search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
tests/krb5/kdc_tgs_tests: add user2user tests using a normal user account
[samba.git] / python / samba / tests / krb5 / kdc_tgs_tests.py
blobf6d8921635a3fdd6192f933b07a0e0df9391b9d3
1 #!/usr/bin/env python3
2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2020
4 # Copyright (C) 2020 Catalyst.Net Ltd
5 #
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
10 #
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 #
19
20 import sys
21 import os
22
23 sys.path.insert(0, "bin/python")
24 os.environ["PYTHONUNBUFFERED"] = "1"
25
26 import ldb
27
28 from samba import dsdb, ntstatus
29
30 from samba.dcerpc import krb5pac, security
31
32
33 import samba.tests.krb5.kcrypto as kcrypto
34 from samba.tests.krb5.kdc_base_test import KDCBaseTest
35 from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
36 from samba.tests.krb5.rfc4120_constants import (
37 AES256_CTS_HMAC_SHA1_96,
38 ARCFOUR_HMAC_MD5,
39 FX_FAST_ARMOR_AP_REQUEST,
40 KRB_ERROR,
41 KDC_ERR_BADKEYVER,
42 KDC_ERR_BADMATCH,
43 KDC_ERR_ETYPE_NOSUPP,
44 KDC_ERR_GENERIC,
45 KDC_ERR_MODIFIED,
46 KDC_ERR_NOT_US,
47 KDC_ERR_POLICY,
48 KDC_ERR_PREAUTH_REQUIRED,
49 KDC_ERR_C_PRINCIPAL_UNKNOWN,
50 KDC_ERR_S_PRINCIPAL_UNKNOWN,
51 KDC_ERR_TKT_EXPIRED,
52 KDC_ERR_TGT_REVOKED,
53 KRB_ERR_TKT_NYV,
54 KDC_ERR_WRONG_REALM,
55 NT_ENTERPRISE_PRINCIPAL,
56 NT_PRINCIPAL,
57 NT_SRV_INST,
58 )
59 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
60
61 global_asn1_print = False
62 global_hexdump = False
63
64
65 class KdcTgsBaseTests(KDCBaseTest):
66 def _as_req(self,
67 creds,
68 expected_error,
69 target_creds,
70 etype,
71 expected_ticket_etype=None):
72 user_name = creds.get_username()
73 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
74 names=user_name.split('/'))
75
76 target_name = target_creds.get_username()
77 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
78 names=['host', target_name[:-1]])
79
80 if expected_error:
81 expected_sname = sname
82 else:
83 expected_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
84 names=[target_name])
85
86 realm = creds.get_realm()
87 salt = creds.get_salt()
88
89 till = self.get_KerberosTime(offset=36000)
90
91 ticket_decryption_key = (
92 self.TicketDecryptionKey_from_creds(target_creds,
93 etype=expected_ticket_etype))
94 expected_etypes = target_creds.tgs_supported_enctypes
95
96 kdc_options = ('forwardable,'
97 'renewable,'
98 'canonicalize,'
99 'renewable-ok')
100 kdc_options = krb5_asn1.KDCOptions(kdc_options)
101
102 if expected_error:
103 initial_error = (KDC_ERR_PREAUTH_REQUIRED, expected_error)
104 else:
105 initial_error = KDC_ERR_PREAUTH_REQUIRED
106
107 rep, kdc_exchange_dict = self._test_as_exchange(
108 creds=creds,
109 cname=cname,
110 realm=realm,
111 sname=sname,
112 till=till,
113 expected_error_mode=initial_error,
114 expected_crealm=realm,
115 expected_cname=cname,
116 expected_srealm=realm,
117 expected_sname=sname,
118 expected_salt=salt,
119 expected_supported_etypes=expected_etypes,
120 etypes=etype,
121 padata=None,
122 kdc_options=kdc_options,
123 preauth_key=None,
124 ticket_decryption_key=ticket_decryption_key)
125 self.assertIsNotNone(rep)
126 self.assertEqual(KRB_ERROR, rep['msg-type'])
127 error_code = rep['error-code']
128 if expected_error:
129 self.assertIn(error_code, initial_error)
130 if error_code == expected_error:
131 return
132 else:
133 self.assertEqual(initial_error, error_code)
134
135 etype_info2 = kdc_exchange_dict['preauth_etype_info2']
136
137 preauth_key = self.PasswordKey_from_etype_info2(creds,
138 etype_info2[0],
139 creds.get_kvno())
140
141 ts_enc_padata = self.get_enc_timestamp_pa_data_from_key(preauth_key)
142
143 padata = [ts_enc_padata]
144
145 expected_realm = realm.upper()
146
147 rep, kdc_exchange_dict = self._test_as_exchange(
148 creds=creds,
149 cname=cname,
150 realm=realm,
151 sname=sname,
152 till=till,
153 expected_error_mode=expected_error,
154 expected_crealm=expected_realm,
155 expected_cname=cname,
156 expected_srealm=expected_realm,
157 expected_sname=expected_sname,
158 expected_salt=salt,
159 expected_supported_etypes=expected_etypes,
160 etypes=etype,
161 padata=padata,
162 kdc_options=kdc_options,
163 preauth_key=preauth_key,
164 ticket_decryption_key=ticket_decryption_key,
165 expect_edata=False)
166 if expected_error:
167 self.check_error_rep(rep, expected_error)
168 return None
169
170 self.check_as_reply(rep)
171 return kdc_exchange_dict['rep_ticket_creds']
172
173 def _armored_as_req(self,
174 client_creds,
175 target_creds,
176 armor_tgt,
177 *,
178 expected_error=0,
179 expected_sname=None,
180 expect_edata=None,
181 expect_status=None,
182 expected_status=None,
183 expected_groups=None,
184 expect_device_info=None,
185 expected_device_groups=None,
186 expect_device_claims=None,
187 expected_device_claims=None):
188 client_username = client_creds.get_username()
189 client_realm = client_creds.get_realm()
190 client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
191 names=[client_username])
192
193 target_name = target_creds.get_username()
194 target_sname = self.PrincipalName_create(
195 name_type=NT_PRINCIPAL, names=[target_name])
196 target_realm = target_creds.get_realm()
197 target_decryption_key = self.TicketDecryptionKey_from_creds(
198 target_creds)
199 target_etypes = target_creds.tgs_supported_enctypes
200
201 authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
202 armor_key = self.generate_armor_key(authenticator_subkey,
203 armor_tgt.session_key)
204
205 preauth_key = self.PasswordKey_from_creds(client_creds,
206 kcrypto.Enctype.AES256)
207
208 client_challenge_key = (
209 self.generate_client_challenge_key(armor_key, preauth_key))
210 fast_padata = [self.get_challenge_pa_data(client_challenge_key)]
211
212 def _generate_fast_padata(kdc_exchange_dict,
213 _callback_dict,
214 req_body):
215 return list(fast_padata), req_body
216
217 etypes = kcrypto.Enctype.AES256, kcrypto.Enctype.RC4
218
219 if expected_error:
220 check_error_fn = self.generic_check_kdc_error
221 check_rep_fn = None
222 else:
223 check_error_fn = None
224 check_rep_fn = self.generic_check_kdc_rep
225
226 pac_options = '1' # claims support
227
228 samdb = self.get_samdb()
229 domain_sid_str = samdb.get_domain_sid()
230
231 if expected_groups is not None:
232 expected_groups = self.map_sids(expected_groups, None, domain_sid_str)
233
234 if expected_device_groups is not None:
235 expected_device_groups = self.map_sids(expected_device_groups, None, domain_sid_str)
236
237 if expected_sname is None:
238 expected_sname = target_sname
239
240 kdc_exchange_dict = self.as_exchange_dict(
241 creds=client_creds,
242 expected_crealm=client_realm,
243 expected_cname=client_cname,
244 expected_srealm=target_realm,
245 expected_sname=expected_sname,
246 expected_supported_etypes=target_etypes,
247 ticket_decryption_key=target_decryption_key,
248 generate_fast_fn=self.generate_simple_fast,
249 generate_fast_armor_fn=self.generate_ap_req,
250 generate_fast_padata_fn=_generate_fast_padata,
251 fast_armor_type=FX_FAST_ARMOR_AP_REQUEST,
252 check_error_fn=check_error_fn,
253 check_rep_fn=check_rep_fn,
254 check_kdc_private_fn=self.generic_check_kdc_private,
255 expected_error_mode=expected_error,
256 expected_salt=client_creds.get_salt(),
257 expect_edata=expect_edata,
258 expect_status=expect_status,
259 expected_status=expected_status,
260 expected_groups=expected_groups,
261 expect_device_info=expect_device_info,
262 expected_device_domain_sid=domain_sid_str,
263 expected_device_groups=expected_device_groups,
264 expect_device_claims=expect_device_claims,
265 expected_device_claims=expected_device_claims,
266 authenticator_subkey=authenticator_subkey,
267 preauth_key=preauth_key,
268 armor_key=armor_key,
269 armor_tgt=armor_tgt,
270 armor_subkey=authenticator_subkey,
271 kdc_options='0',
272 pac_options=pac_options,
273 # PA-DATA types are not important for these tests.
274 check_patypes=False)
275
276 rep = self._generic_kdc_exchange(
277 kdc_exchange_dict,
278 cname=client_cname,
279 realm=client_realm,
280 sname=target_sname,
281 etypes=etypes)
282 if expected_error:
283 self.check_error_rep(rep, expected_error)
284 return None
285 else:
286 self.check_as_reply(rep)
287 return kdc_exchange_dict['rep_ticket_creds']
288
289 def _tgs_req(self, tgt, expected_error, creds, target_creds, *,
290 armor_tgt=None,
291 kdc_options='0',
292 pac_options=None,
293 expected_cname=None,
294 expected_sname=None,
295 expected_account_name=None,
296 expected_flags=None,
297 additional_ticket=None,
298 decryption_key=None,
299 generate_padata_fn=None,
300 generate_fast_padata_fn=None,
301 sname=None,
302 srealm=None,
303 till=None,
304 etypes=None,
305 expected_ticket_etype=None,
306 expected_supported_etypes=None,
307 expect_pac=True,
308 expect_pac_attrs=None,
309 expect_pac_attrs_pac_request=None,
310 expect_requester_sid=None,
311 expect_edata=False,
312 expected_sid=None,
313 expected_groups=None,
314 unexpected_groups=None,
315 expect_device_info=None,
316 expected_device_domain_sid=None,
317 expected_device_groups=None,
318 expect_client_claims=None,
319 expected_client_claims=None,
320 unexpected_client_claims=None,
321 expect_device_claims=None,
322 expected_device_claims=None,
323 expect_status=None,
324 expected_status=None,
325 expected_proxy_target=None,
326 expected_transited_services=None,
327 check_patypes=True):
328 if srealm is False:
329 srealm = None
330 elif srealm is None:
331 srealm = target_creds.get_realm()
332
333 if sname is False:
334 sname = None
335 if expected_sname is None:
336 expected_sname = self.get_krbtgt_sname()
337 else:
338 if sname is None:
339 target_name = target_creds.get_username()
340 if target_name == 'krbtgt':
341 sname = self.PrincipalName_create(
342 name_type=NT_SRV_INST,
343 names=[target_name, srealm])
344 else:
345 if target_name[-1] == '$':
346 target_name = target_name[:-1]
347 sname = self.PrincipalName_create(
348 name_type=NT_PRINCIPAL,
349 names=['host', target_name])
350
351 if expected_sname is None:
352 expected_sname = sname
353
354 if additional_ticket is not None:
355 additional_tickets = [additional_ticket.ticket]
356 if decryption_key is None:
357 decryption_key = additional_ticket.session_key
358 else:
359 additional_tickets = None
360 if decryption_key is None:
361 decryption_key = self.TicketDecryptionKey_from_creds(
362 target_creds, etype=expected_ticket_etype)
363
364 subkey = self.RandomKey(tgt.session_key.etype)
365
366 if armor_tgt is not None:
367 armor_subkey = self.RandomKey(subkey.etype)
368 explicit_armor_key = self.generate_armor_key(armor_subkey,
369 armor_tgt.session_key)
370 armor_key = kcrypto.cf2(explicit_armor_key.key,
371 subkey.key,
372 b'explicitarmor',
373 b'tgsarmor')
374 armor_key = Krb5EncryptionKey(armor_key, None)
375
376 generate_fast_fn = self.generate_simple_fast
377 generate_fast_armor_fn = self.generate_ap_req
378
379 if pac_options is None:
380 pac_options = '1' # claims support
381 else:
382 armor_subkey = None
383 armor_key = None
384 generate_fast_fn = None
385 generate_fast_armor_fn = None
386
387 if etypes is None:
388 etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
389
390 if expected_error:
391 check_error_fn = self.generic_check_kdc_error
392 check_rep_fn = None
393 else:
394 check_error_fn = None
395 check_rep_fn = self.generic_check_kdc_rep
396
397 if expected_cname is None:
398 expected_cname = tgt.cname
399
400 kdc_exchange_dict = self.tgs_exchange_dict(
401 creds=creds,
402 expected_crealm=tgt.crealm,
403 expected_cname=expected_cname,
404 expected_srealm=srealm,
405 expected_sname=expected_sname,
406 expected_account_name=expected_account_name,
407 expected_flags=expected_flags,
408 ticket_decryption_key=decryption_key,
409 generate_padata_fn=generate_padata_fn,
410 generate_fast_padata_fn=generate_fast_padata_fn,
411 generate_fast_fn=generate_fast_fn,
412 generate_fast_armor_fn=generate_fast_armor_fn,
413 check_error_fn=check_error_fn,
414 check_rep_fn=check_rep_fn,
415 check_kdc_private_fn=self.generic_check_kdc_private,
416 expected_error_mode=expected_error,
417 expect_status=expect_status,
418 expected_status=expected_status,
419 tgt=tgt,
420 armor_key=armor_key,
421 armor_tgt=armor_tgt,
422 armor_subkey=armor_subkey,
423 pac_options=pac_options,
424 authenticator_subkey=subkey,
425 kdc_options=kdc_options,
426 expected_supported_etypes=expected_supported_etypes,
427 expect_edata=expect_edata,
428 expect_pac=expect_pac,
429 expect_pac_attrs=expect_pac_attrs,
430 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
431 expect_requester_sid=expect_requester_sid,
432 expected_sid=expected_sid,
433 expected_groups=expected_groups,
434 unexpected_groups=unexpected_groups,
435 expect_device_info=expect_device_info,
436 expected_device_domain_sid=expected_device_domain_sid,
437 expected_device_groups=expected_device_groups,
438 expect_client_claims=expect_client_claims,
439 expected_client_claims=expected_client_claims,
440 unexpected_client_claims=unexpected_client_claims,
441 expect_device_claims=expect_device_claims,
442 expected_device_claims=expected_device_claims,
443 expected_proxy_target=expected_proxy_target,
444 expected_transited_services=expected_transited_services,
445 check_patypes=check_patypes)
446
447 rep = self._generic_kdc_exchange(kdc_exchange_dict,
448 cname=None,
449 realm=srealm,
450 sname=sname,
451 till_time=till,
452 etypes=etypes,
453 additional_tickets=additional_tickets)
454 if expected_error:
455 self.check_error_rep(rep, expected_error)
456 return None
457 else:
458 self.check_tgs_reply(rep)
459 return kdc_exchange_dict['rep_ticket_creds']
460
461
462 class KdcTgsTests(KdcTgsBaseTests):
463
464 def setUp(self):
465 super().setUp()
466 self.do_asn1_print = global_asn1_print
467 self.do_hexdump = global_hexdump
468
469 def test_tgs_req_cname_does_not_not_match_authenticator_cname(self):
470 ''' Try and obtain a ticket from the TGS, but supply a cname
471 that differs from that provided to the krbtgt
472 '''
473 # Create the user account
474 samdb = self.get_samdb()
475 user_name = "tsttktusr"
476 (uc, _) = self.create_account(samdb, user_name)
477 realm = uc.get_realm().lower()
478
479 # Do the initial AS-REQ, should get a pre-authentication required
480 # response
481 etype = (AES256_CTS_HMAC_SHA1_96,)
482 cname = self.PrincipalName_create(
483 name_type=NT_PRINCIPAL, names=[user_name])
484 sname = self.PrincipalName_create(
485 name_type=NT_SRV_INST, names=["krbtgt", realm])
486
487 rep = self.as_req(cname, sname, realm, etype)
488 self.check_pre_authentication(rep)
489
490 # Do the next AS-REQ
491 padata = self.get_enc_timestamp_pa_data(uc, rep)
492 key = self.get_as_rep_key(uc, rep)
493 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
494 self.check_as_reply(rep)
495
496 # Request a service ticket, but use a cname that does not match
497 # that in the original AS-REQ
498 enc_part2 = self.get_as_rep_enc_data(key, rep)
499 key = self.EncryptionKey_import(enc_part2['key'])
500 ticket = rep['ticket']
501
502 cname = self.PrincipalName_create(
503 name_type=NT_PRINCIPAL,
504 names=["Administrator"])
505 sname = self.PrincipalName_create(
506 name_type=NT_PRINCIPAL,
507 names=["host", samdb.host_dns_name()])
508
509 (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype,
510 creds=uc,
511 expected_error_mode=KDC_ERR_BADMATCH,
512 expect_edata=False)
513
514 self.assertIsNone(
515 enc_part,
516 "rep = {%s}, enc_part = {%s}" % (rep, enc_part))
517 self.assertEqual(KRB_ERROR, rep['msg-type'], "rep = {%s}" % rep)
518 self.assertEqual(
519 KDC_ERR_BADMATCH,
520 rep['error-code'],
521 "rep = {%s}" % rep)
522
523 def test_ldap_service_ticket(self):
524 '''Get a ticket to the ldap service
525 '''
526 # Create the user account
527 samdb = self.get_samdb()
528 user_name = "tsttktusr"
529 (uc, _) = self.create_account(samdb, user_name)
530 realm = uc.get_realm().lower()
531
532 # Do the initial AS-REQ, should get a pre-authentication required
533 # response
534 etype = (AES256_CTS_HMAC_SHA1_96,)
535 cname = self.PrincipalName_create(
536 name_type=NT_PRINCIPAL, names=[user_name])
537 sname = self.PrincipalName_create(
538 name_type=NT_SRV_INST, names=["krbtgt", realm])
539
540 rep = self.as_req(cname, sname, realm, etype)
541 self.check_pre_authentication(rep)
542
543 # Do the next AS-REQ
544 padata = self.get_enc_timestamp_pa_data(uc, rep)
545 key = self.get_as_rep_key(uc, rep)
546 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
547 self.check_as_reply(rep)
548
549 enc_part2 = self.get_as_rep_enc_data(key, rep)
550 key = self.EncryptionKey_import(enc_part2['key'])
551 ticket = rep['ticket']
552
553 # Request a ticket to the ldap service
554 sname = self.PrincipalName_create(
555 name_type=NT_SRV_INST,
556 names=["ldap", samdb.host_dns_name()])
557
558 (rep, _) = self.tgs_req(
559 cname, sname, uc.get_realm(), ticket, key, etype,
560 service_creds=self.get_dc_creds())
561
562 self.check_tgs_reply(rep)
563
564 def test_get_ticket_for_host_service_of_machine_account(self):
565
566 # Create a user and machine account for the test.
567 #
568 samdb = self.get_samdb()
569 user_name = "tsttktusr"
570 (uc, dn) = self.create_account(samdb, user_name)
571 (mc, _) = self.create_account(samdb, "tsttktmac",
572 account_type=self.AccountType.COMPUTER)
573 realm = uc.get_realm().lower()
574
575 # Do the initial AS-REQ, should get a pre-authentication required
576 # response
577 etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
578 cname = self.PrincipalName_create(
579 name_type=NT_PRINCIPAL, names=[user_name])
580 sname = self.PrincipalName_create(
581 name_type=NT_SRV_INST, names=["krbtgt", realm])
582
583 rep = self.as_req(cname, sname, realm, etype)
584 self.check_pre_authentication(rep)
585
586 # Do the next AS-REQ
587 padata = self.get_enc_timestamp_pa_data(uc, rep)
588 key = self.get_as_rep_key(uc, rep)
589 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
590 self.check_as_reply(rep)
591
592 # Request a ticket to the host service on the machine account
593 ticket = rep['ticket']
594 enc_part2 = self.get_as_rep_enc_data(key, rep)
595 key = self.EncryptionKey_import(enc_part2['key'])
596 cname = self.PrincipalName_create(
597 name_type=NT_PRINCIPAL,
598 names=[user_name])
599 sname = self.PrincipalName_create(
600 name_type=NT_PRINCIPAL,
601 names=[mc.get_username()])
602
603 (rep, enc_part) = self.tgs_req(
604 cname, sname, uc.get_realm(), ticket, key, etype,
605 service_creds=mc)
606 self.check_tgs_reply(rep)
607
608 # Check the contents of the service ticket
609 ticket = rep['ticket']
610 enc_part = self.decode_service_ticket(mc, ticket)
611
612 pac_data = self.get_pac_data(enc_part['authorization-data'])
613 sid = uc.get_sid()
614 upn = "%s@%s" % (uc.get_username(), realm)
615 self.assertEqual(
616 uc.get_username(),
617 str(pac_data.account_name),
618 "rep = {%s},%s" % (rep, pac_data))
619 self.assertEqual(
620 uc.get_username(),
621 pac_data.logon_name,
622 "rep = {%s},%s" % (rep, pac_data))
623 self.assertEqual(
624 uc.get_realm(),
625 pac_data.domain_name,
626 "rep = {%s},%s" % (rep, pac_data))
627 self.assertEqual(
628 upn,
629 pac_data.upn,
630 "rep = {%s},%s" % (rep, pac_data))
631 self.assertEqual(
632 sid,
633 pac_data.account_sid,
634 "rep = {%s},%s" % (rep, pac_data))
635
636 def test_request(self):
637 client_creds = self.get_client_creds()
638 service_creds = self.get_service_creds()
639
640 tgt = self.get_tgt(client_creds)
641
642 pac = self.get_ticket_pac(tgt)
643 self.assertIsNotNone(pac)
644
645 ticket = self._make_tgs_request(client_creds, service_creds, tgt)
646
647 pac = self.get_ticket_pac(ticket)
648 self.assertIsNotNone(pac)
649
650 def test_request_no_pac(self):
651 client_creds = self.get_client_creds()
652 service_creds = self.get_service_creds()
653
654 tgt = self.get_tgt(client_creds, pac_request=False)
655
656 pac = self.get_ticket_pac(tgt)
657 self.assertIsNotNone(pac)
658
659 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
660 pac_request=False, expect_pac=False)
661
662 pac = self.get_ticket_pac(ticket, expect_pac=False)
663 self.assertIsNone(pac)
664
665 def test_request_enterprise_canon(self):
666 upn = self.get_new_username()
667 client_creds = self.get_cached_creds(
668 account_type=self.AccountType.USER,
669 opts={'upn': upn})
670 service_creds = self.get_service_creds()
671
672 user_name = client_creds.get_username()
673 realm = client_creds.get_realm()
674 client_account = f'{user_name}@{realm}'
675
676 expected_cname = self.PrincipalName_create(
677 name_type=NT_PRINCIPAL,
678 names=[user_name])
679
680 kdc_options = 'canonicalize'
681
682 tgt = self.get_tgt(client_creds,
683 client_account=client_account,
684 client_name_type=NT_ENTERPRISE_PRINCIPAL,
685 expected_cname=expected_cname,
686 expected_account_name=user_name,
687 kdc_options=kdc_options)
688
689 self._make_tgs_request(
690 client_creds, service_creds, tgt,
691 client_account=client_account,
692 client_name_type=NT_ENTERPRISE_PRINCIPAL,
693 expected_cname=expected_cname,
694 expected_account_name=user_name,
695 kdc_options=kdc_options)
696
697 def test_request_enterprise_canon_case(self):
698 upn = self.get_new_username()
699 client_creds = self.get_cached_creds(
700 account_type=self.AccountType.USER,
701 opts={'upn': upn})
702 service_creds = self.get_service_creds()
703
704 user_name = client_creds.get_username()
705 realm = client_creds.get_realm().lower()
706 client_account = f'{user_name}@{realm}'
707
708 expected_cname = self.PrincipalName_create(
709 name_type=NT_PRINCIPAL,
710 names=[user_name])
711
712 kdc_options = 'canonicalize'
713
714 tgt = self.get_tgt(client_creds,
715 client_account=client_account,
716 client_name_type=NT_ENTERPRISE_PRINCIPAL,
717 expected_cname=expected_cname,
718 expected_account_name=user_name,
719 kdc_options=kdc_options)
720
721 self._make_tgs_request(
722 client_creds, service_creds, tgt,
723 client_account=client_account,
724 client_name_type=NT_ENTERPRISE_PRINCIPAL,
725 expected_cname=expected_cname,
726 expected_account_name=user_name,
727 kdc_options=kdc_options)
728
729 def test_request_enterprise_canon_mac(self):
730 upn = self.get_new_username()
731 client_creds = self.get_cached_creds(
732 account_type=self.AccountType.COMPUTER,
733 opts={'upn': upn})
734 service_creds = self.get_service_creds()
735
736 user_name = client_creds.get_username()
737 realm = client_creds.get_realm()
738 client_account = f'{user_name}@{realm}'
739
740 expected_cname = self.PrincipalName_create(
741 name_type=NT_PRINCIPAL,
742 names=[user_name])
743
744 kdc_options = 'canonicalize'
745
746 tgt = self.get_tgt(client_creds,
747 client_account=client_account,
748 client_name_type=NT_ENTERPRISE_PRINCIPAL,
749 expected_cname=expected_cname,
750 expected_account_name=user_name,
751 kdc_options=kdc_options)
752
753 self._make_tgs_request(
754 client_creds, service_creds, tgt,
755 client_account=client_account,
756 client_name_type=NT_ENTERPRISE_PRINCIPAL,
757 expected_cname=expected_cname,
758 expected_account_name=user_name,
759 kdc_options=kdc_options)
760
761 def test_request_enterprise_canon_case_mac(self):
762 upn = self.get_new_username()
763 client_creds = self.get_cached_creds(
764 account_type=self.AccountType.COMPUTER,
765 opts={'upn': upn})
766 service_creds = self.get_service_creds()
767
768 user_name = client_creds.get_username()
769 realm = client_creds.get_realm().lower()
770 client_account = f'{user_name}@{realm}'
771
772 expected_cname = self.PrincipalName_create(
773 name_type=NT_PRINCIPAL,
774 names=[user_name])
775
776 kdc_options = 'canonicalize'
777
778 tgt = self.get_tgt(client_creds,
779 client_account=client_account,
780 client_name_type=NT_ENTERPRISE_PRINCIPAL,
781 expected_cname=expected_cname,
782 expected_account_name=user_name,
783 kdc_options=kdc_options)
784
785 self._make_tgs_request(
786 client_creds, service_creds, tgt,
787 client_account=client_account,
788 client_name_type=NT_ENTERPRISE_PRINCIPAL,
789 expected_cname=expected_cname,
790 expected_account_name=user_name,
791 kdc_options=kdc_options)
792
793 def test_request_enterprise_no_canon(self):
794 upn = self.get_new_username()
795 client_creds = self.get_cached_creds(
796 account_type=self.AccountType.USER,
797 opts={'upn': upn})
798 service_creds = self.get_service_creds()
799
800 user_name = client_creds.get_username()
801 realm = client_creds.get_realm()
802 client_account = f'{user_name}@{realm}'
803
804 kdc_options = '0'
805
806 tgt = self.get_tgt(client_creds,
807 client_account=client_account,
808 client_name_type=NT_ENTERPRISE_PRINCIPAL,
809 expected_account_name=user_name,
810 kdc_options=kdc_options)
811
812 self._make_tgs_request(
813 client_creds, service_creds, tgt,
814 client_account=client_account,
815 client_name_type=NT_ENTERPRISE_PRINCIPAL,
816 expected_account_name=user_name,
817 kdc_options=kdc_options)
818
819 def test_request_enterprise_no_canon_case(self):
820 upn = self.get_new_username()
821 client_creds = self.get_cached_creds(
822 account_type=self.AccountType.USER,
823 opts={'upn': upn})
824 service_creds = self.get_service_creds()
825
826 user_name = client_creds.get_username()
827 realm = client_creds.get_realm().lower()
828 client_account = f'{user_name}@{realm}'
829
830 kdc_options = '0'
831
832 tgt = self.get_tgt(client_creds,
833 client_account=client_account,
834 client_name_type=NT_ENTERPRISE_PRINCIPAL,
835 expected_account_name=user_name,
836 kdc_options=kdc_options)
837
838 self._make_tgs_request(
839 client_creds, service_creds, tgt,
840 client_account=client_account,
841 client_name_type=NT_ENTERPRISE_PRINCIPAL,
842 expected_account_name=user_name,
843 kdc_options=kdc_options)
844
845 def test_request_enterprise_no_canon_mac(self):
846 upn = self.get_new_username()
847 client_creds = self.get_cached_creds(
848 account_type=self.AccountType.COMPUTER,
849 opts={'upn': upn})
850 service_creds = self.get_service_creds()
851
852 user_name = client_creds.get_username()
853 realm = client_creds.get_realm()
854 client_account = f'{user_name}@{realm}'
855
856 kdc_options = '0'
857
858 tgt = self.get_tgt(client_creds,
859 client_account=client_account,
860 client_name_type=NT_ENTERPRISE_PRINCIPAL,
861 expected_account_name=user_name,
862 kdc_options=kdc_options)
863
864 self._make_tgs_request(
865 client_creds, service_creds, tgt,
866 client_account=client_account,
867 client_name_type=NT_ENTERPRISE_PRINCIPAL,
868 expected_account_name=user_name,
869 kdc_options=kdc_options)
870
871 def test_request_enterprise_no_canon_case_mac(self):
872 upn = self.get_new_username()
873 client_creds = self.get_cached_creds(
874 account_type=self.AccountType.COMPUTER,
875 opts={'upn': upn})
876 service_creds = self.get_service_creds()
877
878 user_name = client_creds.get_username()
879 realm = client_creds.get_realm().lower()
880 client_account = f'{user_name}@{realm}'
881
882 kdc_options = '0'
883
884 tgt = self.get_tgt(client_creds,
885 client_account=client_account,
886 client_name_type=NT_ENTERPRISE_PRINCIPAL,
887 expected_account_name=user_name,
888 kdc_options=kdc_options)
889
890 self._make_tgs_request(
891 client_creds, service_creds, tgt,
892 client_account=client_account,
893 client_name_type=NT_ENTERPRISE_PRINCIPAL,
894 expected_account_name=user_name,
895 kdc_options=kdc_options)
896
897 def test_client_no_auth_data_required(self):
898 client_creds = self.get_cached_creds(
899 account_type=self.AccountType.USER,
900 opts={'no_auth_data_required': True})
901 service_creds = self.get_service_creds()
902
903 tgt = self.get_tgt(client_creds)
904
905 pac = self.get_ticket_pac(tgt)
906 self.assertIsNotNone(pac)
907
908 ticket = self._make_tgs_request(client_creds, service_creds, tgt)
909
910 pac = self.get_ticket_pac(ticket)
911 self.assertIsNotNone(pac)
912
913 def test_no_pac_client_no_auth_data_required(self):
914 client_creds = self.get_cached_creds(
915 account_type=self.AccountType.USER,
916 opts={'no_auth_data_required': True})
917 service_creds = self.get_service_creds()
918
919 tgt = self.get_tgt(client_creds)
920
921 pac = self.get_ticket_pac(tgt)
922 self.assertIsNotNone(pac)
923
924 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
925 pac_request=False, expect_pac=True)
926
927 pac = self.get_ticket_pac(ticket)
928 self.assertIsNotNone(pac)
929
930 def test_service_no_auth_data_required(self):
931 client_creds = self.get_client_creds()
932 service_creds = self.get_cached_creds(
933 account_type=self.AccountType.COMPUTER,
934 opts={'no_auth_data_required': True})
935
936 tgt = self.get_tgt(client_creds)
937
938 pac = self.get_ticket_pac(tgt)
939 self.assertIsNotNone(pac)
940
941 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
942 expect_pac=False)
943
944 pac = self.get_ticket_pac(ticket, expect_pac=False)
945 self.assertIsNone(pac)
946
947 def test_no_pac_service_no_auth_data_required(self):
948 client_creds = self.get_client_creds()
949 service_creds = self.get_cached_creds(
950 account_type=self.AccountType.COMPUTER,
951 opts={'no_auth_data_required': True})
952
953 tgt = self.get_tgt(client_creds, pac_request=False)
954
955 pac = self.get_ticket_pac(tgt)
956 self.assertIsNotNone(pac)
957
958 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
959 pac_request=False, expect_pac=False)
960
961 pac = self.get_ticket_pac(ticket, expect_pac=False)
962 self.assertIsNone(pac)
963
964 def test_remove_pac_service_no_auth_data_required(self):
965 client_creds = self.get_client_creds()
966 service_creds = self.get_cached_creds(
967 account_type=self.AccountType.COMPUTER,
968 opts={'no_auth_data_required': True})
969
970 tgt = self.modified_ticket(self.get_tgt(client_creds),
971 exclude_pac=True)
972
973 pac = self.get_ticket_pac(tgt, expect_pac=False)
974 self.assertIsNone(pac)
975
976 self._make_tgs_request(client_creds, service_creds, tgt,
977 expect_error=True)
978
979 def test_remove_pac_client_no_auth_data_required(self):
980 client_creds = self.get_cached_creds(
981 account_type=self.AccountType.USER,
982 opts={'no_auth_data_required': True})
983 service_creds = self.get_service_creds()
984
985 tgt = self.modified_ticket(self.get_tgt(client_creds),
986 exclude_pac=True)
987
988 pac = self.get_ticket_pac(tgt, expect_pac=False)
989 self.assertIsNone(pac)
990
991 self._make_tgs_request(client_creds, service_creds, tgt,
992 expect_error=True)
993
994 def test_remove_pac(self):
995 client_creds = self.get_client_creds()
996 service_creds = self.get_service_creds()
997
998 tgt = self.modified_ticket(self.get_tgt(client_creds),
999 exclude_pac=True)
1000
1001 pac = self.get_ticket_pac(tgt, expect_pac=False)
1002 self.assertIsNone(pac)
1003
1004 self._make_tgs_request(client_creds, service_creds, tgt,
1005 expect_error=True)
1006
1007 def test_upn_dns_info_ex_user(self):
1008 client_creds = self.get_client_creds()
1009 self._run_upn_dns_info_ex_test(client_creds)
1010
1011 def test_upn_dns_info_ex_mac(self):
1012 mach_creds = self.get_mach_creds()
1013 self._run_upn_dns_info_ex_test(mach_creds)
1014
1015 def test_upn_dns_info_ex_upn_user(self):
1016 client_creds = self.get_cached_creds(
1017 account_type=self.AccountType.USER,
1018 opts={'upn': 'upn_dns_info_test_upn0@bar'})
1019 self._run_upn_dns_info_ex_test(client_creds)
1020
1021 def test_upn_dns_info_ex_upn_mac(self):
1022 mach_creds = self.get_cached_creds(
1023 account_type=self.AccountType.COMPUTER,
1024 opts={'upn': 'upn_dns_info_test_upn1@bar'})
1025 self._run_upn_dns_info_ex_test(mach_creds)
1026
1027 def _run_upn_dns_info_ex_test(self, client_creds):
1028 service_creds = self.get_service_creds()
1029
1030 account_name = client_creds.get_username()
1031 upn_name = client_creds.get_upn()
1032 if upn_name is None:
1033 realm = client_creds.get_realm().lower()
1034 upn_name = f'{account_name}@{realm}'
1035 sid = client_creds.get_sid()
1036
1037 tgt = self.get_tgt(client_creds,
1038 expected_account_name=account_name,
1039 expected_upn_name=upn_name,
1040 expected_sid=sid)
1041
1042 self._make_tgs_request(client_creds, service_creds, tgt,
1043 expected_account_name=account_name,
1044 expected_upn_name=upn_name,
1045 expected_sid=sid)
1046
1047 # Test making a TGS request.
1048 def test_tgs_req(self):
1049 creds = self._get_creds()
1050 tgt = self._get_tgt(creds)
1051 self._run_tgs(tgt, creds, expected_error=0)
1052
1053 def test_renew_req(self):
1054 creds = self._get_creds()
1055 tgt = self._get_tgt(creds, renewable=True)
1056 self._renew_tgt(tgt, creds, expected_error=0,
1057 expect_pac_attrs=True,
1058 expect_pac_attrs_pac_request=True,
1059 expect_requester_sid=True)
1060
1061 def test_validate_req(self):
1062 creds = self._get_creds()
1063 tgt = self._get_tgt(creds, invalid=True)
1064 self._validate_tgt(tgt, creds, expected_error=0,
1065 expect_pac_attrs=True,
1066 expect_pac_attrs_pac_request=True,
1067 expect_requester_sid=True)
1068
1069 def test_s4u2self_req(self):
1070 creds = self._get_creds()
1071 tgt = self._get_tgt(creds)
1072 self._s4u2self(tgt, creds, expected_error=0)
1073
1074 def test_user2user_req(self):
1075 creds = self._get_creds()
1076 tgt = self._get_tgt(creds)
1077 self._user2user(tgt, creds, expected_error=0)
1078
1079 def test_user2user_user_self_req(self):
1080 creds = self._get_user_creds()
1081 tgt = self._get_tgt(creds)
1082 username = creds.get_username()
1083 sname = self.PrincipalName_create(
1084 name_type=NT_PRINCIPAL,
1085 names=[username])
1086 self._user2user(tgt, creds, sname=sname, user_tgt=tgt, user_creds=creds, expected_error=0)
1087
1088 def test_user2user_computer_self_princ1_req(self):
1089 creds = self._get_creds()
1090 tgt = self._get_tgt(creds)
1091 username = creds.get_username()
1092 sname = self.PrincipalName_create(
1093 name_type=NT_PRINCIPAL,
1094 names=[username])
1095 self._user2user(tgt, creds, sname=sname, user_tgt=tgt, user_creds=creds, expected_error=0)
1096
1097 def test_user2user_computer_self_princ2_req(self):
1098 creds = self._get_creds()
1099 tgt = self._get_tgt(creds)
1100 self._user2user(tgt, creds, user_tgt=tgt, user_creds=creds, expected_error=0)
1101
1102 def test_fast_req(self):
1103 creds = self._get_creds()
1104 tgt = self._get_tgt(creds)
1105 self._fast(tgt, creds, expected_error=0)
1106
1107 def test_tgs_req_invalid(self):
1108 creds = self._get_creds()
1109 tgt = self._get_tgt(creds, invalid=True)
1110 self._run_tgs(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
1111
1112 def test_s4u2self_req_invalid(self):
1113 creds = self._get_creds()
1114 tgt = self._get_tgt(creds, invalid=True)
1115 self._s4u2self(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
1116
1117 def test_user2user_req_invalid(self):
1118 creds = self._get_creds()
1119 tgt = self._get_tgt(creds, invalid=True)
1120 self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
1121
1122 def test_fast_req_invalid(self):
1123 creds = self._get_creds()
1124 tgt = self._get_tgt(creds, invalid=True)
1125 self._fast(tgt, creds, expected_error=KRB_ERR_TKT_NYV,
1126 expected_sname=self.get_krbtgt_sname())
1127
1128 def test_tgs_req_no_requester_sid(self):
1129 creds = self._get_creds()
1130 tgt = self._get_tgt(creds, remove_requester_sid=True)
1131
1132 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1133
1134 def test_tgs_req_no_pac_attrs(self):
1135 creds = self._get_creds()
1136 tgt = self._get_tgt(creds, remove_pac_attrs=True)
1137
1138 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
1139 expect_pac_attrs=False)
1140
1141 def test_tgs_req_from_rodc_no_requester_sid(self):
1142 creds = self._get_creds(replication_allowed=True,
1143 revealed_to_rodc=True)
1144 tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True)
1145
1146 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1147
1148 def test_tgs_req_from_rodc_no_pac_attrs(self):
1149 creds = self._get_creds(replication_allowed=True,
1150 revealed_to_rodc=True)
1151 tgt = self._get_tgt(creds, from_rodc=True, remove_pac_attrs=True)
1152 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
1153 expect_pac_attrs=False)
1154
1155 # Test making a request without a PAC.
1156 def test_tgs_no_pac(self):
1157 creds = self._get_creds()
1158 tgt = self._get_tgt(creds, remove_pac=True)
1159 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1160
1161 def test_renew_no_pac(self):
1162 creds = self._get_creds()
1163 tgt = self._get_tgt(creds, renewable=True, remove_pac=True)
1164 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1165
1166 def test_validate_no_pac(self):
1167 creds = self._get_creds()
1168 tgt = self._get_tgt(creds, invalid=True, remove_pac=True)
1169 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1170
1171 def test_s4u2self_no_pac(self):
1172 creds = self._get_creds()
1173 tgt = self._get_tgt(creds, remove_pac=True)
1174 self._s4u2self(tgt, creds,
1175 expected_error=KDC_ERR_TGT_REVOKED,
1176 expect_edata=False)
1177
1178 def test_user2user_no_pac(self):
1179 creds = self._get_creds()
1180 tgt = self._get_tgt(creds, remove_pac=True)
1181 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1182
1183 def test_fast_no_pac(self):
1184 creds = self._get_creds()
1185 tgt = self._get_tgt(creds, remove_pac=True)
1186 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1187 expected_sname=self.get_krbtgt_sname())
1188
1189 def test_fast_as_req_no_pac(self):
1190 creds = self._get_creds()
1191 tgt = self._get_tgt(creds, remove_pac=True)
1192 self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1193
1194 # Test making a request with authdata and without a PAC.
1195 def test_tgs_authdata_no_pac(self):
1196 creds = self._get_creds()
1197 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1198 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1199
1200 def test_renew_authdata_no_pac(self):
1201 creds = self._get_creds()
1202 tgt = self._get_tgt(creds, renewable=True, remove_pac=True,
1203 allow_empty_authdata=True)
1204 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1205
1206 def test_validate_authdata_no_pac(self):
1207 creds = self._get_creds()
1208 tgt = self._get_tgt(creds, invalid=True, remove_pac=True,
1209 allow_empty_authdata=True)
1210 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1211
1212 def test_s4u2self_authdata_no_pac(self):
1213 creds = self._get_creds()
1214 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1215 self._s4u2self(tgt, creds,
1216 expected_error=KDC_ERR_TGT_REVOKED,
1217 expect_edata=False)
1218
1219 def test_user2user_authdata_no_pac(self):
1220 creds = self._get_creds()
1221 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1222 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1223
1224 def test_fast_authdata_no_pac(self):
1225 creds = self._get_creds()
1226 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1227 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1228 expected_sname=self.get_krbtgt_sname())
1229
1230 def test_fast_as_req_authdata_no_pac(self):
1231 creds = self._get_creds()
1232 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1233 self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1234
1235 # Test changing the SID in the PAC to that of another account.
1236 def test_tgs_sid_mismatch_existing(self):
1237 creds = self._get_creds()
1238 existing_rid = self._get_existing_rid()
1239 tgt = self._get_tgt(creds, new_rid=existing_rid)
1240 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1241
1242 def test_renew_sid_mismatch_existing(self):
1243 creds = self._get_creds()
1244 existing_rid = self._get_existing_rid()
1245 tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid)
1246 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1247
1248 def test_validate_sid_mismatch_existing(self):
1249 creds = self._get_creds()
1250 existing_rid = self._get_existing_rid()
1251 tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid)
1252 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1253
1254 def test_s4u2self_sid_mismatch_existing(self):
1255 creds = self._get_creds()
1256 existing_rid = self._get_existing_rid()
1257 tgt = self._get_tgt(creds, new_rid=existing_rid)
1258 self._s4u2self(tgt, creds,
1259 expected_error=KDC_ERR_TGT_REVOKED)
1260
1261 def test_user2user_sid_mismatch_existing(self):
1262 creds = self._get_creds()
1263 existing_rid = self._get_existing_rid()
1264 tgt = self._get_tgt(creds, new_rid=existing_rid)
1265 self._user2user(tgt, creds,
1266 expected_error=KDC_ERR_TGT_REVOKED)
1267
1268 def test_fast_sid_mismatch_existing(self):
1269 creds = self._get_creds()
1270 existing_rid = self._get_existing_rid()
1271 tgt = self._get_tgt(creds, new_rid=existing_rid)
1272 self._fast(tgt, creds,
1273 expected_error=KDC_ERR_TGT_REVOKED,
1274 expected_sname=self.get_krbtgt_sname())
1275
1276 def test_fast_as_req_sid_mismatch_existing(self):
1277 creds = self._get_creds()
1278 existing_rid = self._get_existing_rid()
1279 tgt = self._get_tgt(creds, new_rid=existing_rid)
1280 self._fast_as_req(tgt, creds,
1281 expected_error=KDC_ERR_TGT_REVOKED)
1282
1283 def test_requester_sid_mismatch_existing(self):
1284 creds = self._get_creds()
1285 existing_rid = self._get_existing_rid()
1286 tgt = self._get_tgt(creds, new_rid=existing_rid,
1287 can_modify_logon_info=False)
1288 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1289
1290 def test_logon_info_sid_mismatch_existing(self):
1291 creds = self._get_creds()
1292 existing_rid = self._get_existing_rid()
1293 tgt = self._get_tgt(creds, new_rid=existing_rid,
1294 can_modify_requester_sid=False)
1295 self._run_tgs(tgt, creds, expected_error=0)
1296
1297 def test_logon_info_only_sid_mismatch_existing(self):
1298 creds = self._get_creds()
1299 existing_rid = self._get_existing_rid()
1300 tgt = self._get_tgt(creds, new_rid=existing_rid,
1301 remove_requester_sid=True)
1302 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1303
1304 # Test changing the SID in the PAC to a non-existent one.
1305 def test_tgs_sid_mismatch_nonexisting(self):
1306 creds = self._get_creds()
1307 nonexistent_rid = self._get_non_existent_rid()
1308 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1309 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1310
1311 def test_renew_sid_mismatch_nonexisting(self):
1312 creds = self._get_creds()
1313 nonexistent_rid = self._get_non_existent_rid()
1314 tgt = self._get_tgt(creds, renewable=True,
1315 new_rid=nonexistent_rid)
1316 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1317
1318 def test_validate_sid_mismatch_nonexisting(self):
1319 creds = self._get_creds()
1320 nonexistent_rid = self._get_non_existent_rid()
1321 tgt = self._get_tgt(creds, invalid=True,
1322 new_rid=nonexistent_rid)
1323 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1324
1325 def test_s4u2self_sid_mismatch_nonexisting(self):
1326 creds = self._get_creds()
1327 nonexistent_rid = self._get_non_existent_rid()
1328 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1329 self._s4u2self(tgt, creds,
1330 expected_error=KDC_ERR_TGT_REVOKED)
1331
1332 def test_user2user_sid_mismatch_nonexisting(self):
1333 creds = self._get_creds()
1334 nonexistent_rid = self._get_non_existent_rid()
1335 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1336 self._user2user(tgt, creds,
1337 expected_error=KDC_ERR_TGT_REVOKED)
1338
1339 def test_fast_sid_mismatch_nonexisting(self):
1340 creds = self._get_creds()
1341 nonexistent_rid = self._get_non_existent_rid()
1342 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1343 self._fast(tgt, creds,
1344 expected_error=KDC_ERR_TGT_REVOKED,
1345 expected_sname=self.get_krbtgt_sname())
1346
1347 def test_fast_as_req_sid_mismatch_nonexisting(self):
1348 creds = self._get_creds()
1349 nonexistent_rid = self._get_non_existent_rid()
1350 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1351 self._fast_as_req(tgt, creds,
1352 expected_error=KDC_ERR_TGT_REVOKED)
1353
1354 def test_requester_sid_mismatch_nonexisting(self):
1355 creds = self._get_creds()
1356 nonexistent_rid = self._get_non_existent_rid()
1357 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1358 can_modify_logon_info=False)
1359 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1360
1361 def test_logon_info_sid_mismatch_nonexisting(self):
1362 creds = self._get_creds()
1363 nonexistent_rid = self._get_non_existent_rid()
1364 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1365 can_modify_requester_sid=False)
1366 self._run_tgs(tgt, creds, expected_error=0)
1367
1368 def test_logon_info_only_sid_mismatch_nonexisting(self):
1369 creds = self._get_creds()
1370 nonexistent_rid = self._get_non_existent_rid()
1371 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1372 remove_requester_sid=True)
1373 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1374
1375 # Test with an RODC-issued ticket where the client is revealed to the RODC.
1376 def test_tgs_rodc_revealed(self):
1377 creds = self._get_creds(replication_allowed=True,
1378 revealed_to_rodc=True)
1379 tgt = self._get_tgt(creds, from_rodc=True)
1380 self._run_tgs(tgt, creds, expected_error=0)
1381
1382 def test_renew_rodc_revealed(self):
1383 creds = self._get_creds(replication_allowed=True,
1384 revealed_to_rodc=True)
1385 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1386 self._renew_tgt(tgt, creds, expected_error=0,
1387 expect_pac_attrs=False,
1388 expect_requester_sid=True)
1389
1390 def test_validate_rodc_revealed(self):
1391 creds = self._get_creds(replication_allowed=True,
1392 revealed_to_rodc=True)
1393 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1394 self._validate_tgt(tgt, creds, expected_error=0,
1395 expect_pac_attrs=False,
1396 expect_requester_sid=True)
1397
1398 # This test fails on Windows, which gives KDC_ERR_C_PRINCIPAL_UNKNOWN when
1399 # attempting to use S4U2Self with a TGT from an RODC.
1400 def test_s4u2self_rodc_revealed(self):
1401 creds = self._get_creds(replication_allowed=True,
1402 revealed_to_rodc=True)
1403 tgt = self._get_tgt(creds, from_rodc=True)
1404 self._s4u2self(tgt, creds,
1405 expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
1406
1407 def test_user2user_rodc_revealed(self):
1408 creds = self._get_creds(replication_allowed=True,
1409 revealed_to_rodc=True)
1410 tgt = self._get_tgt(creds, from_rodc=True)
1411 self._user2user(tgt, creds, expected_error=0)
1412
1413 # Test with an RODC-issued ticket where the SID in the PAC is changed to
1414 # that of another account.
1415 def test_tgs_rodc_sid_mismatch_existing(self):
1416 creds = self._get_creds(replication_allowed=True,
1417 revealed_to_rodc=True)
1418 existing_rid = self._get_existing_rid(replication_allowed=True,
1419 revealed_to_rodc=True)
1420 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1421 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1422
1423 def test_renew_rodc_sid_mismatch_existing(self):
1424 creds = self._get_creds(replication_allowed=True,
1425 revealed_to_rodc=True)
1426 existing_rid = self._get_existing_rid(replication_allowed=True,
1427 revealed_to_rodc=True)
1428 tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
1429 new_rid=existing_rid)
1430 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1431
1432 def test_validate_rodc_sid_mismatch_existing(self):
1433 creds = self._get_creds(replication_allowed=True,
1434 revealed_to_rodc=True)
1435 existing_rid = self._get_existing_rid(replication_allowed=True,
1436 revealed_to_rodc=True)
1437 tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
1438 new_rid=existing_rid)
1439 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1440
1441 def test_s4u2self_rodc_sid_mismatch_existing(self):
1442 creds = self._get_creds(replication_allowed=True,
1443 revealed_to_rodc=True)
1444 existing_rid = self._get_existing_rid(replication_allowed=True,
1445 revealed_to_rodc=True)
1446 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1447 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1448
1449 def test_user2user_rodc_sid_mismatch_existing(self):
1450 creds = self._get_creds(replication_allowed=True,
1451 revealed_to_rodc=True)
1452 existing_rid = self._get_existing_rid(replication_allowed=True,
1453 revealed_to_rodc=True)
1454 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1455 self._user2user(tgt, creds,
1456 expected_error=KDC_ERR_TGT_REVOKED)
1457
1458 def test_fast_rodc_sid_mismatch_existing(self):
1459 creds = self._get_creds(replication_allowed=True,
1460 revealed_to_rodc=True)
1461 existing_rid = self._get_existing_rid(replication_allowed=True,
1462 revealed_to_rodc=True)
1463 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1464 self._fast(tgt, creds,
1465 expected_error=KDC_ERR_TGT_REVOKED,
1466 expected_sname=self.get_krbtgt_sname())
1467
1468 def test_tgs_rodc_requester_sid_mismatch_existing(self):
1469 creds = self._get_creds(replication_allowed=True,
1470 revealed_to_rodc=True)
1471 existing_rid = self._get_existing_rid(replication_allowed=True,
1472 revealed_to_rodc=True)
1473 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1474 can_modify_logon_info=False)
1475 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1476
1477 def test_tgs_rodc_logon_info_sid_mismatch_existing(self):
1478 creds = self._get_creds(replication_allowed=True,
1479 revealed_to_rodc=True)
1480 existing_rid = self._get_existing_rid(replication_allowed=True,
1481 revealed_to_rodc=True)
1482 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1483 can_modify_requester_sid=False)
1484 self._run_tgs(tgt, creds, expected_error=0)
1485
1486 def test_tgs_rodc_logon_info_only_sid_mismatch_existing(self):
1487 creds = self._get_creds(replication_allowed=True,
1488 revealed_to_rodc=True)
1489 existing_rid = self._get_existing_rid(replication_allowed=True,
1490 revealed_to_rodc=True)
1491 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1492 remove_requester_sid=True)
1493 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1494
1495 # Test with an RODC-issued ticket where the SID in the PAC is changed to a
1496 # non-existent one.
1497 def test_tgs_rodc_sid_mismatch_nonexisting(self):
1498 creds = self._get_creds(replication_allowed=True,
1499 revealed_to_rodc=True)
1500 nonexistent_rid = self._get_non_existent_rid()
1501 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1502 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1503
1504 def test_renew_rodc_sid_mismatch_nonexisting(self):
1505 creds = self._get_creds(replication_allowed=True,
1506 revealed_to_rodc=True)
1507 nonexistent_rid = self._get_non_existent_rid()
1508 tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
1509 new_rid=nonexistent_rid)
1510 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1511
1512 def test_validate_rodc_sid_mismatch_nonexisting(self):
1513 creds = self._get_creds(replication_allowed=True,
1514 revealed_to_rodc=True)
1515 nonexistent_rid = self._get_non_existent_rid()
1516 tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
1517 new_rid=nonexistent_rid)
1518 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1519
1520 def test_s4u2self_rodc_sid_mismatch_nonexisting(self):
1521 creds = self._get_creds(replication_allowed=True,
1522 revealed_to_rodc=True)
1523 nonexistent_rid = self._get_non_existent_rid()
1524 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1525 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1526
1527 def test_user2user_rodc_sid_mismatch_nonexisting(self):
1528 creds = self._get_creds(replication_allowed=True,
1529 revealed_to_rodc=True)
1530 nonexistent_rid = self._get_non_existent_rid()
1531 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1532 self._user2user(tgt, creds,
1533 expected_error=KDC_ERR_TGT_REVOKED)
1534
1535 def test_fast_rodc_sid_mismatch_nonexisting(self):
1536 creds = self._get_creds(replication_allowed=True,
1537 revealed_to_rodc=True)
1538 nonexistent_rid = self._get_non_existent_rid()
1539 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1540 self._fast(tgt, creds,
1541 expected_error=KDC_ERR_TGT_REVOKED,
1542 expected_sname=self.get_krbtgt_sname())
1543
1544 def test_tgs_rodc_requester_sid_mismatch_nonexisting(self):
1545 creds = self._get_creds(replication_allowed=True,
1546 revealed_to_rodc=True)
1547 nonexistent_rid = self._get_non_existent_rid()
1548 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1549 can_modify_logon_info=False)
1550 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1551
1552 def test_tgs_rodc_logon_info_sid_mismatch_nonexisting(self):
1553 creds = self._get_creds(replication_allowed=True,
1554 revealed_to_rodc=True)
1555 nonexistent_rid = self._get_non_existent_rid()
1556 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1557 can_modify_requester_sid=False)
1558 self._run_tgs(tgt, creds, expected_error=0)
1559
1560 def test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting(self):
1561 creds = self._get_creds(replication_allowed=True,
1562 revealed_to_rodc=True)
1563 nonexistent_rid = self._get_non_existent_rid()
1564 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1565 remove_requester_sid=True)
1566 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1567
1568 # Test with an RODC-issued ticket where the client is not revealed to the
1569 # RODC.
1570 def test_tgs_rodc_not_revealed(self):
1571 creds = self._get_creds(replication_allowed=True)
1572 tgt = self._get_tgt(creds, from_rodc=True)
1573 # TODO: error code
1574 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1575
1576 def test_renew_rodc_not_revealed(self):
1577 creds = self._get_creds(replication_allowed=True)
1578 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1579 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1580
1581 def test_validate_rodc_not_revealed(self):
1582 creds = self._get_creds(replication_allowed=True)
1583 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1584 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1585
1586 def test_s4u2self_rodc_not_revealed(self):
1587 creds = self._get_creds(replication_allowed=True)
1588 tgt = self._get_tgt(creds, from_rodc=True)
1589 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1590
1591 def test_user2user_rodc_not_revealed(self):
1592 creds = self._get_creds(replication_allowed=True)
1593 tgt = self._get_tgt(creds, from_rodc=True)
1594 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1595
1596 # Test with an RODC-issued ticket where the RODC account does not have the
1597 # PARTIAL_SECRETS bit set.
1598 def test_tgs_rodc_no_partial_secrets(self):
1599 creds = self._get_creds(replication_allowed=True,
1600 revealed_to_rodc=True)
1601 tgt = self._get_tgt(creds, from_rodc=True)
1602 self._remove_rodc_partial_secrets()
1603 self._run_tgs(tgt, creds, expected_error=KDC_ERR_POLICY)
1604
1605 def test_renew_rodc_no_partial_secrets(self):
1606 creds = self._get_creds(replication_allowed=True,
1607 revealed_to_rodc=True)
1608 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1609 self._remove_rodc_partial_secrets()
1610 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1611
1612 def test_validate_rodc_no_partial_secrets(self):
1613 creds = self._get_creds(replication_allowed=True,
1614 revealed_to_rodc=True)
1615 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1616 self._remove_rodc_partial_secrets()
1617 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1618
1619 def test_s4u2self_rodc_no_partial_secrets(self):
1620 creds = self._get_creds(replication_allowed=True,
1621 revealed_to_rodc=True)
1622 tgt = self._get_tgt(creds, from_rodc=True)
1623 self._remove_rodc_partial_secrets()
1624 self._s4u2self(tgt, creds, expected_error=KDC_ERR_POLICY)
1625
1626 def test_user2user_rodc_no_partial_secrets(self):
1627 creds = self._get_creds(replication_allowed=True,
1628 revealed_to_rodc=True)
1629 tgt = self._get_tgt(creds, from_rodc=True)
1630 self._remove_rodc_partial_secrets()
1631 self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
1632
1633 def test_fast_rodc_no_partial_secrets(self):
1634 creds = self._get_creds(replication_allowed=True,
1635 revealed_to_rodc=True)
1636 tgt = self._get_tgt(creds, from_rodc=True)
1637 self._remove_rodc_partial_secrets()
1638 self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
1639 expected_sname=self.get_krbtgt_sname())
1640
1641 # Test with an RODC-issued ticket where the RODC account does not have an
1642 # msDS-KrbTgtLink.
1643 def test_tgs_rodc_no_krbtgt_link(self):
1644 creds = self._get_creds(replication_allowed=True,
1645 revealed_to_rodc=True)
1646 tgt = self._get_tgt(creds, from_rodc=True)
1647 self._remove_rodc_krbtgt_link()
1648 self._run_tgs(tgt, creds, expected_error=KDC_ERR_POLICY)
1649
1650 def test_renew_rodc_no_krbtgt_link(self):
1651 creds = self._get_creds(replication_allowed=True,
1652 revealed_to_rodc=True)
1653 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1654 self._remove_rodc_krbtgt_link()
1655 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1656
1657 def test_validate_rodc_no_krbtgt_link(self):
1658 creds = self._get_creds(replication_allowed=True,
1659 revealed_to_rodc=True)
1660 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1661 self._remove_rodc_krbtgt_link()
1662 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1663
1664 def test_s4u2self_rodc_no_krbtgt_link(self):
1665 creds = self._get_creds(replication_allowed=True,
1666 revealed_to_rodc=True)
1667 tgt = self._get_tgt(creds, from_rodc=True)
1668 self._remove_rodc_krbtgt_link()
1669 self._s4u2self(tgt, creds, expected_error=KDC_ERR_POLICY)
1670
1671 def test_user2user_rodc_no_krbtgt_link(self):
1672 creds = self._get_creds(replication_allowed=True,
1673 revealed_to_rodc=True)
1674 tgt = self._get_tgt(creds, from_rodc=True)
1675 self._remove_rodc_krbtgt_link()
1676 self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
1677
1678 def test_fast_rodc_no_krbtgt_link(self):
1679 creds = self._get_creds(replication_allowed=True,
1680 revealed_to_rodc=True)
1681 tgt = self._get_tgt(creds, from_rodc=True)
1682 self._remove_rodc_krbtgt_link()
1683 self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
1684 expected_sname=self.get_krbtgt_sname())
1685
1686 # Test with an RODC-issued ticket where the client is not allowed to
1687 # replicate to the RODC.
1688 def test_tgs_rodc_not_allowed(self):
1689 creds = self._get_creds(revealed_to_rodc=True)
1690 tgt = self._get_tgt(creds, from_rodc=True)
1691 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1692
1693 def test_renew_rodc_not_allowed(self):
1694 creds = self._get_creds(revealed_to_rodc=True)
1695 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1696 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1697
1698 def test_validate_rodc_not_allowed(self):
1699 creds = self._get_creds(revealed_to_rodc=True)
1700 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1701 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1702
1703 def test_s4u2self_rodc_not_allowed(self):
1704 creds = self._get_creds(revealed_to_rodc=True)
1705 tgt = self._get_tgt(creds, from_rodc=True)
1706 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1707
1708 def test_user2user_rodc_not_allowed(self):
1709 creds = self._get_creds(revealed_to_rodc=True)
1710 tgt = self._get_tgt(creds, from_rodc=True)
1711 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1712
1713 def test_fast_rodc_not_allowed(self):
1714 creds = self._get_creds(revealed_to_rodc=True)
1715 tgt = self._get_tgt(creds, from_rodc=True)
1716 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1717 expected_sname=self.get_krbtgt_sname())
1718
1719 # Test with an RODC-issued ticket where the client is denied from
1720 # replicating to the RODC.
1721 def test_tgs_rodc_denied(self):
1722 creds = self._get_creds(replication_denied=True,
1723 revealed_to_rodc=True)
1724 tgt = self._get_tgt(creds, from_rodc=True)
1725 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1726
1727 def test_renew_rodc_denied(self):
1728 creds = self._get_creds(replication_denied=True,
1729 revealed_to_rodc=True)
1730 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1731 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1732
1733 def test_validate_rodc_denied(self):
1734 creds = self._get_creds(replication_denied=True,
1735 revealed_to_rodc=True)
1736 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1737 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1738
1739 def test_s4u2self_rodc_denied(self):
1740 creds = self._get_creds(replication_denied=True,
1741 revealed_to_rodc=True)
1742 tgt = self._get_tgt(creds, from_rodc=True)
1743 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1744
1745 def test_user2user_rodc_denied(self):
1746 creds = self._get_creds(replication_denied=True,
1747 revealed_to_rodc=True)
1748 tgt = self._get_tgt(creds, from_rodc=True)
1749 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1750
1751 def test_fast_rodc_denied(self):
1752 creds = self._get_creds(replication_denied=True,
1753 revealed_to_rodc=True)
1754 tgt = self._get_tgt(creds, from_rodc=True)
1755 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1756 expected_sname=self.get_krbtgt_sname())
1757
1758 # Test with an RODC-issued ticket where the client is both allowed and
1759 # denied replicating to the RODC.
1760 def test_tgs_rodc_allowed_denied(self):
1761 creds = self._get_creds(replication_allowed=True,
1762 replication_denied=True,
1763 revealed_to_rodc=True)
1764 tgt = self._get_tgt(creds, from_rodc=True)
1765 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1766
1767 def test_renew_rodc_allowed_denied(self):
1768 creds = self._get_creds(replication_allowed=True,
1769 replication_denied=True,
1770 revealed_to_rodc=True)
1771 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1772 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1773
1774 def test_validate_rodc_allowed_denied(self):
1775 creds = self._get_creds(replication_allowed=True,
1776 replication_denied=True,
1777 revealed_to_rodc=True)
1778 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1779 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1780
1781 def test_s4u2self_rodc_allowed_denied(self):
1782 creds = self._get_creds(replication_allowed=True,
1783 replication_denied=True,
1784 revealed_to_rodc=True)
1785 tgt = self._get_tgt(creds, from_rodc=True)
1786 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1787
1788 def test_user2user_rodc_allowed_denied(self):
1789 creds = self._get_creds(replication_allowed=True,
1790 replication_denied=True,
1791 revealed_to_rodc=True)
1792 tgt = self._get_tgt(creds, from_rodc=True)
1793 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1794
1795 def test_fast_rodc_allowed_denied(self):
1796 creds = self._get_creds(replication_allowed=True,
1797 replication_denied=True,
1798 revealed_to_rodc=True)
1799 tgt = self._get_tgt(creds, from_rodc=True)
1800 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1801 expected_sname=self.get_krbtgt_sname())
1802
1803 # Test making a TGS request with an RC4-encrypted TGT.
1804 def test_tgs_rc4(self):
1805 creds = self._get_creds()
1806 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1807 self._run_tgs(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1808 KDC_ERR_BADKEYVER),
1809 expect_edata=True,
1810 # We aren’t particular about whether or not we get an
1811 # NTSTATUS.
1812 expect_status=None,
1813 expected_status=ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES)
1814
1815 def test_renew_rc4(self):
1816 creds = self._get_creds()
1817 tgt = self._get_tgt(creds, renewable=True, etype=kcrypto.Enctype.RC4)
1818 self._renew_tgt(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1819 KDC_ERR_BADKEYVER),
1820 expect_pac_attrs=True,
1821 expect_pac_attrs_pac_request=True,
1822 expect_requester_sid=True)
1823
1824 def test_validate_rc4(self):
1825 creds = self._get_creds()
1826 tgt = self._get_tgt(creds, invalid=True, etype=kcrypto.Enctype.RC4)
1827 self._validate_tgt(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1828 KDC_ERR_BADKEYVER),
1829 expect_pac_attrs=True,
1830 expect_pac_attrs_pac_request=True,
1831 expect_requester_sid=True)
1832
1833 def test_s4u2self_rc4(self):
1834 creds = self._get_creds()
1835 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1836 self._s4u2self(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1837 KDC_ERR_BADKEYVER),
1838 expect_edata=True,
1839 # We aren’t particular about whether or not we get an
1840 # NTSTATUS.
1841 expect_status=None,
1842 expected_status=ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES)
1843
1844 def test_user2user_rc4(self):
1845 creds = self._get_creds()
1846 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1847 self._user2user(tgt, creds, expected_error=KDC_ERR_ETYPE_NOSUPP)
1848
1849 def test_fast_rc4(self):
1850 creds = self._get_creds()
1851 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1852 self._fast(tgt, creds, expected_error=KDC_ERR_GENERIC,
1853 expect_edata=self.expect_padata_outer)
1854
1855 # Test with a TGT that has the lifetime of a kpasswd ticket (two minutes).
1856 def test_tgs_kpasswd(self):
1857 creds = self._get_creds()
1858 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1859 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1860
1861 def test_renew_kpasswd(self):
1862 creds = self._get_creds()
1863 tgt = self._get_tgt(creds, renewable=True)
1864 tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
1865 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1866
1867 def test_validate_kpasswd(self):
1868 creds = self._get_creds()
1869 tgt = self._get_tgt(creds, invalid=True)
1870 tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
1871 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1872
1873 def test_s4u2self_kpasswd(self):
1874 creds = self._get_creds()
1875 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1876 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1877
1878 def test_user2user_kpasswd(self):
1879 creds = self._get_creds()
1880 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1881 self._user2user(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1882
1883 def test_fast_kpasswd(self):
1884 creds = self._get_creds()
1885 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1886 self._fast(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1887
1888 # Test user-to-user with incorrect service principal names.
1889 def test_user2user_matching_sname_host(self):
1890 creds = self._get_creds()
1891 tgt = self._get_tgt(creds)
1892
1893 user_name = creds.get_username()
1894 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1895 names=['host', user_name])
1896
1897 self._user2user(tgt, creds, sname=sname,
1898 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
1899
1900 def test_user2user_matching_sname_no_host(self):
1901 creds = self._get_creds()
1902 tgt = self._get_tgt(creds)
1903
1904 user_name = creds.get_username()
1905 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1906 names=[user_name])
1907
1908 self._user2user(tgt, creds, sname=sname, expected_error=0)
1909
1910 def test_user2user_wrong_sname(self):
1911 creds = self._get_creds()
1912 tgt = self._get_tgt(creds)
1913
1914 other_creds = self._get_mach_creds()
1915 user_name = other_creds.get_username()
1916 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1917 names=[user_name])
1918
1919 self._user2user(tgt, creds, sname=sname,
1920 expected_error=KDC_ERR_BADMATCH)
1921
1922 def test_user2user_other_sname(self):
1923 other_name = self.get_new_username()
1924 spn = f'host/{other_name}'
1925 creds = self.get_cached_creds(
1926 account_type=self.AccountType.COMPUTER,
1927 opts={'spn': spn})
1928 tgt = self._get_tgt(creds)
1929
1930 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1931 names=['host', other_name])
1932
1933 self._user2user(tgt, creds, sname=sname, expected_error=0)
1934
1935 def test_user2user_wrong_sname_krbtgt(self):
1936 creds = self._get_creds()
1937 tgt = self._get_tgt(creds)
1938
1939 sname = self.get_krbtgt_sname()
1940
1941 self._user2user(tgt, creds, sname=sname,
1942 expected_error=KDC_ERR_BADMATCH)
1943
1944 def test_user2user_wrong_srealm(self):
1945 creds = self._get_creds()
1946 tgt = self._get_tgt(creds)
1947
1948 self._user2user(tgt, creds, srealm='OTHER.REALM',
1949 expected_error=(KDC_ERR_WRONG_REALM,
1950 KDC_ERR_S_PRINCIPAL_UNKNOWN))
1951
1952 def test_user2user_tgt_correct_realm(self):
1953 creds = self._get_creds()
1954 tgt = self._get_tgt(creds)
1955
1956 realm = creds.get_realm().encode('utf-8')
1957 tgt = self._modify_tgt(tgt, realm)
1958
1959 self._user2user(tgt, creds,
1960 expected_error=0)
1961
1962 def test_user2user_tgt_wrong_realm(self):
1963 creds = self._get_creds()
1964 tgt = self._get_tgt(creds)
1965
1966 tgt = self._modify_tgt(tgt, b'OTHER.REALM')
1967
1968 self._user2user(tgt, creds,
1969 expected_error=0)
1970
1971 def test_user2user_tgt_correct_cname(self):
1972 creds = self._get_creds()
1973 tgt = self._get_tgt(creds)
1974
1975 user_name = creds.get_username()
1976 user_name = user_name.encode('utf-8')
1977 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1978 names=[user_name])
1979
1980 tgt = self._modify_tgt(tgt, cname=cname)
1981
1982 self._user2user(tgt, creds, expected_error=0)
1983
1984 def test_user2user_tgt_other_cname(self):
1985 samdb = self.get_samdb()
1986
1987 other_name = self.get_new_username()
1988 upn = f'{other_name}@{samdb.domain_dns_name()}'
1989
1990 creds = self.get_cached_creds(
1991 account_type=self.AccountType.COMPUTER,
1992 opts={'upn': upn})
1993 tgt = self._get_tgt(creds)
1994
1995 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1996 names=[other_name.encode('utf-8')])
1997
1998 tgt = self._modify_tgt(tgt, cname=cname)
1999
2000 self._user2user(tgt, creds, expected_error=0)
2001
2002 def test_user2user_tgt_cname_host(self):
2003 creds = self._get_creds()
2004 tgt = self._get_tgt(creds)
2005
2006 user_name = creds.get_username()
2007 user_name = user_name.encode('utf-8')
2008 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2009 names=[b'host', user_name])
2010
2011 tgt = self._modify_tgt(tgt, cname=cname)
2012
2013 self._user2user(tgt, creds,
2014 expected_error=(KDC_ERR_TGT_REVOKED,
2015 KDC_ERR_C_PRINCIPAL_UNKNOWN))
2016
2017 def test_user2user_non_existent_sname(self):
2018 creds = self._get_creds()
2019 tgt = self._get_tgt(creds)
2020
2021 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2022 names=['host', 'non_existent_user'])
2023
2024 self._user2user(tgt, creds, sname=sname,
2025 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
2026
2027 def test_user2user_no_sname(self):
2028 creds = self._get_creds()
2029 tgt = self._get_tgt(creds)
2030
2031 self._user2user(tgt, creds, sname=False,
2032 expected_error=(KDC_ERR_GENERIC,
2033 KDC_ERR_S_PRINCIPAL_UNKNOWN))
2034
2035 def test_tgs_service_ticket(self):
2036 creds = self._get_creds()
2037 tgt = self._get_tgt(creds)
2038
2039 service_creds = self.get_service_creds()
2040 service_ticket = self.get_service_ticket(tgt, service_creds)
2041
2042 self._run_tgs(service_ticket, creds,
2043 expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
2044
2045 def test_renew_service_ticket(self):
2046 creds = self._get_creds()
2047 tgt = self._get_tgt(creds)
2048
2049 service_creds = self.get_service_creds()
2050 service_ticket = self.get_service_ticket(tgt, service_creds)
2051
2052 service_ticket = self.modified_ticket(
2053 service_ticket,
2054 modify_fn=self._modify_renewable,
2055 checksum_keys=self.get_krbtgt_checksum_key())
2056
2057 self._renew_tgt(service_ticket, creds,
2058 expected_error=KDC_ERR_POLICY)
2059
2060 def test_validate_service_ticket(self):
2061 creds = self._get_creds()
2062 tgt = self._get_tgt(creds)
2063
2064 service_creds = self.get_service_creds()
2065 service_ticket = self.get_service_ticket(tgt, service_creds)
2066
2067 service_ticket = self.modified_ticket(
2068 service_ticket,
2069 modify_fn=self._modify_invalid,
2070 checksum_keys=self.get_krbtgt_checksum_key())
2071
2072 self._validate_tgt(service_ticket, creds,
2073 expected_error=KDC_ERR_POLICY)
2074
2075 def test_s4u2self_service_ticket(self):
2076 creds = self._get_creds()
2077 tgt = self._get_tgt(creds)
2078
2079 service_creds = self.get_service_creds()
2080 service_ticket = self.get_service_ticket(tgt, service_creds)
2081
2082 self._s4u2self(service_ticket, creds,
2083 expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
2084
2085 def test_user2user_service_ticket(self):
2086 creds = self._get_creds()
2087 tgt = self._get_tgt(creds)
2088
2089 service_creds = self.get_service_creds()
2090 service_ticket = self.get_service_ticket(tgt, service_creds)
2091
2092 self._user2user(service_ticket, creds,
2093 expected_error=(KDC_ERR_MODIFIED, KDC_ERR_POLICY))
2094
2095 # Expected to fail against Windows, which does not produce an error.
2096 def test_fast_service_ticket(self):
2097 creds = self._get_creds()
2098 tgt = self._get_tgt(creds)
2099
2100 service_creds = self.get_service_creds()
2101 service_ticket = self.get_service_ticket(tgt, service_creds)
2102
2103 self._fast(service_ticket, creds,
2104 expected_error=(KDC_ERR_POLICY,
2105 KDC_ERR_S_PRINCIPAL_UNKNOWN))
2106
2107 def test_pac_attrs_none(self):
2108 creds = self._get_creds()
2109 self.get_tgt(creds, pac_request=None,
2110 expect_pac=True,
2111 expect_pac_attrs=True,
2112 expect_pac_attrs_pac_request=None)
2113
2114 def test_pac_attrs_false(self):
2115 creds = self._get_creds()
2116 self.get_tgt(creds, pac_request=False,
2117 expect_pac=True,
2118 expect_pac_attrs=True,
2119 expect_pac_attrs_pac_request=False)
2120
2121 def test_pac_attrs_true(self):
2122 creds = self._get_creds()
2123 self.get_tgt(creds, pac_request=True,
2124 expect_pac=True,
2125 expect_pac_attrs=True,
2126 expect_pac_attrs_pac_request=True)
2127
2128 def test_pac_attrs_renew_none(self):
2129 creds = self._get_creds()
2130 tgt = self.get_tgt(creds, pac_request=None,
2131 expect_pac=True,
2132 expect_pac_attrs=True,
2133 expect_pac_attrs_pac_request=None)
2134 tgt = self._modify_tgt(tgt, renewable=True)
2135
2136 self._renew_tgt(tgt, creds, expected_error=0,
2137 expect_pac=True,
2138 expect_pac_attrs=True,
2139 expect_pac_attrs_pac_request=None,
2140 expect_requester_sid=True)
2141
2142 def test_pac_attrs_renew_false(self):
2143 creds = self._get_creds()
2144 tgt = self.get_tgt(creds, pac_request=False,
2145 expect_pac=True,
2146 expect_pac_attrs=True,
2147 expect_pac_attrs_pac_request=False)
2148 tgt = self._modify_tgt(tgt, renewable=True)
2149
2150 self._renew_tgt(tgt, creds, expected_error=0,
2151 expect_pac=True,
2152 expect_pac_attrs=True,
2153 expect_pac_attrs_pac_request=False,
2154 expect_requester_sid=True)
2155
2156 def test_pac_attrs_renew_true(self):
2157 creds = self._get_creds()
2158 tgt = self.get_tgt(creds, pac_request=True,
2159 expect_pac=True,
2160 expect_pac_attrs=True,
2161 expect_pac_attrs_pac_request=True)
2162 tgt = self._modify_tgt(tgt, renewable=True)
2163
2164 self._renew_tgt(tgt, creds, expected_error=0,
2165 expect_pac=True,
2166 expect_pac_attrs=True,
2167 expect_pac_attrs_pac_request=True,
2168 expect_requester_sid=True)
2169
2170 def test_pac_attrs_rodc_renew_none(self):
2171 creds = self._get_creds(replication_allowed=True,
2172 revealed_to_rodc=True)
2173 tgt = self.get_tgt(creds, pac_request=None,
2174 expect_pac=True,
2175 expect_pac_attrs=True,
2176 expect_pac_attrs_pac_request=None)
2177 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2178
2179 self._renew_tgt(tgt, creds, expected_error=0,
2180 expect_pac=True,
2181 expect_pac_attrs=False,
2182 expect_requester_sid=True)
2183
2184 def test_pac_attrs_rodc_renew_false(self):
2185 creds = self._get_creds(replication_allowed=True,
2186 revealed_to_rodc=True)
2187 tgt = self.get_tgt(creds, pac_request=False,
2188 expect_pac=True,
2189 expect_pac_attrs=True,
2190 expect_pac_attrs_pac_request=False)
2191 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2192
2193 self._renew_tgt(tgt, creds, expected_error=0,
2194 expect_pac=True,
2195 expect_pac_attrs=False,
2196 expect_requester_sid=True)
2197
2198 def test_pac_attrs_rodc_renew_true(self):
2199 creds = self._get_creds(replication_allowed=True,
2200 revealed_to_rodc=True)
2201 tgt = self.get_tgt(creds, pac_request=True,
2202 expect_pac=True,
2203 expect_pac_attrs=True,
2204 expect_pac_attrs_pac_request=True)
2205 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2206
2207 self._renew_tgt(tgt, creds, expected_error=0,
2208 expect_pac=True,
2209 expect_pac_attrs=False,
2210 expect_requester_sid=True)
2211
2212 def test_pac_attrs_missing_renew_none(self):
2213 creds = self._get_creds()
2214 tgt = self.get_tgt(creds, pac_request=None,
2215 expect_pac=True,
2216 expect_pac_attrs=True,
2217 expect_pac_attrs_pac_request=None)
2218 tgt = self._modify_tgt(tgt, renewable=True,
2219 remove_pac_attrs=True)
2220
2221 self._renew_tgt(tgt, creds, expected_error=0,
2222 expect_pac=True,
2223 expect_pac_attrs=False,
2224 expect_requester_sid=True)
2225
2226 def test_pac_attrs_missing_renew_false(self):
2227 creds = self._get_creds()
2228 tgt = self.get_tgt(creds, pac_request=False,
2229 expect_pac=True,
2230 expect_pac_attrs=True,
2231 expect_pac_attrs_pac_request=False)
2232 tgt = self._modify_tgt(tgt, renewable=True,
2233 remove_pac_attrs=True)
2234
2235 self._renew_tgt(tgt, creds, expected_error=0,
2236 expect_pac=True,
2237 expect_pac_attrs=False,
2238 expect_requester_sid=True)
2239
2240 def test_pac_attrs_missing_renew_true(self):
2241 creds = self._get_creds()
2242 tgt = self.get_tgt(creds, pac_request=True,
2243 expect_pac=True,
2244 expect_pac_attrs=True,
2245 expect_pac_attrs_pac_request=True)
2246 tgt = self._modify_tgt(tgt, renewable=True,
2247 remove_pac_attrs=True)
2248
2249 self._renew_tgt(tgt, creds, expected_error=0,
2250 expect_pac=True,
2251 expect_pac_attrs=False,
2252 expect_requester_sid=True)
2253
2254 def test_pac_attrs_missing_rodc_renew_none(self):
2255 creds = self._get_creds(replication_allowed=True,
2256 revealed_to_rodc=True)
2257 tgt = self.get_tgt(creds, pac_request=None,
2258 expect_pac=True,
2259 expect_pac_attrs=True,
2260 expect_pac_attrs_pac_request=None)
2261 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2262 remove_pac_attrs=True)
2263
2264 self._renew_tgt(tgt, creds, expected_error=0,
2265 expect_pac=True,
2266 expect_pac_attrs=False,
2267 expect_requester_sid=True)
2268
2269 def test_pac_attrs_missing_rodc_renew_false(self):
2270 creds = self._get_creds(replication_allowed=True,
2271 revealed_to_rodc=True)
2272 tgt = self.get_tgt(creds, pac_request=False,
2273 expect_pac=True,
2274 expect_pac_attrs=True,
2275 expect_pac_attrs_pac_request=False)
2276 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2277 remove_pac_attrs=True)
2278
2279 self._renew_tgt(tgt, creds, expected_error=0,
2280 expect_pac=True,
2281 expect_pac_attrs=False,
2282 expect_requester_sid=True)
2283
2284 def test_pac_attrs_missing_rodc_renew_true(self):
2285 creds = self._get_creds(replication_allowed=True,
2286 revealed_to_rodc=True)
2287 tgt = self.get_tgt(creds, pac_request=True,
2288 expect_pac=True,
2289 expect_pac_attrs=True,
2290 expect_pac_attrs_pac_request=True)
2291 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2292 remove_pac_attrs=True)
2293
2294 self._renew_tgt(tgt, creds, expected_error=0,
2295 expect_pac=True,
2296 expect_pac_attrs=False,
2297 expect_requester_sid=True)
2298
2299 def test_tgs_pac_attrs_none(self):
2300 creds = self._get_creds()
2301 tgt = self.get_tgt(creds, pac_request=None,
2302 expect_pac=True,
2303 expect_pac_attrs=True,
2304 expect_pac_attrs_pac_request=None)
2305
2306 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2307 expect_pac_attrs=False)
2308
2309 def test_tgs_pac_attrs_false(self):
2310 creds = self._get_creds()
2311 tgt = self.get_tgt(creds, pac_request=False,
2312 expect_pac=True,
2313 expect_pac_attrs=True,
2314 expect_pac_attrs_pac_request=False)
2315
2316 self._run_tgs(tgt, creds, expected_error=0, expect_pac=False,
2317 expect_pac_attrs=False)
2318
2319 def test_tgs_pac_attrs_true(self):
2320 creds = self._get_creds()
2321 tgt = self.get_tgt(creds, pac_request=True,
2322 expect_pac=True,
2323 expect_pac_attrs=True,
2324 expect_pac_attrs_pac_request=True)
2325
2326 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2327 expect_pac_attrs=False)
2328
2329 def test_as_requester_sid(self):
2330 creds = self._get_creds()
2331
2332 sid = creds.get_sid()
2333
2334 self.get_tgt(creds, pac_request=None,
2335 expect_pac=True,
2336 expected_sid=sid,
2337 expect_requester_sid=True)
2338
2339 def test_tgs_requester_sid(self):
2340 creds = self._get_creds()
2341
2342 sid = creds.get_sid()
2343
2344 tgt = self.get_tgt(creds, pac_request=None,
2345 expect_pac=True,
2346 expected_sid=sid,
2347 expect_requester_sid=True)
2348
2349 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2350 expect_requester_sid=False)
2351
2352 def test_tgs_requester_sid_renew(self):
2353 creds = self._get_creds()
2354
2355 sid = creds.get_sid()
2356
2357 tgt = self.get_tgt(creds, pac_request=None,
2358 expect_pac=True,
2359 expected_sid=sid,
2360 expect_requester_sid=True)
2361 tgt = self._modify_tgt(tgt, renewable=True)
2362
2363 self._renew_tgt(tgt, creds, expected_error=0, expect_pac=True,
2364 expect_pac_attrs=True,
2365 expect_pac_attrs_pac_request=None,
2366 expected_sid=sid,
2367 expect_requester_sid=True)
2368
2369 def test_tgs_requester_sid_rodc_renew(self):
2370 creds = self._get_creds(replication_allowed=True,
2371 revealed_to_rodc=True)
2372
2373 sid = creds.get_sid()
2374
2375 tgt = self.get_tgt(creds, pac_request=None,
2376 expect_pac=True,
2377 expected_sid=sid,
2378 expect_requester_sid=True)
2379 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2380
2381 self._renew_tgt(tgt, creds, expected_error=0, expect_pac=True,
2382 expect_pac_attrs=False,
2383 expected_sid=sid,
2384 expect_requester_sid=True)
2385
2386 def test_tgs_requester_sid_missing_renew(self):
2387 creds = self._get_creds()
2388
2389 sid = creds.get_sid()
2390
2391 tgt = self.get_tgt(creds, pac_request=None,
2392 expect_pac=True,
2393 expected_sid=sid,
2394 expect_requester_sid=True)
2395 tgt = self._modify_tgt(tgt, renewable=True,
2396 remove_requester_sid=True)
2397
2398 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2399
2400 def test_tgs_requester_sid_missing_rodc_renew(self):
2401 creds = self._get_creds(replication_allowed=True,
2402 revealed_to_rodc=True)
2403
2404 sid = creds.get_sid()
2405
2406 tgt = self.get_tgt(creds, pac_request=None,
2407 expect_pac=True,
2408 expected_sid=sid,
2409 expect_requester_sid=True)
2410 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2411 remove_requester_sid=True)
2412
2413 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2414
2415 def test_tgs_requester_sid_validate(self):
2416 creds = self._get_creds()
2417
2418 sid = creds.get_sid()
2419
2420 tgt = self.get_tgt(creds, pac_request=None,
2421 expect_pac=True,
2422 expected_sid=sid,
2423 expect_requester_sid=True)
2424 tgt = self._modify_tgt(tgt, invalid=True)
2425
2426 self._validate_tgt(tgt, creds, expected_error=0, expect_pac=True,
2427 expect_pac_attrs=True,
2428 expect_pac_attrs_pac_request=None,
2429 expected_sid=sid,
2430 expect_requester_sid=True)
2431
2432 def test_tgs_requester_sid_rodc_validate(self):
2433 creds = self._get_creds(replication_allowed=True,
2434 revealed_to_rodc=True)
2435
2436 sid = creds.get_sid()
2437
2438 tgt = self.get_tgt(creds, pac_request=None,
2439 expect_pac=True,
2440 expected_sid=sid,
2441 expect_requester_sid=True)
2442 tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True)
2443
2444 self._validate_tgt(tgt, creds, expected_error=0, expect_pac=True,
2445 expect_pac_attrs=False,
2446 expected_sid=sid,
2447 expect_requester_sid=True)
2448
2449 def test_tgs_requester_sid_missing_validate(self):
2450 creds = self._get_creds()
2451
2452 sid = creds.get_sid()
2453
2454 tgt = self.get_tgt(creds, pac_request=None,
2455 expect_pac=True,
2456 expected_sid=sid,
2457 expect_requester_sid=True)
2458 tgt = self._modify_tgt(tgt, invalid=True,
2459 remove_requester_sid=True)
2460
2461 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2462
2463 def test_tgs_requester_sid_missing_rodc_validate(self):
2464 creds = self._get_creds(replication_allowed=True,
2465 revealed_to_rodc=True)
2466
2467 sid = creds.get_sid()
2468
2469 tgt = self.get_tgt(creds, pac_request=None,
2470 expect_pac=True,
2471 expected_sid=sid,
2472 expect_requester_sid=True)
2473 tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True,
2474 remove_requester_sid=True)
2475
2476 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2477
2478 def test_tgs_pac_request_none(self):
2479 creds = self._get_creds()
2480 tgt = self.get_tgt(creds, pac_request=None)
2481
2482 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2483
2484 pac = self.get_ticket_pac(ticket)
2485 self.assertIsNotNone(pac)
2486
2487 def test_tgs_pac_request_false(self):
2488 creds = self._get_creds()
2489 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2490
2491 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2492
2493 pac = self.get_ticket_pac(ticket, expect_pac=False)
2494 self.assertIsNone(pac)
2495
2496 def test_tgs_pac_request_true(self):
2497 creds = self._get_creds()
2498 tgt = self.get_tgt(creds, pac_request=True)
2499
2500 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2501
2502 pac = self.get_ticket_pac(ticket)
2503 self.assertIsNotNone(pac)
2504
2505 def test_renew_pac_request_none(self):
2506 creds = self._get_creds()
2507 tgt = self.get_tgt(creds, pac_request=None)
2508 tgt = self._modify_tgt(tgt, renewable=True)
2509
2510 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2511 expect_pac_attrs=True,
2512 expect_pac_attrs_pac_request=None,
2513 expect_requester_sid=True)
2514
2515 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2516
2517 pac = self.get_ticket_pac(ticket)
2518 self.assertIsNotNone(pac)
2519
2520 def test_renew_pac_request_false(self):
2521 creds = self._get_creds()
2522 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2523 tgt = self._modify_tgt(tgt, renewable=True)
2524
2525 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2526 expect_pac_attrs=True,
2527 expect_pac_attrs_pac_request=False,
2528 expect_requester_sid=True)
2529
2530 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2531
2532 pac = self.get_ticket_pac(ticket, expect_pac=False)
2533 self.assertIsNone(pac)
2534
2535 def test_renew_pac_request_true(self):
2536 creds = self._get_creds()
2537 tgt = self.get_tgt(creds, pac_request=True)
2538 tgt = self._modify_tgt(tgt, renewable=True)
2539
2540 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2541 expect_pac_attrs=True,
2542 expect_pac_attrs_pac_request=True,
2543 expect_requester_sid=True)
2544
2545 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2546
2547 pac = self.get_ticket_pac(ticket)
2548 self.assertIsNotNone(pac)
2549
2550 def test_rodc_renew_pac_request_none(self):
2551 creds = self._get_creds(replication_allowed=True,
2552 revealed_to_rodc=True)
2553 tgt = self.get_tgt(creds, pac_request=None)
2554 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2555
2556 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2557 expect_pac_attrs=False,
2558 expect_requester_sid=True)
2559
2560 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2561
2562 pac = self.get_ticket_pac(ticket)
2563 self.assertIsNotNone(pac)
2564
2565 def test_rodc_renew_pac_request_false(self):
2566 creds = self._get_creds(replication_allowed=True,
2567 revealed_to_rodc=True)
2568 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2569 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2570
2571 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2572 expect_pac_attrs=False,
2573 expect_requester_sid=True)
2574
2575 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2576
2577 pac = self.get_ticket_pac(ticket)
2578 self.assertIsNotNone(pac)
2579
2580 def test_rodc_renew_pac_request_true(self):
2581 creds = self._get_creds(replication_allowed=True,
2582 revealed_to_rodc=True)
2583 tgt = self.get_tgt(creds, pac_request=True)
2584 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2585
2586 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2587 expect_pac_attrs=False,
2588 expect_requester_sid=True)
2589
2590 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2591
2592 pac = self.get_ticket_pac(ticket)
2593 self.assertIsNotNone(pac)
2594
2595 def test_validate_pac_request_none(self):
2596 creds = self._get_creds()
2597 tgt = self.get_tgt(creds, pac_request=None)
2598 tgt = self._modify_tgt(tgt, invalid=True)
2599
2600 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2601 expect_pac_attrs=True,
2602 expect_pac_attrs_pac_request=None,
2603 expect_requester_sid=True)
2604
2605 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2606
2607 pac = self.get_ticket_pac(ticket)
2608 self.assertIsNotNone(pac)
2609
2610 def test_validate_pac_request_false(self):
2611 creds = self._get_creds()
2612 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2613 tgt = self._modify_tgt(tgt, invalid=True)
2614
2615 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2616 expect_pac_attrs=True,
2617 expect_pac_attrs_pac_request=False,
2618 expect_requester_sid=True)
2619
2620 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2621
2622 pac = self.get_ticket_pac(ticket, expect_pac=False)
2623 self.assertIsNone(pac)
2624
2625 def test_validate_pac_request_true(self):
2626 creds = self._get_creds()
2627 tgt = self.get_tgt(creds, pac_request=True)
2628 tgt = self._modify_tgt(tgt, invalid=True)
2629
2630 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2631 expect_pac_attrs=True,
2632 expect_pac_attrs_pac_request=True,
2633 expect_requester_sid=True)
2634
2635 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2636
2637 pac = self.get_ticket_pac(ticket)
2638 self.assertIsNotNone(pac)
2639
2640 def test_rodc_validate_pac_request_none(self):
2641 creds = self._get_creds(replication_allowed=True,
2642 revealed_to_rodc=True)
2643 tgt = self.get_tgt(creds, pac_request=None)
2644 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2645
2646 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2647 expect_pac_attrs=False,
2648 expect_requester_sid=True)
2649
2650 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2651
2652 pac = self.get_ticket_pac(ticket)
2653 self.assertIsNotNone(pac)
2654
2655 def test_rodc_validate_pac_request_false(self):
2656 creds = self._get_creds(replication_allowed=True,
2657 revealed_to_rodc=True)
2658 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2659 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2660
2661 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2662 expect_pac_attrs=False,
2663 expect_requester_sid=True)
2664
2665 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2666
2667 pac = self.get_ticket_pac(ticket)
2668 self.assertIsNotNone(pac)
2669
2670 def test_rodc_validate_pac_request_true(self):
2671 creds = self._get_creds(replication_allowed=True,
2672 revealed_to_rodc=True)
2673 tgt = self.get_tgt(creds, pac_request=True)
2674 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2675
2676 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2677 expect_pac_attrs=False,
2678 expect_requester_sid=True)
2679
2680 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2681
2682 pac = self.get_ticket_pac(ticket)
2683 self.assertIsNotNone(pac)
2684
2685 def test_s4u2self_pac_request_none(self):
2686 creds = self._get_creds()
2687 tgt = self.get_tgt(creds, pac_request=None)
2688
2689 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2690
2691 pac = self.get_ticket_pac(ticket)
2692 self.assertIsNotNone(pac)
2693
2694 def test_s4u2self_pac_request_false(self):
2695 creds = self._get_creds()
2696 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2697
2698 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2699
2700 pac = self.get_ticket_pac(ticket)
2701 self.assertIsNotNone(pac)
2702
2703 def test_s4u2self_pac_request_true(self):
2704 creds = self._get_creds()
2705 tgt = self.get_tgt(creds, pac_request=True)
2706
2707 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2708
2709 pac = self.get_ticket_pac(ticket)
2710 self.assertIsNotNone(pac)
2711
2712 def test_user2user_pac_request_none(self):
2713 creds = self._get_creds()
2714 tgt = self.get_tgt(creds, pac_request=None)
2715
2716 ticket = self._user2user(tgt, creds, expected_error=0, expect_pac=True)
2717
2718 pac = self.get_ticket_pac(ticket)
2719 self.assertIsNotNone(pac)
2720
2721 def test_user2user_pac_request_false(self):
2722 creds = self._get_creds()
2723 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2724
2725 ticket = self._user2user(tgt, creds, expected_error=0,
2726 expect_pac=True)
2727
2728 pac = self.get_ticket_pac(ticket, expect_pac=True)
2729 self.assertIsNotNone(pac)
2730
2731 def test_user2user_pac_request_true(self):
2732 creds = self._get_creds()
2733 tgt = self.get_tgt(creds, pac_request=True)
2734
2735 ticket = self._user2user(tgt, creds, expected_error=0, expect_pac=True)
2736
2737 pac = self.get_ticket_pac(ticket)
2738 self.assertIsNotNone(pac)
2739
2740 def test_user2user_user_pac_request_none(self):
2741 creds = self._get_creds()
2742 tgt = self.get_tgt(creds)
2743
2744 user_creds = self._get_mach_creds()
2745 user_tgt = self.get_tgt(user_creds, pac_request=None)
2746
2747 ticket = self._user2user(tgt, creds, expected_error=0,
2748 user_tgt=user_tgt, user_creds=user_creds,
2749 expect_pac=True)
2750
2751 pac = self.get_ticket_pac(ticket)
2752 self.assertIsNotNone(pac)
2753
2754 def test_user2user_user_pac_request_false(self):
2755 creds = self._get_creds()
2756 tgt = self.get_tgt(creds)
2757
2758 user_creds = self._get_mach_creds()
2759 user_tgt = self.get_tgt(user_creds, pac_request=False, expect_pac=None)
2760
2761 ticket = self._user2user(tgt, creds, expected_error=0,
2762 user_tgt=user_tgt, user_creds=user_creds,
2763 expect_pac=False)
2764
2765 pac = self.get_ticket_pac(ticket, expect_pac=False)
2766 self.assertIsNone(pac)
2767
2768 def test_user2user_user_pac_request_true(self):
2769 creds = self._get_creds()
2770 tgt = self.get_tgt(creds)
2771
2772 user_creds = self._get_mach_creds()
2773 user_tgt = self.get_tgt(user_creds, pac_request=True)
2774
2775 ticket = self._user2user(tgt, creds, expected_error=0,
2776 user_tgt=user_tgt, user_creds=user_creds,
2777 expect_pac=True)
2778
2779 pac = self.get_ticket_pac(ticket)
2780 self.assertIsNotNone(pac)
2781
2782 def test_fast_pac_request_none(self):
2783 creds = self._get_creds()
2784 tgt = self.get_tgt(creds, pac_request=None)
2785
2786 ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
2787
2788 pac = self.get_ticket_pac(ticket)
2789 self.assertIsNotNone(pac)
2790
2791 def test_fast_pac_request_false(self):
2792 creds = self._get_creds()
2793 tgt = self.get_tgt(creds, pac_request=False)
2794
2795 ticket = self._fast(tgt, creds, expected_error=0,
2796 expect_pac=True)
2797
2798 pac = self.get_ticket_pac(ticket, expect_pac=True)
2799 self.assertIsNotNone(pac)
2800
2801 def test_fast_pac_request_true(self):
2802 creds = self._get_creds()
2803 tgt = self.get_tgt(creds, pac_request=True)
2804
2805 ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
2806
2807 pac = self.get_ticket_pac(ticket)
2808 self.assertIsNotNone(pac)
2809
2810 def test_tgs_rodc_pac_request_none(self):
2811 creds = self._get_creds(replication_allowed=True,
2812 revealed_to_rodc=True)
2813 tgt = self.get_tgt(creds, pac_request=None)
2814 tgt = self._modify_tgt(tgt, from_rodc=True)
2815
2816 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2817
2818 pac = self.get_ticket_pac(ticket)
2819 self.assertIsNotNone(pac)
2820
2821 def test_tgs_rodc_pac_request_false(self):
2822 creds = self._get_creds(replication_allowed=True,
2823 revealed_to_rodc=True)
2824 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2825 tgt = self._modify_tgt(tgt, from_rodc=True)
2826
2827 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2828
2829 pac = self.get_ticket_pac(ticket)
2830 self.assertIsNotNone(pac)
2831
2832 def test_tgs_rodc_pac_request_true(self):
2833 creds = self._get_creds(replication_allowed=True,
2834 revealed_to_rodc=True)
2835 tgt = self.get_tgt(creds, pac_request=True)
2836 tgt = self._modify_tgt(tgt, from_rodc=True)
2837
2838 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2839
2840 pac = self.get_ticket_pac(ticket)
2841 self.assertIsNotNone(pac)
2842
2843 def test_tgs_rename(self):
2844 creds = self.get_cached_creds(account_type=self.AccountType.USER,
2845 use_cache=False)
2846 tgt = self.get_tgt(creds)
2847
2848 # Rename the account.
2849 new_name = self.get_new_username()
2850
2851 samdb = self.get_samdb()
2852 msg = ldb.Message(creds.get_dn())
2853 msg['sAMAccountName'] = ldb.MessageElement(new_name,
2854 ldb.FLAG_MOD_REPLACE,
2855 'sAMAccountName')
2856 samdb.modify(msg)
2857
2858 self._run_tgs(tgt, creds, expected_error=(KDC_ERR_TGT_REVOKED,
2859 KDC_ERR_C_PRINCIPAL_UNKNOWN))
2860
2861 # Test making a TGS request for a ticket expiring post-2038.
2862 def test_tgs_req_future_till(self):
2863 creds = self._get_creds()
2864 tgt = self._get_tgt(creds)
2865
2866 target_creds = self.get_service_creds()
2867 self._tgs_req(
2868 tgt=tgt,
2869 expected_error=0,
2870 creds=creds,
2871 target_creds=target_creds,
2872 till='99990913024805Z')
2873
2874 def _modify_renewable(self, enc_part):
2875 # Set the renewable flag.
2876 enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
2877
2878 # Set the renew-till time to be in the future.
2879 renew_till = self.get_KerberosTime(offset=100 * 60 * 60)
2880 enc_part['renew-till'] = renew_till
2881
2882 return enc_part
2883
2884 def _modify_invalid(self, enc_part):
2885 # Set the invalid flag.
2886 enc_part = self.modify_ticket_flag(enc_part, 'invalid', value=True)
2887
2888 # Set the ticket start time to be in the past.
2889 past_time = self.get_KerberosTime(offset=-100 * 60 * 60)
2890 enc_part['starttime'] = past_time
2891
2892 return enc_part
2893
2894 def _get_tgt(self,
2895 client_creds,
2896 renewable=False,
2897 invalid=False,
2898 from_rodc=False,
2899 new_rid=None,
2900 remove_pac=False,
2901 allow_empty_authdata=False,
2902 can_modify_logon_info=True,
2903 can_modify_requester_sid=True,
2904 remove_pac_attrs=False,
2905 remove_requester_sid=False,
2906 etype=None,
2907 cksum_etype=None):
2908 self.assertFalse(renewable and invalid)
2909
2910 if remove_pac:
2911 self.assertIsNone(new_rid)
2912
2913 tgt = self.get_tgt(client_creds)
2914
2915 return self._modify_tgt(
2916 tgt=tgt,
2917 renewable=renewable,
2918 invalid=invalid,
2919 from_rodc=from_rodc,
2920 new_rid=new_rid,
2921 remove_pac=remove_pac,
2922 allow_empty_authdata=allow_empty_authdata,
2923 can_modify_logon_info=can_modify_logon_info,
2924 can_modify_requester_sid=can_modify_requester_sid,
2925 remove_pac_attrs=remove_pac_attrs,
2926 remove_requester_sid=remove_requester_sid,
2927 etype=etype,
2928 cksum_etype=cksum_etype)
2929
2930 def _modify_tgt(self,
2931 tgt,
2932 renewable=False,
2933 invalid=False,
2934 from_rodc=False,
2935 new_rid=None,
2936 remove_pac=False,
2937 allow_empty_authdata=False,
2938 cname=None,
2939 crealm=None,
2940 can_modify_logon_info=True,
2941 can_modify_requester_sid=True,
2942 remove_pac_attrs=False,
2943 remove_requester_sid=False,
2944 etype=None,
2945 cksum_etype=None):
2946 if from_rodc:
2947 krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
2948 else:
2949 krbtgt_creds = self.get_krbtgt_creds()
2950
2951 if new_rid is not None or remove_requester_sid or remove_pac_attrs:
2952 def change_sid_fn(pac):
2953 pac_buffers = pac.buffers
2954 for pac_buffer in pac_buffers:
2955 if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_INFO:
2956 if new_rid is not None and can_modify_logon_info:
2957 logon_info = pac_buffer.info.info
2958
2959 logon_info.info3.base.rid = new_rid
2960 elif pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID:
2961 if remove_requester_sid:
2962 pac.num_buffers -= 1
2963 pac_buffers.remove(pac_buffer)
2964 elif new_rid is not None and can_modify_requester_sid:
2965 requester_sid = pac_buffer.info
2966
2967 samdb = self.get_samdb()
2968 domain_sid = samdb.get_domain_sid()
2969
2970 new_sid = f'{domain_sid}-{new_rid}'
2971
2972 requester_sid.sid = security.dom_sid(new_sid)
2973 elif pac_buffer.type == krb5pac.PAC_TYPE_ATTRIBUTES_INFO:
2974 if remove_pac_attrs:
2975 pac.num_buffers -= 1
2976 pac_buffers.remove(pac_buffer)
2977
2978 pac.buffers = pac_buffers
2979
2980 return pac
2981 else:
2982 change_sid_fn = None
2983
2984 krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds,
2985 etype)
2986
2987 if remove_pac:
2988 checksum_keys = None
2989 else:
2990 if etype == cksum_etype:
2991 cksum_key = krbtgt_key
2992 else:
2993 cksum_key = self.TicketDecryptionKey_from_creds(krbtgt_creds,
2994 cksum_etype)
2995 checksum_keys = {
2996 krb5pac.PAC_TYPE_KDC_CHECKSUM: cksum_key
2997 }
2998
2999 if renewable:
3000 flags_modify_fn = self._modify_renewable
3001 elif invalid:
3002 flags_modify_fn = self._modify_invalid
3003 else:
3004 flags_modify_fn = None
3005
3006 if cname is not None or crealm is not None:
3007 def modify_fn(enc_part):
3008 if flags_modify_fn is not None:
3009 enc_part = flags_modify_fn(enc_part)
3010
3011 if cname is not None:
3012 enc_part['cname'] = cname
3013
3014 if crealm is not None:
3015 enc_part['crealm'] = crealm
3016
3017 return enc_part
3018 else:
3019 modify_fn = flags_modify_fn
3020
3021 if cname is not None:
3022 def modify_pac_fn(pac):
3023 if change_sid_fn is not None:
3024 pac = change_sid_fn(pac)
3025
3026 for pac_buffer in pac.buffers:
3027 if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME:
3028 logon_info = pac_buffer.info
3029
3030 logon_info.account_name = (
3031 cname['name-string'][0].decode('utf-8'))
3032
3033 return pac
3034 else:
3035 modify_pac_fn = change_sid_fn
3036
3037 return self.modified_ticket(
3038 tgt,
3039 new_ticket_key=krbtgt_key,
3040 modify_fn=modify_fn,
3041 modify_pac_fn=modify_pac_fn,
3042 exclude_pac=remove_pac,
3043 allow_empty_authdata=allow_empty_authdata,
3044 update_pac_checksums=not remove_pac,
3045 checksum_keys=checksum_keys)
3046
3047 def _remove_rodc_partial_secrets(self):
3048 samdb = self.get_samdb()
3049
3050 rodc_ctx = self.get_mock_rodc_ctx()
3051 rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
3052
3053 def add_rodc_partial_secrets():
3054 msg = ldb.Message()
3055 msg.dn = rodc_dn
3056 msg['userAccountControl'] = ldb.MessageElement(
3057 str(rodc_ctx.userAccountControl),
3058 ldb.FLAG_MOD_REPLACE,
3059 'userAccountControl')
3060 samdb.modify(msg)
3061
3062 self.addCleanup(add_rodc_partial_secrets)
3063
3064 uac = rodc_ctx.userAccountControl & ~dsdb.UF_PARTIAL_SECRETS_ACCOUNT
3065
3066 msg = ldb.Message()
3067 msg.dn = rodc_dn
3068 msg['userAccountControl'] = ldb.MessageElement(
3069 str(uac),
3070 ldb.FLAG_MOD_REPLACE,
3071 'userAccountControl')
3072 samdb.modify(msg)
3073
3074 def _remove_rodc_krbtgt_link(self):
3075 samdb = self.get_samdb()
3076
3077 rodc_ctx = self.get_mock_rodc_ctx()
3078 rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
3079
3080 def add_rodc_krbtgt_link():
3081 msg = ldb.Message()
3082 msg.dn = rodc_dn
3083 msg['msDS-KrbTgtLink'] = ldb.MessageElement(
3084 rodc_ctx.new_krbtgt_dn,
3085 ldb.FLAG_MOD_ADD,
3086 'msDS-KrbTgtLink')
3087 samdb.modify(msg)
3088
3089 self.addCleanup(add_rodc_krbtgt_link)
3090
3091 msg = ldb.Message()
3092 msg.dn = rodc_dn
3093 msg['msDS-KrbTgtLink'] = ldb.MessageElement(
3094 [],
3095 ldb.FLAG_MOD_DELETE,
3096 'msDS-KrbTgtLink')
3097 samdb.modify(msg)
3098
3099 def _get_creds(self,
3100 replication_allowed=False,
3101 replication_denied=False,
3102 revealed_to_rodc=False):
3103 return self.get_cached_creds(
3104 account_type=self.AccountType.COMPUTER,
3105 opts={
3106 'allowed_replication_mock': replication_allowed,
3107 'denied_replication_mock': replication_denied,
3108 'revealed_to_mock_rodc': revealed_to_rodc,
3109 'id': 0
3110 })
3111
3112 def _get_existing_rid(self,
3113 replication_allowed=False,
3114 replication_denied=False,
3115 revealed_to_rodc=False):
3116 other_creds = self.get_cached_creds(
3117 account_type=self.AccountType.COMPUTER,
3118 opts={
3119 'allowed_replication_mock': replication_allowed,
3120 'denied_replication_mock': replication_denied,
3121 'revealed_to_mock_rodc': revealed_to_rodc,
3122 'id': 1
3123 })
3124
3125 other_sid = other_creds.get_sid()
3126 other_rid = int(other_sid.rsplit('-', 1)[1])
3127
3128 return other_rid
3129
3130 def _get_mach_creds(self):
3131 return self.get_cached_creds(
3132 account_type=self.AccountType.COMPUTER,
3133 opts={
3134 'allowed_replication_mock': True,
3135 'denied_replication_mock': False,
3136 'revealed_to_mock_rodc': True,
3137 'id': 2
3138 })
3139
3140 def _get_user_creds(self,
3141 replication_allowed=False,
3142 replication_denied=False,
3143 revealed_to_rodc=False):
3144 return self.get_cached_creds(
3145 account_type=self.AccountType.USER,
3146 opts={
3147 'allowed_replication_mock': replication_allowed,
3148 'denied_replication_mock': replication_denied,
3149 'revealed_to_mock_rodc': revealed_to_rodc,
3150 'id': 3
3151 })
3152
3153 def _get_non_existent_rid(self):
3154 return (1 << 30) - 1
3155
3156 def _run_tgs(self, tgt, creds, expected_error, *, expect_pac=True,
3157 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
3158 expect_requester_sid=None, expected_sid=None,
3159 expect_edata=False, expect_status=None, expected_status=None):
3160 target_creds = self.get_service_creds()
3161 return self._tgs_req(
3162 tgt, expected_error, creds, target_creds,
3163 expect_pac=expect_pac,
3164 expect_pac_attrs=expect_pac_attrs,
3165 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
3166 expect_requester_sid=expect_requester_sid,
3167 expected_sid=expected_sid,
3168 expect_edata=expect_edata,
3169 expect_status=expect_status,
3170 expected_status=expected_status)
3171
3172 # These tests fail against Windows, which does not implement ticket
3173 # renewal.
3174 def _renew_tgt(self, tgt, creds, expected_error, *, expect_pac=True,
3175 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
3176 expect_requester_sid=None, expected_sid=None):
3177 krbtgt_creds = self.get_krbtgt_creds()
3178 kdc_options = str(krb5_asn1.KDCOptions('renew'))
3179 return self._tgs_req(
3180 tgt, expected_error, creds, krbtgt_creds,
3181 kdc_options=kdc_options,
3182 expect_pac=expect_pac,
3183 expect_pac_attrs=expect_pac_attrs,
3184 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
3185 expect_requester_sid=expect_requester_sid,
3186 expected_sid=expected_sid)
3187
3188 # These tests fail against Windows, which does not implement ticket
3189 # validation.
3190 def _validate_tgt(self, tgt, creds, expected_error, *, expect_pac=True,
3191 expect_pac_attrs=None,
3192 expect_pac_attrs_pac_request=None,
3193 expect_requester_sid=None,
3194 expected_sid=None):
3195 krbtgt_creds = self.get_krbtgt_creds()
3196 kdc_options = str(krb5_asn1.KDCOptions('validate'))
3197 return self._tgs_req(
3198 tgt, expected_error, creds, krbtgt_creds,
3199 kdc_options=kdc_options,
3200 expect_pac=expect_pac,
3201 expect_pac_attrs=expect_pac_attrs,
3202 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
3203 expect_requester_sid=expect_requester_sid,
3204 expected_sid=expected_sid)
3205
3206 def _s4u2self(self, tgt, tgt_creds, expected_error, *, expect_pac=True,
3207 expect_edata=False, expect_status=None,
3208 expected_status=None):
3209 user_creds = self._get_mach_creds()
3210
3211 user_name = user_creds.get_username()
3212 user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
3213 names=[user_name])
3214 user_realm = user_creds.get_realm()
3215
3216 def generate_s4u2self_padata(_kdc_exchange_dict,
3217 _callback_dict,
3218 req_body):
3219 padata = self.PA_S4U2Self_create(
3220 name=user_cname,
3221 realm=user_realm,
3222 tgt_session_key=tgt.session_key,
3223 ctype=None)
3224
3225 return [padata], req_body
3226
3227 return self._tgs_req(tgt, expected_error, tgt_creds, tgt_creds,
3228 expected_cname=user_cname,
3229 generate_padata_fn=generate_s4u2self_padata,
3230 expect_edata=expect_edata,
3231 expect_status=expect_status,
3232 expected_status=expected_status,
3233 expect_pac=expect_pac)
3234
3235 def _user2user(self, tgt, tgt_creds, expected_error, *,
3236 sname=None,
3237 srealm=None, user_tgt=None, user_creds=None,
3238 expect_pac=True, expected_status=None):
3239 if user_tgt is None:
3240 user_creds = self._get_mach_creds()
3241 user_tgt = self.get_tgt(user_creds)
3242 else:
3243 self.assertIsNotNone(user_creds,
3244 'if supplying user_tgt, user_creds should be '
3245 'supplied also')
3246
3247 kdc_options = str(krb5_asn1.KDCOptions('enc-tkt-in-skey'))
3248 return self._tgs_req(user_tgt, expected_error, user_creds, tgt_creds,
3249 kdc_options=kdc_options,
3250 additional_ticket=tgt,
3251 sname=sname,
3252 srealm=srealm,
3253 expect_pac=expect_pac,
3254 expected_status=expected_status)
3255
3256 def _fast(self, armor_tgt, armor_tgt_creds, expected_error,
3257 expected_sname=None, expect_pac=True, expect_edata=False):
3258 user_creds = self._get_mach_creds()
3259 user_tgt = self.get_tgt(user_creds)
3260
3261 target_creds = self.get_service_creds()
3262
3263 return self._tgs_req(user_tgt, expected_error,
3264 user_creds, target_creds,
3265 armor_tgt=armor_tgt,
3266 expected_sname=expected_sname,
3267 expect_pac=expect_pac,
3268 expect_edata=expect_edata)
3269
3270 def _fast_as_req(self, armor_tgt, armor_tgt_creds, expected_error):
3271 user_creds = self._get_mach_creds()
3272 target_creds = self.get_service_creds()
3273
3274 return self._armored_as_req(user_creds, target_creds, armor_tgt,
3275 expected_error=expected_error,
3276 expected_sname=self.get_krbtgt_sname(),
3277 expect_edata=False)
3278
3279
3280 if __name__ == "__main__":
3281 global_asn1_print = False
3282 global_hexdump = False
3283 import unittest
3284 unittest.main()
Samba git mirror