 hours
660 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
661 self
.check_ticket_times(tgt
, expected_life
=4 * 60 * 60,
662 expected_renew_life
=4 * 60 * 60)
664 def test_authn_policy_tgt_lifetime_none_protected(self
):
665 # Create an authentication policy with no TGT lifetime set.
666 policy_id
= self
.get_new_username()
667 policy
= self
.create_authn_policy(policy_id
,
670 # Create a user account with the assigned policy, belonging to the
671 # Protected Users group.
672 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
674 assigned_policy
=policy
)
676 # Request a Kerberos ticket with a lifetime of six hours, and assert
677 # that the actual lifetime is the four hours enforced by Protected
679 till
= self
.get_KerberosTime(offset
=6 * 60 * 60) # 6 hours
680 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
681 self
.check_ticket_times(tgt
, expected_life
=4 * 60 * 60,
682 expected_renew_life
=4 * 60 * 60)
684 def test_authn_policy_tgt_lifetime_unenforced_protected(self
):
685 # Create an unenforced authentication policy with a TGT lifetime set.
687 policy_id
= self
.get_new_username()
688 policy
= self
.create_authn_policy(policy_id
,
690 user_tgt_lifetime
=lifetime
)
692 # Create a user account with the assigned policy, belonging to the
693 # Protected Users group.
694 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
696 assigned_policy
=policy
)
698 # Request a Kerberos ticket with a lifetime of six hours, and assert
699 # that the actual lifetime is the four hours enforced by Protected
701 till
= self
.get_KerberosTime(offset
=6 * 60 * 60) # 6 hours
702 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
703 self
.check_ticket_times(tgt
, expected_life
=4 * 60 * 60,
704 expected_renew_life
=4 * 60 * 60)
706 def test_authn_policy_not_enforced(self
):
707 # Create an authentication policy with the TGT lifetime set. The policy
710 policy_id
= self
.get_new_username()
711 policy
= self
.create_authn_policy(policy_id
,
712 user_tgt_lifetime
=lifetime
)
714 # Create a user account with the assigned policy.
715 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
716 assigned_policy
=policy
)
718 # Request a Kerberos ticket with a ‘till’ time far in the
719 # future. Assert that the actual lifetime is the maximum allowed by
720 # the Default Domain Policy.
721 till
= '99991231235959Z'
722 expected_lifetime
= self
.get_max_ticket_life()
723 expected_renew_life
= self
.get_max_renew_life()
724 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
725 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
726 expected_renew_life
=expected_renew_life
)
728 def test_authn_policy_unenforced(self
):
729 # Create an authentication policy with the TGT lifetime set. The policy
730 # is set to be unenforced.
732 policy_id
= self
.get_new_username()
733 policy
= self
.create_authn_policy(policy_id
,
735 user_tgt_lifetime
=lifetime
)
737 # Create a user account with the assigned policy.
738 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
739 assigned_policy
=policy
)
741 # Request a Kerberos ticket with a ‘till’ time far in the
742 # future. Assert that the actual lifetime is the maximum allowed by
743 # the Default Domain Policy.
744 till
= '99991231235959Z'
745 expected_lifetime
= self
.get_max_ticket_life()
746 expected_renew_life
= self
.get_max_renew_life()
747 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
748 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
749 expected_renew_life
=expected_renew_life
)
751 def test_authn_silo_not_enforced(self
):
752 # Create an authentication policy with the TGT lifetime set.
754 policy_id
= self
.get_new_username()
755 policy
= self
.create_authn_policy(policy_id
,
757 user_tgt_lifetime
=lifetime
)
759 # Create an authentication silo with our existing policy. The silo is
761 silo_id
= self
.get_new_username()
762 silo
= self
.create_authn_silo(silo_id
,
763 user_policy
=str(policy
))
765 # Create a user account assigned to the silo.
766 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
768 client_dn_str
= str(client_creds
.get_dn())
770 # Add the user to the silo as a member.
771 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
774 # Request a Kerberos ticket with a ‘till’ time far in the
775 # future. Assert that the actual lifetime is the maximum allowed by
776 # the Default Domain Policy.
777 till
= '99991231235959Z'
778 expected_lifetime
= self
.get_max_ticket_life()
779 expected_renew_life
= self
.get_max_renew_life()
780 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
781 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
782 expected_renew_life
=expected_renew_life
)
784 def test_authn_silo_unenforced(self
):
785 # Create an authentication policy with the TGT lifetime set.
787 policy_id
= self
.get_new_username()
788 policy
= self
.create_authn_policy(policy_id
,
790 user_tgt_lifetime
=lifetime
)
792 # Create an authentication silo with our existing policy. The silo is
793 # set to be unenforced.
794 silo_id
= self
.get_new_username()
795 silo
= self
.create_authn_silo(silo_id
,
796 user_policy
=str(policy
),
799 # Create a user account assigned to the silo.
800 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
802 client_dn_str
= str(client_creds
.get_dn())
804 # Add the user to the silo as a member.
805 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
808 # Request a Kerberos ticket with a ‘till’ time far in the
809 # future. Assert that the actual lifetime is the maximum allowed by
810 # the Default Domain Policy.
811 till
= '99991231235959Z'
812 expected_lifetime
= self
.get_max_ticket_life()
813 expected_renew_life
= self
.get_max_renew_life()
814 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
815 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
816 expected_renew_life
=expected_renew_life
)
818 def test_authn_silo_not_enforced_policy(self
):
819 # Create an authentication policy with the TGT lifetime set. The policy
822 policy_id
= self
.get_new_username()
823 policy
= self
.create_authn_policy(policy_id
,
824 user_tgt_lifetime
=lifetime
)
826 # Create an authentication silo with our existing policy.
827 silo_id
= self
.get_new_username()
828 silo
= self
.create_authn_silo(silo_id
,
829 user_policy
=str(policy
),
832 # Create a user account assigned to the silo.
833 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
835 client_dn_str
= str(client_creds
.get_dn())
837 # Add the user to the silo as a member.
838 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
841 # Request a Kerberos ticket with a lifetime of two hours. Despite the
842 # fact that the policy is unenforced, the actual lifetime matches the
843 # user lifetime set in the appropriate policy.
844 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
845 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
846 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
847 expected_renew_life
=lifetime
)
849 def test_authn_silo_unenforced_policy(self
):
850 # Create an authentication policy with the TGT lifetime set. The policy
851 # is set to be unenforced.
853 policy_id
= self
.get_new_username()
854 policy
= self
.create_authn_policy(policy_id
,
856 user_tgt_lifetime
=lifetime
)
858 # Create an authentication silo with our existing policy.
859 silo_id
= self
.get_new_username()
860 silo
= self
.create_authn_silo(silo_id
,
861 user_policy
=str(policy
),
864 # Create a user account assigned to the silo.
865 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
867 client_dn_str
= str(client_creds
.get_dn())
869 # Add the user to the silo as a member.
870 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
873 # Request a Kerberos ticket with a lifetime of two hours. Despite the
874 # fact that the policy is unenforced, the actual lifetime matches the
875 # user lifetime set in the appropriate policy.
876 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
877 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
878 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
879 expected_renew_life
=lifetime
)
881 def test_authn_silo_not_enforced_and_assigned_policy(self
):
882 # Create an authentication policy with the TGT lifetime set.
884 silo_policy_id
= self
.get_new_username()
885 silo_policy
= self
.create_authn_policy(silo_policy_id
,
887 user_tgt_lifetime
=silo_lifetime
)
889 # Create an authentication silo with our existing policy. The silo is
891 silo_id
= self
.get_new_username()
892 silo
= self
.create_authn_silo(silo_id
,
893 user_policy
=str(silo_policy
))
895 # Create a second policy with a different lifetime, so we can verify
896 # the correct policy is enforced.
898 policy_id
= self
.get_new_username()
899 policy
= self
.create_authn_policy(policy_id
,
901 user_tgt_lifetime
=lifetime
)
903 # Create a user account assigned to the silo, and also to the policy.
904 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
906 assigned_policy
=policy
)
907 client_dn_str
= str(client_creds
.get_dn())
909 # Add the user to the silo as a member.
910 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
913 # Request a Kerberos ticket with a ‘till’ time far in the
914 # future. Assert that the actual lifetime is the maximum
915 # allowed by the Default Domain Policy. The directly-assigned
916 # policy is not enforced.
917 till
= '99991231235959Z'
918 expected_lifetime
= self
.get_max_ticket_life()
919 expected_renew_life
= self
.get_max_renew_life()
920 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
921 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
922 expected_renew_life
=expected_renew_life
)
924 def test_authn_silo_unenforced_and_assigned_policy(self
):
925 # Create an authentication policy with the TGT lifetime set.
927 silo_policy_id
= self
.get_new_username()
928 silo_policy
= self
.create_authn_policy(silo_policy_id
,
930 user_tgt_lifetime
=silo_lifetime
)
932 # Create an authentication silo with our existing policy. The silo is
933 # set to be unenforced.
934 silo_id
= self
.get_new_username()
935 silo
= self
.create_authn_silo(silo_id
,
936 user_policy
=str(silo_policy
),
939 # Create a second policy with a different lifetime, so we can verify
940 # the correct policy is enforced.
942 policy_id
= self
.get_new_username()
943 policy
= self
.create_authn_policy(policy_id
,
945 user_tgt_lifetime
=lifetime
)
947 # Create a user account assigned to the silo, and also to the policy.
948 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
950 assigned_policy
=policy
)
951 client_dn_str
= str(client_creds
.get_dn())
953 # Add the user to the silo as a member.
954 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
957 # Request a Kerberos ticket with a ‘till’ time far in the
958 # future. Assert that the actual lifetime is the maximum
959 # allowed by the Default Domain Policy. The directly-assigned
960 # policy is not enforced.
961 till
= '99991231235959Z'
962 expected_lifetime
= self
.get_max_ticket_life()
963 expected_renew_life
= self
.get_max_renew_life()
964 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
965 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
966 expected_renew_life
=expected_renew_life
)
968 def test_authn_silo_not_enforced_policy_and_assigned_policy(self
):
969 # Create an authentication policy with the TGT lifetime set. The policy
972 silo_policy_id
= self
.get_new_username()
973 silo_policy
= self
.create_authn_policy(silo_policy_id
,
974 user_tgt_lifetime
=silo_lifetime
)
976 # Create an authentication silo with our existing policy.
977 silo_id
= self
.get_new_username()
978 silo
= self
.create_authn_silo(silo_id
,
979 user_policy
=str(silo_policy
),
982 # Create a second policy with a different lifetime, so we can verify
983 # the correct policy is enforced.
985 policy_id
= self
.get_new_username()
986 policy
= self
.create_authn_policy(policy_id
,
988 user_tgt_lifetime
=lifetime
)
990 # Create a user account assigned to the silo, and also to the policy.
991 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
993 assigned_policy
=policy
)
994 client_dn_str
= str(client_creds
.get_dn())
996 # Add the user to the silo as a member.
997 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
1000 # Request a Kerberos ticket with a lifetime of two hours. Despite the
1001 # fact that the policy is unenforced, the actual lifetime matches the
1002 # user lifetime set in the appropriate policy. The directly-assigned
1003 # policy is not enforced.
1004 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
1005 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1006 self
.check_ticket_times(tgt
, expected_life
=silo_lifetime
,
1007 expected_renew_life
=silo_lifetime
)
1009 def test_authn_silo_unenforced_policy_and_assigned_policy(self
):
1010 # Create an authentication policy with the TGT lifetime set. The policy
1011 # is set to be unenforced.
1013 silo_policy_id
= self
.get_new_username()
1014 silo_policy
= self
.create_authn_policy(silo_policy_id
,
1016 user_tgt_lifetime
=silo_lifetime
)
1018 # Create an authentication silo with our existing policy.
1019 silo_id
= self
.get_new_username()
1020 silo
= self
.create_authn_silo(silo_id
,
1021 user_policy
=str(silo_policy
),
1024 # Create a second policy with a different lifetime, so we can verify
1025 # the correct policy is enforced.
1027 policy_id
= self
.get_new_username()
1028 policy
= self
.create_authn_policy(policy_id
,
1030 user_tgt_lifetime
=lifetime
)
1032 # Create a user account assigned to the silo, and also to the policy.
1033 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1035 assigned_policy
=policy
)
1036 client_dn_str
= str(client_creds
.get_dn())
1038 # Add the user to the silo as a member.
1039 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
1042 # Request a Kerberos ticket with a lifetime of two hours. Despite the
1043 # fact that the policy is unenforced, the actual lifetime matches the
1044 # user lifetime set in the appropriate policy. The directly-assigned
1045 # policy is not enforced.
1046 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
1047 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1048 self
.check_ticket_times(tgt
, expected_life
=silo_lifetime
,
1049 expected_renew_life
=silo_lifetime
)
1051 def test_authn_silo_not_a_member(self
):
1052 # Create an authentication policy with the TGT lifetime set.
1054 policy_id
= self
.get_new_username()
1055 policy
= self
.create_authn_policy(policy_id
,
1057 user_tgt_lifetime
=lifetime
)
1059 # Create an authentication silo with our existing policy.
1060 silo_id
= self
.get_new_username()
1061 silo
= self
.create_authn_silo(silo_id
,
1062 user_policy
=str(policy
),
1065 # Create a user account assigned to the silo.
1066 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1069 # Do not add the user to the silo as a member.
1071 # Request a Kerberos ticket with a ‘till’ time far in the
1072 # future. Assert that the actual lifetime is the maximum allowed by
1073 # the Default Domain Policy.
1074 till
= '99991231235959Z'
1075 expected_lifetime
= self
.get_max_ticket_life()
1076 expected_renew_life
= self
.get_max_renew_life()
1077 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1078 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
1079 expected_renew_life
=expected_renew_life
)
1081 def test_authn_silo_not_a_member_and_assigned_policy(self
):
1082 # Create an authentication policy with the TGT lifetime set.
1084 silo_policy_id
= self
.get_new_username()
1085 silo_policy
= self
.create_authn_policy(silo_policy_id
,
1087 user_tgt_lifetime
=silo_lifetime
)
1089 # Create an authentication silo with our existing policy.
1090 silo_id
= self
.get_new_username()
1091 silo
= self
.create_authn_silo(silo_id
,
1092 user_policy
=str(silo_policy
),
1095 # Create a second policy with a different lifetime, so we can verify
1096 # the correct policy is enforced.
1098 policy_id
= self
.get_new_username()
1099 policy
= self
.create_authn_policy(policy_id
,
1101 user_tgt_lifetime
=lifetime
)
1103 # Create a user account assigned to the silo, and also to the policy.
1104 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1106 assigned_policy
=policy
)
1108 # Do not add the user to the silo as a member.
1110 # Request a Kerberos ticket with a lifetime of two hours, and assert
1111 # that the actual lifetime matches the user lifetime set in the
1112 # directly-assigned policy.
1113 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
1114 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1115 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
1116 expected_renew_life
=lifetime
)
1118 def test_authn_silo_not_assigned(self
):
1119 # Create an authentication policy with the TGT lifetime set.
1121 policy_id
= self
.get_new_username()
1122 policy
= self
.create_authn_policy(policy_id
,
1124 user_tgt_lifetime
=lifetime
)
1126 # Create an authentication silo with our existing policies.
1127 silo_id
= self
.get_new_username()
1128 silo
= self
.create_authn_silo(silo_id
,
1129 user_policy
=str(policy
),
1132 # Create a user account, but don’t assign it to the silo.
1133 client_creds
= self
.get_cached_creds(
1134 account_type
=self
.AccountType
.USER
)
1135 client_dn_str
= str(client_creds
.get_dn())
1137 # Add the user to the silo as a member.
1138 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
1141 # Request a Kerberos ticket with a ‘till’ time far in the
1142 # future. Assert that the actual lifetime is the maximum allowed by
1143 # the Default Domain Policy.
1144 till
= '99991231235959Z'
1145 expected_lifetime
= self
.get_max_ticket_life()
1146 expected_renew_life
= self
.get_max_renew_life()
1147 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1148 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
1149 expected_renew_life
=expected_renew_life
)
1151 def test_authn_silo_not_assigned_and_assigned_policy(self
):
1152 # Create an authentication policy with the TGT lifetime set.
1154 policy_id
= self
.get_new_username()
1155 policy
= self
.create_authn_policy(policy_id
,
1157 user_tgt_lifetime
=lifetime
)
1159 # Create an authentication silo with our existing policies.
1160 silo_id
= self
.get_new_username()
1161 silo
= self
.create_authn_silo(silo_id
,
1162 user_policy
=str(policy
),
1165 # Create a second policy with a different lifetime, so we can verify
1166 # the correct policy is enforced.
1168 policy_id
= self
.get_new_username()
1169 policy
= self
.create_authn_policy(policy_id
,
1171 user_tgt_lifetime
=lifetime
)
1173 # Create a user account assigned to the policy, but not to the silo.
1174 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1175 assigned_policy
=policy
)
1176 client_dn_str
= str(client_creds
.get_dn())
1178 # Add the user to the silo as a member.
1179 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
1182 # Request a Kerberos ticket with a lifetime of two hours, and assert
1183 # that the actual lifetime matches the user lifetime set in the
1184 # directly-assigned policy.
1185 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
1186 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1187 self
.check_ticket_times(tgt
, expected_life
=lifetime
,
1188 expected_renew_life
=lifetime
)
1190 def test_authn_silo_no_applicable_policy(self
):
1191 # Create an authentication policy with the TGT lifetime set.
1193 policy_id
= self
.get_new_username()
1194 policy
= self
.create_authn_policy(policy_id
,
1196 user_tgt_lifetime
=user_life
)
1198 # Create an authentication silo containing no policies.
1199 silo_id
= self
.get_new_username()
1200 silo
= self
.create_authn_silo(silo_id
,
1203 # Create a user account assigned to the silo, and also to a policy.
1204 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1206 assigned_policy
=policy
)
1207 client_dn_str
= str(client_creds
.get_dn())
1209 # Add the user to the silo as a member.
1210 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
1213 # Request a Kerberos ticket with a ‘till’ time far in the
1214 # future, and assert that the actual lifetime is the maximum
1215 # allowed by the Default Domain Policy.
1216 till
= '99991231235959Z'
1217 expected_lifetime
= self
.get_max_ticket_life()
1218 expected_renew_life
= self
.get_max_renew_life()
1219 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1220 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
1221 expected_renew_life
=expected_renew_life
)
1223 def test_authn_silo_no_tgt_lifetime(self
):
1224 # Create an authentication policy with no TGT lifetime set.
1225 silo_policy_id
= self
.get_new_username()
1226 silo_policy
= self
.create_authn_policy(silo_policy_id
,
1229 # Create a second policy with a lifetime set, so we can verify the
1230 # correct policy is enforced.
1231 policy_id
= self
.get_new_username()
1232 policy
= self
.create_authn_policy(policy_id
,
1234 user_tgt_lifetime
=456)
1236 # Create an authentication silo with our existing policy.
1237 silo_id
= self
.get_new_username()
1238 silo
= self
.create_authn_silo(silo_id
,
1239 user_policy
=str(silo_policy
),
1242 # Create a user account assigned to the silo, and also to a policy.
1243 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1245 assigned_policy
=policy
)
1246 client_dn_str
= str(client_creds
.get_dn())
1248 # Add the user to the silo as a member.
1249 self
.add_to_group(client_dn_str
, silo
, 'msDS-AuthNPolicySiloMembers',
1252 # Request a Kerberos ticket with a ‘till’ time far in the
1253 # future, and assert that the actual lifetime is the maximum
1254 # allowed by the Default Domain Policy.
1255 till
= '99991231235959Z'
1256 expected_lifetime
= self
.get_max_ticket_life()
1257 expected_renew_life
= self
.get_max_renew_life()
1258 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1259 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
1260 expected_renew_life
=expected_renew_life
)
1262 def test_not_a_policy(self
):
1263 # Create a user account with the assigned policy set to something that
1265 samdb
= self
.get_samdb()
1266 client_creds
= self
._get
_creds
(
1267 account_type
=self
.AccountType
.USER
,
1268 assigned_policy
=samdb
.get_default_basedn())
1270 # Request a Kerberos ticket with a ‘till’ time far in the
1271 # future, and assert that the actual lifetime is the maximum
1272 # allowed by the Default Domain Policy.
1273 till
= '99991231235959Z'
1274 expected_lifetime
= self
.get_max_ticket_life()
1275 expected_renew_life
= self
.get_max_renew_life()
1276 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1277 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
1278 expected_renew_life
=expected_renew_life
)
1280 def test_not_a_silo(self
):
1281 # Create a user account assigned to a silo that isn’t a silo.
1282 samdb
= self
.get_samdb()
1283 client_creds
= self
._get
_creds
(
1284 account_type
=self
.AccountType
.USER
,
1285 assigned_silo
=samdb
.get_default_basedn())
1287 # Request a Kerberos ticket with a ‘till’ time far in the
1288 # future, and assert that the actual lifetime is the maximum
1289 # allowed by the Default Domain Policy.
1290 till
= '99991231235959Z'
1291 expected_lifetime
= self
.get_max_ticket_life()
1292 expected_renew_life
= self
.get_max_renew_life()
1293 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1294 self
.check_ticket_times(tgt
, expected_life
=expected_lifetime
,
1295 expected_renew_life
=expected_renew_life
)
1297 def test_not_a_silo_and_policy(self
):
1298 # Create an authentication policy with the TGT lifetime set.
1300 policy_id
= self
.get_new_username()
1301 policy
= self
.create_authn_policy(policy_id
,
1303 user_tgt_lifetime
=user_life
)
1305 # Create a user account assigned to a silo that isn’t a silo, and also
1307 samdb
= self
.get_samdb()
1308 client_creds
= self
._get
_creds
(
1309 account_type
=self
.AccountType
.USER
,
1310 assigned_silo
=samdb
.get_default_basedn(),
1311 assigned_policy
=policy
)
1313 # Request a Kerberos ticket with a lifetime of two hours, and assert
1314 # that the actual lifetime matches the user lifetime set in the
1315 # directly-assigned policy.
1316 till
= self
.get_KerberosTime(offset
=2 * 60 * 60) # 2 hours
1317 tgt
= self
._get
_tgt
(client_creds
, till
=till
)
1318 self
.check_ticket_times(tgt
, expected_life
=user_life
,
1319 expected_renew_life
=user_life
)
1321 def test_authn_policy_allowed_from_empty(self
):
1322 # Create a machine account with which to perform FAST.
1323 mach_creds
= self
.get_cached_creds(
1324 account_type
=self
.AccountType
.COMPUTER
)
1325 mach_tgt
= self
.get_tgt(mach_creds
)
1327 # Create an authentication policy with no DACL in the security
1329 allowed_from
= 'O:SY'
1330 policy_id
= self
.get_new_username()
1331 policy
= self
.create_authn_policy(policy_id
,
1333 user_allowed_from
=allowed_from
)
1335 # Create a user account with the assigned policy.
1336 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1337 assigned_policy
=policy
)
1339 # Show that we can authenticate using an armor ticket.
1340 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1342 def test_authn_policy_allowed_from_user_allow(self
):
1343 samdb
= self
.get_samdb()
1345 # Create a machine account with which to perform FAST.
1346 mach_creds
= self
.get_cached_creds(
1347 account_type
=self
.AccountType
.COMPUTER
)
1348 mach_tgt
= self
.get_tgt(mach_creds
)
1349 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1351 # Create an authentication policy that explicitly allows the machine
1352 # account for a user. Include some different TGT lifetimes for testing
1354 allowed
= f
'O:SYD:(A;;CR;;;{mach_sid})'
1355 denied
= 'O:SYD:(D;;CR;;;WD)'
1356 policy_id
= self
.get_new_username()
1357 policy
= self
.create_authn_policy(policy_id
,
1359 user_allowed_from
=allowed
,
1360 user_tgt_lifetime
=120,
1361 computer_tgt_lifetime
=240,
1362 service_allowed_from
=denied
,
1363 service_tgt_lifetime
=360)
1365 # Create a user account with the assigned policy.
1366 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1367 assigned_policy
=policy
)
1369 # Show that we can authenticate using an armor ticket.
1370 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1372 def test_authn_policy_allowed_from_user_deny(self
):
1373 samdb
= self
.get_samdb()
1375 # Create a machine account with which to perform FAST.
1376 mach_creds
= self
.get_cached_creds(
1377 account_type
=self
.AccountType
.COMPUTER
)
1378 mach_tgt
= self
.get_tgt(mach_creds
)
1379 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1381 # Create an authentication policy that explicitly denies the machine
1382 # account for a user. Include some different TGT lifetimes for testing
1384 allowed
= 'O:SYD:(A;;CR;;;WD)'
1385 denied
= f
'O:SYD:(D;;CR;;;{mach_sid})'
1386 policy_id
= self
.get_new_username()
1387 policy
= self
.create_authn_policy(policy_id
,
1389 user_allowed_from
=denied
,
1390 user_tgt_lifetime
=120,
1391 computer_tgt_lifetime
=240,
1392 service_allowed_from
=allowed
,
1393 service_tgt_lifetime
=360)
1395 # Create a user account with the assigned policy.
1396 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1397 assigned_policy
=policy
)
1399 # Show that we get a policy error when trying to authenticate.
1400 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1401 expected_error
=KDC_ERR_POLICY
)
1403 def test_authn_policy_allowed_from_service_allow(self
):
1404 samdb
= self
.get_samdb()
1406 # Create a machine account with which to perform FAST.
1407 mach_creds
= self
.get_cached_creds(
1408 account_type
=self
.AccountType
.COMPUTER
)
1409 mach_tgt
= self
.get_tgt(mach_creds
)
1410 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1412 # Create an authentication policy that explicitly allows the machine
1413 # account for a service.
1414 allowed
= f
'O:SYD:(A;;CR;;;{mach_sid})'
1415 denied
= 'O:SYD:(D;;CR;;;WD)'
1416 policy_id
= self
.get_new_username()
1417 policy
= self
.create_authn_policy(policy_id
,
1419 user_allowed_from
=denied
,
1420 service_allowed_from
=allowed
)
1422 # Create a managed service account with the assigned policy.
1423 client_creds
= self
._get
_creds
(
1424 account_type
=self
.AccountType
.MANAGED_SERVICE
,
1425 assigned_policy
=policy
)
1427 # Show that we can authenticate using an armor ticket.
1428 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1430 def test_authn_policy_allowed_from_service_deny(self
):
1431 samdb
= self
.get_samdb()
1433 # Create a machine account with which to perform FAST.
1434 mach_creds
= self
.get_cached_creds(
1435 account_type
=self
.AccountType
.COMPUTER
)
1436 mach_tgt
= self
.get_tgt(mach_creds
)
1437 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1439 # Create an authentication policy that explicitly denies the machine
1440 # account for a service.
1441 allowed
= 'O:SYD:(A;;CR;;;WD)'
1442 denied
= f
'O:SYD:(D;;CR;;;{mach_sid})'
1443 policy_id
= self
.get_new_username()
1444 policy
= self
.create_authn_policy(policy_id
,
1446 user_allowed_from
=allowed
,
1447 service_allowed_from
=denied
)
1449 # Create a managed service account with the assigned policy.
1450 client_creds
= self
._get
_creds
(
1451 account_type
=self
.AccountType
.MANAGED_SERVICE
,
1452 assigned_policy
=policy
)
1454 # Show that we get a policy error when trying to authenticate.
1455 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1456 expected_error
=KDC_ERR_POLICY
)
1458 def test_authn_policy_allowed_from_no_owner(self
):
1459 # Create a machine account with which to perform FAST.
1460 mach_creds
= self
.get_cached_creds(
1461 account_type
=self
.AccountType
.COMPUTER
)
1462 mach_tgt
= self
.get_tgt(mach_creds
)
1464 # Create an authentication policy that explicitly allows the machine
1465 # account for a user. Omit the owner (O:SY) from the SDDL.
1466 allowed
= 'D:(A;;CR;;;WD)'
1467 policy_id
= self
.get_new_username()
1468 policy
= self
.create_authn_policy(policy_id
,
1470 user_allowed_from
=allowed
)
1472 # Create a user account with the assigned policy.
1473 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1474 assigned_policy
=policy
)
1476 # Show that we get a generic error if the security descriptor lacks an
1478 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1479 expected_error
=KDC_ERR_GENERIC
)
1481 def test_authn_policy_allowed_from_no_owner_unenforced(self
):
1482 # Create a machine account with which to perform FAST.
1483 mach_creds
= self
.get_cached_creds(
1484 account_type
=self
.AccountType
.COMPUTER
)
1485 mach_tgt
= self
.get_tgt(mach_creds
)
1487 # Create an unenforced authentication policy that explicitly allows the
1488 # machine account for a user. Omit the owner (O:SY) from the SDDL.
1489 allowed
= 'D:(A;;CR;;;WD)'
1490 policy_id
= self
.get_new_username()
1491 policy
= self
.create_authn_policy(policy_id
,
1493 user_allowed_from
=allowed
)
1495 # Create a user account with the assigned policy.
1496 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1497 assigned_policy
=policy
)
1499 # Show that we don’t get an error if the policy is unenforced.
1500 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1502 def test_authn_policy_allowed_from_owner_self(self
):
1503 samdb
= self
.get_samdb()
1505 # Create a machine account with which to perform FAST.
1506 mach_creds
= self
.get_cached_creds(
1507 account_type
=self
.AccountType
.COMPUTER
)
1508 mach_tgt
= self
.get_tgt(mach_creds
)
1509 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1511 # Create an authentication policy that explicitly allows the machine
1512 # account for a user. Set the owner to the machine account.
1513 allowed
= f
'O:{mach_sid}D:(A;;CR;;;WD)'
1514 policy_id
= self
.get_new_username()
1515 policy
= self
.create_authn_policy(policy_id
,
1517 user_allowed_from
=allowed
)
1519 # Create a user account with the assigned policy.
1520 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1521 assigned_policy
=policy
)
1523 # Show that we can authenticate using an armor ticket.
1524 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1526 def test_authn_policy_allowed_from_owner_anon(self
):
1527 # Create a machine account with which to perform FAST.
1528 mach_creds
= self
.get_cached_creds(
1529 account_type
=self
.AccountType
.COMPUTER
)
1530 mach_tgt
= self
.get_tgt(mach_creds
)
1532 # Create an authentication policy that explicitly allows the machine
1533 # account for a user. Set the owner to be anonymous.
1534 allowed
= 'O:AND:(A;;CR;;;WD)'
1535 policy_id
= self
.get_new_username()
1536 policy
= self
.create_authn_policy(policy_id
,
1538 user_allowed_from
=allowed
)
1540 # Create a user account with the assigned policy.
1541 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1542 assigned_policy
=policy
)
1544 # Show that we can authenticate using an armor ticket.
1545 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1547 def test_authn_policy_allowed_from_no_fast(self
):
1548 # Create an authentication policy that restricts authentication.
1549 # Include some different TGT lifetimes for testing what gets logged.
1550 allowed_from
= 'O:SY'
1551 policy_id
= self
.get_new_username()
1552 policy
= self
.create_authn_policy(policy_id
,
1554 user_allowed_from
=allowed_from
,
1555 user_tgt_lifetime
=115,
1556 computer_tgt_lifetime
=235,
1557 service_tgt_lifetime
=355)
1559 # Create a user account with the assigned policy.
1560 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1561 assigned_policy
=policy
)
1563 # Show that we cannot authenticate without using an armor ticket.
1564 self
._get
_tgt
(client_creds
, expected_error
=KDC_ERR_POLICY
,
1566 expected_status
=ntstatus
.NT_STATUS_INVALID_WORKSTATION
)
1568 def test_authn_policy_allowed_from_user_allow_group_not_a_member(self
):
1569 samdb
= self
.get_samdb()
1571 # Create a new group.
1572 group_name
= self
.get_new_username()
1573 group_dn
= self
.create_group(samdb
, group_name
)
1574 group_sid
= self
.get_objectSid(samdb
, group_dn
)
1576 # Create a machine account with which to perform FAST and which does
1577 # not belong to the group.
1578 mach_creds
= self
.get_cached_creds(
1579 account_type
=self
.AccountType
.COMPUTER
)
1580 mach_tgt
= self
.get_tgt(mach_creds
)
1582 # Create an authentication policy that allows accounts belonging to the
1584 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
1585 policy_id
= self
.get_new_username()
1586 policy
= self
.create_authn_policy(policy_id
,
1588 user_allowed_from
=allowed
)
1590 # Create a user account with the assigned policy.
1591 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1592 assigned_policy
=policy
)
1594 # Show that we get a policy error, as the machine account does not
1595 # belong to the group.
1596 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1597 expected_error
=KDC_ERR_POLICY
)
1599 def test_authn_policy_allowed_from_user_allow_group_member(self
):
1600 samdb
= self
.get_samdb()
1602 # Create a new group.
1603 group_name
= self
.get_new_username()
1604 group_dn
= self
.create_group(samdb
, group_name
)
1605 group_sid
= self
.get_objectSid(samdb
, group_dn
)
1607 # Create a machine account with which to perform FAST that belongs to
1609 mach_creds
= self
.get_cached_creds(
1610 account_type
=self
.AccountType
.COMPUTER
,
1611 opts
={'member_of': (group_dn
,)})
1612 mach_tgt
= self
.get_tgt(mach_creds
)
1614 # Create an authentication policy that allows accounts belonging to the
1616 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
1617 policy_id
= self
.get_new_username()
1618 policy
= self
.create_authn_policy(policy_id
,
1620 user_allowed_from
=allowed
)
1622 # Create a user account with the assigned policy.
1623 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1624 assigned_policy
=policy
)
1626 # Show that we can authenticate using an armor ticket, since the
1627 # machine account belongs to the group.
1628 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1630 def test_authn_policy_allowed_from_user_allow_domain_local_group(self
):
1631 samdb
= self
.get_samdb()
1633 # Create a new domain-local group.
1634 group_name
= self
.get_new_username()
1635 group_dn
= self
.create_group(samdb
, group_name
,
1636 gtype
=GroupType
.DOMAIN_LOCAL
.value
)
1637 group_sid
= self
.get_objectSid(samdb
, group_dn
)
1639 # Create a machine account with which to perform FAST that belongs to
1641 mach_creds
= self
.get_cached_creds(
1642 account_type
=self
.AccountType
.COMPUTER
,
1643 opts
={'member_of': (group_dn
,)})
1644 mach_tgt
= self
.get_tgt(mach_creds
)
1646 # Create an authentication policy that allows accounts belonging to the
1648 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
1649 policy_id
= self
.get_new_username()
1650 policy
= self
.create_authn_policy(policy_id
,
1652 user_allowed_from
=allowed
)
1654 # Create a user account with the assigned policy.
1655 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1656 assigned_policy
=policy
)
1658 # Show that the groups in the armor ticket are expanded to include the
1659 # domain-local group.
1660 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1662 def test_authn_policy_allowed_from_user_allow_asserted_identity(self
):
1663 # Create a machine account with which to perform FAST.
1664 mach_creds
= self
.get_cached_creds(
1665 account_type
=self
.AccountType
.COMPUTER
)
1666 mach_tgt
= self
.get_tgt(mach_creds
)
1668 # Create an authentication policy that allows accounts with the
1669 # Authentication Authority Asserted Identity SID.
1672 f
'{security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY})'
1674 policy_id
= self
.get_new_username()
1675 policy
= self
.create_authn_policy(policy_id
,
1677 user_allowed_from
=allowed
)
1679 # Create a user account with the assigned policy.
1680 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1681 assigned_policy
=policy
)
1683 # Show that authentication is allowed.
1684 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1686 def test_authn_policy_allowed_from_user_allow_claims_valid(self
):
1687 # Create a machine account with which to perform FAST.
1688 mach_creds
= self
.get_cached_creds(
1689 account_type
=self
.AccountType
.COMPUTER
)
1690 mach_tgt
= self
.get_tgt(mach_creds
)
1692 # Create an authentication policy that allows accounts with the
1694 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_CLAIMS_VALID})'
1695 policy_id
= self
.get_new_username()
1696 policy
= self
.create_authn_policy(policy_id
,
1698 user_allowed_from
=allowed
)
1700 # Create a user account with the assigned policy.
1701 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1702 assigned_policy
=policy
)
1704 # Show that authentication is allowed.
1705 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1707 def test_authn_policy_allowed_from_user_allow_compounded_auth(self
):
1708 # Create a machine account with which to perform FAST.
1709 mach_creds
= self
.get_cached_creds(
1710 account_type
=self
.AccountType
.COMPUTER
)
1711 mach_tgt
= self
.get_tgt(mach_creds
)
1713 # Create an authentication policy that allows accounts with the
1714 # Compounded Authentication SID.
1715 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_COMPOUNDED_AUTHENTICATION})'
1716 policy_id
= self
.get_new_username()
1717 policy
= self
.create_authn_policy(policy_id
,
1719 user_allowed_from
=allowed
)
1721 # Create a user account with the assigned policy.
1722 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1723 assigned_policy
=policy
)
1725 # Show that authentication is denied.
1726 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1727 expected_error
=KDC_ERR_POLICY
)
1729 def test_authn_policy_allowed_from_user_allow_authenticated_users(self
):
1730 # Create a machine account with which to perform FAST.
1731 mach_creds
= self
.get_cached_creds(
1732 account_type
=self
.AccountType
.COMPUTER
)
1733 mach_tgt
= self
.get_tgt(mach_creds
)
1735 # Create an authentication policy that allows accounts with the
1736 # Authenticated Users SID.
1737 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_AUTHENTICATED_USERS})'
1738 policy_id
= self
.get_new_username()
1739 policy
= self
.create_authn_policy(policy_id
,
1741 user_allowed_from
=allowed
)
1743 # Create a user account with the assigned policy.
1744 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1745 assigned_policy
=policy
)
1747 # Show that authentication is allowed.
1748 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1750 def test_authn_policy_allowed_from_user_allow_ntlm_authn(self
):
1751 # Create a machine account with which to perform FAST.
1752 mach_creds
= self
.get_cached_creds(
1753 account_type
=self
.AccountType
.COMPUTER
)
1754 mach_tgt
= self
.get_tgt(mach_creds
)
1756 # Create an authentication policy that allows accounts with the NTLM
1757 # Authentication SID.
1758 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_NTLM_AUTHENTICATION})'
1759 policy_id
= self
.get_new_username()
1760 policy
= self
.create_authn_policy(policy_id
,
1762 user_allowed_from
=allowed
)
1764 # Create a user account with the assigned policy.
1765 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1766 assigned_policy
=policy
)
1768 # Show that authentication is denied.
1769 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1770 expected_error
=KDC_ERR_POLICY
)
1772 def test_authn_policy_allowed_from_user_allow_from_rodc(self
):
1773 samdb
= self
.get_samdb()
1775 # Create a machine account with which to perform FAST.
1776 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
1778 # Modify the TGT to be issued by an RODC.
1779 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1780 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1782 # Create an authentication policy that explicitly allows the machine
1783 # account for a user.
1784 allowed
= f
'O:SYD:(A;;CR;;;{mach_sid})'
1785 denied
= 'O:SYD:(D;;CR;;;WD)'
1786 policy_id
= self
.get_new_username()
1787 policy
= self
.create_authn_policy(policy_id
,
1789 user_allowed_from
=allowed
,
1790 service_allowed_from
=denied
)
1792 # Create a user account with the assigned policy.
1793 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1794 assigned_policy
=policy
)
1796 # Show that we can authenticate using an armor ticket.
1797 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1799 def test_authn_policy_allowed_from_user_deny_from_rodc(self
):
1800 samdb
= self
.get_samdb()
1802 # Create a machine account with which to perform FAST.
1803 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
1805 # Modify the TGT to be issued by an RODC.
1806 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1807 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1809 # Create an authentication policy that explicitly denies the machine
1810 # account for a user.
1811 allowed
= 'O:SYD:(A;;CR;;;WD)'
1812 denied
= f
'O:SYD:(D;;CR;;;{mach_sid})'
1813 policy_id
= self
.get_new_username()
1814 policy
= self
.create_authn_policy(policy_id
,
1816 user_allowed_from
=denied
,
1817 service_allowed_from
=allowed
)
1819 # Create a user account with the assigned policy.
1820 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1821 assigned_policy
=policy
)
1823 # Show that we get a policy error when trying to authenticate.
1824 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1825 expected_error
=KDC_ERR_POLICY
)
1827 def test_authn_policy_allowed_from_service_allow_from_rodc(self
):
1828 samdb
= self
.get_samdb()
1830 # Create a machine account with which to perform FAST.
1831 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
1833 # Modify the TGT to be issued by an RODC.
1834 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1835 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1837 # Create an authentication policy that explicitly allows the machine
1838 # account for a service.
1839 allowed
= f
'O:SYD:(A;;CR;;;{mach_sid})'
1840 denied
= 'O:SYD:(D;;CR;;;WD)'
1841 policy_id
= self
.get_new_username()
1842 policy
= self
.create_authn_policy(policy_id
,
1844 user_allowed_from
=denied
,
1845 service_allowed_from
=allowed
)
1847 # Create a managed service account with the assigned policy.
1848 client_creds
= self
._get
_creds
(
1849 account_type
=self
.AccountType
.MANAGED_SERVICE
,
1850 assigned_policy
=policy
)
1852 # Show that we can authenticate using an armor ticket.
1853 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1855 def test_authn_policy_allowed_from_service_deny_from_rodc(self
):
1856 samdb
= self
.get_samdb()
1858 # Create a machine account with which to perform FAST.
1859 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
1861 # Modify the TGT to be issued by an RODC.
1862 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1863 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
1865 # Create an authentication policy that explicitly denies the machine
1866 # account for a service.
1867 allowed
= 'O:SYD:(A;;CR;;;WD)'
1868 denied
= f
'O:SYD:(D;;CR;;;{mach_sid})'
1869 policy_id
= self
.get_new_username()
1870 policy
= self
.create_authn_policy(policy_id
,
1872 user_allowed_from
=allowed
,
1873 service_allowed_from
=denied
)
1875 # Create a managed service account with the assigned policy.
1876 client_creds
= self
._get
_creds
(
1877 account_type
=self
.AccountType
.MANAGED_SERVICE
,
1878 assigned_policy
=policy
)
1880 # Show that we get a policy error when trying to authenticate.
1881 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1882 expected_error
=KDC_ERR_POLICY
)
1884 def test_authn_policy_allowed_from_user_allow_group_not_a_member_from_rodc(self
):
1885 samdb
= self
.get_samdb()
1887 # Create a new group.
1888 group_name
= self
.get_new_username()
1889 group_dn
= self
.create_group(samdb
, group_name
)
1890 group_sid
= self
.get_objectSid(samdb
, group_dn
)
1892 # Create a machine account with which to perform FAST and which does
1893 # not belong to the group.
1894 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
1896 # Modify the TGT to be issued by an RODC.
1897 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1899 # Create an authentication policy that allows accounts belonging to the
1901 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
1902 policy_id
= self
.get_new_username()
1903 policy
= self
.create_authn_policy(policy_id
,
1905 user_allowed_from
=allowed
)
1907 # Create a user account with the assigned policy.
1908 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1909 assigned_policy
=policy
)
1911 # Show that we get a policy error, as the machine account does not
1912 # belong to the group.
1913 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
1914 expected_error
=KDC_ERR_POLICY
)
1916 def test_authn_policy_allowed_from_user_allow_group_member_from_rodc(self
):
1917 samdb
= self
.get_samdb()
1919 # Create a new group.
1920 group_name
= self
.get_new_username()
1921 group_dn
= self
.create_group(samdb
, group_name
)
1922 group_sid
= self
.get_objectSid(samdb
, group_dn
)
1924 # Create a machine account with which to perform FAST that belongs to
1926 mach_creds
= self
.get_cached_creds(
1927 account_type
=self
.AccountType
.COMPUTER
,
1928 opts
={'member_of': (group_dn
,),
1929 'allowed_replication_mock': True,
1930 'revealed_to_mock_rodc': True})
1931 # Modify the TGT to be issued by an RODC.
1932 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1934 # Create an authentication policy that allows accounts belonging to the
1936 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
1937 policy_id
= self
.get_new_username()
1938 policy
= self
.create_authn_policy(policy_id
,
1940 user_allowed_from
=allowed
)
1942 # Create a user account with the assigned policy.
1943 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1944 assigned_policy
=policy
)
1946 # Show that we can authenticate using an armor ticket, since the
1947 # machine account belongs to the group.
1948 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1950 def test_authn_policy_allowed_from_user_allow_domain_local_group_from_rodc(self
):
1951 samdb
= self
.get_samdb()
1953 # Create a new domain-local group.
1954 group_name
= self
.get_new_username()
1955 group_dn
= self
.create_group(samdb
, group_name
,
1956 gtype
=GroupType
.DOMAIN_LOCAL
.value
)
1957 group_sid
= self
.get_objectSid(samdb
, group_dn
)
1959 # Create a machine account with which to perform FAST that belongs to
1961 mach_creds
= self
.get_cached_creds(
1962 account_type
=self
.AccountType
.COMPUTER
,
1963 opts
={'member_of': (group_dn
,),
1964 'allowed_replication_mock': True,
1965 'revealed_to_mock_rodc': True})
1966 # Modify the TGT to be issued by an RODC.
1967 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1969 # Create an authentication policy that allows accounts belonging to the
1971 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
1972 policy_id
= self
.get_new_username()
1973 policy
= self
.create_authn_policy(policy_id
,
1975 user_allowed_from
=allowed
)
1977 # Create a user account with the assigned policy.
1978 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
1979 assigned_policy
=policy
)
1981 # Show that the groups in the armor ticket are expanded to include the
1982 # domain-local group.
1983 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
1985 def test_authn_policy_allowed_from_user_allow_asserted_identity_from_rodc(self
):
1986 # Create a machine account with which to perform FAST.
1987 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
1989 # Modify the TGT to be issued by an RODC.
1990 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
1992 # Create an authentication policy that allows accounts with the
1993 # Authentication Authority Asserted Identity SID.
1996 f
'{security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY})'
1998 policy_id
= self
.get_new_username()
1999 policy
= self
.create_authn_policy(policy_id
,
2001 user_allowed_from
=allowed
)
2003 # Create a user account with the assigned policy.
2004 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2005 assigned_policy
=policy
)
2007 # Show that authentication is allowed.
2008 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
2010 def test_authn_policy_allowed_from_user_allow_claims_valid_from_rodc(self
):
2011 # Create a machine account with which to perform FAST.
2012 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2014 # Modify the TGT to be issued by an RODC.
2015 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
2017 # Create an authentication policy that allows accounts with the
2019 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_CLAIMS_VALID})'
2020 policy_id
= self
.get_new_username()
2021 policy
= self
.create_authn_policy(policy_id
,
2023 user_allowed_from
=allowed
)
2025 # Create a user account with the assigned policy.
2026 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2027 assigned_policy
=policy
)
2029 # Show that authentication is allowed.
2030 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
2032 def test_authn_policy_allowed_from_user_allow_compounded_authn_from_rodc(self
):
2033 # Create a machine account with which to perform FAST.
2034 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2036 # Modify the TGT to be issued by an RODC.
2037 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
2039 # Create an authentication policy that allows accounts with the
2040 # Compounded Authentication SID.
2041 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_COMPOUNDED_AUTHENTICATION})'
2042 policy_id
= self
.get_new_username()
2043 policy
= self
.create_authn_policy(policy_id
,
2045 user_allowed_from
=allowed
)
2047 # Create a user account with the assigned policy.
2048 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2049 assigned_policy
=policy
)
2051 # Show that authentication is denied.
2052 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
2053 expected_error
=KDC_ERR_POLICY
)
2055 def test_authn_policy_allowed_from_user_allow_authenticated_users_from_rodc(self
):
2056 # Create a machine account with which to perform FAST.
2057 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2059 # Modify the TGT to be issued by an RODC.
2060 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
2062 # Create an authentication policy that allows accounts with the
2063 # Authenticated Users SID.
2064 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_AUTHENTICATED_USERS})'
2065 policy_id
= self
.get_new_username()
2066 policy
= self
.create_authn_policy(policy_id
,
2068 user_allowed_from
=allowed
)
2070 # Create a user account with the assigned policy.
2071 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2072 assigned_policy
=policy
)
2074 # Show that authentication is allowed.
2075 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
2077 def test_authn_policy_allowed_from_user_allow_ntlm_authn_from_rodc(self
):
2078 # Create a machine account with which to perform FAST.
2079 mach_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2081 # Modify the TGT to be issued by an RODC.
2082 mach_tgt
= self
.issued_by_rodc(self
.get_tgt(mach_creds
))
2084 # Create an authentication policy that allows accounts with the NTLM
2085 # Authentication SID.
2086 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_NTLM_AUTHENTICATION})'
2087 policy_id
= self
.get_new_username()
2088 policy
= self
.create_authn_policy(policy_id
,
2090 user_allowed_from
=allowed
)
2092 # Create a user account with the assigned policy.
2093 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2094 assigned_policy
=policy
)
2096 # Show that authentication is denied.
2097 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
,
2098 expected_error
=KDC_ERR_POLICY
)
2100 def test_authn_policy_allowed_from_user_deny_user(self
):
2101 samdb
= self
.get_samdb()
2103 # Create a machine account with which to perform FAST.
2104 mach_creds
= self
.get_cached_creds(
2105 account_type
=self
.AccountType
.COMPUTER
)
2106 mach_tgt
= self
.get_tgt(mach_creds
)
2107 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
2109 # Create a user account.
2110 client_creds
= self
.get_cached_creds(account_type
=self
.AccountType
.USER
,
2112 client_dn
= client_creds
.get_dn()
2113 client_sid
= self
.get_objectSid(samdb
, client_dn
)
2115 # Create an authentication policy that explicitly allows the machine
2116 # account for a user, while denying the user account itself.
2117 allowed
= f
'O:SYD:(A;;CR;;;{mach_sid})(D;;CR;;;{client_sid})'
2118 denied
= 'O:SYD:(D;;CR;;;WD)'
2119 policy_id
= self
.get_new_username()
2120 policy
= self
.create_authn_policy(policy_id
,
2122 user_allowed_from
=allowed
,
2123 service_allowed_from
=denied
)
2125 # Assign the policy to the user account.
2126 self
.add_attribute(samdb
, str(client_dn
),
2127 'msDS-AssignedAuthNPolicy', str(policy
))
2129 # Show that authentication is allowed.
2130 self
._get
_tgt
(client_creds
, armor_tgt
=mach_tgt
)
2132 def test_authn_policy_allowed_to_empty(self
):
2133 # Create a machine account with which to perform FAST.
2134 mach_creds
= self
.get_cached_creds(
2135 account_type
=self
.AccountType
.COMPUTER
)
2136 mach_tgt
= self
.get_tgt(mach_creds
)
2138 # Create a user account.
2139 client_creds
= self
.get_cached_creds(
2140 account_type
=self
.AccountType
.USER
)
2141 tgt
= self
.get_tgt(client_creds
)
2143 # Create an authentication policy with no DACL in the security
2146 policy_id
= self
.get_new_username()
2147 policy
= self
.create_authn_policy(policy_id
,
2149 computer_allowed_to
=allowed_to
)
2151 # Create a computer account with the assigned policy.
2152 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2153 assigned_policy
=policy
)
2155 # Show that authentication is allowed.
2156 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2159 def test_authn_policy_allowed_to_computer_allow(self
):
2160 samdb
= self
.get_samdb()
2162 # Create a machine account with which to perform FAST.
2163 mach_creds
= self
.get_cached_creds(
2164 account_type
=self
.AccountType
.COMPUTER
)
2165 mach_tgt
= self
.get_tgt(mach_creds
)
2167 # Create a user account.
2168 client_creds
= self
.get_cached_creds(
2169 account_type
=self
.AccountType
.USER
)
2170 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2171 tgt
= self
.get_tgt(client_creds
)
2173 # Create an authentication policy that applies to a computer and
2174 # explicitly allows the user account to obtain a service ticket.
2175 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
2176 denied
= 'O:SYD:(D;;CR;;;WD)'
2177 policy_id
= self
.get_new_username()
2178 policy
= self
.create_authn_policy(policy_id
,
2180 user_allowed_to
=denied
,
2181 computer_allowed_to
=allowed
,
2182 service_allowed_to
=denied
)
2184 # Create a computer account with the assigned policy.
2185 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2186 assigned_policy
=policy
)
2188 # Show that obtaining a service ticket is allowed.
2189 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2192 def test_authn_policy_allowed_to_computer_deny(self
):
2193 samdb
= self
.get_samdb()
2195 # Create a machine account with which to perform FAST.
2196 mach_creds
= self
.get_cached_creds(
2197 account_type
=self
.AccountType
.COMPUTER
)
2198 mach_tgt
= self
.get_tgt(mach_creds
)
2200 # Create a user account.
2201 client_creds
= self
.get_cached_creds(
2202 account_type
=self
.AccountType
.USER
)
2203 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2204 tgt
= self
.get_tgt(client_creds
)
2206 # Create an authentication policy that applies to a computer and
2207 # explicitly denies the user account to obtain a service ticket.
2208 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
2209 allowed
= 'O:SYD:(A;;CR;;;WD)'
2210 policy_id
= self
.get_new_username()
2211 policy
= self
.create_authn_policy(policy_id
,
2213 user_allowed_to
=allowed
,
2214 computer_allowed_to
=denied
,
2215 service_allowed_to
=allowed
)
2217 # Create a computer account with the assigned policy.
2218 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2219 assigned_policy
=policy
)
2221 # Show that obtaining a service ticket is denied.
2223 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2225 expect_edata
=self
.expect_padata_outer
,
2226 # We aren’t particular about whether or not we get an NTSTATUS.
2228 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
2229 check_patypes
=False)
2231 def test_authn_policy_allowed_to_computer_allow_but_deny_mach(self
):
2232 samdb
= self
.get_samdb()
2234 # Create a machine account with which to perform FAST.
2235 mach_creds
= self
.get_cached_creds(
2236 account_type
=self
.AccountType
.COMPUTER
)
2237 mach_tgt
= self
.get_tgt(mach_creds
)
2238 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
2240 # Create a user account.
2241 client_creds
= self
.get_cached_creds(
2242 account_type
=self
.AccountType
.USER
)
2243 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2244 tgt
= self
.get_tgt(client_creds
)
2246 # Create an authentication policy that applies to a computer and
2247 # explicitly allows the user account to obtain a service ticket, while
2248 # explicitly denying the machine account.
2249 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})(D;;CR;;;{mach_sid})'
2250 denied
= 'O:SYD:(D;;CR;;;WD)'
2251 policy_id
= self
.get_new_username()
2252 policy
= self
.create_authn_policy(policy_id
,
2254 user_allowed_to
=denied
,
2255 computer_allowed_to
=allowed
,
2256 service_allowed_to
=denied
)
2258 # Create a computer account with the assigned policy.
2259 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2260 assigned_policy
=policy
)
2262 # Despite the documentation’s claims that the machine account is also
2263 # access-checked, obtaining a service ticket is allowed.
2264 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2267 def test_authn_policy_allowed_to_computer_allow_mach(self
):
2268 samdb
= self
.get_samdb()
2270 # Create a machine account with which to perform FAST.
2271 mach_creds
= self
.get_cached_creds(
2272 account_type
=self
.AccountType
.COMPUTER
)
2273 mach_tgt
= self
.get_tgt(mach_creds
)
2274 mach_sid
= self
.get_objectSid(samdb
, mach_creds
.get_dn())
2276 # Create a user account.
2277 client_creds
= self
.get_cached_creds(
2278 account_type
=self
.AccountType
.USER
)
2279 tgt
= self
.get_tgt(client_creds
)
2281 # Create an authentication policy that applies to a computer and
2282 # explicitly allows the machine account to obtain a service ticket.
2283 allowed
= f
'O:SYD:(A;;CR;;;{mach_sid})'
2284 denied
= 'O:SYD:(D;;CR;;;WD)'
2285 policy_id
= self
.get_new_username()
2286 policy
= self
.create_authn_policy(policy_id
,
2288 user_allowed_to
=denied
,
2289 computer_allowed_to
=allowed
,
2290 service_allowed_to
=denied
)
2292 # Create a computer account with the assigned policy.
2293 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2294 assigned_policy
=policy
)
2296 # Show that obtaining a service ticket is denied.
2298 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2300 expect_edata
=self
.expect_padata_outer
,
2301 # We aren’t particular about whether or not we get an NTSTATUS.
2303 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
2304 check_patypes
=False)
2306 def test_authn_policy_allowed_no_fast(self
):
2307 samdb
= self
.get_samdb()
2309 # Create a user account.
2310 client_creds
= self
.get_cached_creds(
2311 account_type
=self
.AccountType
.USER
)
2312 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2313 tgt
= self
.get_tgt(client_creds
)
2315 # Create an authentication policy that applies to a computer and
2316 # explicitly allows the user account to obtain a service ticket.
2317 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
2318 denied
= 'O:SYD:(D;;CR;;;WD)'
2319 policy_id
= self
.get_new_username()
2320 policy
= self
.create_authn_policy(policy_id
,
2322 user_allowed_to
=denied
,
2323 computer_allowed_to
=allowed
,
2324 service_allowed_to
=denied
)
2326 # Create a computer account with the assigned policy.
2327 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2328 assigned_policy
=policy
)
2330 # Show that obtaining a service ticket is allowed without an armor TGT.
2331 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
)
2333 def test_authn_policy_denied_no_fast(self
):
2334 samdb
= self
.get_samdb()
2336 # Create a user account.
2337 client_creds
= self
.get_cached_creds(
2338 account_type
=self
.AccountType
.USER
)
2339 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2340 tgt
= self
.get_tgt(client_creds
)
2342 # Create an authentication policy that applies to a computer and
2343 # explicitly disallows the user account to obtain a service ticket.
2344 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
2345 allowed
= 'O:SYD:(A;;CR;;;WD)'
2346 policy_id
= self
.get_new_username()
2347 policy
= self
.create_authn_policy(policy_id
,
2349 user_allowed_to
=allowed
,
2350 computer_allowed_to
=denied
,
2351 service_allowed_to
=allowed
)
2353 # Create a computer account with the assigned policy.
2354 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2355 assigned_policy
=policy
)
2357 # Show that obtaining a service ticket is not allowed.
2359 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2360 expect_edata
=self
.expect_padata_outer
,
2362 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
2364 def test_authn_policy_allowed_to_computer_allow_asserted_identity(self
):
2365 # Create a machine account with which to perform FAST.
2366 mach_creds
= self
.get_cached_creds(
2367 account_type
=self
.AccountType
.COMPUTER
)
2368 mach_tgt
= self
.get_tgt(mach_creds
)
2370 # Create a user account.
2371 client_creds
= self
.get_cached_creds(
2372 account_type
=self
.AccountType
.USER
)
2373 tgt
= self
.get_tgt(client_creds
)
2375 # Create an authentication policy that allows accounts with the
2376 # Authentication Authority Asserted Identity SID to obtain a service
2380 f
'{security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY})'
2382 denied
= 'O:SYD:(D;;CR;;;WD)'
2383 policy_id
= self
.get_new_username()
2384 policy
= self
.create_authn_policy(policy_id
,
2386 user_allowed_to
=denied
,
2387 computer_allowed_to
=allowed
,
2388 service_allowed_to
=denied
)
2390 # Create a computer account with the assigned policy.
2391 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2392 assigned_policy
=policy
)
2394 # Show that obtaining a service ticket is allowed.
2395 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2398 def test_authn_policy_allowed_to_computer_allow_claims_valid(self
):
2399 # Create a machine account with which to perform FAST.
2400 mach_creds
= self
.get_cached_creds(
2401 account_type
=self
.AccountType
.COMPUTER
)
2402 mach_tgt
= self
.get_tgt(mach_creds
)
2404 # Create a user account.
2405 client_creds
= self
.get_cached_creds(
2406 account_type
=self
.AccountType
.USER
)
2407 tgt
= self
.get_tgt(client_creds
)
2409 # Create an authentication policy that allows accounts with the Claims
2410 # Valid SID to obtain a service ticket.
2411 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_CLAIMS_VALID})'
2412 denied
= 'O:SYD:(D;;CR;;;WD)'
2413 policy_id
= self
.get_new_username()
2414 policy
= self
.create_authn_policy(policy_id
,
2416 user_allowed_to
=denied
,
2417 computer_allowed_to
=allowed
,
2418 service_allowed_to
=denied
)
2420 # Create a computer account with the assigned policy.
2421 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2422 assigned_policy
=policy
)
2424 # Show that obtaining a service ticket is allowed.
2425 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2428 def test_authn_policy_allowed_to_computer_allow_compounded_auth(self
):
2429 # Create a machine account with which to perform FAST.
2430 mach_creds
= self
.get_cached_creds(
2431 account_type
=self
.AccountType
.COMPUTER
)
2432 mach_tgt
= self
.get_tgt(mach_creds
)
2434 # Create a user account.
2435 client_creds
= self
.get_cached_creds(
2436 account_type
=self
.AccountType
.USER
)
2437 tgt
= self
.get_tgt(client_creds
)
2439 # Create an authentication policy that allows accounts with the
2440 # Compounded Authentication SID to obtain a service ticket.
2441 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_COMPOUNDED_AUTHENTICATION})'
2442 denied
= 'O:SYD:(D;;CR;;;WD)'
2443 policy_id
= self
.get_new_username()
2444 policy
= self
.create_authn_policy(policy_id
,
2446 user_allowed_to
=denied
,
2447 computer_allowed_to
=allowed
,
2448 service_allowed_to
=denied
)
2450 # Create a computer account with the assigned policy.
2451 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2452 assigned_policy
=policy
)
2454 # Show that obtaining a service ticket is denied.
2456 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2458 expect_edata
=self
.expect_padata_outer
,
2459 # We aren’t particular about whether or not we get an NTSTATUS.
2461 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
2462 check_patypes
=False)
2464 def test_authn_policy_allowed_to_computer_allow_authenticated_users(self
):
2465 # Create a machine account with which to perform FAST.
2466 mach_creds
= self
.get_cached_creds(
2467 account_type
=self
.AccountType
.COMPUTER
)
2468 mach_tgt
= self
.get_tgt(mach_creds
)
2470 # Create a user account.
2471 client_creds
= self
.get_cached_creds(
2472 account_type
=self
.AccountType
.USER
)
2473 tgt
= self
.get_tgt(client_creds
)
2475 # Create an authentication policy that allows accounts with the
2476 # Authenticated Users SID to obtain a service ticket.
2477 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_AUTHENTICATED_USERS})'
2478 denied
= 'O:SYD:(D;;CR;;;WD)'
2479 policy_id
= self
.get_new_username()
2480 policy
= self
.create_authn_policy(policy_id
,
2482 user_allowed_to
=denied
,
2483 computer_allowed_to
=allowed
,
2484 service_allowed_to
=denied
)
2486 # Create a computer account with the assigned policy.
2487 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2488 assigned_policy
=policy
)
2490 # Show that obtaining a service ticket is allowed.
2491 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2494 def test_authn_policy_allowed_to_computer_allow_ntlm_authn(self
):
2495 # Create a machine account with which to perform FAST.
2496 mach_creds
= self
.get_cached_creds(
2497 account_type
=self
.AccountType
.COMPUTER
)
2498 mach_tgt
= self
.get_tgt(mach_creds
)
2500 # Create a user account.
2501 client_creds
= self
.get_cached_creds(
2502 account_type
=self
.AccountType
.USER
)
2503 tgt
= self
.get_tgt(client_creds
)
2505 # Create an authentication policy that allows accounts with the NTLM
2506 # Authentication SID to obtain a service ticket.
2507 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_NTLM_AUTHENTICATION})'
2508 denied
= 'O:SYD:(D;;CR;;;WD)'
2509 policy_id
= self
.get_new_username()
2510 policy
= self
.create_authn_policy(policy_id
,
2512 user_allowed_to
=denied
,
2513 computer_allowed_to
=allowed
,
2514 service_allowed_to
=denied
)
2516 # Create a computer account with the assigned policy.
2517 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2518 assigned_policy
=policy
)
2520 # Show that obtaining a service ticket is denied.
2522 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2524 expect_edata
=self
.expect_padata_outer
,
2525 # We aren’t particular about whether or not we get an NTSTATUS.
2527 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
2528 check_patypes
=False)
2530 def test_authn_policy_allowed_to_no_owner(self
):
2531 samdb
= self
.get_samdb()
2533 # Create a machine account with which to perform FAST.
2534 mach_creds
= self
.get_cached_creds(
2535 account_type
=self
.AccountType
.COMPUTER
)
2536 mach_tgt
= self
.get_tgt(mach_creds
)
2538 # Create a user account.
2539 client_creds
= self
.get_cached_creds(
2540 account_type
=self
.AccountType
.USER
)
2541 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2542 tgt
= self
.get_tgt(client_creds
)
2544 # Create an authentication policy that applies to a computer and
2545 # explicitly allows the user account to obtain a service ticket. Omit
2546 # the owner (O:SY) from the SDDL.
2547 allowed
= f
'D:(A;;CR;;;{client_sid})'
2548 policy_id
= self
.get_new_username()
2549 policy
= self
.create_authn_policy(policy_id
,
2551 computer_allowed_to
=allowed
)
2553 # Create a computer account with the assigned policy.
2554 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2555 assigned_policy
=policy
)
2557 # Show that obtaining a service ticket is denied.
2558 self
._tgs
_req
(tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2560 expect_edata
=self
.expect_padata_outer
,
2561 # We aren’t particular about whether or not we get an NTSTATUS.
2563 expected_status
=ntstatus
.NT_STATUS_INVALID_PARAMETER
,
2564 check_patypes
=False)
2566 def test_authn_policy_allowed_to_no_owner_unenforced(self
):
2567 samdb
= self
.get_samdb()
2569 # Create a machine account with which to perform FAST.
2570 mach_creds
= self
.get_cached_creds(
2571 account_type
=self
.AccountType
.COMPUTER
)
2572 mach_tgt
= self
.get_tgt(mach_creds
)
2574 # Create a user account.
2575 client_creds
= self
.get_cached_creds(
2576 account_type
=self
.AccountType
.USER
)
2577 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2578 tgt
= self
.get_tgt(client_creds
)
2580 # Create an unenforced authentication policy that applies to a computer
2581 # and explicitly allows the user account to obtain a service
2582 # ticket. Omit the owner (O:SY) from the SDDL.
2583 allowed
= f
'D:(A;;CR;;;{client_sid})'
2584 policy_id
= self
.get_new_username()
2585 policy
= self
.create_authn_policy(policy_id
,
2587 computer_allowed_to
=allowed
)
2589 # Create a computer account with the assigned policy.
2590 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2591 assigned_policy
=policy
)
2593 # Show that obtaining a service ticket is allowed.
2594 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2597 def test_authn_policy_allowed_to_owner_self(self
):
2598 samdb
= self
.get_samdb()
2600 # Create a machine account with which to perform FAST.
2601 mach_creds
= self
.get_cached_creds(
2602 account_type
=self
.AccountType
.COMPUTER
)
2603 mach_tgt
= self
.get_tgt(mach_creds
)
2605 # Create a user account.
2606 client_creds
= self
.get_cached_creds(
2607 account_type
=self
.AccountType
.USER
)
2608 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2609 tgt
= self
.get_tgt(client_creds
)
2611 # Create an authentication policy that applies to a computer and
2612 # explicitly allows the user account to obtain a service ticket. Set
2613 # the owner to the user account.
2614 allowed
= f
'O:{client_sid}D:(A;;CR;;;{client_sid})'
2615 policy_id
= self
.get_new_username()
2616 policy
= self
.create_authn_policy(policy_id
,
2618 computer_allowed_to
=allowed
)
2620 # Create a computer account with the assigned policy.
2621 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2622 assigned_policy
=policy
)
2624 # Show that obtaining a service ticket is allowed.
2625 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2628 def test_authn_policy_allowed_to_owner_anon(self
):
2629 samdb
= self
.get_samdb()
2631 # Create a machine account with which to perform FAST.
2632 mach_creds
= self
.get_cached_creds(
2633 account_type
=self
.AccountType
.COMPUTER
)
2634 mach_tgt
= self
.get_tgt(mach_creds
)
2636 # Create a user account.
2637 client_creds
= self
.get_cached_creds(
2638 account_type
=self
.AccountType
.USER
)
2639 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2640 tgt
= self
.get_tgt(client_creds
)
2642 # Create an authentication policy that applies to a computer and
2643 # explicitly allows the user account to obtain a service ticket. Set
2644 # the owner to be anonymous.
2645 allowed
= f
'O:AND:(A;;CR;;;{client_sid})'
2646 policy_id
= self
.get_new_username()
2647 policy
= self
.create_authn_policy(policy_id
,
2649 computer_allowed_to
=allowed
)
2651 # Create a computer account with the assigned policy.
2652 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2653 assigned_policy
=policy
)
2655 # Show that obtaining a service ticket is allowed.
2656 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2659 def test_authn_policy_allowed_to_user_allow(self
):
2660 samdb
= self
.get_samdb()
2662 # Create a machine account with which to perform FAST.
2663 mach_creds
= self
.get_cached_creds(
2664 account_type
=self
.AccountType
.COMPUTER
)
2665 mach_tgt
= self
.get_tgt(mach_creds
)
2667 # Create a user account.
2668 client_creds
= self
.get_cached_creds(
2669 account_type
=self
.AccountType
.USER
)
2670 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2671 tgt
= self
.get_tgt(client_creds
)
2673 # Create an authentication policy that applies to a user and explicitly
2674 # allows the user account to obtain a service ticket.
2675 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
2676 denied
= 'O:SYD:(D;;CR;;;WD)'
2677 policy_id
= self
.get_new_username()
2678 policy
= self
.create_authn_policy(policy_id
,
2680 user_allowed_to
=allowed
,
2681 computer_allowed_to
=denied
,
2682 service_allowed_to
=denied
)
2684 # Create a user account with the assigned policy.
2685 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2686 assigned_policy
=policy
,
2687 spn
='host/{account}')
2689 # Show that obtaining a service ticket is allowed.
2690 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2693 def test_authn_policy_allowed_to_user_deny(self
):
2694 samdb
= self
.get_samdb()
2696 # Create a machine account with which to perform FAST.
2697 mach_creds
= self
.get_cached_creds(
2698 account_type
=self
.AccountType
.COMPUTER
)
2699 mach_tgt
= self
.get_tgt(mach_creds
)
2701 # Create a user account.
2702 client_creds
= self
.get_cached_creds(
2703 account_type
=self
.AccountType
.USER
)
2704 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2705 tgt
= self
.get_tgt(client_creds
)
2707 # Create an authentication policy that applies to a user and
2708 # explicitly denies the user account to obtain a service ticket.
2709 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
2710 allowed
= 'O:SYD:(A;;CR;;;WD)'
2711 policy_id
= self
.get_new_username()
2712 policy
= self
.create_authn_policy(policy_id
,
2714 user_allowed_to
=denied
,
2715 computer_allowed_to
=allowed
,
2716 service_allowed_to
=allowed
)
2718 # Create a user account with the assigned policy.
2719 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2720 assigned_policy
=policy
,
2721 spn
='host/{account}')
2723 # Show that obtaining a service ticket is denied.
2725 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2727 expect_edata
=self
.expect_padata_outer
,
2728 # We aren’t particular about whether or not we get an NTSTATUS.
2730 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
2731 check_patypes
=False)
2733 def test_authn_policy_allowed_to_service_allow(self
):
2734 samdb
= self
.get_samdb()
2736 # Create a machine account with which to perform FAST.
2737 mach_creds
= self
.get_cached_creds(
2738 account_type
=self
.AccountType
.COMPUTER
)
2739 mach_tgt
= self
.get_tgt(mach_creds
)
2741 # Create a user account.
2742 client_creds
= self
.get_cached_creds(
2743 account_type
=self
.AccountType
.USER
)
2744 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2745 tgt
= self
.get_tgt(client_creds
)
2747 # Create an authentication policy that applies to a managed service and
2748 # explicitly allows the user account to obtain a service ticket.
2749 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
2750 denied
= 'O:SYD:(D;;CR;;;WD)'
2751 policy_id
= self
.get_new_username()
2752 policy
= self
.create_authn_policy(policy_id
,
2754 user_allowed_to
=denied
,
2755 computer_allowed_to
=denied
,
2756 service_allowed_to
=allowed
)
2758 # Create a managed service account with the assigned policy.
2759 target_creds
= self
._get
_creds
(
2760 account_type
=self
.AccountType
.MANAGED_SERVICE
,
2761 assigned_policy
=policy
)
2763 # Show that obtaining a service ticket is allowed.
2764 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2767 def test_authn_policy_allowed_to_service_deny(self
):
2768 samdb
= self
.get_samdb()
2770 # Create a machine account with which to perform FAST.
2771 mach_creds
= self
.get_cached_creds(
2772 account_type
=self
.AccountType
.COMPUTER
)
2773 mach_tgt
= self
.get_tgt(mach_creds
)
2775 # Create a user account.
2776 client_creds
= self
.get_cached_creds(
2777 account_type
=self
.AccountType
.USER
)
2778 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2779 tgt
= self
.get_tgt(client_creds
)
2781 # Create an authentication policy that applies to a managed service and
2782 # explicitly denies the user account to obtain a service ticket.
2783 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
2784 allowed
= 'O:SYD:(A;;CR;;;WD)'
2785 policy_id
= self
.get_new_username()
2786 policy
= self
.create_authn_policy(policy_id
,
2788 user_allowed_to
=allowed
,
2789 computer_allowed_to
=allowed
,
2790 service_allowed_to
=denied
)
2792 # Create a managed service account with the assigned policy.
2793 target_creds
= self
._get
_creds
(
2794 account_type
=self
.AccountType
.MANAGED_SERVICE
,
2795 assigned_policy
=policy
)
2797 # Show that obtaining a service ticket is denied.
2799 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2801 expect_edata
=self
.expect_padata_outer
,
2802 # We aren’t particular about whether or not we get an NTSTATUS.
2804 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
2805 check_patypes
=False)
2807 def test_authn_policy_allowed_to_user_allow_from_rodc(self
):
2808 samdb
= self
.get_samdb()
2810 # Create a machine account with which to perform FAST.
2811 mach_creds
= self
.get_cached_creds(
2812 account_type
=self
.AccountType
.COMPUTER
)
2813 mach_tgt
= self
.get_tgt(mach_creds
)
2815 # Create a user account.
2816 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2818 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2819 # Modify the TGT to be issued by an RODC.
2820 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
2822 # Create an authentication policy that applies to a user and explicitly
2823 # allows the user account to obtain a service ticket.
2824 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
2825 denied
= 'O:SYD:(D;;CR;;;WD)'
2826 policy_id
= self
.get_new_username()
2827 policy
= self
.create_authn_policy(policy_id
,
2829 user_allowed_to
=allowed
,
2830 computer_allowed_to
=denied
,
2831 service_allowed_to
=denied
)
2833 # Create a user account with the assigned policy.
2834 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2835 assigned_policy
=policy
,
2836 spn
='host/{account}')
2838 # Show that obtaining a service ticket is allowed.
2839 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2842 def test_authn_policy_allowed_to_user_deny_from_rodc(self
):
2843 samdb
= self
.get_samdb()
2845 # Create a machine account with which to perform FAST.
2846 mach_creds
= self
.get_cached_creds(
2847 account_type
=self
.AccountType
.COMPUTER
)
2848 mach_tgt
= self
.get_tgt(mach_creds
)
2850 # Create a user account.
2851 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2853 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2854 # Modify the TGT to be issued by an RODC.
2855 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
2857 # Create an authentication policy that applies to a user and
2858 # explicitly denies the user account to obtain a service ticket.
2859 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
2860 allowed
= 'O:SYD:(A;;CR;;;WD)'
2861 policy_id
= self
.get_new_username()
2862 policy
= self
.create_authn_policy(policy_id
,
2864 user_allowed_to
=denied
,
2865 computer_allowed_to
=allowed
,
2866 service_allowed_to
=allowed
)
2868 # Create a user account with the assigned policy.
2869 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2870 assigned_policy
=policy
,
2871 spn
='host/{account}')
2873 # Show that obtaining a service ticket is denied.
2875 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2877 expect_edata
=self
.expect_padata_outer
,
2878 # We aren’t particular about whether or not we get an NTSTATUS.
2880 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
2882 def test_authn_policy_allowed_to_computer_allow_from_rodc(self
):
2883 samdb
= self
.get_samdb()
2885 # Create a machine account with which to perform FAST.
2886 mach_creds
= self
.get_cached_creds(
2887 account_type
=self
.AccountType
.COMPUTER
)
2888 mach_tgt
= self
.get_tgt(mach_creds
)
2890 # Create a user account.
2891 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2893 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2894 # Modify the TGT to be issued by an RODC.
2895 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
2897 # Create an authentication policy that applies to a computer and
2898 # explicitly allows the user account to obtain a service ticket.
2899 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
2900 denied
= 'O:SYD:(D;;CR;;;WD)'
2901 policy_id
= self
.get_new_username()
2902 policy
= self
.create_authn_policy(policy_id
,
2904 user_allowed_to
=denied
,
2905 computer_allowed_to
=allowed
,
2906 service_allowed_to
=denied
)
2908 # Create a computer account with the assigned policy.
2909 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2910 assigned_policy
=policy
)
2912 # Show that obtaining a service ticket is allowed.
2913 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2916 def test_authn_policy_allowed_to_computer_deny_from_rodc(self
):
2917 samdb
= self
.get_samdb()
2919 # Create a machine account with which to perform FAST.
2920 mach_creds
= self
.get_cached_creds(
2921 account_type
=self
.AccountType
.COMPUTER
)
2922 mach_tgt
= self
.get_tgt(mach_creds
)
2924 # Create a user account.
2925 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2927 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2928 # Modify the TGT to be issued by an RODC.
2929 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
2931 # Create an authentication policy that applies to a computer and
2932 # explicitly denies the user account to obtain a service ticket.
2933 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
2934 allowed
= 'O:SYD:(A;;CR;;;WD)'
2935 policy_id
= self
.get_new_username()
2936 policy
= self
.create_authn_policy(policy_id
,
2938 user_allowed_to
=allowed
,
2939 computer_allowed_to
=denied
,
2940 service_allowed_to
=allowed
)
2942 # Create a computer account with the assigned policy.
2943 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
2944 assigned_policy
=policy
)
2946 # Show that obtaining a service ticket is denied.
2948 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
2950 expect_edata
=self
.expect_padata_outer
,
2951 # We aren’t particular about whether or not we get an NTSTATUS.
2953 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,)
2955 def test_authn_policy_allowed_to_service_allow_from_rodc(self
):
2956 samdb
= self
.get_samdb()
2958 # Create a machine account with which to perform FAST.
2959 mach_creds
= self
.get_cached_creds(
2960 account_type
=self
.AccountType
.COMPUTER
)
2961 mach_tgt
= self
.get_tgt(mach_creds
)
2963 # Create a user account.
2964 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
2966 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
2967 # Modify the TGT to be issued by an RODC.
2968 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
2970 # Create an authentication policy that applies to a managed service and
2971 # explicitly allows the user account to obtain a service ticket.
2972 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
2973 denied
= 'O:SYD:(D;;CR;;;WD)'
2974 policy_id
= self
.get_new_username()
2975 policy
= self
.create_authn_policy(policy_id
,
2977 user_allowed_to
=denied
,
2978 computer_allowed_to
=denied
,
2979 service_allowed_to
=allowed
)
2981 # Create a managed service account with the assigned policy.
2982 target_creds
= self
._get
_creds
(
2983 account_type
=self
.AccountType
.MANAGED_SERVICE
,
2984 assigned_policy
=policy
)
2986 # Show that obtaining a service ticket is allowed.
2987 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
2990 def test_authn_policy_allowed_to_service_deny_from_rodc(self
):
2991 samdb
= self
.get_samdb()
2993 # Create a machine account with which to perform FAST.
2994 mach_creds
= self
.get_cached_creds(
2995 account_type
=self
.AccountType
.COMPUTER
)
2996 mach_tgt
= self
.get_tgt(mach_creds
)
2998 # Create a user account.
2999 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3001 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
3002 # Modify the TGT to be issued by an RODC.
3003 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3005 # Create an authentication policy that applies to a managed service and
3006 # explicitly denies the user account to obtain a service ticket.
3007 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
3008 allowed
= 'O:SYD:(A;;CR;;;WD)'
3009 policy_id
= self
.get_new_username()
3010 policy
= self
.create_authn_policy(policy_id
,
3012 user_allowed_to
=allowed
,
3013 computer_allowed_to
=allowed
,
3014 service_allowed_to
=denied
)
3016 # Create a managed service account with the assigned policy.
3017 target_creds
= self
._get
_creds
(
3018 account_type
=self
.AccountType
.MANAGED_SERVICE
,
3019 assigned_policy
=policy
)
3021 # Show that obtaining a service ticket is denied.
3023 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
3025 expect_edata
=self
.expect_padata_outer
,
3026 # We aren’t particular about whether or not we get an NTSTATUS.
3028 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
3030 def test_authn_policy_allowed_to_user_allow_group_not_a_member(self
):
3031 samdb
= self
.get_samdb()
3033 # Create a machine account with which to perform FAST.
3034 mach_creds
= self
.get_cached_creds(
3035 account_type
=self
.AccountType
.COMPUTER
)
3036 mach_tgt
= self
.get_tgt(mach_creds
)
3038 # Create a new group.
3039 group_name
= self
.get_new_username()
3040 group_dn
= self
.create_group(samdb
, group_name
)
3041 group_sid
= self
.get_objectSid(samdb
, group_dn
)
3043 # Create a user account which does not belong to the group.
3044 client_creds
= self
.get_cached_creds(
3045 account_type
=self
.AccountType
.USER
)
3046 tgt
= self
.get_tgt(client_creds
)
3048 # Create an authentication policy that allows accounts belonging to the
3050 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
3051 policy_id
= self
.get_new_username()
3052 policy
= self
.create_authn_policy(policy_id
,
3054 user_allowed_to
=allowed
)
3056 # Create a user account with the assigned policy.
3057 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3058 assigned_policy
=policy
,
3059 spn
='host/{account}')
3061 # Show that we get a policy error, as the user account does not belong
3064 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
3066 expect_edata
=self
.expect_padata_outer
,
3067 # We aren’t particular about whether or not we get an NTSTATUS.
3069 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
3070 check_patypes
=False)
3072 def test_authn_policy_allowed_to_user_allow_group_member(self
):
3073 samdb
= self
.get_samdb()
3075 # Create a machine account with which to perform FAST.
3076 mach_creds
= self
.get_cached_creds(
3077 account_type
=self
.AccountType
.COMPUTER
)
3078 mach_tgt
= self
.get_tgt(mach_creds
)
3080 # Create a new group.
3081 group_name
= self
.get_new_username()
3082 group_dn
= self
.create_group(samdb
, group_name
)
3083 group_sid
= self
.get_objectSid(samdb
, group_dn
)
3085 # Create a user account that belongs to the group.
3086 client_creds
= self
.get_cached_creds(
3087 account_type
=self
.AccountType
.USER
,
3088 opts
={'member_of': (group_dn
,)})
3089 tgt
= self
.get_tgt(client_creds
)
3091 # Create an authentication policy that allows accounts belonging to the
3093 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
3094 policy_id
= self
.get_new_username()
3095 policy
= self
.create_authn_policy(policy_id
,
3097 user_allowed_to
=allowed
)
3099 # Create a user account with the assigned policy.
3100 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3101 assigned_policy
=policy
,
3102 spn
='host/{account}')
3104 # Show that we can get a service ticket, since the user account belongs
3106 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
3109 def test_authn_policy_allowed_to_user_allow_domain_local_group(self
):
3110 samdb
= self
.get_samdb()
3112 # Create a machine account with which to perform FAST.
3113 mach_creds
= self
.get_cached_creds(
3114 account_type
=self
.AccountType
.COMPUTER
)
3115 mach_tgt
= self
.get_tgt(mach_creds
)
3117 # Create a new domain-local group.
3118 group_name
= self
.get_new_username()
3119 group_dn
= self
.create_group(samdb
, group_name
,
3120 gtype
=GroupType
.DOMAIN_LOCAL
.value
)
3121 group_sid
= self
.get_objectSid(samdb
, group_dn
)
3123 # Create a user account that belongs to the group.
3124 client_creds
= self
.get_cached_creds(
3125 account_type
=self
.AccountType
.USER
,
3126 opts
={'member_of': (group_dn
,)})
3127 tgt
= self
.get_tgt(client_creds
)
3129 # Create an authentication policy that allows accounts belonging to the
3131 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
3132 policy_id
= self
.get_new_username()
3133 policy
= self
.create_authn_policy(policy_id
,
3135 user_allowed_to
=allowed
)
3137 # Create a user account with the assigned policy.
3138 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3139 assigned_policy
=policy
,
3140 spn
='host/{account}')
3142 # Show that the groups in the TGT are expanded to include the
3143 # domain-local group.
3144 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
3147 def test_authn_policy_allowed_to_computer_allow_asserted_identity_from_rodc(self
):
3148 # Create a machine account with which to perform FAST.
3149 mach_creds
= self
.get_cached_creds(
3150 account_type
=self
.AccountType
.COMPUTER
)
3151 mach_tgt
= self
.get_tgt(mach_creds
)
3153 # Create a user account.
3154 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3156 # Modify the TGT to be issued by an RODC.
3157 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3159 # Create an authentication policy that allows accounts with the
3160 # Authentication Authority Asserted Identity SID to obtain a service
3164 f
'{security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY})'
3166 denied
= 'O:SYD:(D;;CR;;;WD)'
3167 policy_id
= self
.get_new_username()
3168 policy
= self
.create_authn_policy(policy_id
,
3170 user_allowed_to
=denied
,
3171 computer_allowed_to
=allowed
,
3172 service_allowed_to
=denied
)
3174 # Create a computer account with the assigned policy.
3175 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
3176 assigned_policy
=policy
)
3178 # Show that obtaining a service ticket is allowed.
3179 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
3182 def test_authn_policy_allowed_to_computer_allow_claims_valid_from_rodc(self
):
3183 # Create a machine account with which to perform FAST.
3184 mach_creds
= self
.get_cached_creds(
3185 account_type
=self
.AccountType
.COMPUTER
)
3186 mach_tgt
= self
.get_tgt(mach_creds
)
3188 # Create a user account.
3189 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3191 # Modify the TGT to be issued by an RODC.
3192 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3194 # Create an authentication policy that allows accounts with the Claims
3195 # Valid SID to obtain a service ticket.
3196 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_CLAIMS_VALID})'
3197 denied
= 'O:SYD:(D;;CR;;;WD)'
3198 policy_id
= self
.get_new_username()
3199 policy
= self
.create_authn_policy(policy_id
,
3201 user_allowed_to
=denied
,
3202 computer_allowed_to
=allowed
,
3203 service_allowed_to
=denied
)
3205 # Create a computer account with the assigned policy.
3206 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
3207 assigned_policy
=policy
)
3209 # Show that obtaining a service ticket is not allowed.
3210 self
._tgs
_req
(tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
3213 def test_authn_policy_allowed_to_computer_allow_compounded_authn_from_rodc(self
):
3214 # Create a machine account with which to perform FAST.
3215 mach_creds
= self
.get_cached_creds(
3216 account_type
=self
.AccountType
.COMPUTER
)
3217 mach_tgt
= self
.get_tgt(mach_creds
)
3219 # Create a user account.
3220 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3222 # Modify the TGT to be issued by an RODC.
3223 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3225 # Create an authentication policy that allows accounts with the
3226 # Compounded Authentication SID to obtain a service ticket.
3227 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_COMPOUNDED_AUTHENTICATION})'
3228 denied
= 'O:SYD:(D;;CR;;;WD)'
3229 policy_id
= self
.get_new_username()
3230 policy
= self
.create_authn_policy(policy_id
,
3232 user_allowed_to
=denied
,
3233 computer_allowed_to
=allowed
,
3234 service_allowed_to
=denied
)
3236 # Create a computer account with the assigned policy.
3237 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
3238 assigned_policy
=policy
)
3240 # Show that obtaining a service ticket is denied.
3242 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
3244 expect_edata
=self
.expect_padata_outer
,
3245 # We aren’t particular about whether or not we get an NTSTATUS.
3247 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
3249 def test_authn_policy_allowed_to_computer_allow_authenticated_users_from_rodc(self
):
3250 # Create a machine account with which to perform FAST.
3251 mach_creds
= self
.get_cached_creds(
3252 account_type
=self
.AccountType
.COMPUTER
)
3253 mach_tgt
= self
.get_tgt(mach_creds
)
3255 # Create a user account.
3256 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3258 # Modify the TGT to be issued by an RODC.
3259 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3261 # Create an authentication policy that allows accounts with the
3262 # Authenticated Users SID to obtain a service ticket.
3263 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_AUTHENTICATED_USERS})'
3264 denied
= 'O:SYD:(D;;CR;;;WD)'
3265 policy_id
= self
.get_new_username()
3266 policy
= self
.create_authn_policy(policy_id
,
3268 user_allowed_to
=denied
,
3269 computer_allowed_to
=allowed
,
3270 service_allowed_to
=denied
)
3272 # Create a computer account with the assigned policy.
3273 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
3274 assigned_policy
=policy
)
3276 # Show that obtaining a service ticket is allowed.
3277 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
3280 def test_authn_policy_allowed_to_computer_allow_ntlm_authn_from_rodc(self
):
3281 # Create a machine account with which to perform FAST.
3282 mach_creds
= self
.get_cached_creds(
3283 account_type
=self
.AccountType
.COMPUTER
)
3284 mach_tgt
= self
.get_tgt(mach_creds
)
3286 # Create a user account.
3287 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3289 # Modify the TGT to be issued by an RODC.
3290 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3292 # Create an authentication policy that allows accounts with the NTLM
3293 # Authentication SID to obtain a service ticket.
3294 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_NTLM_AUTHENTICATION})'
3295 denied
= 'O:SYD:(D;;CR;;;WD)'
3296 policy_id
= self
.get_new_username()
3297 policy
= self
.create_authn_policy(policy_id
,
3299 user_allowed_to
=denied
,
3300 computer_allowed_to
=allowed
,
3301 service_allowed_to
=denied
)
3303 # Create a computer account with the assigned policy.
3304 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
3305 assigned_policy
=policy
)
3307 # Show that obtaining a service ticket is denied.
3309 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
3311 expect_edata
=self
.expect_padata_outer
,
3312 # We aren’t particular about whether or not we get an NTSTATUS.
3314 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
3316 def test_authn_policy_allowed_to_user_allow_group_not_a_member_from_rodc(self
):
3317 samdb
= self
.get_samdb()
3319 # Create a machine account with which to perform FAST.
3320 mach_creds
= self
.get_cached_creds(
3321 account_type
=self
.AccountType
.COMPUTER
)
3322 mach_tgt
= self
.get_tgt(mach_creds
)
3324 # Create a new group.
3325 group_name
= self
.get_new_username()
3326 group_dn
= self
.create_group(samdb
, group_name
)
3327 group_sid
= self
.get_objectSid(samdb
, group_dn
)
3329 # Create a user account which does not belong to the group.
3330 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3332 # Modify the TGT to be issued by an RODC.
3333 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3335 # Create an authentication policy that allows accounts belonging to the
3337 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
3338 policy_id
= self
.get_new_username()
3339 policy
= self
.create_authn_policy(policy_id
,
3341 user_allowed_to
=allowed
)
3343 # Create a user account with the assigned policy.
3344 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3345 assigned_policy
=policy
,
3346 spn
='host/{account}')
3348 # Show that we get a policy error, as the user account does not belong
3351 tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
3353 expect_edata
=self
.expect_padata_outer
,
3354 # We aren’t particular about whether or not we get an NTSTATUS.
3356 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
3358 def test_authn_policy_allowed_to_user_allow_group_member_from_rodc(self
):
3359 samdb
= self
.get_samdb()
3361 # Create a machine account with which to perform FAST.
3362 mach_creds
= self
.get_cached_creds(
3363 account_type
=self
.AccountType
.COMPUTER
)
3364 mach_tgt
= self
.get_tgt(mach_creds
)
3366 # Create a new group.
3367 group_name
= self
.get_new_username()
3368 group_dn
= self
.create_group(samdb
, group_name
)
3369 group_sid
= self
.get_objectSid(samdb
, group_dn
)
3371 # Create a user account that belongs to the group.
3372 client_creds
= self
.get_cached_creds(
3373 account_type
=self
.AccountType
.USER
,
3374 opts
={'member_of': (group_dn
,),
3375 'allowed_replication_mock': True,
3376 'revealed_to_mock_rodc': True})
3377 # Modify the TGT to be issued by an RODC.
3378 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3380 # Create an authentication policy that allows accounts belonging to the
3382 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
3383 policy_id
= self
.get_new_username()
3384 policy
= self
.create_authn_policy(policy_id
,
3386 user_allowed_to
=allowed
)
3388 # Create a user account with the assigned policy.
3389 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3390 assigned_policy
=policy
,
3391 spn
='host/{account}')
3393 # Show that we can get a service ticket, since the user account belongs
3395 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
3398 def test_authn_policy_allowed_to_user_allow_domain_local_group_from_rodc(self
):
3399 samdb
= self
.get_samdb()
3401 # Create a machine account with which to perform FAST.
3402 mach_creds
= self
.get_cached_creds(
3403 account_type
=self
.AccountType
.COMPUTER
)
3404 mach_tgt
= self
.get_tgt(mach_creds
)
3406 # Create a new domain-local group.
3407 group_name
= self
.get_new_username()
3408 group_dn
= self
.create_group(samdb
, group_name
,
3409 gtype
=GroupType
.DOMAIN_LOCAL
.value
)
3410 group_sid
= self
.get_objectSid(samdb
, group_dn
)
3412 # Create a user account that belongs to the group.
3413 client_creds
= self
.get_cached_creds(
3414 account_type
=self
.AccountType
.USER
,
3415 opts
={'member_of': (group_dn
,),
3416 'allowed_replication_mock': True,
3417 'revealed_to_mock_rodc': True})
3418 # Modify the TGT to be issued by an RODC.
3419 tgt
= self
.issued_by_rodc(self
.get_tgt(client_creds
))
3421 # Create an authentication policy that allows accounts belonging to the
3423 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
3424 policy_id
= self
.get_new_username()
3425 policy
= self
.create_authn_policy(policy_id
,
3427 user_allowed_to
=allowed
)
3429 # Create a user account with the assigned policy.
3430 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
3431 assigned_policy
=policy
,
3432 spn
='host/{account}')
3434 # Show that the groups in the TGT are expanded to include the
3435 # domain-local group.
3436 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
3439 def test_authn_policy_allowed_to_computer_allow_to_self(self
):
3440 samdb
= self
.get_samdb()
3442 # Create a machine account with which to perform FAST.
3443 mach_creds
= self
.get_cached_creds(
3444 account_type
=self
.AccountType
.COMPUTER
)
3445 mach_tgt
= self
.get_tgt(mach_creds
)
3447 # Create a computer account.
3448 client_creds
= self
.get_cached_creds(
3449 account_type
=self
.AccountType
.COMPUTER
,
3452 client_dn
= client_creds
.get_dn()
3453 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3454 tgt
= self
.get_tgt(client_creds
)
3456 # Create an authentication policy that applies to a computer and
3457 # explicitly allows the user account to obtain a service ticket.
3458 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
3459 denied
= 'O:SYD:(D;;CR;;;WD)'
3460 policy_id
= self
.get_new_username()
3461 policy
= self
.create_authn_policy(policy_id
,
3463 user_allowed_to
=denied
,
3464 computer_allowed_to
=allowed
,
3465 service_allowed_to
=denied
)
3467 # Assign the policy to the account.
3468 self
.add_attribute(samdb
, str(client_dn
),
3469 'msDS-AssignedAuthNPolicy', str(policy
))
3471 # Show that obtaining a service ticket to ourselves is allowed.
3472 self
._tgs
_req
(tgt
, 0, client_creds
, client_creds
,
3475 def test_authn_policy_allowed_to_computer_deny_to_self(self
):
3476 samdb
= self
.get_samdb()
3478 # Create a machine account with which to perform FAST.
3479 mach_creds
= self
.get_cached_creds(
3480 account_type
=self
.AccountType
.COMPUTER
)
3481 mach_tgt
= self
.get_tgt(mach_creds
)
3483 # Create a computer account.
3484 client_creds
= self
.get_cached_creds(
3485 account_type
=self
.AccountType
.COMPUTER
,
3488 client_dn
= client_creds
.get_dn()
3489 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3490 tgt
= self
.get_tgt(client_creds
)
3492 # Create an authentication policy that applies to a computer and
3493 # explicitly denies the user account to obtain a service ticket.
3494 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
3495 allowed
= 'O:SYD:(A;;CR;;;WD)'
3496 policy_id
= self
.get_new_username()
3497 policy
= self
.create_authn_policy(policy_id
,
3499 user_allowed_to
=allowed
,
3500 computer_allowed_to
=denied
,
3501 service_allowed_to
=allowed
)
3503 # Assign the policy to the account.
3504 self
.add_attribute(samdb
, str(client_dn
),
3505 'msDS-AssignedAuthNPolicy', str(policy
))
3507 # Show that obtaining a service ticket to ourselves is allowed, despite
3508 # the policy disallowing it.
3509 self
._tgs
_req
(tgt
, 0, client_creds
, client_creds
,
3512 def test_authn_policy_allowed_to_computer_allow_to_self_with_self(self
):
3513 samdb
= self
.get_samdb()
3515 # Create a computer account.
3516 client_creds
= self
.get_cached_creds(
3517 account_type
=self
.AccountType
.COMPUTER
,
3519 client_dn
= client_creds
.get_dn()
3520 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3521 tgt
= self
.get_tgt(client_creds
)
3523 # Create an authentication policy that applies to a computer and
3524 # explicitly allows the account to obtain a service ticket.
3525 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
3526 denied
= 'O:SYD:(D;;CR;;;WD)'
3527 policy_id
= self
.get_new_username()
3528 policy
= self
.create_authn_policy(policy_id
,
3530 user_allowed_to
=denied
,
3531 computer_allowed_to
=allowed
,
3532 service_allowed_to
=denied
)
3534 # Assign the policy to the account.
3535 self
.add_attribute(samdb
, str(client_dn
),
3536 'msDS-AssignedAuthNPolicy', str(policy
))
3538 # Show that obtaining a service ticket to ourselves armored with our
3539 # own TGT is allowed.
3540 self
._tgs
_req
(tgt
, 0, client_creds
, client_creds
,
3543 def test_authn_policy_allowed_to_computer_deny_to_self_with_self(self
):
3544 samdb
= self
.get_samdb()
3546 # Create a computer account.
3547 client_creds
= self
.get_cached_creds(
3548 account_type
=self
.AccountType
.COMPUTER
,
3550 client_dn
= client_creds
.get_dn()
3551 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3552 tgt
= self
.get_tgt(client_creds
)
3554 # Create an authentication policy that applies to a computer and
3555 # explicitly denies the account to obtain a service ticket.
3556 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
3557 allowed
= 'O:SYD:(A;;CR;;;WD)'
3558 policy_id
= self
.get_new_username()
3559 policy
= self
.create_authn_policy(policy_id
,
3561 user_allowed_to
=allowed
,
3562 computer_allowed_to
=denied
,
3563 service_allowed_to
=allowed
)
3565 # Assign the policy to the account.
3566 self
.add_attribute(samdb
, str(client_dn
),
3567 'msDS-AssignedAuthNPolicy', str(policy
))
3569 # Show that obtaining a service ticket to ourselves armored with our
3570 # own TGT is allowed, despite the policy’s disallowing it.
3571 self
._tgs
_req
(tgt
, 0, client_creds
, client_creds
,
3574 def test_authn_policy_allowed_to_user_allow_s4u2self(self
):
3575 samdb
= self
.get_samdb()
3577 # Create a machine account with which to perform FAST.
3578 mach_creds
= self
.get_cached_creds(
3579 account_type
=self
.AccountType
.COMPUTER
)
3580 mach_tgt
= self
.get_tgt(mach_creds
)
3582 # Create a user account.
3583 client_creds
= self
.get_cached_creds(
3584 account_type
=self
.AccountType
.USER
)
3585 client_cname
= self
.PrincipalName_create(
3586 name_type
=NT_PRINCIPAL
,
3587 names
=[client_creds
.get_username()])
3588 client_realm
= client_creds
.get_realm()
3589 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
3591 # Create an authentication policy that applies to a computer and
3592 # explicitly allows the user account to obtain a service ticket.
3593 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
3594 policy_id
= self
.get_new_username()
3595 policy
= self
.create_authn_policy(policy_id
,
3597 computer_allowed_to
=allowed
)
3599 # Create a computer account with the assigned policy.
3600 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
3601 assigned_policy
=policy
)
3602 target_tgt
= self
.get_tgt(target_creds
)
3604 def generate_s4u2self_padata(_kdc_exchange_dict
,
3607 padata
= self
.PA_S4U2Self_create(
3610 tgt_session_key
=target_tgt
.session_key
,
3613 return [padata
], req_body
3615 # Show that obtaining a service ticket with S4U2Self is allowed.
3616 self
._tgs
_req
(target_tgt
, 0, target_creds
, target_creds
,
3617 expected_cname
=client_cname
,
3618 generate_fast_padata_fn
=generate_s4u2self_padata
,
3621 def test_authn_policy_allowed_to_user_deny_s4u2self(self
):
3622 samdb
= self
.get_samdb()
3624 # Create a machine account with which to perform FAST.
3625 mach_creds
= self
.get_cached_creds(
3626 account_type
=self
.AccountType
.COMPUTER
)
3627 mach_tgt
= self
.get_tgt(mach_creds
)
3629 # Create a user account.
3630 client_creds
= self
.get_cached_creds(
3631 account_type
=self
.AccountType
.USER
)
3632 client_cname
= self
.PrincipalName_create(
3633 name_type
=NT_PRINCIPAL
,
3634 names
=[client_creds
.get_username()])
3635 client_realm
= client_creds
.get_realm()
3636 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
3638 # Create an authentication policy that applies to a computer and
3639 # explicitly denies the user account to obtain a service ticket.
3640 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
3641 policy_id
= self
.get_new_username()
3642 policy
= self
.create_authn_policy(policy_id
,
3644 computer_allowed_to
=denied
)
3646 # Create a computer account with the assigned policy.
3647 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
3648 assigned_policy
=policy
)
3649 target_tgt
= self
.get_tgt(target_creds
)
3651 def generate_s4u2self_padata(_kdc_exchange_dict
,
3654 padata
= self
.PA_S4U2Self_create(
3657 tgt_session_key
=target_tgt
.session_key
,
3660 return [padata
], req_body
3662 # Show that obtaining a service ticket with S4U2Self is allowed,
3663 # despite the policy.
3664 self
._tgs
_req
(target_tgt
, 0, target_creds
, target_creds
,
3665 expected_cname
=client_cname
,
3666 generate_fast_padata_fn
=generate_s4u2self_padata
,
3669 def test_authn_policy_allowed_to_user_allow_constrained_delegation(self
):
3670 samdb
= self
.get_samdb()
3672 client_creds
= self
.get_cached_creds(
3673 account_type
=self
.AccountType
.USER
)
3674 client_dn
= client_creds
.get_dn()
3675 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3677 client_username
= client_creds
.get_username()
3678 client_cname
= self
.PrincipalName_create(name_type
=NT_PRINCIPAL
,
3679 names
=[client_username
])
3681 client_tkt_options
= 'forwardable'
3682 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
3684 client_tgt
= self
.get_tgt(client_creds
,
3685 kdc_options
=client_tkt_options
,
3686 expected_flags
=expected_flags
)
3688 # Create a machine account with which to perform FAST.
3689 mach_creds
= self
.get_cached_creds(
3690 account_type
=self
.AccountType
.COMPUTER
)
3691 mach_tgt
= self
.get_tgt(mach_creds
)
3693 # Create a target account.
3694 target_creds
= self
.get_cached_creds(
3695 account_type
=self
.AccountType
.COMPUTER
,
3698 target_spn
= target_creds
.get_spn()
3700 service_creds
= self
.get_cached_creds(
3701 account_type
=self
.AccountType
.COMPUTER
,
3703 'delegation_to_spn': target_spn
,
3705 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
3706 service_tgt
= self
.get_tgt(service_creds
)
3708 # Create an authentication policy that applies to a computer and
3709 # explicitly allows the service account to obtain a service ticket,
3710 # while denying the user.
3711 allowed
= f
'O:SYD:(A;;CR;;;{service_sid})(D;;CR;;;{client_sid})'
3712 policy_id
= self
.get_new_username()
3713 policy
= self
.create_authn_policy(policy_id
,
3715 computer_allowed_to
=allowed
)
3717 # Assign the policy to the target account.
3718 self
.add_attribute(samdb
, str(target_creds
.get_dn()),
3719 'msDS-AssignedAuthNPolicy', str(policy
))
3721 client_service_tkt
= self
.get_service_ticket(
3724 kdc_options
=client_tkt_options
,
3725 expected_flags
=expected_flags
)
3727 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
3729 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
3731 target_etypes
= target_creds
.tgs_supported_enctypes
3733 service_name
= service_creds
.get_username()
3734 if service_name
[-1] == '$':
3735 service_name
= service_name
[:-1]
3736 expected_transited_services
= [
3737 f
'host/{service_name}@{service_creds.get_realm()}'
3740 # Show that obtaining a service ticket with constrained delegation is
3742 self
._tgs
_req
(service_tgt
, 0, service_creds
, target_creds
,
3744 kdc_options
=kdc_options
,
3745 expected_cname
=client_cname
,
3746 expected_account_name
=client_username
,
3747 additional_ticket
=client_service_tkt
,
3748 decryption_key
=target_decryption_key
,
3749 expected_sid
=client_sid
,
3750 expected_supported_etypes
=target_etypes
,
3751 expected_proxy_target
=target_spn
,
3752 expected_transited_services
=expected_transited_services
)
3754 def test_authn_policy_allowed_to_user_deny_constrained_delegation(self
):
3755 samdb
= self
.get_samdb()
3757 client_creds
= self
.get_cached_creds(
3758 account_type
=self
.AccountType
.USER
)
3759 client_dn
= client_creds
.get_dn()
3760 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3762 client_tkt_options
= 'forwardable'
3763 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
3765 client_tgt
= self
.get_tgt(client_creds
,
3766 kdc_options
=client_tkt_options
,
3767 expected_flags
=expected_flags
)
3769 # Create a machine account with which to perform FAST.
3770 mach_creds
= self
.get_cached_creds(
3771 account_type
=self
.AccountType
.COMPUTER
)
3772 mach_tgt
= self
.get_tgt(mach_creds
)
3774 # Create a target account.
3775 target_creds
= self
.get_cached_creds(
3776 account_type
=self
.AccountType
.COMPUTER
,
3779 target_spn
= target_creds
.get_spn()
3781 service_creds
= self
.get_cached_creds(
3782 account_type
=self
.AccountType
.COMPUTER
,
3784 'delegation_to_spn': target_spn
,
3786 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
3787 service_tgt
= self
.get_tgt(service_creds
)
3789 # Create an authentication policy that applies to a computer and
3790 # explicitly denies the service account to obtain a service ticket,
3791 # while allowing the user.
3792 denied
= f
'O:SYD:(D;;CR;;;{service_sid})(A;;CR;;;{client_sid})'
3793 policy_id
= self
.get_new_username()
3794 policy
= self
.create_authn_policy(policy_id
,
3796 computer_allowed_to
=denied
)
3798 # Assign the policy to the target account.
3799 self
.add_attribute(samdb
, str(target_creds
.get_dn()),
3800 'msDS-AssignedAuthNPolicy', str(policy
))
3802 client_service_tkt
= self
.get_service_ticket(
3805 kdc_options
=client_tkt_options
,
3806 expected_flags
=expected_flags
)
3808 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
3810 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
3813 # Show that obtaining a service ticket with constrained delegation is
3816 service_tgt
, KDC_ERR_POLICY
, service_creds
, target_creds
,
3818 kdc_options
=kdc_options
,
3819 additional_ticket
=client_service_tkt
,
3820 decryption_key
=target_decryption_key
,
3821 expect_edata
=self
.expect_padata_outer
,
3822 # We aren’t particular about whether or not we get an NTSTATUS.
3824 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
3825 check_patypes
=False)
3827 def test_authn_policy_allowed_to_user_allow_constrained_delegation_wrong_sname(self
):
3828 client_creds
= self
.get_cached_creds(
3829 account_type
=self
.AccountType
.USER
,
3832 client_tkt_options
= 'forwardable'
3833 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
3835 client_tgt
= self
.get_tgt(client_creds
,
3836 kdc_options
=client_tkt_options
,
3837 expected_flags
=expected_flags
)
3839 # Create a machine account with which to perform FAST.
3840 mach_creds
= self
.get_cached_creds(
3841 account_type
=self
.AccountType
.COMPUTER
)
3842 mach_tgt
= self
.get_tgt(mach_creds
)
3844 # Create a target account.
3845 target_creds
= self
.get_cached_creds(
3846 account_type
=self
.AccountType
.COMPUTER
,
3848 target_spn
= target_creds
.get_spn()
3850 service_creds
= self
.get_cached_creds(
3851 account_type
=self
.AccountType
.COMPUTER
,
3852 opts
={'delegation_to_spn': target_spn
})
3853 service_tgt
= self
.get_tgt(service_creds
)
3855 client_service_tkt
= self
.get_service_ticket(
3858 kdc_options
=client_tkt_options
,
3859 expected_flags
=expected_flags
,
3861 # Change the ‘sname’ of the ticket to an incorrect value.
3862 client_service_tkt
.set_sname(self
.get_krbtgt_sname())
3864 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
3866 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
3869 # Show that obtaining a service ticket with constrained delegation
3870 # fails if the sname doesn’t match.
3871 self
._tgs
_req
(service_tgt
, KDC_ERR_BADOPTION
,
3872 service_creds
, target_creds
,
3874 kdc_options
=kdc_options
,
3875 additional_ticket
=client_service_tkt
,
3876 decryption_key
=target_decryption_key
,
3877 expect_edata
=self
.expect_padata_outer
,
3878 check_patypes
=False)
3880 def test_authn_policy_allowed_to_user_allow_rbcd(self
):
3881 samdb
= self
.get_samdb()
3882 functional_level
= self
.get_domain_functional_level(samdb
)
3884 if functional_level
< dsdb
.DS_DOMAIN_FUNCTION_2008
:
3885 self
.skipTest('RBCD requires FL2008')
3887 client_creds
= self
.get_cached_creds(
3888 account_type
=self
.AccountType
.USER
)
3889 client_dn
= client_creds
.get_dn()
3890 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3892 client_username
= client_creds
.get_username()
3893 client_cname
= self
.PrincipalName_create(name_type
=NT_PRINCIPAL
,
3894 names
=[client_username
])
3896 client_tkt_options
= 'forwardable'
3897 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
3899 client_tgt
= self
.get_tgt(client_creds
,
3900 kdc_options
=client_tkt_options
,
3901 expected_flags
=expected_flags
)
3903 # Create a machine account with which to perform FAST.
3904 mach_creds
= self
.get_cached_creds(
3905 account_type
=self
.AccountType
.COMPUTER
)
3906 mach_tgt
= self
.get_tgt(mach_creds
)
3908 service_creds
= self
.get_cached_creds(
3909 account_type
=self
.AccountType
.COMPUTER
,
3911 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
3912 service_tgt
= self
.get_tgt(service_creds
)
3914 # Create an authentication policy that applies to a computer and
3915 # explicitly allows the service account to obtain a service ticket,
3916 # while denying the user.
3917 allowed
= f
'O:SYD:(A;;CR;;;{service_sid})(D;;CR;;;{client_sid})'
3918 policy_id
= self
.get_new_username()
3919 policy
= self
.create_authn_policy(policy_id
,
3921 computer_allowed_to
=allowed
)
3923 # Create a target account with the assigned policy.
3924 target_creds
= self
.get_cached_creds(
3925 account_type
=self
.AccountType
.COMPUTER
,
3927 'assigned_policy': str(policy
),
3928 'delegation_from_dn': str(service_creds
.get_dn()),
3931 client_service_tkt
= self
.get_service_ticket(
3934 kdc_options
=client_tkt_options
,
3935 expected_flags
=expected_flags
)
3937 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
3939 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
3941 target_etypes
= target_creds
.tgs_supported_enctypes
3943 service_name
= service_creds
.get_username()
3944 if service_name
[-1] == '$':
3945 service_name
= service_name
[:-1]
3946 expected_transited_services
= [
3947 f
'host/{service_name}@{service_creds.get_realm()}'
3950 # Show that obtaining a service ticket with RBCD is allowed.
3951 self
._tgs
_req
(service_tgt
, 0, service_creds
, target_creds
,
3953 kdc_options
=kdc_options
,
3954 pac_options
='1001', # supports claims, RBCD
3955 expected_cname
=client_cname
,
3956 expected_account_name
=client_username
,
3957 additional_ticket
=client_service_tkt
,
3958 decryption_key
=target_decryption_key
,
3959 expected_sid
=client_sid
,
3960 expected_supported_etypes
=target_etypes
,
3961 expected_proxy_target
=target_creds
.get_spn(),
3962 expected_transited_services
=expected_transited_services
)
3964 def test_authn_policy_allowed_to_user_deny_rbcd(self
):
3965 samdb
= self
.get_samdb()
3966 functional_level
= self
.get_domain_functional_level(samdb
)
3968 if functional_level
< dsdb
.DS_DOMAIN_FUNCTION_2008
:
3969 self
.skipTest('RBCD requires FL2008')
3971 client_creds
= self
.get_cached_creds(
3972 account_type
=self
.AccountType
.USER
)
3973 client_dn
= client_creds
.get_dn()
3974 client_sid
= self
.get_objectSid(samdb
, client_dn
)
3976 client_tkt_options
= 'forwardable'
3977 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
3979 client_tgt
= self
.get_tgt(client_creds
,
3980 kdc_options
=client_tkt_options
,
3981 expected_flags
=expected_flags
)
3983 # Create a machine account with which to perform FAST.
3984 mach_creds
= self
.get_cached_creds(
3985 account_type
=self
.AccountType
.COMPUTER
)
3986 mach_tgt
= self
.get_tgt(mach_creds
)
3988 service_creds
= self
.get_cached_creds(
3989 account_type
=self
.AccountType
.COMPUTER
,
3991 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
3992 service_tgt
= self
.get_tgt(service_creds
)
3994 # Create an authentication policy that applies to a computer and
3995 # explicitly denies the service account to obtain a service ticket,
3996 # while allowing the user.
3997 denied
= f
'O:SYD:(D;;CR;;;{service_sid})(A;;CR;;;{client_sid})'
3998 policy_id
= self
.get_new_username()
3999 policy
= self
.create_authn_policy(policy_id
,
4001 computer_allowed_to
=denied
)
4003 # Create a target account with the assigned policy.
4004 target_creds
= self
.get_cached_creds(
4005 account_type
=self
.AccountType
.COMPUTER
,
4007 'assigned_policy': str(policy
),
4008 'delegation_from_dn': str(service_creds
.get_dn()),
4011 client_service_tkt
= self
.get_service_ticket(
4014 kdc_options
=client_tkt_options
,
4015 expected_flags
=expected_flags
)
4017 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4019 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
4022 # Show that obtaining a service ticket with RBCD is not allowed.
4023 self
._tgs
_req
(service_tgt
, KDC_ERR_POLICY
, service_creds
, target_creds
,
4025 kdc_options
=kdc_options
,
4026 pac_options
='1001', # supports claims, RBCD
4027 additional_ticket
=client_service_tkt
,
4028 decryption_key
=target_decryption_key
,
4029 expect_edata
=self
.expect_padata_outer
,
4030 check_patypes
=False)
4032 def test_authn_policy_allowed_to_user_allow_rbcd_wrong_sname(self
):
4033 samdb
= self
.get_samdb()
4034 functional_level
= self
.get_domain_functional_level(samdb
)
4036 if functional_level
< dsdb
.DS_DOMAIN_FUNCTION_2008
:
4037 self
.skipTest('RBCD requires FL2008')
4039 client_creds
= self
.get_cached_creds(
4040 account_type
=self
.AccountType
.USER
,
4043 client_tkt_options
= 'forwardable'
4044 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
4046 client_tgt
= self
.get_tgt(client_creds
,
4047 kdc_options
=client_tkt_options
,
4048 expected_flags
=expected_flags
)
4050 # Create a machine account with which to perform FAST.
4051 mach_creds
= self
.get_cached_creds(
4052 account_type
=self
.AccountType
.COMPUTER
)
4053 mach_tgt
= self
.get_tgt(mach_creds
)
4055 service_creds
= self
.get_cached_creds(
4056 account_type
=self
.AccountType
.COMPUTER
,
4058 service_tgt
= self
.get_tgt(service_creds
)
4060 # Create a target account with the assigned policy.
4061 target_creds
= self
.get_cached_creds(
4062 account_type
=self
.AccountType
.COMPUTER
,
4064 'delegation_from_dn': str(service_creds
.get_dn()),
4067 client_service_tkt
= self
.get_service_ticket(
4070 kdc_options
=client_tkt_options
,
4071 expected_flags
=expected_flags
,
4073 # Change the ‘sname’ of the ticket to an incorrect value.
4074 client_service_tkt
.set_sname(self
.get_krbtgt_sname())
4076 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4078 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
4081 # Show that obtaining a service ticket with RBCD fails if the sname
4083 self
._tgs
_req
(service_tgt
, KDC_ERR_BADOPTION
,
4084 service_creds
, target_creds
,
4086 kdc_options
=kdc_options
,
4087 pac_options
='1001', # supports claims, RBCD
4088 additional_ticket
=client_service_tkt
,
4089 decryption_key
=target_decryption_key
,
4090 expect_edata
=self
.expect_padata_outer
,
4091 check_patypes
=False)
4093 def test_authn_policy_allowed_to_user_allow_constrained_delegation_to_self(self
):
4094 samdb
= self
.get_samdb()
4096 client_creds
= self
.get_cached_creds(
4097 account_type
=self
.AccountType
.USER
)
4098 client_dn
= client_creds
.get_dn()
4099 client_sid
= self
.get_objectSid(samdb
, client_dn
)
4101 client_username
= client_creds
.get_username()
4102 client_cname
= self
.PrincipalName_create(name_type
=NT_PRINCIPAL
,
4103 names
=[client_username
])
4105 client_tkt_options
= 'forwardable'
4106 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
4108 client_tgt
= self
.get_tgt(client_creds
,
4109 kdc_options
=client_tkt_options
,
4110 expected_flags
=expected_flags
)
4112 # Create a machine account with which to perform FAST.
4113 mach_creds
= self
.get_cached_creds(
4114 account_type
=self
.AccountType
.COMPUTER
)
4115 mach_tgt
= self
.get_tgt(mach_creds
)
4117 # Create a service account.
4118 service_creds
= self
.get_cached_creds(
4119 account_type
=self
.AccountType
.COMPUTER
,
4122 service_dn_str
= str(service_creds
.get_dn())
4123 service_spn
= service_creds
.get_spn()
4124 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
4125 service_tgt
= self
.get_tgt(service_creds
)
4127 # Allow delegation to ourselves.
4128 self
.add_attribute(samdb
, service_dn_str
,
4129 'msDS-AllowedToDelegateTo', service_spn
)
4131 # Create an authentication policy that applies to a computer and
4132 # explicitly allows the client account to obtain a service ticket,
4133 # while denying the service.
4134 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})(D;;CR;;;{service_sid})'
4135 policy_id
= self
.get_new_username()
4136 policy
= self
.create_authn_policy(policy_id
,
4138 computer_allowed_to
=allowed
)
4140 # Assign the policy to the service account.
4141 self
.add_attribute(samdb
, service_dn_str
,
4142 'msDS-AssignedAuthNPolicy', str(policy
))
4144 client_service_tkt
= self
.get_service_ticket(
4147 kdc_options
=client_tkt_options
,
4148 expected_flags
=expected_flags
)
4150 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4152 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
4154 target_etypes
= service_creds
.tgs_supported_enctypes
4156 service_name
= service_creds
.get_username()
4157 if service_name
[-1] == '$':
4158 service_name
= service_name
[:-1]
4159 expected_transited_services
= [
4160 f
'host/{service_name}@{service_creds.get_realm()}'
4163 # Show that obtaining a service ticket to ourselves with constrained
4164 # delegation is allowed.
4165 self
._tgs
_req
(service_tgt
, 0, service_creds
, service_creds
,
4167 kdc_options
=kdc_options
,
4168 expected_cname
=client_cname
,
4169 expected_account_name
=client_username
,
4170 additional_ticket
=client_service_tkt
,
4171 decryption_key
=target_decryption_key
,
4172 expected_sid
=client_sid
,
4173 expected_supported_etypes
=target_etypes
,
4174 expected_proxy_target
=service_spn
,
4175 expected_transited_services
=expected_transited_services
)
4177 def test_authn_policy_allowed_to_user_deny_constrained_delegation_to_self(self
):
4178 samdb
= self
.get_samdb()
4180 client_creds
= self
.get_cached_creds(
4181 account_type
=self
.AccountType
.USER
)
4182 client_dn
= client_creds
.get_dn()
4183 client_sid
= self
.get_objectSid(samdb
, client_dn
)
4185 client_username
= client_creds
.get_username()
4186 client_cname
= self
.PrincipalName_create(name_type
=NT_PRINCIPAL
,
4187 names
=[client_username
])
4189 client_tkt_options
= 'forwardable'
4190 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
4192 client_tgt
= self
.get_tgt(client_creds
,
4193 kdc_options
=client_tkt_options
,
4194 expected_flags
=expected_flags
)
4196 # Create a machine account with which to perform FAST.
4197 mach_creds
= self
.get_cached_creds(
4198 account_type
=self
.AccountType
.COMPUTER
)
4199 mach_tgt
= self
.get_tgt(mach_creds
)
4201 # Create a service account.
4202 service_creds
= self
.get_cached_creds(
4203 account_type
=self
.AccountType
.COMPUTER
,
4206 service_dn_str
= str(service_creds
.get_dn())
4207 service_spn
= service_creds
.get_spn()
4208 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
4209 service_tgt
= self
.get_tgt(service_creds
)
4211 # Allow delegation to ourselves.
4212 self
.add_attribute(samdb
, service_dn_str
,
4213 'msDS-AllowedToDelegateTo', service_spn
)
4215 client_service_tkt
= self
.get_service_ticket(
4218 kdc_options
=client_tkt_options
,
4219 expected_flags
=expected_flags
)
4221 # Create an authentication policy that applies to a computer and
4222 # explicitly denies the client account to obtain a service ticket,
4223 # while allowing the service.
4224 allowed
= f
'O:SYD:(D;;CR;;;{client_sid})(A;;CR;;;{service_sid})'
4225 policy_id
= self
.get_new_username()
4226 policy
= self
.create_authn_policy(policy_id
,
4228 computer_allowed_to
=allowed
)
4230 # Assign the policy to the service account.
4231 self
.add_attribute(samdb
, service_dn_str
,
4232 'msDS-AssignedAuthNPolicy', str(policy
))
4234 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4236 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
4238 target_etypes
= service_creds
.tgs_supported_enctypes
4240 service_name
= service_creds
.get_username()
4241 if service_name
[-1] == '$':
4242 service_name
= service_name
[:-1]
4243 expected_transited_services
= [
4244 f
'host/{service_name}@{service_creds.get_realm()}'
4247 # Show that obtaining a service ticket to ourselves with constrained
4248 # delegation is allowed, despite the policy’s disallowing it.
4249 self
._tgs
_req
(service_tgt
, 0, service_creds
, service_creds
,
4251 kdc_options
=kdc_options
,
4252 expected_cname
=client_cname
,
4253 expected_account_name
=client_username
,
4254 additional_ticket
=client_service_tkt
,
4255 decryption_key
=target_decryption_key
,
4256 expected_sid
=client_sid
,
4257 expected_supported_etypes
=target_etypes
,
4258 expected_proxy_target
=service_spn
,
4259 expected_transited_services
=expected_transited_services
)
4261 def test_authn_policy_allowed_to_user_not_allowed_constrained_delegation_to_self(self
):
4262 samdb
= self
.get_samdb()
4264 client_creds
= self
.get_cached_creds(
4265 account_type
=self
.AccountType
.USER
)
4266 client_dn
= client_creds
.get_dn()
4267 client_sid
= self
.get_objectSid(samdb
, client_dn
)
4269 client_tkt_options
= 'forwardable'
4270 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
4272 client_tgt
= self
.get_tgt(client_creds
,
4273 kdc_options
=client_tkt_options
,
4274 expected_flags
=expected_flags
)
4276 # Create a machine account with which to perform FAST.
4277 mach_creds
= self
.get_cached_creds(
4278 account_type
=self
.AccountType
.COMPUTER
)
4279 mach_tgt
= self
.get_tgt(mach_creds
)
4281 # Create a service account.
4282 service_creds
= self
.get_cached_creds(
4283 account_type
=self
.AccountType
.COMPUTER
,
4286 service_dn_str
= str(service_creds
.get_dn())
4287 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
4288 service_tgt
= self
.get_tgt(service_creds
)
4290 # Don’t set msDS-AllowedToDelegateTo.
4292 # Create an authentication policy that applies to a computer and
4293 # explicitly allows the client account to obtain a service ticket,
4294 # while denying the service.
4295 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})(D;;CR;;;{service_sid})'
4296 policy_id
= self
.get_new_username()
4297 policy
= self
.create_authn_policy(policy_id
,
4299 computer_allowed_to
=allowed
)
4301 # Assign the policy to the service account.
4302 self
.add_attribute(samdb
, service_dn_str
,
4303 'msDS-AssignedAuthNPolicy', str(policy
))
4305 client_service_tkt
= self
.get_service_ticket(
4308 kdc_options
=client_tkt_options
,
4309 expected_flags
=expected_flags
)
4311 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4313 target_decryption_key
= self
.TicketDecryptionKey_from_creds(
4316 # Show that obtaining a service ticket to ourselves with constrained
4317 # delegation is not allowed without msDS-AllowedToDelegateTo.
4318 self
._tgs
_req
(service_tgt
, KDC_ERR_BADOPTION
,
4319 service_creds
, service_creds
,
4321 kdc_options
=kdc_options
,
4322 additional_ticket
=client_service_tkt
,
4323 decryption_key
=target_decryption_key
,
4324 expect_edata
=self
.expect_padata_outer
,
4325 check_patypes
=False)
4327 def test_authn_policy_allowed_to_user_allow_rbcd_to_self(self
):
4328 samdb
= self
.get_samdb()
4329 functional_level
= self
.get_domain_functional_level(samdb
)
4331 if functional_level
< dsdb
.DS_DOMAIN_FUNCTION_2008
:
4332 self
.skipTest('RBCD requires FL2008')
4334 client_creds
= self
.get_cached_creds(
4335 account_type
=self
.AccountType
.USER
)
4336 client_dn
= client_creds
.get_dn()
4337 client_sid
= self
.get_objectSid(samdb
, client_dn
)
4339 client_username
= client_creds
.get_username()
4340 client_cname
= self
.PrincipalName_create(name_type
=NT_PRINCIPAL
,
4341 names
=[client_username
])
4343 client_tkt_options
= 'forwardable'
4344 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
4346 client_tgt
= self
.get_tgt(client_creds
,
4347 kdc_options
=client_tkt_options
,
4348 expected_flags
=expected_flags
)
4350 # Create a machine account with which to perform FAST.
4351 mach_creds
= self
.get_cached_creds(
4352 account_type
=self
.AccountType
.COMPUTER
)
4353 mach_tgt
= self
.get_tgt(mach_creds
)
4355 # Create a service account allowed to delegate to itself. We can’t use
4356 # a more specific ACE containing the account’s SID (obtained
4357 # post-creation) as Samba (unlike Windows) won’t let us modify
4358 # msDS-AllowedToActOnBehalfOfOtherIdentity without being System.
4359 domain_sid
= security
.dom_sid(samdb
.get_domain_sid())
4360 security_descriptor
= security
.descriptor
.from_sddl(
4361 'O:BAD:(A;;CR;;;WD)', domain_sid
)
4362 service_creds
= self
.get_cached_creds(
4363 account_type
=self
.AccountType
.COMPUTER
,
4364 opts
={'delegation_from_dn': ndr_pack(security_descriptor
)},
4366 service_dn_str
= str(service_creds
.get_dn())
4367 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
4368 service_tgt
= self
.get_tgt(service_creds
)
4370 # Create an authentication policy that applies to a computer and
4371 # explicitly allows the client account to obtain a service ticket,
4372 # while denying the service.
4373 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})(D;;CR;;;{service_sid})'
4374 policy_id
= self
.get_new_username()
4375 policy
= self
.create_authn_policy(policy_id
,
4377 computer_allowed_to
=allowed
)
4379 # Assign the policy to the service account.
4380 self
.add_attribute(samdb
, service_dn_str
,
4381 'msDS-AssignedAuthNPolicy', str(policy
))
4383 client_service_tkt
= self
.get_service_ticket(
4386 kdc_options
=client_tkt_options
,
4387 expected_flags
=expected_flags
)
4389 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4391 service_decryption_key
= self
.TicketDecryptionKey_from_creds(
4393 service_etypes
= service_creds
.tgs_supported_enctypes
4395 service_name
= service_creds
.get_username()
4396 if service_name
[-1] == '$':
4397 service_name
= service_name
[:-1]
4398 expected_transited_services
= [
4399 f
'host/{service_name}@{service_creds.get_realm()}'
4402 # Show that obtaining a service ticket to ourselves with RBCD is
4404 self
._tgs
_req
(service_tgt
, 0, service_creds
, service_creds
,
4406 kdc_options
=kdc_options
,
4407 pac_options
='1001', # supports claims, RBCD
4408 expected_cname
=client_cname
,
4409 expected_account_name
=client_username
,
4410 additional_ticket
=client_service_tkt
,
4411 decryption_key
=service_decryption_key
,
4412 expected_sid
=client_sid
,
4413 expected_supported_etypes
=service_etypes
,
4414 expected_proxy_target
=service_creds
.get_spn(),
4415 expected_transited_services
=expected_transited_services
)
4417 def test_authn_policy_allowed_to_user_deny_rbcd_to_self(self
):
4418 samdb
= self
.get_samdb()
4419 functional_level
= self
.get_domain_functional_level(samdb
)
4421 if functional_level
< dsdb
.DS_DOMAIN_FUNCTION_2008
:
4422 self
.skipTest('RBCD requires FL2008')
4424 client_creds
= self
.get_cached_creds(
4425 account_type
=self
.AccountType
.USER
)
4426 client_dn
= client_creds
.get_dn()
4427 client_sid
= self
.get_objectSid(samdb
, client_dn
)
4429 client_username
= client_creds
.get_username()
4430 client_cname
= self
.PrincipalName_create(name_type
=NT_PRINCIPAL
,
4431 names
=[client_username
])
4433 client_tkt_options
= 'forwardable'
4434 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
4436 client_tgt
= self
.get_tgt(client_creds
,
4437 kdc_options
=client_tkt_options
,
4438 expected_flags
=expected_flags
)
4440 # Create a machine account with which to perform FAST.
4441 mach_creds
= self
.get_cached_creds(
4442 account_type
=self
.AccountType
.COMPUTER
)
4443 mach_tgt
= self
.get_tgt(mach_creds
)
4445 # Create a service account allowed to delegate to itself. We can’t use
4446 # a more specific ACE containing the account’s SID (obtained
4447 # post-creation) as Samba (unlike Windows) won’t let us modify
4448 # msDS-AllowedToActOnBehalfOfOtherIdentity without being System.
4449 domain_sid
= security
.dom_sid(samdb
.get_domain_sid())
4450 security_descriptor
= security
.descriptor
.from_sddl(
4451 'O:BAD:(A;;CR;;;WD)', domain_sid
)
4452 service_creds
= self
.get_cached_creds(
4453 account_type
=self
.AccountType
.COMPUTER
,
4454 opts
={'delegation_from_dn': ndr_pack(security_descriptor
)},
4456 service_dn_str
= str(service_creds
.get_dn())
4457 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
4458 service_tgt
= self
.get_tgt(service_creds
)
4460 client_service_tkt
= self
.get_service_ticket(
4463 kdc_options
=client_tkt_options
,
4464 expected_flags
=expected_flags
)
4466 # Create an authentication policy that applies to a computer and
4467 # explicitly denies the client account to obtain a service ticket,
4468 # while allowing the service.
4469 allowed
= f
'O:SYD:(D;;CR;;;{client_sid})(A;;CR;;;{service_sid})'
4470 policy_id
= self
.get_new_username()
4471 policy
= self
.create_authn_policy(policy_id
,
4473 computer_allowed_to
=allowed
)
4475 # Assign the policy to the service account.
4476 self
.add_attribute(samdb
, service_dn_str
,
4477 'msDS-AssignedAuthNPolicy', str(policy
))
4479 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4481 service_decryption_key
= self
.TicketDecryptionKey_from_creds(
4483 service_etypes
= service_creds
.tgs_supported_enctypes
4485 service_name
= service_creds
.get_username()
4486 if service_name
[-1] == '$':
4487 service_name
= service_name
[:-1]
4488 expected_transited_services
= [
4489 f
'host/{service_name}@{service_creds.get_realm()}'
4492 # Show that obtaining a service ticket to ourselves with RBCD is
4493 # allowed, despite the policy’s disallowing it.
4494 self
._tgs
_req
(service_tgt
, 0, service_creds
, service_creds
,
4496 kdc_options
=kdc_options
,
4497 pac_options
='1001', # supports claims, RBCD
4498 expected_cname
=client_cname
,
4499 expected_account_name
=client_username
,
4500 additional_ticket
=client_service_tkt
,
4501 decryption_key
=service_decryption_key
,
4502 expected_sid
=client_sid
,
4503 expected_supported_etypes
=service_etypes
,
4504 expected_proxy_target
=service_creds
.get_spn(),
4505 expected_transited_services
=expected_transited_services
)
4507 def test_authn_policy_allowed_to_user_not_allowed_rbcd_to_self(self
):
4508 samdb
= self
.get_samdb()
4509 functional_level
= self
.get_domain_functional_level(samdb
)
4511 if functional_level
< dsdb
.DS_DOMAIN_FUNCTION_2008
:
4512 self
.skipTest('RBCD requires FL2008')
4514 client_creds
= self
.get_cached_creds(
4515 account_type
=self
.AccountType
.USER
)
4516 client_dn
= client_creds
.get_dn()
4517 client_sid
= self
.get_objectSid(samdb
, client_dn
)
4519 client_tkt_options
= 'forwardable'
4520 expected_flags
= krb5_asn1
.TicketFlags(client_tkt_options
)
4522 client_tgt
= self
.get_tgt(client_creds
,
4523 kdc_options
=client_tkt_options
,
4524 expected_flags
=expected_flags
)
4526 # Create a machine account with which to perform FAST.
4527 mach_creds
= self
.get_cached_creds(
4528 account_type
=self
.AccountType
.COMPUTER
)
4529 mach_tgt
= self
.get_tgt(mach_creds
)
4531 # Create a service account.
4532 service_creds
= self
.get_cached_creds(
4533 account_type
=self
.AccountType
.COMPUTER
,
4536 service_dn_str
= str(service_creds
.get_dn())
4537 service_sid
= self
.get_objectSid(samdb
, service_creds
.get_dn())
4538 service_tgt
= self
.get_tgt(service_creds
)
4540 # Don’t set msDS-AllowedToActOnBehalfOfOtherIdentity.
4542 # Create an authentication policy that applies to a computer and
4543 # explicitly allows the client account to obtain a service ticket,
4544 # while denying the service.
4545 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})(D;;CR;;;{service_sid})'
4546 policy_id
= self
.get_new_username()
4547 policy
= self
.create_authn_policy(policy_id
,
4549 computer_allowed_to
=allowed
)
4551 # Assign the policy to the service account.
4552 self
.add_attribute(samdb
, service_dn_str
,
4553 'msDS-AssignedAuthNPolicy', str(policy
))
4555 client_service_tkt
= self
.get_service_ticket(
4558 kdc_options
=client_tkt_options
,
4559 expected_flags
=expected_flags
)
4561 kdc_options
= str(krb5_asn1
.KDCOptions('cname-in-addl-tkt'))
4563 service_decryption_key
= self
.TicketDecryptionKey_from_creds(
4566 # Show that obtaining a service ticket to ourselves with RBCD
4567 # is not allowed without msDS-AllowedToActOnBehalfOfOtherIdentity.
4568 self
._tgs
_req
(service_tgt
, KDC_ERR_BADOPTION
,
4569 service_creds
, service_creds
,
4571 kdc_options
=kdc_options
,
4572 pac_options
='1001', # supports claims, RBCD
4573 additional_ticket
=client_service_tkt
,
4574 decryption_key
=service_decryption_key
,
4575 expect_edata
=self
.expect_padata_outer
,
4576 check_patypes
=False)
4578 def test_authn_policy_allowed_to_computer_allow_user2user(self
):
4579 samdb
= self
.get_samdb()
4581 # Create a machine account with which to perform FAST.
4582 mach_creds
= self
.get_cached_creds(
4583 account_type
=self
.AccountType
.COMPUTER
)
4584 mach_tgt
= self
.get_tgt(mach_creds
)
4586 client_creds
= self
.get_mach_creds()
4587 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
4588 client_tgt
= self
.get_tgt(client_creds
)
4590 # Create an authentication policy that applies to a computer and
4591 # explicitly allows the user account to obtain a service ticket.
4592 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
4593 policy_id
= self
.get_new_username()
4594 policy
= self
.create_authn_policy(policy_id
,
4596 computer_allowed_to
=allowed
)
4598 # Create a computer account with the assigned policy.
4599 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
4600 assigned_policy
=policy
)
4601 target_tgt
= self
._get
_tgt
(target_creds
)
4603 kdc_options
= str(krb5_asn1
.KDCOptions('enc-tkt-in-skey'))
4605 # Show that obtaining a service ticket with user-to-user is allowed.
4606 self
._tgs
_req
(client_tgt
, 0, client_creds
, target_creds
,
4608 kdc_options
=kdc_options
,
4609 additional_ticket
=target_tgt
)
4611 def test_authn_policy_allowed_to_computer_deny_user2user(self
):
4612 samdb
= self
.get_samdb()
4614 # Create a machine account with which to perform FAST.
4615 mach_creds
= self
.get_cached_creds(
4616 account_type
=self
.AccountType
.COMPUTER
)
4617 mach_tgt
= self
.get_tgt(mach_creds
)
4619 client_creds
= self
.get_mach_creds()
4620 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
4621 client_tgt
= self
.get_tgt(client_creds
)
4623 # Create an authentication policy that applies to a computer and
4624 # explicitly denies the user account to obtain a service ticket.
4625 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
4626 policy_id
= self
.get_new_username()
4627 policy
= self
.create_authn_policy(policy_id
,
4629 computer_allowed_to
=denied
)
4631 # Create a computer account with the assigned policy.
4632 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
4633 assigned_policy
=policy
)
4634 target_tgt
= self
._get
_tgt
(target_creds
)
4636 kdc_options
= str(krb5_asn1
.KDCOptions('enc-tkt-in-skey'))
4638 # Show that obtaining a service ticket with user-to-user is not
4641 client_tgt
, KDC_ERR_POLICY
, client_creds
, target_creds
,
4643 kdc_options
=kdc_options
,
4644 additional_ticket
=target_tgt
,
4645 expect_edata
=self
.expect_padata_outer
,
4646 # We aren’t particular about whether or not we get an NTSTATUS.
4648 expected_status
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
,
4649 check_patypes
=False)
4651 def test_authn_policy_allowed_to_user_derived_class_allow(self
):
4652 samdb
= self
.get_samdb()
4654 # Create a machine account with which to perform FAST.
4655 mach_creds
= self
.get_cached_creds(
4656 account_type
=self
.AccountType
.COMPUTER
)
4657 mach_tgt
= self
.get_tgt(mach_creds
)
4659 # Create a user account.
4660 client_creds
= self
.get_cached_creds(
4661 account_type
=self
.AccountType
.USER
)
4662 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
4663 tgt
= self
.get_tgt(client_creds
)
4665 # Create an authentication policy that applies to a user and explicitly
4666 # allows the user account to obtain a service ticket.
4667 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
4668 denied
= 'O:SYD:(D;;CR;;;WD)'
4669 policy_id
= self
.get_new_username()
4670 policy
= self
.create_authn_policy(policy_id
,
4672 user_allowed_to
=allowed
,
4673 computer_allowed_to
=denied
,
4674 service_allowed_to
=denied
)
4676 # Create a schema class derived from ‘user’.
4677 class_id
= random
.randint(0, 100000000)
4678 user_class_cn
= f
'my-User-Class-{class_id}'
4679 user_class
= user_class_cn
.replace('-', '')
4680 class_dn
= samdb
.get_schema_basedn()
4681 class_dn
.add_child(f
'CN={user_class_cn}')
4682 governs_id
= f
'1.3.6.1.4.1.7165.4.6.2.9.{class_id}'
4686 'objectClass': 'classSchema',
4687 'subClassOf': 'user',
4688 'governsId': governs_id
,
4689 'lDAPDisplayName': user_class
,
4692 # Create an account derived from ‘user’ with the assigned policy.
4693 target_name
= self
.get_new_username()
4694 target_creds
, target_dn
= self
.create_account(
4696 account_type
=self
.AccountType
.USER
,
4697 spn
='host/{account}',
4698 additional_details
={
4699 'msDS-AssignedAuthNPolicy': str(policy
),
4700 'objectClass': user_class
,
4703 keys
= self
.get_keys(target_creds
)
4704 self
.creds_set_keys(target_creds
, keys
)
4706 # Show that obtaining a service ticket is allowed.
4707 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
4710 def test_authn_policy_allowed_to_computer_derived_class_allow(self
):
4711 samdb
= self
.get_samdb()
4713 # Create a machine account with which to perform FAST.
4714 mach_creds
= self
.get_cached_creds(
4715 account_type
=self
.AccountType
.COMPUTER
)
4716 mach_tgt
= self
.get_tgt(mach_creds
)
4718 # Create a user account.
4719 client_creds
= self
.get_cached_creds(
4720 account_type
=self
.AccountType
.USER
)
4721 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
4722 tgt
= self
.get_tgt(client_creds
)
4724 # Create an authentication policy that applies to a computer and
4725 # explicitly allows the user account to obtain a service ticket.
4726 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
4727 denied
= 'O:SYD:(D;;CR;;;WD)'
4728 policy_id
= self
.get_new_username()
4729 policy
= self
.create_authn_policy(policy_id
,
4731 user_allowed_to
=denied
,
4732 computer_allowed_to
=allowed
,
4733 service_allowed_to
=denied
)
4735 # Create a schema class derived from ‘computer’.
4736 class_id
= random
.randint(0, 100000000)
4737 computer_class_cn
= f
'my-Computer-Class-{class_id}'
4738 computer_class
= computer_class_cn
.replace('-', '')
4739 class_dn
= samdb
.get_schema_basedn()
4740 class_dn
.add_child(f
'CN={computer_class_cn}')
4741 governs_id
= f
'1.3.6.1.4.1.7165.4.6.2.9.{class_id}'
4745 'objectClass': 'classSchema',
4746 'subClassOf': 'computer',
4747 'governsId': governs_id
,
4748 'lDAPDisplayName': computer_class
,
4751 # Create an account derived from ‘computer’ with the assigned policy.
4752 target_name
= self
.get_new_username()
4753 target_creds
, target_dn
= self
.create_account(
4755 account_type
=self
.AccountType
.COMPUTER
,
4756 spn
=f
'host/{target_name}',
4757 additional_details
={
4758 'msDS-AssignedAuthNPolicy': str(policy
),
4759 'objectClass': computer_class
,
4762 keys
= self
.get_keys(target_creds
)
4763 self
.creds_set_keys(target_creds
, keys
)
4765 # Show that obtaining a service ticket is allowed.
4766 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
4769 def test_authn_policy_allowed_to_service_derived_class_allow(self
):
4770 samdb
= self
.get_samdb()
4772 # Create a machine account with which to perform FAST.
4773 mach_creds
= self
.get_cached_creds(
4774 account_type
=self
.AccountType
.COMPUTER
)
4775 mach_tgt
= self
.get_tgt(mach_creds
)
4777 # Create a user account.
4778 client_creds
= self
.get_cached_creds(
4779 account_type
=self
.AccountType
.USER
)
4780 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
4781 tgt
= self
.get_tgt(client_creds
)
4783 # Create an authentication policy that applies to a managed service and
4784 # explicitly allows the user account to obtain a service ticket.
4785 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
4786 denied
= 'O:SYD:(D;;CR;;;WD)'
4787 policy_id
= self
.get_new_username()
4788 policy
= self
.create_authn_policy(policy_id
,
4790 user_allowed_to
=denied
,
4791 computer_allowed_to
=denied
,
4792 service_allowed_to
=allowed
)
4794 # Create a schema class derived from ‘msDS-ManagedServiceAccount’.
4795 class_id
= random
.randint(0, 100000000)
4796 service_class_cn
= f
'my-Managed-Service-Class-{class_id}'
4797 service_class
= service_class_cn
.replace('-', '')
4798 class_dn
= samdb
.get_schema_basedn()
4799 class_dn
.add_child(f
'CN={service_class_cn}')
4800 governs_id
= f
'1.3.6.1.4.1.7165.4.6.2.9.{class_id}'
4804 'objectClass': 'classSchema',
4805 'subClassOf': 'msDS-ManagedServiceAccount',
4806 'governsId': governs_id
,
4807 'lDAPDisplayName': service_class
,
4810 # Create an account derived from ‘msDS-ManagedServiceAccount’ with the
4812 target_name
= self
.get_new_username()
4813 target_creds
, target_dn
= self
.create_account(
4815 account_type
=self
.AccountType
.MANAGED_SERVICE
,
4816 spn
=f
'host/{target_name}',
4817 additional_details
={
4818 'msDS-AssignedAuthNPolicy': str(policy
),
4819 'objectClass': service_class
,
4822 # Show that obtaining a service ticket is allowed.
4823 self
._tgs
_req
(tgt
, 0, client_creds
, target_creds
,
4826 def test_authn_policy_ntlm_allow_user(self
):
4827 # Create an authentication policy allowing NTLM authentication for
4829 allowed
= 'O:SYD:(A;;CR;;;WD)'
4830 policy_id
= self
.get_new_username()
4831 policy
= self
.create_authn_policy(policy_id
,
4833 user_allowed_ntlm
=True,
4834 user_allowed_from
=allowed
,
4835 service_allowed_ntlm
=False,
4836 service_allowed_from
=allowed
)
4838 # Create a user account with the assigned policy.
4839 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
4840 assigned_policy
=policy
,
4843 # Show that NTLM authentication succeeds.
4844 self
._connect
(client_creds
, simple_bind
=False)
4846 def test_authn_policy_ntlm_deny_user(self
):
4847 # Create an authentication policy denying NTLM authentication for
4849 allowed
= 'O:SYD:(A;;CR;;;WD)'
4850 policy_id
= self
.get_new_username()
4851 policy
= self
.create_authn_policy(policy_id
,
4853 user_allowed_ntlm
=False,
4854 user_allowed_from
=allowed
,
4855 service_allowed_ntlm
=True,
4856 service_allowed_from
=allowed
)
4858 # Create a user account with the assigned policy.
4859 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
4860 assigned_policy
=policy
,
4863 # Show that NTLM authentication fails.
4864 self
._connect
(client_creds
, simple_bind
=False,
4865 expect_error
=f
'{HRES_SEC_E_LOGON_DENIED:08X}')
4867 def test_authn_policy_ntlm_computer(self
):
4868 # Create an authentication policy denying NTLM authentication.
4869 denied
= 'O:SYD:(D;;CR;;;WD)'
4870 policy_id
= self
.get_new_username()
4871 policy
= self
.create_authn_policy(policy_id
,
4873 user_allowed_ntlm
=False,
4874 user_allowed_from
=denied
,
4875 service_allowed_ntlm
=False,
4876 service_allowed_from
=denied
)
4878 # Create a computer account with the assigned policy.
4879 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
4880 assigned_policy
=policy
,
4883 # Show that NTLM authentication succeeds.
4884 self
._connect
(client_creds
, simple_bind
=False)
4886 def test_authn_policy_ntlm_allow_service(self
):
4887 # Create an authentication policy allowing NTLM authentication for
4889 allowed
= 'O:SYD:(A;;CR;;;WD)'
4890 policy_id
= self
.get_new_username()
4891 policy
= self
.create_authn_policy(policy_id
,
4893 user_allowed_ntlm
=False,
4894 user_allowed_from
=allowed
,
4895 service_allowed_ntlm
=True,
4896 service_allowed_from
=allowed
)
4898 # Create a managed service account with the assigned policy.
4899 client_creds
= self
._get
_creds
(
4900 account_type
=self
.AccountType
.MANAGED_SERVICE
,
4901 assigned_policy
=policy
,
4904 # Show that NTLM authentication succeeds.
4905 self
._connect
(client_creds
, simple_bind
=False)
4907 def test_authn_policy_ntlm_deny_service(self
):
4908 # Create an authentication policy denying NTLM authentication for
4910 allowed
= 'O:SYD:(A;;CR;;;WD)'
4911 policy_id
= self
.get_new_username()
4912 policy
= self
.create_authn_policy(policy_id
,
4914 user_allowed_ntlm
=True,
4915 user_allowed_from
=allowed
,
4916 service_allowed_ntlm
=False,
4917 service_allowed_from
=allowed
)
4919 # Create a managed service account with the assigned policy.
4920 client_creds
= self
._get
_creds
(
4921 account_type
=self
.AccountType
.MANAGED_SERVICE
,
4922 assigned_policy
=policy
,
4925 # Show that NTLM authentication fails.
4926 self
._connect
(client_creds
, simple_bind
=False,
4927 expect_error
=f
'{HRES_SEC_E_LOGON_DENIED:08X}')
4929 def test_authn_policy_ntlm_deny_no_device_restrictions(self
):
4930 # Create an authentication policy denying NTLM authentication for
4932 policy_id
= self
.get_new_username()
4933 policy
= self
.create_authn_policy(policy_id
,
4935 user_allowed_ntlm
=False,
4936 service_allowed_ntlm
=True)
4938 # Create a user account with the assigned policy.
4939 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
4940 assigned_policy
=policy
,
4943 # Show that without AllowedToAuthenticateFrom set in the policy, NTLM
4944 # authentication succeeds.
4945 self
._connect
(client_creds
, simple_bind
=False)
4947 def test_authn_policy_simple_bind_allow_user(self
):
4948 # Create an authentication policy allowing NTLM authentication for
4950 allowed
= 'O:SYD:(A;;CR;;;WD)'
4951 policy_id
= self
.get_new_username()
4952 policy
= self
.create_authn_policy(policy_id
,
4954 user_allowed_ntlm
=True,
4955 user_allowed_from
=allowed
,
4956 service_allowed_ntlm
=False,
4957 service_allowed_from
=allowed
)
4959 # Create a user account with the assigned policy.
4960 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
4961 assigned_policy
=policy
,
4964 # Show that a simple bind succeeds.
4965 self
._connect
(client_creds
, simple_bind
=True)
4967 def test_authn_policy_simple_bind_deny_user(self
):
4968 # Create an authentication policy denying NTLM authentication for
4970 allowed
= 'O:SYD:(A;;CR;;;WD)'
4971 policy_id
= self
.get_new_username()
4972 policy
= self
.create_authn_policy(policy_id
,
4974 user_allowed_ntlm
=False,
4975 user_allowed_from
=allowed
,
4976 service_allowed_ntlm
=True,
4977 service_allowed_from
=allowed
)
4979 # Create a user account with the assigned policy.
4980 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
4981 assigned_policy
=policy
,
4984 # Show that a simple bind fails.
4985 self
._connect
(client_creds
, simple_bind
=True,
4986 expect_error
=f
'{HRES_SEC_E_INVALID_TOKEN:08X}')
4988 def test_authn_policy_simple_bind_deny_no_device_restrictions(self
):
4989 # Create an authentication policy denying NTLM authentication for
4991 policy_id
= self
.get_new_username()
4992 policy
= self
.create_authn_policy(policy_id
,
4994 user_allowed_ntlm
=False,
4995 service_allowed_ntlm
=True)
4997 # Create a user account with the assigned policy.
4998 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
4999 assigned_policy
=policy
,
5002 # Show that without AllowedToAuthenticateFrom set in the policy, a
5003 # simple bind succeeds.
5004 self
._connect
(client_creds
, simple_bind
=True)
5006 def test_authn_policy_samr_pwd_change_allow_service_allowed_from(self
):
5007 # Create an authentication policy allowing NTLM authentication for
5008 # managed service accounts.
5009 allowed
= 'O:SYD:(A;;CR;;;WD)'
5010 policy_id
= self
.get_new_username()
5011 policy
= self
.create_authn_policy(policy_id
,
5013 service_allowed_ntlm
=True,
5014 service_allowed_from
=allowed
)
5016 # Create a managed service account with the assigned policy.
5017 client_creds
= self
._get
_creds
(
5018 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5019 assigned_policy
=policy
,
5022 # Show that a SAMR password change is allowed.
5023 self
._test
_samr
_change
_password
(client_creds
, expect_error
=None)
5025 def test_authn_policy_samr_pwd_change_allow_service_not_allowed_from(self
):
5026 # Create an authentication policy allowing NTLM authentication for
5027 # managed service accounts.
5028 denied
= 'O:SYD:(D;;CR;;;WD)'
5029 policy_id
= self
.get_new_username()
5030 policy
= self
.create_authn_policy(policy_id
,
5032 service_allowed_ntlm
=True,
5033 service_allowed_from
=denied
)
5035 # Create a managed service account with the assigned policy.
5036 client_creds
= self
._get
_creds
(
5037 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5038 assigned_policy
=policy
,
5041 # Show that a SAMR password change is allowed.
5042 self
._test
_samr
_change
_password
(client_creds
, expect_error
=None)
5044 def test_authn_policy_samr_pwd_change_allow_service_no_allowed_from(self
):
5045 # Create an authentication policy allowing NTLM authentication for
5046 # managed service accounts.
5047 policy_id
= self
.get_new_username()
5048 policy
= self
.create_authn_policy(policy_id
,
5050 service_allowed_ntlm
=True)
5052 # Create a managed service account with the assigned policy.
5053 client_creds
= self
._get
_creds
(
5054 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5055 assigned_policy
=policy
,
5058 # Show that a SAMR password change is allowed.
5059 self
._test
_samr
_change
_password
(client_creds
, expect_error
=None)
5061 def test_authn_policy_samr_pwd_change_deny_service_allowed_from(self
):
5062 # Create an authentication policy denying NTLM authentication for
5063 # managed service accounts.
5064 allowed
= 'O:SYD:(A;;CR;;;WD)'
5065 policy_id
= self
.get_new_username()
5066 policy
= self
.create_authn_policy(policy_id
,
5068 service_allowed_ntlm
=False,
5069 service_allowed_from
=allowed
)
5071 # Create a managed service account with the assigned policy.
5072 client_creds
= self
._get
_creds
(
5073 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5074 assigned_policy
=policy
,
5077 # Show that the SAMR connection fails.
5078 self
._test
_samr
_change
_password
(
5079 client_creds
, expect_error
=None,
5080 connect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5082 def test_authn_policy_samr_pwd_change_deny_service_not_allowed_from(self
):
5083 # Create an authentication policy denying NTLM authentication for
5084 # managed service accounts.
5085 denied
= 'O:SYD:(D;;CR;;;WD)'
5086 policy_id
= self
.get_new_username()
5087 policy
= self
.create_authn_policy(policy_id
,
5089 service_allowed_ntlm
=False,
5090 service_allowed_from
=denied
)
5092 # Create a managed service account with the assigned policy.
5093 client_creds
= self
._get
_creds
(
5094 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5095 assigned_policy
=policy
,
5098 # Show that the SAMR connection fails.
5099 self
._test
_samr
_change
_password
(
5100 client_creds
, expect_error
=None,
5101 connect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5103 def test_authn_policy_samr_pwd_change_deny_service_no_allowed_from(self
):
5104 # Create an authentication policy denying NTLM authentication for
5105 # managed service accounts.
5106 policy_id
= self
.get_new_username()
5107 policy
= self
.create_authn_policy(policy_id
,
5109 service_allowed_ntlm
=False)
5111 # Create a managed service account with the assigned policy.
5112 client_creds
= self
._get
_creds
(
5113 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5114 assigned_policy
=policy
,
5117 # Show that a SAMR password change is allowed.
5118 self
._test
_samr
_change
_password
(client_creds
, expect_error
=None)
5120 def test_authn_policy_samlogon_allow_user(self
):
5121 # Create an authentication policy allowing NTLM authentication for
5123 allowed
= 'O:SYD:(A;;CR;;;WD)'
5124 policy_id
= self
.get_new_username()
5125 policy
= self
.create_authn_policy(policy_id
,
5127 user_allowed_ntlm
=True,
5128 user_allowed_from
=allowed
,
5129 service_allowed_ntlm
=False,
5130 service_allowed_from
=allowed
)
5132 # Create a user account with the assigned policy.
5133 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5134 assigned_policy
=policy
,
5137 # Show that a network SamLogon succeeds.
5138 self
._test
_samlogon
(creds
=client_creds
,
5139 logon_type
=netlogon
.NetlogonNetworkInformation
)
5141 # Show that an interactive SamLogon succeeds. Although MS-APDS doesn’t
5142 # state it, AllowedNTLMNetworkAuthentication applies to interactive
5144 self
._test
_samlogon
(creds
=client_creds
,
5145 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5147 def test_authn_policy_samlogon_deny_user(self
):
5148 # Create an authentication policy denying NTLM authentication for
5150 allowed
= 'O:SYD:(A;;CR;;;WD)'
5151 policy_id
= self
.get_new_username()
5152 policy
= self
.create_authn_policy(policy_id
,
5154 user_allowed_ntlm
=False,
5155 user_allowed_from
=allowed
,
5156 service_allowed_ntlm
=True,
5157 service_allowed_from
=allowed
)
5159 # Create a user account with the assigned policy.
5160 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5161 assigned_policy
=policy
,
5164 # Show that a network SamLogon fails.
5165 self
._test
_samlogon
(
5167 logon_type
=netlogon
.NetlogonNetworkInformation
,
5168 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5170 # Show that an interactive SamLogon fails.
5171 self
._test
_samlogon
(
5173 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5174 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5176 def test_authn_policy_samlogon_network_computer(self
):
5177 # Create an authentication policy denying NTLM authentication.
5178 denied
= 'O:SYD:(D;;CR;;;WD)'
5179 policy_id
= self
.get_new_username()
5180 policy
= self
.create_authn_policy(policy_id
,
5182 user_allowed_ntlm
=False,
5183 user_allowed_from
=denied
,
5184 service_allowed_ntlm
=False,
5185 service_allowed_from
=denied
)
5187 # Create a computer account with the assigned policy.
5188 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5189 assigned_policy
=policy
,
5192 # Show that a network SamLogon succeeds.
5193 self
._test
_samlogon
(
5195 logon_type
=netlogon
.NetlogonNetworkInformation
)
5197 def test_authn_policy_samlogon_interactive_allow_user_allowed_from(self
):
5198 # Create an authentication policy allowing NTLM authentication for
5200 allowed
= 'O:SYD:(A;;CR;;;WD)'
5201 policy_id
= self
.get_new_username()
5202 policy
= self
.create_authn_policy(policy_id
,
5204 user_allowed_ntlm
=True,
5205 user_allowed_from
=allowed
)
5207 # Create a user account with the assigned policy.
5208 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5209 assigned_policy
=policy
,
5213 # Show that an interactive SamLogon succeeds. Although MS-APDS doesn’t
5214 # state it, AllowedNTLMNetworkAuthentication applies to interactive
5216 self
._test
_samlogon
(creds
=client_creds
,
5217 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5219 def test_authn_policy_samlogon_interactive_allow_user_not_allowed_from(self
):
5220 # Create an authentication policy allowing NTLM authentication for
5222 denied
= 'O:SYD:(D;;CR;;;WD)'
5223 policy_id
= self
.get_new_username()
5224 policy
= self
.create_authn_policy(policy_id
,
5226 user_allowed_ntlm
=True,
5227 user_allowed_from
=denied
)
5229 # Create a user account with the assigned policy.
5230 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5231 assigned_policy
=policy
,
5235 # Show that an interactive SamLogon succeeds. Although MS-APDS doesn’t
5236 # state it, AllowedNTLMNetworkAuthentication applies to interactive
5238 self
._test
_samlogon
(creds
=client_creds
,
5239 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5241 def test_authn_policy_samlogon_interactive_allow_user_no_allowed_from(self
):
5242 # Create an authentication policy allowing NTLM authentication for
5244 policy_id
= self
.get_new_username()
5245 policy
= self
.create_authn_policy(policy_id
,
5247 user_allowed_ntlm
=True)
5249 # Create a user account with the assigned policy.
5250 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5251 assigned_policy
=policy
,
5255 # Show that an interactive SamLogon succeeds.
5256 self
._test
_samlogon
(creds
=client_creds
,
5257 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5259 def test_authn_policy_samlogon_interactive_deny_user_allowed_from(self
):
5260 # Create an authentication policy disallowing NTLM authentication for
5262 allowed
= 'O:SYD:(A;;CR;;;WD)'
5263 policy_id
= self
.get_new_username()
5264 policy
= self
.create_authn_policy(policy_id
,
5266 user_allowed_ntlm
=False,
5267 user_allowed_from
=allowed
)
5269 # Create a user account with the assigned policy.
5270 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5271 assigned_policy
=policy
,
5275 # Show that an interactive SamLogon fails.
5276 self
._test
_samlogon
(
5278 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5279 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5281 def test_authn_policy_samlogon_interactive_deny_user_not_allowed_from(self
):
5282 # Create an authentication policy disallowing NTLM authentication for
5284 denied
= 'O:SYD:(D;;CR;;;WD)'
5285 policy_id
= self
.get_new_username()
5286 policy
= self
.create_authn_policy(policy_id
,
5288 user_allowed_ntlm
=False,
5289 user_allowed_from
=denied
)
5291 # Create a user account with the assigned policy.
5292 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5293 assigned_policy
=policy
,
5297 # Show that an interactive SamLogon fails.
5298 self
._test
_samlogon
(
5300 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5301 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5303 def test_authn_policy_samlogon_interactive_deny_user_no_allowed_from(self
):
5304 # Create an authentication policy disallowing NTLM authentication for
5306 policy_id
= self
.get_new_username()
5307 policy
= self
.create_authn_policy(policy_id
,
5309 user_allowed_ntlm
=False)
5311 # Create a user account with the assigned policy.
5312 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5313 assigned_policy
=policy
,
5317 # Show that an interactive SamLogon succeeds.
5318 self
._test
_samlogon
(creds
=client_creds
,
5319 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5321 def test_authn_policy_samlogon_interactive_user_allowed_from(self
):
5322 # Create an authentication policy not specifying whether NTLM
5323 # authentication is allowed or not.
5324 allowed
= 'O:SYD:(A;;CR;;;WD)'
5325 policy_id
= self
.get_new_username()
5326 policy
= self
.create_authn_policy(policy_id
,
5328 user_allowed_from
=allowed
)
5330 # Create a user account with the assigned policy.
5331 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5332 assigned_policy
=policy
,
5336 # Show that an interactive SamLogon fails.
5337 self
._test
_samlogon
(
5339 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5340 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5342 def test_authn_policy_samlogon_network_user_allowed_from(self
):
5343 # Create an authentication policy not specifying whether NTLM
5344 # authentication is allowed or not.
5345 allowed
= 'O:SYD:(A;;CR;;;WD)'
5346 policy_id
= self
.get_new_username()
5347 policy
= self
.create_authn_policy(policy_id
,
5349 user_allowed_from
=allowed
)
5351 # Create a user account with the assigned policy.
5352 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5353 assigned_policy
=policy
,
5357 # Show that a network SamLogon fails.
5358 self
._test
_samlogon
(
5360 logon_type
=netlogon
.NetlogonNetworkInformation
,
5361 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5363 def test_authn_policy_samlogon_network_allow_service_allowed_from(self
):
5364 # Create an authentication policy allowing NTLM authentication for
5366 allowed
= 'O:SYD:(A;;CR;;;WD)'
5367 policy_id
= self
.get_new_username()
5368 policy
= self
.create_authn_policy(policy_id
,
5370 service_allowed_ntlm
=True,
5371 service_allowed_from
=allowed
)
5373 # Create a managed service account with the assigned policy.
5374 client_creds
= self
._get
_creds
(
5375 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5376 assigned_policy
=policy
,
5380 # Show that a network SamLogon succeeds.
5381 self
._test
_samlogon
(creds
=client_creds
,
5382 logon_type
=netlogon
.NetlogonNetworkInformation
)
5384 def test_authn_policy_samlogon_network_allow_service_not_allowed_from(self
):
5385 # Create an authentication policy allowing NTLM authentication for
5387 denied
= 'O:SYD:(D;;CR;;;WD)'
5388 policy_id
= self
.get_new_username()
5389 policy
= self
.create_authn_policy(policy_id
,
5391 service_allowed_ntlm
=True,
5392 service_allowed_from
=denied
)
5394 # Create a managed service account with the assigned policy.
5395 client_creds
= self
._get
_creds
(
5396 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5397 assigned_policy
=policy
,
5401 # Show that a network SamLogon succeeds.
5402 self
._test
_samlogon
(creds
=client_creds
,
5403 logon_type
=netlogon
.NetlogonNetworkInformation
)
5405 def test_authn_policy_samlogon_network_allow_service_no_allowed_from(self
):
5406 # Create an authentication policy allowing NTLM authentication for
5408 policy_id
= self
.get_new_username()
5409 policy
= self
.create_authn_policy(policy_id
,
5411 service_allowed_ntlm
=True)
5413 # Create a managed service account with the assigned policy.
5414 client_creds
= self
._get
_creds
(
5415 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5416 assigned_policy
=policy
,
5420 # Show that a network SamLogon succeeds.
5421 self
._test
_samlogon
(creds
=client_creds
,
5422 logon_type
=netlogon
.NetlogonNetworkInformation
)
5424 def test_authn_policy_samlogon_network_deny_service_allowed_from(self
):
5425 # Create an authentication policy disallowing NTLM authentication for
5427 allowed
= 'O:SYD:(A;;CR;;;WD)'
5428 policy_id
= self
.get_new_username()
5429 policy
= self
.create_authn_policy(policy_id
,
5431 service_allowed_ntlm
=False,
5432 service_allowed_from
=allowed
)
5434 # Create a managed service account with the assigned policy.
5435 client_creds
= self
._get
_creds
(
5436 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5437 assigned_policy
=policy
,
5441 # Show that a network SamLogon fails.
5442 self
._test
_samlogon
(
5444 logon_type
=netlogon
.NetlogonNetworkInformation
,
5445 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5447 def test_authn_policy_samlogon_network_deny_service_not_allowed_from(self
):
5448 # Create an authentication policy disallowing NTLM authentication for
5450 denied
= 'O:SYD:(D;;CR;;;WD)'
5451 policy_id
= self
.get_new_username()
5452 policy
= self
.create_authn_policy(policy_id
,
5454 service_allowed_ntlm
=False,
5455 service_allowed_from
=denied
)
5457 # Create a managed service account with the assigned policy.
5458 client_creds
= self
._get
_creds
(
5459 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5460 assigned_policy
=policy
,
5464 # Show that a network SamLogon fails.
5465 self
._test
_samlogon
(
5467 logon_type
=netlogon
.NetlogonNetworkInformation
,
5468 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5470 def test_authn_policy_samlogon_network_deny_service_no_allowed_from(self
):
5471 # Create an authentication policy disallowing NTLM authentication for
5473 policy_id
= self
.get_new_username()
5474 policy
= self
.create_authn_policy(policy_id
,
5476 service_allowed_ntlm
=False)
5478 # Create a managed service account with the assigned policy.
5479 client_creds
= self
._get
_creds
(
5480 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5481 assigned_policy
=policy
,
5485 # Show that a network SamLogon succeeds.
5486 self
._test
_samlogon
(creds
=client_creds
,
5487 logon_type
=netlogon
.NetlogonNetworkInformation
)
5489 def test_authn_policy_samlogon_network_allow_service_allowed_from_to_self(self
):
5490 # Create an authentication policy allowing NTLM authentication for
5492 allowed
= 'O:SYD:(A;;CR;;;WD)'
5493 policy_id
= self
.get_new_username()
5494 policy
= self
.create_authn_policy(policy_id
,
5496 service_allowed_ntlm
=True,
5497 service_allowed_from
=allowed
)
5499 # Create a managed service account with the assigned policy.
5500 client_creds
= self
._get
_creds
(
5501 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5502 assigned_policy
=policy
,
5506 # Show that a network SamLogon to ourselves succeeds.
5507 self
._test
_samlogon
(creds
=client_creds
,
5508 domain_joined_mach_creds
=client_creds
,
5509 logon_type
=netlogon
.NetlogonNetworkInformation
)
5511 def test_authn_policy_samlogon_network_allow_service_not_allowed_from_to_self(self
):
5512 # Create an authentication policy allowing NTLM authentication for
5514 denied
= 'O:SYD:(D;;CR;;;WD)'
5515 policy_id
= self
.get_new_username()
5516 policy
= self
.create_authn_policy(policy_id
,
5518 service_allowed_ntlm
=True,
5519 service_allowed_from
=denied
)
5521 # Create a managed service account with the assigned policy.
5522 client_creds
= self
._get
_creds
(
5523 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5524 assigned_policy
=policy
,
5528 # Show that a network SamLogon to ourselves succeeds.
5529 self
._test
_samlogon
(creds
=client_creds
,
5530 domain_joined_mach_creds
=client_creds
,
5531 logon_type
=netlogon
.NetlogonNetworkInformation
)
5533 def test_authn_policy_samlogon_network_allow_service_no_allowed_from_to_self(self
):
5534 # Create an authentication policy allowing NTLM authentication for
5536 policy_id
= self
.get_new_username()
5537 policy
= self
.create_authn_policy(policy_id
,
5539 service_allowed_ntlm
=True)
5541 # Create a managed service account with the assigned policy.
5542 client_creds
= self
._get
_creds
(
5543 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5544 assigned_policy
=policy
,
5548 # Show that a network SamLogon to ourselves succeeds.
5549 self
._test
_samlogon
(creds
=client_creds
,
5550 domain_joined_mach_creds
=client_creds
,
5551 logon_type
=netlogon
.NetlogonNetworkInformation
)
5553 def test_authn_policy_samlogon_network_deny_service_allowed_from_to_self(self
):
5554 # Create an authentication policy disallowing NTLM authentication for
5556 allowed
= 'O:SYD:(A;;CR;;;WD)'
5557 policy_id
= self
.get_new_username()
5558 policy
= self
.create_authn_policy(policy_id
,
5560 service_allowed_ntlm
=False,
5561 service_allowed_from
=allowed
)
5563 # Create a managed service account with the assigned policy.
5564 client_creds
= self
._get
_creds
(
5565 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5566 assigned_policy
=policy
,
5570 # Show that a network SamLogon to ourselves fails.
5571 self
._test
_samlogon
(
5573 domain_joined_mach_creds
=client_creds
,
5574 logon_type
=netlogon
.NetlogonNetworkInformation
,
5575 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5577 def test_authn_policy_samlogon_network_deny_service_not_allowed_from_to_self(self
):
5578 # Create an authentication policy disallowing NTLM authentication for
5580 denied
= 'O:SYD:(D;;CR;;;WD)'
5581 policy_id
= self
.get_new_username()
5582 policy
= self
.create_authn_policy(policy_id
,
5584 service_allowed_ntlm
=False,
5585 service_allowed_from
=denied
)
5587 # Create a managed service account with the assigned policy.
5588 client_creds
= self
._get
_creds
(
5589 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5590 assigned_policy
=policy
,
5594 # Show that a network SamLogon to ourselves fails.
5595 self
._test
_samlogon
(
5597 domain_joined_mach_creds
=client_creds
,
5598 logon_type
=netlogon
.NetlogonNetworkInformation
,
5599 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5601 def test_authn_policy_samlogon_network_deny_service_no_allowed_from_to_self(self
):
5602 # Create an authentication policy disallowing NTLM authentication for
5604 policy_id
= self
.get_new_username()
5605 policy
= self
.create_authn_policy(policy_id
,
5607 service_allowed_ntlm
=False)
5609 # Create a managed service account with the assigned policy.
5610 client_creds
= self
._get
_creds
(
5611 account_type
=self
.AccountType
.MANAGED_SERVICE
,
5612 assigned_policy
=policy
,
5616 # Show that a network SamLogon to ourselves succeeds.
5617 self
._test
_samlogon
(creds
=client_creds
,
5618 domain_joined_mach_creds
=client_creds
,
5619 logon_type
=netlogon
.NetlogonNetworkInformation
)
5621 def test_authn_policy_samlogon_interactive_deny_no_device_restrictions(self
):
5622 # Create an authentication policy denying NTLM authentication for
5624 policy_id
= self
.get_new_username()
5625 policy
= self
.create_authn_policy(policy_id
,
5627 user_allowed_ntlm
=False,
5628 service_allowed_ntlm
=True)
5630 # Create a user account with the assigned policy.
5631 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5632 assigned_policy
=policy
,
5635 # Show that without AllowedToAuthenticateFrom set in the policy, an
5636 # interactive SamLogon succeeds.
5637 self
._test
_samlogon
(creds
=client_creds
,
5638 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5640 def test_authn_policy_samlogon_network_deny_no_device_restrictions(self
):
5641 # Create an authentication policy denying NTLM authentication for
5643 policy_id
= self
.get_new_username()
5644 policy
= self
.create_authn_policy(policy_id
,
5646 user_allowed_ntlm
=False,
5647 service_allowed_ntlm
=True)
5649 # Create a user account with the assigned policy.
5650 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5651 assigned_policy
=policy
,
5654 # Show that without AllowedToAuthenticateFrom set in the policy, a
5655 # network SamLogon succeeds.
5656 self
._test
_samlogon
(creds
=client_creds
,
5657 logon_type
=netlogon
.NetlogonNetworkInformation
)
5659 def test_samlogon_allowed_to_computer_allow(self
):
5660 samdb
= self
.get_samdb()
5662 # Create a user account.
5663 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5665 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
5667 # Create an authentication policy that applies to a computer and
5668 # explicitly allows the user account to obtain a service ticket.
5669 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
5670 denied
= 'O:SYD:(D;;CR;;;WD)'
5671 policy_id
= self
.get_new_username()
5672 policy
= self
.create_authn_policy(policy_id
,
5674 user_allowed_to
=denied
,
5675 computer_allowed_to
=allowed
,
5676 service_allowed_to
=denied
)
5678 # Create a computer account with the assigned policy.
5679 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5680 assigned_policy
=policy
)
5682 # Show that a network SamLogon succeeds.
5683 self
._test
_samlogon
(creds
=client_creds
,
5684 domain_joined_mach_creds
=target_creds
,
5685 logon_type
=netlogon
.NetlogonNetworkInformation
)
5687 # Show that an interactive SamLogon succeeds.
5688 self
._test
_samlogon
(creds
=client_creds
,
5689 domain_joined_mach_creds
=target_creds
,
5690 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5692 def test_samlogon_allowed_to_computer_deny(self
):
5693 samdb
= self
.get_samdb()
5695 # Create a user account.
5696 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5698 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
5700 # Create an authentication policy that applies to a computer and
5701 # explicitly denies the user account to obtain a service ticket.
5702 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
5703 allowed
= 'O:SYD:(A;;CR;;;WD)'
5704 policy_id
= self
.get_new_username()
5705 policy
= self
.create_authn_policy(policy_id
,
5707 user_allowed_to
=allowed
,
5708 computer_allowed_to
=denied
,
5709 service_allowed_to
=allowed
)
5711 # Create a computer account with the assigned policy.
5712 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5713 assigned_policy
=policy
)
5715 # Show that a network SamLogon fails.
5716 self
._test
_samlogon
(
5718 domain_joined_mach_creds
=target_creds
,
5719 logon_type
=netlogon
.NetlogonNetworkInformation
,
5720 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5722 # Show that an interactive SamLogon fails.
5723 self
._test
_samlogon
(
5725 domain_joined_mach_creds
=target_creds
,
5726 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5727 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5729 def test_samlogon_allowed_to_computer_deny_protected(self
):
5730 samdb
= self
.get_samdb()
5732 # Create a protected user account.
5733 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5736 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
5738 # Create an authentication policy that applies to a computer and
5739 # explicitly denies the user account to obtain a service ticket.
5740 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
5741 allowed
= 'O:SYD:(A;;CR;;;WD)'
5742 policy_id
= self
.get_new_username()
5743 policy
= self
.create_authn_policy(policy_id
,
5745 user_allowed_to
=allowed
,
5746 computer_allowed_to
=denied
,
5747 service_allowed_to
=allowed
)
5749 # Create a computer account with the assigned policy.
5750 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5751 assigned_policy
=policy
)
5753 # Show that a network SamLogon fails.
5754 self
._test
_samlogon
(
5756 domain_joined_mach_creds
=target_creds
,
5757 logon_type
=netlogon
.NetlogonNetworkInformation
,
5758 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5760 # Show that an interactive SamLogon fails.
5761 self
._test
_samlogon
(
5763 domain_joined_mach_creds
=target_creds
,
5764 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5765 expect_error
=ntstatus
.NT_STATUS_ACCOUNT_RESTRICTION
)
5767 def test_samlogon_allowed_to_computer_allow_asserted_identity(self
):
5768 # Create a user account.
5769 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5772 # Create an authentication policy that allows accounts with the
5773 # Authentication Authority Asserted Identity SID to obtain a service
5777 f
'{security.SID_AUTHENTICATION_AUTHORITY_ASSERTED_IDENTITY})'
5779 denied
= 'O:SYD:(D;;CR;;;WD)'
5780 policy_id
= self
.get_new_username()
5781 policy
= self
.create_authn_policy(policy_id
,
5783 user_allowed_to
=denied
,
5784 computer_allowed_to
=allowed
,
5785 service_allowed_to
=denied
)
5787 # Create a computer account with the assigned policy.
5788 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5789 assigned_policy
=policy
)
5791 # Show that a network SamLogon fails.
5792 self
._test
_samlogon
(
5794 domain_joined_mach_creds
=target_creds
,
5795 logon_type
=netlogon
.NetlogonNetworkInformation
,
5796 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5798 # Show that an interactive SamLogon fails.
5799 self
._test
_samlogon
(
5801 domain_joined_mach_creds
=target_creds
,
5802 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5803 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5805 def test_samlogon_allowed_to_computer_allow_claims_valid(self
):
5806 # Create a user account.
5807 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5810 # Create an authentication policy that allows accounts with the Claims
5811 # Valid SID to obtain a service ticket.
5812 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_CLAIMS_VALID})'
5813 denied
= 'O:SYD:(D;;CR;;;WD)'
5814 policy_id
= self
.get_new_username()
5815 policy
= self
.create_authn_policy(policy_id
,
5817 user_allowed_to
=denied
,
5818 computer_allowed_to
=allowed
,
5819 service_allowed_to
=denied
)
5821 # Create a computer account with the assigned policy.
5822 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5823 assigned_policy
=policy
)
5825 # Show that a network SamLogon fails.
5826 self
._test
_samlogon
(
5828 domain_joined_mach_creds
=target_creds
,
5829 logon_type
=netlogon
.NetlogonNetworkInformation
,
5830 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5832 # Show that an interactive SamLogon fails.
5833 self
._test
_samlogon
(
5835 domain_joined_mach_creds
=target_creds
,
5836 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5837 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5839 def test_samlogon_allowed_to_computer_allow_compounded_auth(self
):
5840 # Create a user account.
5841 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5844 # Create an authentication policy that allows accounts with the
5845 # Compounded Authentication SID to obtain a service ticket.
5846 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_COMPOUNDED_AUTHENTICATION})'
5847 denied
= 'O:SYD:(D;;CR;;;WD)'
5848 policy_id
= self
.get_new_username()
5849 policy
= self
.create_authn_policy(policy_id
,
5851 user_allowed_to
=denied
,
5852 computer_allowed_to
=allowed
,
5853 service_allowed_to
=denied
)
5855 # Create a computer account with the assigned policy.
5856 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5857 assigned_policy
=policy
)
5859 # Show that a network SamLogon fails.
5860 self
._test
_samlogon
(
5862 domain_joined_mach_creds
=target_creds
,
5863 logon_type
=netlogon
.NetlogonNetworkInformation
,
5864 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5866 # Show that an interactive SamLogon fails.
5867 self
._test
_samlogon
(
5869 domain_joined_mach_creds
=target_creds
,
5870 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5871 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5873 def test_samlogon_allowed_to_computer_allow_authenticated_users(self
):
5874 # Create a user account.
5875 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5878 # Create an authentication policy that allows accounts with the
5879 # Authenticated Users SID to obtain a service ticket.
5880 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_AUTHENTICATED_USERS})'
5881 denied
= 'O:SYD:(D;;CR;;;WD)'
5882 policy_id
= self
.get_new_username()
5883 policy
= self
.create_authn_policy(policy_id
,
5885 user_allowed_to
=denied
,
5886 computer_allowed_to
=allowed
,
5887 service_allowed_to
=denied
)
5889 # Create a computer account with the assigned policy.
5890 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5891 assigned_policy
=policy
)
5893 # Show that a network SamLogon succeeds.
5894 self
._test
_samlogon
(creds
=client_creds
,
5895 domain_joined_mach_creds
=target_creds
,
5896 logon_type
=netlogon
.NetlogonNetworkInformation
)
5898 # Show that an interactive SamLogon succeeds.
5899 self
._test
_samlogon
(creds
=client_creds
,
5900 domain_joined_mach_creds
=target_creds
,
5901 logon_type
=netlogon
.NetlogonInteractiveInformation
)
5903 def test_samlogon_allowed_to_computer_allow_ntlm_authn(self
):
5904 # Create a user account.
5905 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5908 # Create an authentication policy that allows accounts with the NTLM
5909 # Authentication SID to obtain a service ticket.
5910 allowed
= f
'O:SYD:(A;;CR;;;{security.SID_NT_NTLM_AUTHENTICATION})'
5911 denied
= 'O:SYD:(D;;CR;;;WD)'
5912 policy_id
= self
.get_new_username()
5913 policy
= self
.create_authn_policy(policy_id
,
5915 user_allowed_to
=denied
,
5916 computer_allowed_to
=allowed
,
5917 service_allowed_to
=denied
)
5919 # Create a computer account with the assigned policy.
5920 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5921 assigned_policy
=policy
)
5923 # Show that a network SamLogon fails.
5924 self
._test
_samlogon
(
5926 domain_joined_mach_creds
=target_creds
,
5927 logon_type
=netlogon
.NetlogonNetworkInformation
,
5928 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5930 # Show that an interactive SamLogon fails.
5931 self
._test
_samlogon
(
5933 domain_joined_mach_creds
=target_creds
,
5934 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5935 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
5937 def test_samlogon_allowed_to_no_owner(self
):
5938 samdb
= self
.get_samdb()
5940 # Create a user account.
5941 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5943 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
5945 # Create an authentication policy that applies to a computer and
5946 # explicitly allows the user account to obtain a service ticket. Omit
5947 # the owner (O:SY) from the SDDL.
5948 allowed
= f
'D:(A;;CR;;;{client_sid})'
5949 policy_id
= self
.get_new_username()
5950 policy
= self
.create_authn_policy(policy_id
,
5952 computer_allowed_to
=allowed
)
5954 # Create a computer account with the assigned policy.
5955 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5956 assigned_policy
=policy
)
5958 # Show that a network SamLogon fails.
5959 self
._test
_samlogon
(
5961 domain_joined_mach_creds
=target_creds
,
5962 logon_type
=netlogon
.NetlogonNetworkInformation
,
5963 expect_error
=ntstatus
.NT_STATUS_INVALID_PARAMETER
)
5965 # Show that an interactive SamLogon fails.
5966 self
._test
_samlogon
(
5968 domain_joined_mach_creds
=target_creds
,
5969 logon_type
=netlogon
.NetlogonInteractiveInformation
,
5970 expect_error
=ntstatus
.NT_STATUS_INVALID_PARAMETER
)
5972 def test_samlogon_allowed_to_no_owner_unenforced(self
):
5973 samdb
= self
.get_samdb()
5975 # Create a user account.
5976 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
5978 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
5980 # Create an unenforced authentication policy that applies to a computer
5981 # and explicitly allows the user account to obtain a service
5982 # ticket. Omit the owner (O:SY) from the SDDL.
5983 allowed
= f
'D:(A;;CR;;;{client_sid})'
5984 policy_id
= self
.get_new_username()
5985 policy
= self
.create_authn_policy(policy_id
,
5987 computer_allowed_to
=allowed
)
5989 # Create a computer account with the assigned policy.
5990 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
5991 assigned_policy
=policy
)
5993 # Show that a network SamLogon succeeds.
5994 self
._test
_samlogon
(creds
=client_creds
,
5995 domain_joined_mach_creds
=target_creds
,
5996 logon_type
=netlogon
.NetlogonNetworkInformation
)
5998 # Show that an interactive SamLogon succeeds.
5999 self
._test
_samlogon
(creds
=client_creds
,
6000 domain_joined_mach_creds
=target_creds
,
6001 logon_type
=netlogon
.NetlogonInteractiveInformation
)
6003 def test_samlogon_allowed_to_service_allow(self
):
6004 samdb
= self
.get_samdb()
6006 # Create a user account.
6007 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
6009 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
6011 # Create an authentication policy that applies to a managed service and
6012 # explicitly allows the user account to obtain a service ticket.
6013 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
6014 denied
= 'O:SYD:(D;;CR;;;WD)'
6015 policy_id
= self
.get_new_username()
6016 policy
= self
.create_authn_policy(policy_id
,
6018 user_allowed_to
=denied
,
6019 computer_allowed_to
=denied
,
6020 service_allowed_to
=allowed
)
6022 # Create a managed service account with the assigned policy.
6023 target_creds
= self
._get
_creds
(
6024 account_type
=self
.AccountType
.MANAGED_SERVICE
,
6025 assigned_policy
=policy
)
6027 # Show that a network SamLogon succeeds.
6028 self
._test
_samlogon
(creds
=client_creds
,
6029 domain_joined_mach_creds
=target_creds
,
6030 logon_type
=netlogon
.NetlogonNetworkInformation
)
6032 # Show that an interactive SamLogon succeeds.
6033 self
._test
_samlogon
(creds
=client_creds
,
6034 domain_joined_mach_creds
=target_creds
,
6035 logon_type
=netlogon
.NetlogonInteractiveInformation
)
6037 def test_samlogon_allowed_to_service_deny(self
):
6038 samdb
= self
.get_samdb()
6040 # Create a user account.
6041 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
6043 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
6045 # Create an authentication policy that applies to a managed service and
6046 # explicitly denies the user account to obtain a service ticket.
6047 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
6048 allowed
= 'O:SYD:(A;;CR;;;WD)'
6049 policy_id
= self
.get_new_username()
6050 policy
= self
.create_authn_policy(policy_id
,
6052 user_allowed_to
=allowed
,
6053 computer_allowed_to
=allowed
,
6054 service_allowed_to
=denied
)
6056 # Create a managed service account with the assigned policy.
6057 target_creds
= self
._get
_creds
(
6058 account_type
=self
.AccountType
.MANAGED_SERVICE
,
6059 assigned_policy
=policy
)
6061 # Show that a network SamLogon fails.
6062 self
._test
_samlogon
(
6064 domain_joined_mach_creds
=target_creds
,
6065 logon_type
=netlogon
.NetlogonNetworkInformation
,
6066 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
6068 # Show that an interactive SamLogon fails.
6069 self
._test
_samlogon
(
6071 domain_joined_mach_creds
=target_creds
,
6072 logon_type
=netlogon
.NetlogonInteractiveInformation
,
6073 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
6075 def test_samlogon_allowed_to_computer_allow_group_not_a_member(self
):
6076 samdb
= self
.get_samdb()
6078 # Create a new group.
6079 group_name
= self
.get_new_username()
6080 group_dn
= self
.create_group(samdb
, group_name
)
6081 group_sid
= self
.get_objectSid(samdb
, group_dn
)
6083 # Create a user account which does not belong to the group.
6084 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
6087 # Create an authentication policy that allows accounts belonging to the
6089 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
6090 policy_id
= self
.get_new_username()
6091 policy
= self
.create_authn_policy(policy_id
,
6093 computer_allowed_to
=allowed
)
6095 # Create a computer account with the assigned policy.
6096 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
6097 assigned_policy
=policy
)
6099 # Show that a network SamLogon fails, as the user account does not
6100 # belong to the group.
6101 self
._test
_samlogon
(
6103 domain_joined_mach_creds
=target_creds
,
6104 logon_type
=netlogon
.NetlogonNetworkInformation
,
6105 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
6107 # Show that an interactive SamLogon fails, as the user account does not
6108 # belong to the group.
6109 self
._test
_samlogon
(
6111 domain_joined_mach_creds
=target_creds
,
6112 logon_type
=netlogon
.NetlogonInteractiveInformation
,
6113 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
6115 def test_samlogon_allowed_to_computer_allow_group_member(self
):
6116 samdb
= self
.get_samdb()
6118 # Create a new group.
6119 group_name
= self
.get_new_username()
6120 group_dn
= self
.create_group(samdb
, group_name
)
6121 group_sid
= self
.get_objectSid(samdb
, group_dn
)
6123 # Create a user account that belongs to the group.
6124 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
6128 # Create an authentication policy that allows accounts belonging to the
6130 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
6131 policy_id
= self
.get_new_username()
6132 policy
= self
.create_authn_policy(policy_id
,
6134 computer_allowed_to
=allowed
)
6136 # Create a computer account with the assigned policy.
6137 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
6138 assigned_policy
=policy
)
6140 # Show that a network SamLogon succeeds, since the user account belongs
6142 self
._test
_samlogon
(creds
=client_creds
,
6143 domain_joined_mach_creds
=target_creds
,
6144 logon_type
=netlogon
.NetlogonNetworkInformation
)
6146 # Show that an interactive SamLogon succeeds, since the user account
6147 # belongs to the group.
6148 self
._test
_samlogon
(creds
=client_creds
,
6149 domain_joined_mach_creds
=target_creds
,
6150 logon_type
=netlogon
.NetlogonInteractiveInformation
)
6152 def test_samlogon_allowed_to_computer_allow_domain_local_group(self
):
6153 samdb
= self
.get_samdb()
6155 # Create a new domain-local group.
6156 group_name
= self
.get_new_username()
6157 group_dn
= self
.create_group(samdb
, group_name
,
6158 gtype
=GroupType
.DOMAIN_LOCAL
.value
)
6159 group_sid
= self
.get_objectSid(samdb
, group_dn
)
6161 # Create a user account that belongs to the group.
6162 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
6166 # Create an authentication policy that allows accounts belonging to the
6168 allowed
= f
'O:SYD:(A;;CR;;;{group_sid})'
6169 policy_id
= self
.get_new_username()
6170 policy
= self
.create_authn_policy(policy_id
,
6172 computer_allowed_to
=allowed
)
6174 # Create a computer account with the assigned policy.
6175 target_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
6176 assigned_policy
=policy
)
6178 # Show that a network SamLogon succeeds, since the user account belongs
6180 self
._test
_samlogon
(creds
=client_creds
,
6181 domain_joined_mach_creds
=target_creds
,
6182 logon_type
=netlogon
.NetlogonNetworkInformation
)
6184 # Show that an interactive SamLogon succeeds, since the user account
6185 # belongs to the group.
6186 self
._test
_samlogon
(creds
=client_creds
,
6187 domain_joined_mach_creds
=target_creds
,
6188 logon_type
=netlogon
.NetlogonInteractiveInformation
)
6190 def test_samlogon_allowed_to_computer_allow_to_self(self
):
6191 samdb
= self
.get_samdb()
6193 # Create a computer account.
6194 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
6197 client_dn
= client_creds
.get_dn()
6198 client_sid
= self
.get_objectSid(samdb
, client_dn
)
6200 # Create an authentication policy that applies to a computer and
6201 # explicitly allows the user account to obtain a service ticket.
6202 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
6203 denied
= 'O:SYD:(D;;CR;;;WD)'
6204 policy_id
= self
.get_new_username()
6205 policy
= self
.create_authn_policy(policy_id
,
6207 user_allowed_to
=denied
,
6208 computer_allowed_to
=allowed
,
6209 service_allowed_to
=denied
)
6211 # Assign the policy to the account.
6212 self
.add_attribute(samdb
, str(client_dn
),
6213 'msDS-AssignedAuthNPolicy', str(policy
))
6215 # Show that a network SamLogon to ourselves succeeds.
6216 self
._test
_samlogon
(creds
=client_creds
,
6217 domain_joined_mach_creds
=client_creds
,
6218 logon_type
=netlogon
.NetlogonNetworkInformation
)
6220 def test_samlogon_allowed_to_computer_deny_to_self(self
):
6221 samdb
= self
.get_samdb()
6223 # Create a computer account.
6224 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.COMPUTER
,
6227 client_dn
= client_creds
.get_dn()
6228 client_sid
= self
.get_objectSid(samdb
, client_dn
)
6230 # Create an authentication policy that applies to a computer and
6231 # explicitly denies the user account to obtain a service ticket.
6232 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
6233 allowed
= 'O:SYD:(A;;CR;;;WD)'
6234 policy_id
= self
.get_new_username()
6235 policy
= self
.create_authn_policy(policy_id
,
6237 user_allowed_to
=allowed
,
6238 computer_allowed_to
=denied
,
6239 service_allowed_to
=allowed
)
6241 # Assign the policy to the account.
6242 self
.add_attribute(samdb
, str(client_dn
),
6243 'msDS-AssignedAuthNPolicy', str(policy
))
6245 # Show that a network SamLogon to ourselves fails, despite
6246 # authentication being allowed in the Kerberos case.
6247 self
._test
_samlogon
(
6249 domain_joined_mach_creds
=client_creds
,
6250 logon_type
=netlogon
.NetlogonNetworkInformation
,
6251 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
6253 def test_samlogon_allowed_to_service_allow_to_self(self
):
6254 samdb
= self
.get_samdb()
6256 # Create a managed service account.
6257 client_creds
= self
._get
_creds
(
6258 account_type
=self
.AccountType
.MANAGED_SERVICE
,
6261 client_dn
= client_creds
.get_dn()
6262 client_sid
= self
.get_objectSid(samdb
, client_dn
)
6264 # Create an authentication policy that applies to a managed service and
6265 # explicitly allows the user account to obtain a service ticket.
6266 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
6267 denied
= 'O:SYD:(D;;CR;;;WD)'
6268 policy_id
= self
.get_new_username()
6269 policy
= self
.create_authn_policy(policy_id
,
6271 user_allowed_to
=denied
,
6272 computer_allowed_to
=denied
,
6273 service_allowed_to
=allowed
)
6275 # Assign the policy to the account.
6276 self
.add_attribute(samdb
, str(client_dn
),
6277 'msDS-AssignedAuthNPolicy', str(policy
))
6279 # Show that a network SamLogon to ourselves succeeds.
6280 self
._test
_samlogon
(creds
=client_creds
,
6281 domain_joined_mach_creds
=client_creds
,
6282 logon_type
=netlogon
.NetlogonNetworkInformation
)
6284 def test_samlogon_allowed_to_service_deny_to_self(self
):
6285 samdb
= self
.get_samdb()
6287 # Create a managed service account.
6288 client_creds
= self
._get
_creds
(
6289 account_type
=self
.AccountType
.MANAGED_SERVICE
,
6292 client_dn
= client_creds
.get_dn()
6293 client_sid
= self
.get_objectSid(samdb
, client_dn
)
6295 # Create an authentication policy that applies to a managed service and
6296 # explicitly denies the user account to obtain a service ticket.
6297 denied
= f
'O:SYD:(D;;CR;;;{client_sid})'
6298 allowed
= 'O:SYD:(A;;CR;;;WD)'
6299 policy_id
= self
.get_new_username()
6300 policy
= self
.create_authn_policy(policy_id
,
6302 user_allowed_to
=allowed
,
6303 computer_allowed_to
=allowed
,
6304 service_allowed_to
=denied
)
6306 # Assign the policy to the account.
6307 self
.add_attribute(samdb
, str(client_dn
),
6308 'msDS-AssignedAuthNPolicy', str(policy
))
6310 # Show that a network SamLogon to ourselves fails, despite
6311 # authentication being allowed in the Kerberos case.
6312 self
._test
_samlogon
(
6314 domain_joined_mach_creds
=client_creds
,
6315 logon_type
=netlogon
.NetlogonNetworkInformation
,
6316 expect_error
=ntstatus
.NT_STATUS_AUTHENTICATION_FIREWALL_FAILED
)
6318 def test_samlogon_allowed_to_computer_derived_class_allow(self
):
6319 samdb
= self
.get_samdb()
6321 # Create a user account.
6322 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
6324 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
6326 # Create an authentication policy that applies to a computer and
6327 # explicitly allows the user account to obtain a service ticket.
6328 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
6329 denied
= 'O:SYD:(D;;CR;;;WD)'
6330 policy_id
= self
.get_new_username()
6331 policy
= self
.create_authn_policy(policy_id
,
6333 user_allowed_to
=denied
,
6334 computer_allowed_to
=allowed
,
6335 service_allowed_to
=denied
)
6337 # Create a schema class derived from ‘computer’.
6338 class_id
= random
.randint(0, 100000000)
6339 computer_class_cn
= f
'my-Computer-Class-{class_id}'
6340 computer_class
= computer_class_cn
.replace('-', '')
6341 class_dn
= samdb
.get_schema_basedn()
6342 class_dn
.add_child(f
'CN={computer_class_cn}')
6343 governs_id
= f
'1.3.6.1.4.1.7165.4.6.2.9.{class_id}'
6347 'objectClass': 'classSchema',
6348 'subClassOf': 'computer',
6349 'governsId': governs_id
,
6350 'lDAPDisplayName': computer_class
,
6353 # Create an account derived from ‘computer’ with the assigned policy.
6354 target_name
= self
.get_new_username()
6355 target_creds
, target_dn
= self
.create_account(
6357 account_type
=self
.AccountType
.COMPUTER
,
6358 spn
=f
'host/{target_name}',
6359 additional_details
={
6360 'msDS-AssignedAuthNPolicy': str(policy
),
6361 'objectClass': computer_class
,
6364 keys
= self
.get_keys(target_creds
)
6365 self
.creds_set_keys(target_creds
, keys
)
6367 # Show that a network SamLogon succeeds.
6368 self
._test
_samlogon
(creds
=client_creds
,
6369 domain_joined_mach_creds
=target_creds
,
6370 logon_type
=netlogon
.NetlogonNetworkInformation
)
6372 # Show that an interactive SamLogon succeeds.
6373 self
._test
_samlogon
(creds
=client_creds
,
6374 domain_joined_mach_creds
=target_creds
,
6375 logon_type
=netlogon
.NetlogonInteractiveInformation
)
6377 def test_samlogon_allowed_to_service_derived_class_allow(self
):
6378 samdb
= self
.get_samdb()
6380 # Create a user account.
6381 client_creds
= self
._get
_creds
(account_type
=self
.AccountType
.USER
,
6383 client_sid
= self
.get_objectSid(samdb
, client_creds
.get_dn())
6385 # Create an authentication policy that applies to a managed service and
6386 # explicitly allows the user account to obtain a service ticket.
6387 allowed
= f
'O:SYD:(A;;CR;;;{client_sid})'
6388 denied
= 'O:SYD:(D;;CR;;;WD)'
6389 policy_id
= self
.get_new_username()
6390 policy
= self
.create_authn_policy(policy_id
,
6392 user_allowed_to
=denied
,
6393 computer_allowed_to
=denied
,
6394 service_allowed_to
=allowed
)
6396 # Create a schema class derived from ‘msDS-ManagedServiceAccount’.
6397 class_id
= random
.randint(0, 100000000)
6398 service_class_cn
= f
'my-Managed-Service-Class-{class_id}'
6399 service_class
= service_class_cn
.replace('-', '')
6400 class_dn
= samdb
.get_schema_basedn()
6401 class_dn
.add_child(f
'CN={service_class_cn}')
6402 governs_id
= f
'1.3.6.1.4.1.7165.4.6.2.9.{class_id}'
6406 'objectClass': 'classSchema',
6407 'subClassOf': 'msDS-ManagedServiceAccount',
6408 'governsId': governs_id
,
6409 'lDAPDisplayName': service_class
,
6412 # Create an account derived from ‘msDS-ManagedServiceAccount’ with the
6414 target_name
= self
.get_new_username()
6415 target_creds
, target_dn
= self
.create_account(
6417 account_type
=self
.AccountType
.MANAGED_SERVICE
,
6418 spn
=f
'host/{target_name}',
6419 additional_details
={
6420 'msDS-AssignedAuthNPolicy': str(policy
),
6421 'objectClass': service_class
,
6424 # Show that a network SamLogon succeeds.
6425 self
._test
_samlogon
(creds
=client_creds
,
6426 domain_joined_mach_creds
=target_creds
,
6427 logon_type
=netlogon
.NetlogonNetworkInformation
)
6429 # Show that an interactive SamLogon succeeds.
6430 self
._test
_samlogon
(creds
=client_creds
,
6431 domain_joined_mach_creds
=target_creds
,
6432 logon_type
=netlogon
.NetlogonInteractiveInformation
)
6434 def check_ticket_times(self
,
6437 expected_renew_life
=None):
6438 ticket
= ticket_creds
.ticket_private
6440 authtime
= ticket
['authtime']
6441 starttime
= ticket
.get('starttime', authtime
)
6442 endtime
= ticket
['endtime']
6443 renew_till
= ticket
.get('renew-till', None)
6445 starttime
= self
.get_EpochFromKerberosTime(starttime
)
6447 if expected_life
is not None:
6448 actual_end
= self
.get_EpochFromKerberosTime(
6449 endtime
.decode('ascii'))
6450 actual_lifetime
= actual_end
- starttime
6452 self
.assertEqual(expected_life
, actual_lifetime
)
6454 if renew_till
is None:
6455 self
.assertIsNone(expected_renew_life
)
6457 if expected_renew_life
is not None:
6458 actual_renew_till
= self
.get_EpochFromKerberosTime(
6459 renew_till
.decode('ascii'))
6460 actual_renew_life
= actual_renew_till
- starttime
6462 self
.assertEqual(expected_renew_life
, actual_renew_life
)
6464 def _get_tgt(self
, creds
, *,
6469 expected_status
=None):
6470 user_name
= creds
.get_username()
6471 realm
= creds
.get_realm()
6472 salt
= creds
.get_salt()
6474 cname
= self
.PrincipalName_create(name_type
=NT_PRINCIPAL
,
6475 names
=user_name
.split('/'))
6476 sname
= self
.PrincipalName_create(name_type
=NT_SRV_INST
,
6477 names
=['krbtgt', realm
])
6478 expected_sname
= self
.PrincipalName_create(
6479 name_type
=NT_SRV_INST
, names
=['krbtgt', realm
.upper()])
6481 expected_cname
= cname
6484 till
= self
.get_KerberosTime(offset
=36000)
6488 krbtgt_creds
= self
.get_krbtgt_creds()
6489 ticket_decryption_key
= (
6490 self
.TicketDecryptionKey_from_creds(krbtgt_creds
))
6492 expected_etypes
= krbtgt_creds
.tgs_supported_enctypes
6494 kdc_options
= str(krb5_asn1
.KDCOptions('renewable'))
6495 # Contrary to Microsoft’s documentation, the returned ticket is
6497 expected_flags
= krb5_asn1
.TicketFlags('renewable')
6499 preauth_key
= self
.PasswordKey_from_creds(creds
,
6500 kcrypto
.Enctype
.AES256
)
6502 expected_realm
= realm
.upper()
6504 etypes
= kcrypto
.Enctype
.AES256
, kcrypto
.Enctype
.RC4
6506 if armor_tgt
is not None:
6507 authenticator_subkey
= self
.RandomKey(kcrypto
.Enctype
.AES256
)
6508 armor_key
= self
.generate_armor_key(authenticator_subkey
,
6509 armor_tgt
.session_key
)
6510 armor_subkey
= authenticator_subkey
6512 client_challenge_key
= self
.generate_client_challenge_key(
6513 armor_key
, preauth_key
)
6514 enc_challenge_padata
= self
.get_challenge_pa_data(
6515 client_challenge_key
)
6517 def generate_fast_padata_fn(kdc_exchange_dict
,
6520 return [enc_challenge_padata
], req_body
6522 generate_fast_fn
= self
.generate_simple_fast
6523 generate_fast_armor_fn
= self
.generate_ap_req
6524 generate_padata_fn
= None
6526 fast_armor_type
= FX_FAST_ARMOR_AP_REQUEST
6528 ts_enc_padata
= self
.get_enc_timestamp_pa_data_from_key(
6531 def generate_padata_fn(kdc_exchange_dict
,
6534 return [ts_enc_padata
], req_body
6536 generate_fast_fn
= None
6537 generate_fast_padata_fn
= None
6538 generate_fast_armor_fn
= None
6543 fast_armor_type
= None
6545 if not expected_error
:
6546 check_error_fn
= None
6547 check_rep_fn
= self
.generic_check_kdc_rep
6549 check_error_fn
= self
.generic_check_kdc_error
6552 kdc_exchange_dict
= self
.as_exchange_dict(
6554 expected_error_mode
=expected_error
,
6555 expect_status
=expect_status
,
6556 expected_status
=expected_status
,
6557 expected_crealm
=expected_realm
,
6558 expected_cname
=expected_cname
,
6559 expected_srealm
=expected_realm
,
6560 expected_sname
=expected_sname
,
6562 expected_flags
=expected_flags
,
6563 expected_supported_etypes
=expected_etypes
,
6564 generate_padata_fn
=generate_padata_fn
,
6565 generate_fast_padata_fn
=generate_fast_padata_fn
,
6566 generate_fast_fn
=generate_fast_fn
,
6567 generate_fast_armor_fn
=generate_fast_armor_fn
,
6568 fast_armor_type
=fast_armor_type
,
6569 check_error_fn
=check_error_fn
,
6570 check_rep_fn
=check_rep_fn
,
6571 check_kdc_private_fn
=self
.generic_check_kdc_private
,
6572 armor_key
=armor_key
,
6573 armor_tgt
=armor_tgt
,
6574 armor_subkey
=armor_subkey
,
6575 kdc_options
=kdc_options
,
6576 preauth_key
=preauth_key
,
6577 ticket_decryption_key
=ticket_decryption_key
,
6578 # PA-DATA types are not important for these tests.
6579 check_patypes
=False)
6581 rep
= self
._generic
_kdc
_exchange
(kdc_exchange_dict
,
6586 renew_time
=renew_time
,
6589 self
.check_error_rep(rep
, expected_error
)
6593 self
.check_as_reply(rep
)
6595 ticket_creds
= kdc_exchange_dict
['rep_ticket_creds']
6599 if __name__
== '__main__':
6600 global_asn1_print
= False
6601 global_hexdump
= False