search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
ctdb-scripts: Improve update and listing code
[samba4-gss.git] / python / samba / tests / krb5 / kdc_tgs_tests.py
blob58ed49d27c02b97cab8b029b8aee29e87bd39292
1 #!/usr/bin/env python3
2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2020
4 # Copyright (C) 2020 Catalyst.Net Ltd
5 #
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
10 #
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 #
19
20 import sys
21 import os
22
23 sys.path.insert(0, "bin/python")
24 os.environ["PYTHONUNBUFFERED"] = "1"
25
26 from functools import partial
27
28 import ldb
29
30 from samba import dsdb, ntstatus
31
32 from samba.dcerpc import krb5pac, security
33
34
35 import samba.tests.krb5.kcrypto as kcrypto
36 from samba.tests.krb5.kdc_base_test import KDCBaseTest
37 from samba.tests.krb5.raw_testcase import Krb5EncryptionKey
38 from samba.tests.krb5.rfc4120_constants import (
39 AES256_CTS_HMAC_SHA1_96,
40 ARCFOUR_HMAC_MD5,
41 FX_FAST_ARMOR_AP_REQUEST,
42 KRB_ERROR,
43 KDC_ERR_BADKEYVER,
44 KDC_ERR_BADMATCH,
45 KDC_ERR_ETYPE_NOSUPP,
46 KDC_ERR_GENERIC,
47 KDC_ERR_MODIFIED,
48 KDC_ERR_NOT_US,
49 KDC_ERR_POLICY,
50 KDC_ERR_PREAUTH_REQUIRED,
51 KDC_ERR_C_PRINCIPAL_UNKNOWN,
52 KDC_ERR_S_PRINCIPAL_UNKNOWN,
53 KDC_ERR_SERVER_NOMATCH,
54 KDC_ERR_TKT_EXPIRED,
55 KDC_ERR_TGT_REVOKED,
56 KRB_ERR_TKT_NYV,
57 KDC_ERR_WRONG_REALM,
58 NT_ENTERPRISE_PRINCIPAL,
59 NT_PRINCIPAL,
60 NT_SRV_INST,
61 )
62 import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
63
64 global_asn1_print = False
65 global_hexdump = False
66
67
68 class KdcTgsBaseTests(KDCBaseTest):
69 def _as_req(self,
70 creds,
71 expected_error,
72 target_creds,
73 etype,
74 expected_ticket_etype=None):
75 user_name = creds.get_username()
76 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
77 names=user_name.split('/'))
78
79 target_name = target_creds.get_username()
80 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
81 names=['host', target_name[:-1]])
82
83 if expected_error:
84 expected_sname = sname
85 else:
86 expected_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
87 names=[target_name])
88
89 realm = creds.get_realm()
90 salt = creds.get_salt()
91
92 till = self.get_KerberosTime(offset=36000)
93
94 ticket_decryption_key = (
95 self.TicketDecryptionKey_from_creds(target_creds,
96 etype=expected_ticket_etype))
97 expected_etypes = target_creds.tgs_supported_enctypes
98
99 kdc_options = ('forwardable,'
100 'renewable,'
101 'canonicalize,'
102 'renewable-ok')
103 kdc_options = krb5_asn1.KDCOptions(kdc_options)
104
105 if expected_error:
106 initial_error = (KDC_ERR_PREAUTH_REQUIRED, expected_error)
107 else:
108 initial_error = KDC_ERR_PREAUTH_REQUIRED
109
110 rep, kdc_exchange_dict = self._test_as_exchange(
111 creds=creds,
112 cname=cname,
113 realm=realm,
114 sname=sname,
115 till=till,
116 expected_error_mode=initial_error,
117 expected_crealm=realm,
118 expected_cname=cname,
119 expected_srealm=realm,
120 expected_sname=sname,
121 expected_salt=salt,
122 expected_supported_etypes=expected_etypes,
123 etypes=etype,
124 padata=None,
125 kdc_options=kdc_options,
126 preauth_key=None,
127 ticket_decryption_key=ticket_decryption_key)
128 self.assertIsNotNone(rep)
129 self.assertEqual(KRB_ERROR, rep['msg-type'])
130 error_code = rep['error-code']
131 if expected_error:
132 self.assertIn(error_code, initial_error)
133 if error_code == expected_error:
134 return
135 else:
136 self.assertEqual(initial_error, error_code)
137
138 etype_info2 = kdc_exchange_dict['preauth_etype_info2']
139
140 preauth_key = self.PasswordKey_from_etype_info2(creds,
141 etype_info2[0],
142 creds.get_kvno())
143
144 ts_enc_padata = self.get_enc_timestamp_pa_data_from_key(preauth_key)
145
146 padata = [ts_enc_padata]
147
148 expected_realm = realm.upper()
149
150 rep, kdc_exchange_dict = self._test_as_exchange(
151 creds=creds,
152 cname=cname,
153 realm=realm,
154 sname=sname,
155 till=till,
156 expected_error_mode=expected_error,
157 expected_crealm=expected_realm,
158 expected_cname=cname,
159 expected_srealm=expected_realm,
160 expected_sname=expected_sname,
161 expected_salt=salt,
162 expected_supported_etypes=expected_etypes,
163 etypes=etype,
164 padata=padata,
165 kdc_options=kdc_options,
166 preauth_key=preauth_key,
167 ticket_decryption_key=ticket_decryption_key,
168 expect_edata=False)
169 if expected_error:
170 self.check_error_rep(rep, expected_error)
171 return None
172
173 self.check_as_reply(rep)
174 return kdc_exchange_dict['rep_ticket_creds']
175
176 def _armored_as_req(self,
177 client_creds,
178 target_creds,
179 armor_tgt,
180 *,
181 target_sname=None,
182 expected_error=0,
183 expected_sname=None,
184 expect_edata=None,
185 expect_status=None,
186 expected_status=None,
187 expected_groups=None,
188 expect_device_info=None,
189 expected_device_groups=None,
190 expect_device_claims=None,
191 expected_device_claims=None):
192 client_username = client_creds.get_username()
193 client_realm = client_creds.get_realm()
194 client_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
195 names=[client_username])
196
197 if target_sname is None:
198 target_name = target_creds.get_username()
199 target_sname = self.PrincipalName_create(
200 name_type=NT_PRINCIPAL, names=[target_name])
201 target_realm = target_creds.get_realm()
202 target_decryption_key = self.TicketDecryptionKey_from_creds(
203 target_creds)
204 target_etypes = target_creds.tgs_supported_enctypes
205
206 authenticator_subkey = self.RandomKey(kcrypto.Enctype.AES256)
207 armor_key = self.generate_armor_key(authenticator_subkey,
208 armor_tgt.session_key)
209
210 preauth_key = self.PasswordKey_from_creds(client_creds,
211 kcrypto.Enctype.AES256)
212
213 client_challenge_key = (
214 self.generate_client_challenge_key(armor_key, preauth_key))
215 fast_padata = [self.get_challenge_pa_data(client_challenge_key)]
216
217 def _generate_fast_padata(kdc_exchange_dict,
218 _callback_dict,
219 req_body):
220 return list(fast_padata), req_body
221
222 etypes = kcrypto.Enctype.AES256, kcrypto.Enctype.RC4
223
224 if expected_error:
225 check_error_fn = self.generic_check_kdc_error
226 check_rep_fn = None
227 else:
228 check_error_fn = None
229 check_rep_fn = self.generic_check_kdc_rep
230
231 pac_options = '1' # claims support
232
233 samdb = self.get_samdb()
234 domain_sid_str = samdb.get_domain_sid()
235
236 if expected_groups is not None:
237 expected_groups = self.map_sids(expected_groups, None, domain_sid_str)
238
239 if expected_device_groups is not None:
240 expected_device_groups = self.map_sids(expected_device_groups, None, domain_sid_str)
241
242 if expected_sname is None:
243 expected_sname = target_sname
244
245 kdc_exchange_dict = self.as_exchange_dict(
246 creds=client_creds,
247 expected_crealm=client_realm,
248 expected_cname=client_cname,
249 expected_srealm=target_realm,
250 expected_sname=expected_sname,
251 expected_supported_etypes=target_etypes,
252 ticket_decryption_key=target_decryption_key,
253 generate_fast_fn=self.generate_simple_fast,
254 generate_fast_armor_fn=self.generate_ap_req,
255 generate_fast_padata_fn=_generate_fast_padata,
256 fast_armor_type=FX_FAST_ARMOR_AP_REQUEST,
257 check_error_fn=check_error_fn,
258 check_rep_fn=check_rep_fn,
259 check_kdc_private_fn=self.generic_check_kdc_private,
260 expected_error_mode=expected_error,
261 expected_salt=client_creds.get_salt(),
262 expect_edata=expect_edata,
263 expect_status=expect_status,
264 expected_status=expected_status,
265 expected_groups=expected_groups,
266 expect_device_info=expect_device_info,
267 expected_device_domain_sid=domain_sid_str,
268 expected_device_groups=expected_device_groups,
269 expect_device_claims=expect_device_claims,
270 expected_device_claims=expected_device_claims,
271 authenticator_subkey=authenticator_subkey,
272 preauth_key=preauth_key,
273 armor_key=armor_key,
274 armor_tgt=armor_tgt,
275 armor_subkey=authenticator_subkey,
276 kdc_options='0',
277 pac_options=pac_options,
278 # PA-DATA types are not important for these tests.
279 check_patypes=False)
280
281 rep = self._generic_kdc_exchange(
282 kdc_exchange_dict,
283 cname=client_cname,
284 realm=client_realm,
285 sname=target_sname,
286 etypes=etypes)
287 if expected_error:
288 self.check_error_rep(rep, expected_error)
289 return None
290 else:
291 self.check_as_reply(rep)
292 return kdc_exchange_dict['rep_ticket_creds']
293
294 def _tgs_req(self, tgt, expected_error, creds, target_creds, *,
295 armor_tgt=None,
296 kdc_options='0',
297 pac_options=None,
298 expected_cname=None,
299 expected_sname=None,
300 expected_account_name=None,
301 expected_flags=None,
302 additional_ticket=None,
303 decryption_key=None,
304 generate_padata_fn=None,
305 generate_fast_padata_fn=None,
306 sname=None,
307 srealm=None,
308 till=None,
309 etypes=None,
310 expected_ticket_etype=None,
311 expected_supported_etypes=None,
312 expect_pac=True,
313 expect_pac_attrs=None,
314 expect_pac_attrs_pac_request=None,
315 expect_requester_sid=None,
316 expect_edata=False,
317 expected_sid=None,
318 expected_groups=None,
319 unexpected_groups=None,
320 expect_device_info=None,
321 expected_device_domain_sid=None,
322 expected_device_groups=None,
323 expect_client_claims=None,
324 expected_client_claims=None,
325 unexpected_client_claims=None,
326 expect_device_claims=None,
327 expected_device_claims=None,
328 expect_status=None,
329 expected_status=None,
330 expected_proxy_target=None,
331 expected_transited_services=None,
332 expected_extra_pac_buffers=None,
333 check_patypes=True):
334 if srealm is False:
335 srealm = None
336 elif srealm is None:
337 srealm = target_creds.get_realm()
338
339 if sname is False:
340 sname = None
341 if expected_sname is None:
342 expected_sname = self.get_krbtgt_sname()
343 else:
344 if sname is None:
345 target_name = target_creds.get_username()
346 if target_name == 'krbtgt':
347 sname = self.PrincipalName_create(
348 name_type=NT_SRV_INST,
349 names=[target_name, srealm])
350 else:
351 if target_name[-1] == '$':
352 target_name = target_name[:-1]
353 sname = self.PrincipalName_create(
354 name_type=NT_PRINCIPAL,
355 names=['host', target_name])
356
357 if expected_sname is None:
358 expected_sname = sname
359
360 if additional_ticket is not None:
361 additional_tickets = [additional_ticket.ticket]
362 if decryption_key is None:
363 decryption_key = additional_ticket.session_key
364 else:
365 additional_tickets = None
366 if decryption_key is None:
367 decryption_key = self.TicketDecryptionKey_from_creds(
368 target_creds, etype=expected_ticket_etype)
369
370 subkey = self.RandomKey(tgt.session_key.etype)
371
372 if armor_tgt is not None:
373 armor_subkey = self.RandomKey(subkey.etype)
374 explicit_armor_key = self.generate_armor_key(armor_subkey,
375 armor_tgt.session_key)
376 armor_key = kcrypto.cf2(explicit_armor_key.key,
377 subkey.key,
378 b'explicitarmor',
379 b'tgsarmor')
380 armor_key = Krb5EncryptionKey(armor_key, None)
381
382 generate_fast_fn = self.generate_simple_fast
383 generate_fast_armor_fn = self.generate_ap_req
384
385 if pac_options is None:
386 pac_options = '1' # claims support
387 else:
388 armor_subkey = None
389 armor_key = None
390 generate_fast_fn = None
391 generate_fast_armor_fn = None
392
393 if etypes is None:
394 etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
395
396 if expected_error:
397 check_error_fn = self.generic_check_kdc_error
398 check_rep_fn = None
399 else:
400 check_error_fn = None
401 check_rep_fn = self.generic_check_kdc_rep
402
403 if expected_cname is None:
404 expected_cname = tgt.cname
405
406 kdc_exchange_dict = self.tgs_exchange_dict(
407 creds=creds,
408 expected_crealm=tgt.crealm,
409 expected_cname=expected_cname,
410 expected_srealm=srealm,
411 expected_sname=expected_sname,
412 expected_account_name=expected_account_name,
413 expected_flags=expected_flags,
414 ticket_decryption_key=decryption_key,
415 generate_padata_fn=generate_padata_fn,
416 generate_fast_padata_fn=generate_fast_padata_fn,
417 generate_fast_fn=generate_fast_fn,
418 generate_fast_armor_fn=generate_fast_armor_fn,
419 check_error_fn=check_error_fn,
420 check_rep_fn=check_rep_fn,
421 check_kdc_private_fn=self.generic_check_kdc_private,
422 expected_error_mode=expected_error,
423 expect_status=expect_status,
424 expected_status=expected_status,
425 tgt=tgt,
426 armor_key=armor_key,
427 armor_tgt=armor_tgt,
428 armor_subkey=armor_subkey,
429 pac_options=pac_options,
430 authenticator_subkey=subkey,
431 kdc_options=kdc_options,
432 expected_supported_etypes=expected_supported_etypes,
433 expect_edata=expect_edata,
434 expect_pac=expect_pac,
435 expect_pac_attrs=expect_pac_attrs,
436 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
437 expect_requester_sid=expect_requester_sid,
438 expected_sid=expected_sid,
439 expected_groups=expected_groups,
440 unexpected_groups=unexpected_groups,
441 expect_device_info=expect_device_info,
442 expected_device_domain_sid=expected_device_domain_sid,
443 expected_device_groups=expected_device_groups,
444 expect_client_claims=expect_client_claims,
445 expected_client_claims=expected_client_claims,
446 unexpected_client_claims=unexpected_client_claims,
447 expect_device_claims=expect_device_claims,
448 expected_device_claims=expected_device_claims,
449 expected_proxy_target=expected_proxy_target,
450 expected_transited_services=expected_transited_services,
451 expected_extra_pac_buffers=expected_extra_pac_buffers,
452 check_patypes=check_patypes)
453
454 rep = self._generic_kdc_exchange(kdc_exchange_dict,
455 cname=None,
456 realm=srealm,
457 sname=sname,
458 till_time=till,
459 etypes=etypes,
460 additional_tickets=additional_tickets)
461 if expected_error:
462 self.check_error_rep(rep, expected_error)
463 return None
464 else:
465 self.check_tgs_reply(rep)
466 return kdc_exchange_dict['rep_ticket_creds']
467
468
469 class KdcTgsTests(KdcTgsBaseTests):
470
471 def setUp(self):
472 super().setUp()
473 self.do_asn1_print = global_asn1_print
474 self.do_hexdump = global_hexdump
475
476 def test_tgs_req_cname_does_not_not_match_authenticator_cname(self):
477 """ Try and obtain a ticket from the TGS, but supply a cname
478 that differs from that provided to the krbtgt
479 """
480 # Create the user account
481 samdb = self.get_samdb()
482 user_name = "tsttktusr"
483 (uc, _) = self.create_account(samdb, user_name)
484 realm = uc.get_realm().lower()
485
486 # Do the initial AS-REQ, should get a pre-authentication required
487 # response
488 etype = (AES256_CTS_HMAC_SHA1_96,)
489 cname = self.PrincipalName_create(
490 name_type=NT_PRINCIPAL, names=[user_name])
491 sname = self.PrincipalName_create(
492 name_type=NT_SRV_INST, names=["krbtgt", realm])
493
494 rep = self.as_req(cname, sname, realm, etype)
495 self.check_pre_authentication(rep)
496
497 # Do the next AS-REQ
498 padata = self.get_enc_timestamp_pa_data(uc, rep)
499 key = self.get_as_rep_key(uc, rep)
500 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
501 self.check_as_reply(rep)
502
503 # Request a service ticket, but use a cname that does not match
504 # that in the original AS-REQ
505 enc_part2 = self.get_as_rep_enc_data(key, rep)
506 key = self.EncryptionKey_import(enc_part2['key'])
507 ticket = rep['ticket']
508
509 cname = self.PrincipalName_create(
510 name_type=NT_PRINCIPAL,
511 names=["Administrator"])
512 sname = self.PrincipalName_create(
513 name_type=NT_PRINCIPAL,
514 names=["host", samdb.host_dns_name()])
515
516 (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype,
517 creds=uc,
518 expected_error_mode=KDC_ERR_BADMATCH,
519 expect_edata=False)
520
521 self.assertIsNone(
522 enc_part,
523 "rep = {%s}, enc_part = {%s}" % (rep, enc_part))
524 self.assertEqual(KRB_ERROR, rep['msg-type'], "rep = {%s}" % rep)
525 self.assertEqual(
526 KDC_ERR_BADMATCH,
527 rep['error-code'],
528 "rep = {%s}" % rep)
529
530 def test_ldap_service_ticket(self):
531 """Get a ticket to the ldap service
532 """
533 # Create the user account
534 samdb = self.get_samdb()
535 user_name = "tsttktusr"
536 (uc, _) = self.create_account(samdb, user_name)
537 realm = uc.get_realm().lower()
538
539 # Do the initial AS-REQ, should get a pre-authentication required
540 # response
541 etype = (AES256_CTS_HMAC_SHA1_96,)
542 cname = self.PrincipalName_create(
543 name_type=NT_PRINCIPAL, names=[user_name])
544 sname = self.PrincipalName_create(
545 name_type=NT_SRV_INST, names=["krbtgt", realm])
546
547 rep = self.as_req(cname, sname, realm, etype)
548 self.check_pre_authentication(rep)
549
550 # Do the next AS-REQ
551 padata = self.get_enc_timestamp_pa_data(uc, rep)
552 key = self.get_as_rep_key(uc, rep)
553 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
554 self.check_as_reply(rep)
555
556 enc_part2 = self.get_as_rep_enc_data(key, rep)
557 key = self.EncryptionKey_import(enc_part2['key'])
558 ticket = rep['ticket']
559
560 # Request a ticket to the ldap service
561 sname = self.PrincipalName_create(
562 name_type=NT_SRV_INST,
563 names=["ldap", samdb.host_dns_name()])
564
565 (rep, _) = self.tgs_req(
566 cname, sname, uc.get_realm(), ticket, key, etype,
567 service_creds=self.get_dc_creds())
568
569 self.check_tgs_reply(rep)
570
571 def test_get_ticket_for_host_service_of_machine_account(self):
572
573 # Create a user and machine account for the test.
574 #
575 samdb = self.get_samdb()
576 user_name = "tsttktusr"
577 (uc, dn) = self.create_account(samdb, user_name)
578 (mc, _) = self.create_account(samdb, "tsttktmac",
579 account_type=self.AccountType.COMPUTER)
580 realm = uc.get_realm().lower()
581
582 # Do the initial AS-REQ, should get a pre-authentication required
583 # response
584 etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
585 cname = self.PrincipalName_create(
586 name_type=NT_PRINCIPAL, names=[user_name])
587 sname = self.PrincipalName_create(
588 name_type=NT_SRV_INST, names=["krbtgt", realm])
589
590 rep = self.as_req(cname, sname, realm, etype)
591 self.check_pre_authentication(rep)
592
593 # Do the next AS-REQ
594 padata = self.get_enc_timestamp_pa_data(uc, rep)
595 key = self.get_as_rep_key(uc, rep)
596 rep = self.as_req(cname, sname, realm, etype, padata=[padata])
597 self.check_as_reply(rep)
598
599 # Request a ticket to the host service on the machine account
600 ticket = rep['ticket']
601 enc_part2 = self.get_as_rep_enc_data(key, rep)
602 key = self.EncryptionKey_import(enc_part2['key'])
603 cname = self.PrincipalName_create(
604 name_type=NT_PRINCIPAL,
605 names=[user_name])
606 sname = self.PrincipalName_create(
607 name_type=NT_PRINCIPAL,
608 names=[mc.get_username()])
609
610 (rep, enc_part) = self.tgs_req(
611 cname, sname, uc.get_realm(), ticket, key, etype,
612 service_creds=mc)
613 self.check_tgs_reply(rep)
614
615 # Check the contents of the service ticket
616 ticket = rep['ticket']
617 enc_part = self.decode_service_ticket(mc, ticket)
618
619 pac_data = self.get_pac_data(enc_part['authorization-data'])
620 sid = uc.get_sid()
621 upn = "%s@%s" % (uc.get_username(), realm)
622 self.assertEqual(
623 uc.get_username(),
624 str(pac_data.account_name),
625 "rep = {%s},%s" % (rep, pac_data))
626 self.assertEqual(
627 uc.get_username(),
628 pac_data.logon_name,
629 "rep = {%s},%s" % (rep, pac_data))
630 self.assertEqual(
631 uc.get_realm(),
632 pac_data.domain_name,
633 "rep = {%s},%s" % (rep, pac_data))
634 self.assertEqual(
635 upn,
636 pac_data.upn,
637 "rep = {%s},%s" % (rep, pac_data))
638 self.assertEqual(
639 sid,
640 pac_data.account_sid,
641 "rep = {%s},%s" % (rep, pac_data))
642
643 def test_request(self):
644 client_creds = self.get_client_creds()
645 service_creds = self.get_service_creds()
646
647 tgt = self.get_tgt(client_creds)
648
649 pac = self.get_ticket_pac(tgt)
650 self.assertIsNotNone(pac)
651
652 ticket = self._make_tgs_request(client_creds, service_creds, tgt)
653
654 pac = self.get_ticket_pac(ticket)
655 self.assertIsNotNone(pac)
656
657 def test_request_no_pac(self):
658 client_creds = self.get_client_creds()
659 service_creds = self.get_service_creds()
660
661 tgt = self.get_tgt(client_creds, pac_request=False)
662
663 pac = self.get_ticket_pac(tgt)
664 self.assertIsNotNone(pac)
665
666 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
667 pac_request=False, expect_pac=False)
668
669 pac = self.get_ticket_pac(ticket, expect_pac=False)
670 self.assertIsNone(pac)
671
672 def test_request_enterprise_canon(self):
673 upn = self.get_new_username()
674 client_creds = self.get_cached_creds(
675 account_type=self.AccountType.USER,
676 opts={'upn': upn})
677 service_creds = self.get_service_creds()
678
679 user_name = client_creds.get_username()
680 realm = client_creds.get_realm()
681 client_account = f'{user_name}@{realm}'
682
683 expected_cname = self.PrincipalName_create(
684 name_type=NT_PRINCIPAL,
685 names=[user_name])
686
687 kdc_options = 'canonicalize'
688
689 tgt = self.get_tgt(client_creds,
690 client_account=client_account,
691 client_name_type=NT_ENTERPRISE_PRINCIPAL,
692 expected_cname=expected_cname,
693 expected_account_name=user_name,
694 kdc_options=kdc_options)
695
696 self._make_tgs_request(
697 client_creds, service_creds, tgt,
698 client_account=client_account,
699 client_name_type=NT_ENTERPRISE_PRINCIPAL,
700 expected_cname=expected_cname,
701 expected_account_name=user_name,
702 kdc_options=kdc_options)
703
704 def test_request_enterprise_canon_case(self):
705 upn = self.get_new_username()
706 client_creds = self.get_cached_creds(
707 account_type=self.AccountType.USER,
708 opts={'upn': upn})
709 service_creds = self.get_service_creds()
710
711 user_name = client_creds.get_username()
712 realm = client_creds.get_realm().lower()
713 client_account = f'{user_name}@{realm}'
714
715 expected_cname = self.PrincipalName_create(
716 name_type=NT_PRINCIPAL,
717 names=[user_name])
718
719 kdc_options = 'canonicalize'
720
721 tgt = self.get_tgt(client_creds,
722 client_account=client_account,
723 client_name_type=NT_ENTERPRISE_PRINCIPAL,
724 expected_cname=expected_cname,
725 expected_account_name=user_name,
726 kdc_options=kdc_options)
727
728 self._make_tgs_request(
729 client_creds, service_creds, tgt,
730 client_account=client_account,
731 client_name_type=NT_ENTERPRISE_PRINCIPAL,
732 expected_cname=expected_cname,
733 expected_account_name=user_name,
734 kdc_options=kdc_options)
735
736 def test_request_enterprise_canon_mac(self):
737 upn = self.get_new_username()
738 client_creds = self.get_cached_creds(
739 account_type=self.AccountType.COMPUTER,
740 opts={'upn': upn})
741 service_creds = self.get_service_creds()
742
743 user_name = client_creds.get_username()
744 realm = client_creds.get_realm()
745 client_account = f'{user_name}@{realm}'
746
747 expected_cname = self.PrincipalName_create(
748 name_type=NT_PRINCIPAL,
749 names=[user_name])
750
751 kdc_options = 'canonicalize'
752
753 tgt = self.get_tgt(client_creds,
754 client_account=client_account,
755 client_name_type=NT_ENTERPRISE_PRINCIPAL,
756 expected_cname=expected_cname,
757 expected_account_name=user_name,
758 kdc_options=kdc_options)
759
760 self._make_tgs_request(
761 client_creds, service_creds, tgt,
762 client_account=client_account,
763 client_name_type=NT_ENTERPRISE_PRINCIPAL,
764 expected_cname=expected_cname,
765 expected_account_name=user_name,
766 kdc_options=kdc_options)
767
768 def test_request_enterprise_canon_case_mac(self):
769 upn = self.get_new_username()
770 client_creds = self.get_cached_creds(
771 account_type=self.AccountType.COMPUTER,
772 opts={'upn': upn})
773 service_creds = self.get_service_creds()
774
775 user_name = client_creds.get_username()
776 realm = client_creds.get_realm().lower()
777 client_account = f'{user_name}@{realm}'
778
779 expected_cname = self.PrincipalName_create(
780 name_type=NT_PRINCIPAL,
781 names=[user_name])
782
783 kdc_options = 'canonicalize'
784
785 tgt = self.get_tgt(client_creds,
786 client_account=client_account,
787 client_name_type=NT_ENTERPRISE_PRINCIPAL,
788 expected_cname=expected_cname,
789 expected_account_name=user_name,
790 kdc_options=kdc_options)
791
792 self._make_tgs_request(
793 client_creds, service_creds, tgt,
794 client_account=client_account,
795 client_name_type=NT_ENTERPRISE_PRINCIPAL,
796 expected_cname=expected_cname,
797 expected_account_name=user_name,
798 kdc_options=kdc_options)
799
800 def test_request_enterprise_no_canon(self):
801 upn = self.get_new_username()
802 client_creds = self.get_cached_creds(
803 account_type=self.AccountType.USER,
804 opts={'upn': upn})
805 service_creds = self.get_service_creds()
806
807 user_name = client_creds.get_username()
808 realm = client_creds.get_realm()
809 client_account = f'{user_name}@{realm}'
810
811 kdc_options = '0'
812
813 tgt = self.get_tgt(client_creds,
814 client_account=client_account,
815 client_name_type=NT_ENTERPRISE_PRINCIPAL,
816 expected_account_name=user_name,
817 kdc_options=kdc_options)
818
819 self._make_tgs_request(
820 client_creds, service_creds, tgt,
821 client_account=client_account,
822 client_name_type=NT_ENTERPRISE_PRINCIPAL,
823 expected_account_name=user_name,
824 kdc_options=kdc_options)
825
826 def test_request_enterprise_no_canon_case(self):
827 upn = self.get_new_username()
828 client_creds = self.get_cached_creds(
829 account_type=self.AccountType.USER,
830 opts={'upn': upn})
831 service_creds = self.get_service_creds()
832
833 user_name = client_creds.get_username()
834 realm = client_creds.get_realm().lower()
835 client_account = f'{user_name}@{realm}'
836
837 kdc_options = '0'
838
839 tgt = self.get_tgt(client_creds,
840 client_account=client_account,
841 client_name_type=NT_ENTERPRISE_PRINCIPAL,
842 expected_account_name=user_name,
843 kdc_options=kdc_options)
844
845 self._make_tgs_request(
846 client_creds, service_creds, tgt,
847 client_account=client_account,
848 client_name_type=NT_ENTERPRISE_PRINCIPAL,
849 expected_account_name=user_name,
850 kdc_options=kdc_options)
851
852 def test_request_enterprise_no_canon_mac(self):
853 upn = self.get_new_username()
854 client_creds = self.get_cached_creds(
855 account_type=self.AccountType.COMPUTER,
856 opts={'upn': upn})
857 service_creds = self.get_service_creds()
858
859 user_name = client_creds.get_username()
860 realm = client_creds.get_realm()
861 client_account = f'{user_name}@{realm}'
862
863 kdc_options = '0'
864
865 tgt = self.get_tgt(client_creds,
866 client_account=client_account,
867 client_name_type=NT_ENTERPRISE_PRINCIPAL,
868 expected_account_name=user_name,
869 kdc_options=kdc_options)
870
871 self._make_tgs_request(
872 client_creds, service_creds, tgt,
873 client_account=client_account,
874 client_name_type=NT_ENTERPRISE_PRINCIPAL,
875 expected_account_name=user_name,
876 kdc_options=kdc_options)
877
878 def test_request_enterprise_no_canon_case_mac(self):
879 upn = self.get_new_username()
880 client_creds = self.get_cached_creds(
881 account_type=self.AccountType.COMPUTER,
882 opts={'upn': upn})
883 service_creds = self.get_service_creds()
884
885 user_name = client_creds.get_username()
886 realm = client_creds.get_realm().lower()
887 client_account = f'{user_name}@{realm}'
888
889 kdc_options = '0'
890
891 tgt = self.get_tgt(client_creds,
892 client_account=client_account,
893 client_name_type=NT_ENTERPRISE_PRINCIPAL,
894 expected_account_name=user_name,
895 kdc_options=kdc_options)
896
897 self._make_tgs_request(
898 client_creds, service_creds, tgt,
899 client_account=client_account,
900 client_name_type=NT_ENTERPRISE_PRINCIPAL,
901 expected_account_name=user_name,
902 kdc_options=kdc_options)
903
904 def test_client_no_auth_data_required(self):
905 client_creds = self.get_cached_creds(
906 account_type=self.AccountType.USER,
907 opts={'no_auth_data_required': True})
908 service_creds = self.get_service_creds()
909
910 tgt = self.get_tgt(client_creds)
911
912 pac = self.get_ticket_pac(tgt)
913 self.assertIsNotNone(pac)
914
915 ticket = self._make_tgs_request(client_creds, service_creds, tgt)
916
917 pac = self.get_ticket_pac(ticket)
918 self.assertIsNotNone(pac)
919
920 def test_no_pac_client_no_auth_data_required(self):
921 client_creds = self.get_cached_creds(
922 account_type=self.AccountType.USER,
923 opts={'no_auth_data_required': True})
924 service_creds = self.get_service_creds()
925
926 tgt = self.get_tgt(client_creds)
927
928 pac = self.get_ticket_pac(tgt)
929 self.assertIsNotNone(pac)
930
931 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
932 pac_request=False, expect_pac=True)
933
934 pac = self.get_ticket_pac(ticket)
935 self.assertIsNotNone(pac)
936
937 def test_service_no_auth_data_required(self):
938 client_creds = self.get_client_creds()
939 service_creds = self.get_cached_creds(
940 account_type=self.AccountType.COMPUTER,
941 opts={'no_auth_data_required': True})
942
943 tgt = self.get_tgt(client_creds)
944
945 pac = self.get_ticket_pac(tgt)
946 self.assertIsNotNone(pac)
947
948 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
949 expect_pac=False)
950
951 pac = self.get_ticket_pac(ticket, expect_pac=False)
952 self.assertIsNone(pac)
953
954 def test_no_pac_service_no_auth_data_required(self):
955 client_creds = self.get_client_creds()
956 service_creds = self.get_cached_creds(
957 account_type=self.AccountType.COMPUTER,
958 opts={'no_auth_data_required': True})
959
960 tgt = self.get_tgt(client_creds, pac_request=False)
961
962 pac = self.get_ticket_pac(tgt)
963 self.assertIsNotNone(pac)
964
965 ticket = self._make_tgs_request(client_creds, service_creds, tgt,
966 pac_request=False, expect_pac=False)
967
968 pac = self.get_ticket_pac(ticket, expect_pac=False)
969 self.assertIsNone(pac)
970
971 def test_remove_pac_service_no_auth_data_required(self):
972 client_creds = self.get_client_creds()
973 service_creds = self.get_cached_creds(
974 account_type=self.AccountType.COMPUTER,
975 opts={'no_auth_data_required': True})
976
977 tgt = self.modified_ticket(self.get_tgt(client_creds),
978 exclude_pac=True)
979
980 pac = self.get_ticket_pac(tgt, expect_pac=False)
981 self.assertIsNone(pac)
982
983 self._make_tgs_request(client_creds, service_creds, tgt,
984 expect_error=True)
985
986 def test_remove_pac_client_no_auth_data_required(self):
987 client_creds = self.get_cached_creds(
988 account_type=self.AccountType.USER,
989 opts={'no_auth_data_required': True})
990 service_creds = self.get_service_creds()
991
992 tgt = self.modified_ticket(self.get_tgt(client_creds),
993 exclude_pac=True)
994
995 pac = self.get_ticket_pac(tgt, expect_pac=False)
996 self.assertIsNone(pac)
997
998 self._make_tgs_request(client_creds, service_creds, tgt,
999 expect_error=True)
1000
1001 def test_remove_pac(self):
1002 client_creds = self.get_client_creds()
1003 service_creds = self.get_service_creds()
1004
1005 tgt = self.modified_ticket(self.get_tgt(client_creds),
1006 exclude_pac=True)
1007
1008 pac = self.get_ticket_pac(tgt, expect_pac=False)
1009 self.assertIsNone(pac)
1010
1011 self._make_tgs_request(client_creds, service_creds, tgt,
1012 expect_error=True)
1013
1014 def test_upn_dns_info_ex_user(self):
1015 client_creds = self.get_client_creds()
1016 self._run_upn_dns_info_ex_test(client_creds)
1017
1018 def test_upn_dns_info_ex_mac(self):
1019 mach_creds = self.get_mach_creds()
1020 self._run_upn_dns_info_ex_test(mach_creds)
1021
1022 def test_upn_dns_info_ex_upn_user(self):
1023 client_creds = self.get_cached_creds(
1024 account_type=self.AccountType.USER,
1025 opts={'upn': 'upn_dns_info_test_upn0@bar'})
1026 self._run_upn_dns_info_ex_test(client_creds)
1027
1028 def test_upn_dns_info_ex_upn_mac(self):
1029 mach_creds = self.get_cached_creds(
1030 account_type=self.AccountType.COMPUTER,
1031 opts={'upn': 'upn_dns_info_test_upn1@bar'})
1032 self._run_upn_dns_info_ex_test(mach_creds)
1033
1034 def _run_upn_dns_info_ex_test(self, client_creds):
1035 service_creds = self.get_service_creds()
1036
1037 account_name = client_creds.get_username()
1038 upn_name = client_creds.get_upn()
1039 if upn_name is None:
1040 realm = client_creds.get_realm().lower()
1041 upn_name = f'{account_name}@{realm}'
1042 sid = client_creds.get_sid()
1043
1044 tgt = self.get_tgt(client_creds,
1045 expected_account_name=account_name,
1046 expected_upn_name=upn_name,
1047 expected_sid=sid)
1048
1049 self._make_tgs_request(client_creds, service_creds, tgt,
1050 expected_account_name=account_name,
1051 expected_upn_name=upn_name,
1052 expected_sid=sid)
1053
1054 # Test making a TGS request.
1055 def test_tgs_req(self):
1056 creds = self._get_creds()
1057 tgt = self._get_tgt(creds)
1058 self._run_tgs(tgt, creds, expected_error=0)
1059
1060 def test_renew_req(self):
1061 creds = self._get_creds()
1062 tgt = self._get_tgt(creds, renewable=True)
1063 self._renew_tgt(tgt, creds, expected_error=0,
1064 expect_pac_attrs=True,
1065 expect_pac_attrs_pac_request=True,
1066 expect_requester_sid=True)
1067
1068 def test_validate_req(self):
1069 creds = self._get_creds()
1070 tgt = self._get_tgt(creds, invalid=True)
1071 self._validate_tgt(tgt, creds, expected_error=0,
1072 expect_pac_attrs=True,
1073 expect_pac_attrs_pac_request=True,
1074 expect_requester_sid=True)
1075
1076 def test_s4u2self_req(self):
1077 creds = self._get_creds()
1078 tgt = self._get_tgt(creds)
1079 self._s4u2self(tgt, creds, expected_error=0)
1080
1081 def test_user2user_req(self):
1082 creds = self._get_creds()
1083 tgt = self._get_tgt(creds)
1084 self._user2user(tgt, creds, expected_error=0)
1085
1086 def test_user2user_user_self_req(self):
1087 creds = self._get_user_creds()
1088 tgt = self._get_tgt(creds)
1089 username = creds.get_username()
1090 sname = self.PrincipalName_create(
1091 name_type=NT_PRINCIPAL,
1092 names=[username])
1093 self._user2user(tgt, creds, sname=sname, user_tgt=tgt, user_creds=creds, expected_error=0)
1094
1095 def test_user2user_computer_self_princ1_req(self):
1096 creds = self._get_creds()
1097 tgt = self._get_tgt(creds)
1098 username = creds.get_username()
1099 sname = self.PrincipalName_create(
1100 name_type=NT_PRINCIPAL,
1101 names=[username])
1102 self._user2user(tgt, creds, sname=sname, user_tgt=tgt, user_creds=creds, expected_error=0)
1103
1104 def test_user2user_computer_self_princ2_req(self):
1105 creds = self._get_creds()
1106 tgt = self._get_tgt(creds)
1107 self._user2user(tgt, creds, user_tgt=tgt, user_creds=creds, expected_error=0)
1108
1109 def test_fast_req(self):
1110 creds = self._get_creds()
1111 tgt = self._get_tgt(creds)
1112 self._fast(tgt, creds, expected_error=0)
1113
1114 def test_tgs_req_invalid(self):
1115 creds = self._get_creds()
1116 tgt = self._get_tgt(creds, invalid=True)
1117 self._run_tgs(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
1118
1119 def test_s4u2self_req_invalid(self):
1120 creds = self._get_creds()
1121 tgt = self._get_tgt(creds, invalid=True)
1122 self._s4u2self(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
1123
1124 def test_user2user_req_invalid(self):
1125 creds = self._get_creds()
1126 tgt = self._get_tgt(creds, invalid=True)
1127 self._user2user(tgt, creds, expected_error=KRB_ERR_TKT_NYV)
1128
1129 def test_fast_req_invalid(self):
1130 creds = self._get_creds()
1131 tgt = self._get_tgt(creds, invalid=True)
1132 self._fast(tgt, creds, expected_error=KRB_ERR_TKT_NYV,
1133 expected_sname=self.get_krbtgt_sname())
1134
1135 def test_tgs_req_no_requester_sid(self):
1136 creds = self._get_creds()
1137 tgt = self._get_tgt(creds, remove_requester_sid=True)
1138
1139 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1140
1141 def test_tgs_req_no_pac_attrs(self):
1142 creds = self._get_creds()
1143 tgt = self._get_tgt(creds, remove_pac_attrs=True)
1144
1145 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
1146 expect_pac_attrs=False)
1147
1148 def test_tgs_req_from_rodc_no_requester_sid(self):
1149 creds = self._get_creds(replication_allowed=True,
1150 revealed_to_rodc=True)
1151 tgt = self._get_tgt(creds, from_rodc=True, remove_requester_sid=True)
1152
1153 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1154
1155 def test_tgs_req_from_rodc_no_pac_attrs(self):
1156 creds = self._get_creds(replication_allowed=True,
1157 revealed_to_rodc=True)
1158 tgt = self._get_tgt(creds, from_rodc=True, remove_pac_attrs=True)
1159 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
1160 expect_pac_attrs=False)
1161
1162 def test_tgs_req_extra_pac_buffers(self):
1163 extra_pac_buffers = [123, 456, 789]
1164
1165 creds = self._get_creds()
1166 tgt = self._get_tgt(creds, extra_pac_buffers=extra_pac_buffers)
1167
1168 # Expect that the extra PAC buffers are retained in the TGT.
1169 self._run_tgs(tgt, creds, expected_error=0,
1170 expected_extra_pac_buffers=extra_pac_buffers)
1171
1172 def test_tgs_req_from_rodc_extra_pac_buffers(self):
1173 extra_pac_buffers = [123, 456, 789]
1174
1175 creds = self._get_creds(replication_allowed=True,
1176 revealed_to_rodc=True)
1177 tgt = self._get_tgt(creds, from_rodc=True,
1178 extra_pac_buffers=extra_pac_buffers)
1179
1180 # Expect that the extra PAC buffers are removed from the RODC‐issued
1181 # TGT.
1182 self._run_tgs(tgt, creds, expected_error=0)
1183
1184 # Test making a request without a PAC.
1185 def test_tgs_no_pac(self):
1186 creds = self._get_creds()
1187 tgt = self._get_tgt(creds, remove_pac=True)
1188 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1189
1190 def test_renew_no_pac(self):
1191 creds = self._get_creds()
1192 tgt = self._get_tgt(creds, renewable=True, remove_pac=True)
1193 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1194
1195 def test_validate_no_pac(self):
1196 creds = self._get_creds()
1197 tgt = self._get_tgt(creds, invalid=True, remove_pac=True)
1198 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1199
1200 def test_s4u2self_no_pac(self):
1201 creds = self._get_creds()
1202 tgt = self._get_tgt(creds, remove_pac=True)
1203 self._s4u2self(tgt, creds,
1204 expected_error=KDC_ERR_TGT_REVOKED,
1205 expect_edata=False)
1206
1207 def test_user2user_no_pac(self):
1208 creds = self._get_creds()
1209 tgt = self._get_tgt(creds, remove_pac=True)
1210 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1211
1212 def test_fast_no_pac(self):
1213 creds = self._get_creds()
1214 tgt = self._get_tgt(creds, remove_pac=True)
1215 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1216 expected_sname=self.get_krbtgt_sname())
1217
1218 def test_fast_as_req_no_pac(self):
1219 creds = self._get_creds()
1220 tgt = self._get_tgt(creds, remove_pac=True)
1221 self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1222 expected_sname=self.get_krbtgt_sname())
1223
1224 # Test making a request with authdata and without a PAC.
1225 def test_tgs_authdata_no_pac(self):
1226 creds = self._get_creds()
1227 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1228 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1229
1230 def test_renew_authdata_no_pac(self):
1231 creds = self._get_creds()
1232 tgt = self._get_tgt(creds, renewable=True, remove_pac=True,
1233 allow_empty_authdata=True)
1234 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1235
1236 def test_validate_authdata_no_pac(self):
1237 creds = self._get_creds()
1238 tgt = self._get_tgt(creds, invalid=True, remove_pac=True,
1239 allow_empty_authdata=True)
1240 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1241
1242 def test_s4u2self_authdata_no_pac(self):
1243 creds = self._get_creds()
1244 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1245 self._s4u2self(tgt, creds,
1246 expected_error=KDC_ERR_TGT_REVOKED,
1247 expect_edata=False)
1248
1249 def test_user2user_authdata_no_pac(self):
1250 creds = self._get_creds()
1251 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1252 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1253
1254 def test_fast_authdata_no_pac(self):
1255 creds = self._get_creds()
1256 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1257 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1258 expected_sname=self.get_krbtgt_sname())
1259
1260 def test_fast_as_req_authdata_no_pac(self):
1261 creds = self._get_creds()
1262 tgt = self._get_tgt(creds, remove_pac=True, allow_empty_authdata=True)
1263 self._fast_as_req(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1264 expected_sname=self.get_krbtgt_sname())
1265
1266 # Test changing the SID in the PAC to that of another account.
1267 def test_tgs_sid_mismatch_existing(self):
1268 creds = self._get_creds()
1269 existing_rid = self._get_existing_rid()
1270 tgt = self._get_tgt(creds, new_rid=existing_rid)
1271 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1272
1273 def test_renew_sid_mismatch_existing(self):
1274 creds = self._get_creds()
1275 existing_rid = self._get_existing_rid()
1276 tgt = self._get_tgt(creds, renewable=True, new_rid=existing_rid)
1277 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1278
1279 def test_validate_sid_mismatch_existing(self):
1280 creds = self._get_creds()
1281 existing_rid = self._get_existing_rid()
1282 tgt = self._get_tgt(creds, invalid=True, new_rid=existing_rid)
1283 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1284
1285 def test_s4u2self_sid_mismatch_existing(self):
1286 creds = self._get_creds()
1287 existing_rid = self._get_existing_rid()
1288 tgt = self._get_tgt(creds, new_rid=existing_rid)
1289 self._s4u2self(tgt, creds,
1290 expected_error=KDC_ERR_TGT_REVOKED)
1291
1292 def test_user2user_sid_mismatch_existing(self):
1293 creds = self._get_creds()
1294 existing_rid = self._get_existing_rid()
1295 tgt = self._get_tgt(creds, new_rid=existing_rid)
1296 self._user2user(tgt, creds,
1297 expected_error=KDC_ERR_TGT_REVOKED)
1298
1299 def test_fast_sid_mismatch_existing(self):
1300 creds = self._get_creds()
1301 existing_rid = self._get_existing_rid()
1302 tgt = self._get_tgt(creds, new_rid=existing_rid)
1303 self._fast(tgt, creds,
1304 expected_error=KDC_ERR_TGT_REVOKED,
1305 expected_sname=self.get_krbtgt_sname())
1306
1307 def test_fast_as_req_sid_mismatch_existing(self):
1308 creds = self._get_creds()
1309 existing_rid = self._get_existing_rid()
1310 tgt = self._get_tgt(creds, new_rid=existing_rid)
1311 self._fast_as_req(tgt, creds,
1312 expected_error=KDC_ERR_TGT_REVOKED,
1313 expected_sname=self.get_krbtgt_sname())
1314
1315 def test_requester_sid_mismatch_existing(self):
1316 creds = self._get_creds()
1317 existing_rid = self._get_existing_rid()
1318 tgt = self._get_tgt(creds, new_rid=existing_rid,
1319 can_modify_logon_info=False)
1320 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1321
1322 def test_logon_info_sid_mismatch_existing(self):
1323 creds = self._get_creds()
1324 existing_rid = self._get_existing_rid()
1325 tgt = self._get_tgt(creds, new_rid=existing_rid,
1326 can_modify_requester_sid=False)
1327 self._run_tgs(tgt, creds, expected_error=0)
1328
1329 def test_logon_info_only_sid_mismatch_existing(self):
1330 creds = self._get_creds()
1331 existing_rid = self._get_existing_rid()
1332 tgt = self._get_tgt(creds, new_rid=existing_rid,
1333 remove_requester_sid=True)
1334 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1335
1336 # Test changing the SID in the PAC to a non-existent one.
1337 def test_tgs_sid_mismatch_nonexisting(self):
1338 creds = self._get_creds()
1339 nonexistent_rid = self._get_non_existent_rid()
1340 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1341 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1342
1343 def test_renew_sid_mismatch_nonexisting(self):
1344 creds = self._get_creds()
1345 nonexistent_rid = self._get_non_existent_rid()
1346 tgt = self._get_tgt(creds, renewable=True,
1347 new_rid=nonexistent_rid)
1348 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1349
1350 def test_validate_sid_mismatch_nonexisting(self):
1351 creds = self._get_creds()
1352 nonexistent_rid = self._get_non_existent_rid()
1353 tgt = self._get_tgt(creds, invalid=True,
1354 new_rid=nonexistent_rid)
1355 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1356
1357 def test_s4u2self_sid_mismatch_nonexisting(self):
1358 creds = self._get_creds()
1359 nonexistent_rid = self._get_non_existent_rid()
1360 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1361 self._s4u2self(tgt, creds,
1362 expected_error=KDC_ERR_TGT_REVOKED)
1363
1364 def test_user2user_sid_mismatch_nonexisting(self):
1365 creds = self._get_creds()
1366 nonexistent_rid = self._get_non_existent_rid()
1367 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1368 self._user2user(tgt, creds,
1369 expected_error=KDC_ERR_TGT_REVOKED)
1370
1371 def test_fast_sid_mismatch_nonexisting(self):
1372 creds = self._get_creds()
1373 nonexistent_rid = self._get_non_existent_rid()
1374 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1375 self._fast(tgt, creds,
1376 expected_error=KDC_ERR_TGT_REVOKED,
1377 expected_sname=self.get_krbtgt_sname())
1378
1379 def test_fast_as_req_sid_mismatch_nonexisting(self):
1380 creds = self._get_creds()
1381 nonexistent_rid = self._get_non_existent_rid()
1382 tgt = self._get_tgt(creds, new_rid=nonexistent_rid)
1383 self._fast_as_req(tgt, creds,
1384 expected_error=KDC_ERR_TGT_REVOKED,
1385 expected_sname=self.get_krbtgt_sname())
1386
1387 def test_requester_sid_mismatch_nonexisting(self):
1388 creds = self._get_creds()
1389 nonexistent_rid = self._get_non_existent_rid()
1390 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1391 can_modify_logon_info=False)
1392 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1393
1394 def test_logon_info_sid_mismatch_nonexisting(self):
1395 creds = self._get_creds()
1396 nonexistent_rid = self._get_non_existent_rid()
1397 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1398 can_modify_requester_sid=False)
1399 self._run_tgs(tgt, creds, expected_error=0)
1400
1401 def test_logon_info_only_sid_mismatch_nonexisting(self):
1402 creds = self._get_creds()
1403 nonexistent_rid = self._get_non_existent_rid()
1404 tgt = self._get_tgt(creds, new_rid=nonexistent_rid,
1405 remove_requester_sid=True)
1406 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1407
1408 # Test with an RODC-issued ticket where the client is revealed to the RODC.
1409 def test_tgs_rodc_revealed(self):
1410 creds = self._get_creds(replication_allowed=True,
1411 revealed_to_rodc=True)
1412 tgt = self._get_tgt(creds, from_rodc=True)
1413 self._run_tgs(tgt, creds, expected_error=0)
1414
1415 def test_renew_rodc_revealed(self):
1416 creds = self._get_creds(replication_allowed=True,
1417 revealed_to_rodc=True)
1418 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1419 self._renew_tgt(tgt, creds, expected_error=0,
1420 expect_pac_attrs=False,
1421 expect_requester_sid=True)
1422
1423 def test_validate_rodc_revealed(self):
1424 creds = self._get_creds(replication_allowed=True,
1425 revealed_to_rodc=True)
1426 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1427 self._validate_tgt(tgt, creds, expected_error=0,
1428 expect_pac_attrs=False,
1429 expect_requester_sid=True)
1430
1431 # This test fails on Windows, which gives KDC_ERR_C_PRINCIPAL_UNKNOWN when
1432 # attempting to use S4U2Self with a TGT from an RODC.
1433 def test_s4u2self_rodc_revealed(self):
1434 creds = self._get_creds(replication_allowed=True,
1435 revealed_to_rodc=True)
1436 tgt = self._get_tgt(creds, from_rodc=True)
1437 self._s4u2self(tgt, creds,
1438 expected_error=KDC_ERR_C_PRINCIPAL_UNKNOWN)
1439
1440 def test_user2user_rodc_revealed(self):
1441 creds = self._get_creds(replication_allowed=True,
1442 revealed_to_rodc=True)
1443 tgt = self._get_tgt(creds, from_rodc=True)
1444 self._user2user(tgt, creds, expected_error=0)
1445
1446 # Test with an RODC-issued ticket where the SID in the PAC is changed to
1447 # that of another account.
1448 def test_tgs_rodc_sid_mismatch_existing(self):
1449 creds = self._get_creds(replication_allowed=True,
1450 revealed_to_rodc=True)
1451 existing_rid = self._get_existing_rid(replication_allowed=True,
1452 revealed_to_rodc=True)
1453 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1454 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1455
1456 def test_renew_rodc_sid_mismatch_existing(self):
1457 creds = self._get_creds(replication_allowed=True,
1458 revealed_to_rodc=True)
1459 existing_rid = self._get_existing_rid(replication_allowed=True,
1460 revealed_to_rodc=True)
1461 tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
1462 new_rid=existing_rid)
1463 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1464
1465 def test_validate_rodc_sid_mismatch_existing(self):
1466 creds = self._get_creds(replication_allowed=True,
1467 revealed_to_rodc=True)
1468 existing_rid = self._get_existing_rid(replication_allowed=True,
1469 revealed_to_rodc=True)
1470 tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
1471 new_rid=existing_rid)
1472 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1473
1474 def test_s4u2self_rodc_sid_mismatch_existing(self):
1475 creds = self._get_creds(replication_allowed=True,
1476 revealed_to_rodc=True)
1477 existing_rid = self._get_existing_rid(replication_allowed=True,
1478 revealed_to_rodc=True)
1479 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1480 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1481
1482 def test_user2user_rodc_sid_mismatch_existing(self):
1483 creds = self._get_creds(replication_allowed=True,
1484 revealed_to_rodc=True)
1485 existing_rid = self._get_existing_rid(replication_allowed=True,
1486 revealed_to_rodc=True)
1487 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1488 self._user2user(tgt, creds,
1489 expected_error=KDC_ERR_TGT_REVOKED)
1490
1491 def test_fast_rodc_sid_mismatch_existing(self):
1492 creds = self._get_creds(replication_allowed=True,
1493 revealed_to_rodc=True)
1494 existing_rid = self._get_existing_rid(replication_allowed=True,
1495 revealed_to_rodc=True)
1496 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid)
1497 self._fast(tgt, creds,
1498 expected_error=KDC_ERR_TGT_REVOKED,
1499 expected_sname=self.get_krbtgt_sname())
1500
1501 def test_tgs_rodc_requester_sid_mismatch_existing(self):
1502 creds = self._get_creds(replication_allowed=True,
1503 revealed_to_rodc=True)
1504 existing_rid = self._get_existing_rid(replication_allowed=True,
1505 revealed_to_rodc=True)
1506 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1507 can_modify_logon_info=False)
1508 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1509
1510 def test_tgs_rodc_logon_info_sid_mismatch_existing(self):
1511 creds = self._get_creds(replication_allowed=True,
1512 revealed_to_rodc=True)
1513 existing_rid = self._get_existing_rid(replication_allowed=True,
1514 revealed_to_rodc=True)
1515 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1516 can_modify_requester_sid=False)
1517 self._run_tgs(tgt, creds, expected_error=0)
1518
1519 def test_tgs_rodc_logon_info_only_sid_mismatch_existing(self):
1520 creds = self._get_creds(replication_allowed=True,
1521 revealed_to_rodc=True)
1522 existing_rid = self._get_existing_rid(replication_allowed=True,
1523 revealed_to_rodc=True)
1524 tgt = self._get_tgt(creds, from_rodc=True, new_rid=existing_rid,
1525 remove_requester_sid=True)
1526 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1527
1528 # Test with an RODC-issued ticket where the SID in the PAC is changed to a
1529 # non-existent one.
1530 def test_tgs_rodc_sid_mismatch_nonexisting(self):
1531 creds = self._get_creds(replication_allowed=True,
1532 revealed_to_rodc=True)
1533 nonexistent_rid = self._get_non_existent_rid()
1534 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1535 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1536
1537 def test_renew_rodc_sid_mismatch_nonexisting(self):
1538 creds = self._get_creds(replication_allowed=True,
1539 revealed_to_rodc=True)
1540 nonexistent_rid = self._get_non_existent_rid()
1541 tgt = self._get_tgt(creds, renewable=True, from_rodc=True,
1542 new_rid=nonexistent_rid)
1543 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1544
1545 def test_validate_rodc_sid_mismatch_nonexisting(self):
1546 creds = self._get_creds(replication_allowed=True,
1547 revealed_to_rodc=True)
1548 nonexistent_rid = self._get_non_existent_rid()
1549 tgt = self._get_tgt(creds, invalid=True, from_rodc=True,
1550 new_rid=nonexistent_rid)
1551 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1552
1553 def test_s4u2self_rodc_sid_mismatch_nonexisting(self):
1554 creds = self._get_creds(replication_allowed=True,
1555 revealed_to_rodc=True)
1556 nonexistent_rid = self._get_non_existent_rid()
1557 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1558 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1559
1560 def test_user2user_rodc_sid_mismatch_nonexisting(self):
1561 creds = self._get_creds(replication_allowed=True,
1562 revealed_to_rodc=True)
1563 nonexistent_rid = self._get_non_existent_rid()
1564 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1565 self._user2user(tgt, creds,
1566 expected_error=KDC_ERR_TGT_REVOKED)
1567
1568 def test_fast_rodc_sid_mismatch_nonexisting(self):
1569 creds = self._get_creds(replication_allowed=True,
1570 revealed_to_rodc=True)
1571 nonexistent_rid = self._get_non_existent_rid()
1572 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid)
1573 self._fast(tgt, creds,
1574 expected_error=KDC_ERR_TGT_REVOKED,
1575 expected_sname=self.get_krbtgt_sname())
1576
1577 def test_tgs_rodc_requester_sid_mismatch_nonexisting(self):
1578 creds = self._get_creds(replication_allowed=True,
1579 revealed_to_rodc=True)
1580 nonexistent_rid = self._get_non_existent_rid()
1581 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1582 can_modify_logon_info=False)
1583 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1584
1585 def test_tgs_rodc_logon_info_sid_mismatch_nonexisting(self):
1586 creds = self._get_creds(replication_allowed=True,
1587 revealed_to_rodc=True)
1588 nonexistent_rid = self._get_non_existent_rid()
1589 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1590 can_modify_requester_sid=False)
1591 self._run_tgs(tgt, creds, expected_error=0)
1592
1593 def test_tgs_rodc_logon_info_only_sid_mismatch_nonexisting(self):
1594 creds = self._get_creds(replication_allowed=True,
1595 revealed_to_rodc=True)
1596 nonexistent_rid = self._get_non_existent_rid()
1597 tgt = self._get_tgt(creds, from_rodc=True, new_rid=nonexistent_rid,
1598 remove_requester_sid=True)
1599 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1600
1601 # Test with an RODC-issued ticket where the client is not revealed to the
1602 # RODC.
1603 def test_tgs_rodc_not_revealed(self):
1604 creds = self._get_creds(replication_allowed=True)
1605 tgt = self._get_tgt(creds, from_rodc=True)
1606 # TODO: error code
1607 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1608
1609 def test_renew_rodc_not_revealed(self):
1610 creds = self._get_creds(replication_allowed=True)
1611 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1612 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1613
1614 def test_validate_rodc_not_revealed(self):
1615 creds = self._get_creds(replication_allowed=True)
1616 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1617 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1618
1619 def test_s4u2self_rodc_not_revealed(self):
1620 creds = self._get_creds(replication_allowed=True)
1621 tgt = self._get_tgt(creds, from_rodc=True)
1622 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1623
1624 def test_user2user_rodc_not_revealed(self):
1625 creds = self._get_creds(replication_allowed=True)
1626 tgt = self._get_tgt(creds, from_rodc=True)
1627 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1628
1629 # Test with an RODC-issued ticket where the RODC account does not have the
1630 # PARTIAL_SECRETS bit set.
1631 def test_tgs_rodc_no_partial_secrets(self):
1632 creds = self._get_creds(replication_allowed=True,
1633 revealed_to_rodc=True)
1634 tgt = self._get_tgt(creds, from_rodc=True)
1635 self._remove_rodc_partial_secrets()
1636 self._run_tgs(tgt, creds, expected_error=KDC_ERR_POLICY)
1637
1638 def test_renew_rodc_no_partial_secrets(self):
1639 creds = self._get_creds(replication_allowed=True,
1640 revealed_to_rodc=True)
1641 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1642 self._remove_rodc_partial_secrets()
1643 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1644
1645 def test_validate_rodc_no_partial_secrets(self):
1646 creds = self._get_creds(replication_allowed=True,
1647 revealed_to_rodc=True)
1648 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1649 self._remove_rodc_partial_secrets()
1650 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1651
1652 def test_s4u2self_rodc_no_partial_secrets(self):
1653 creds = self._get_creds(replication_allowed=True,
1654 revealed_to_rodc=True)
1655 tgt = self._get_tgt(creds, from_rodc=True)
1656 self._remove_rodc_partial_secrets()
1657 self._s4u2self(tgt, creds, expected_error=KDC_ERR_POLICY)
1658
1659 def test_user2user_rodc_no_partial_secrets(self):
1660 creds = self._get_creds(replication_allowed=True,
1661 revealed_to_rodc=True)
1662 tgt = self._get_tgt(creds, from_rodc=True)
1663 self._remove_rodc_partial_secrets()
1664 self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
1665
1666 def test_fast_rodc_no_partial_secrets(self):
1667 creds = self._get_creds(replication_allowed=True,
1668 revealed_to_rodc=True)
1669 tgt = self._get_tgt(creds, from_rodc=True)
1670 self._remove_rodc_partial_secrets()
1671 self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
1672 expected_sname=self.get_krbtgt_sname())
1673
1674 # Test with an RODC-issued ticket where the RODC account does not have an
1675 # msDS-KrbTgtLink.
1676 def test_tgs_rodc_no_krbtgt_link(self):
1677 creds = self._get_creds(replication_allowed=True,
1678 revealed_to_rodc=True)
1679 tgt = self._get_tgt(creds, from_rodc=True)
1680 self._remove_rodc_krbtgt_link()
1681 self._run_tgs(tgt, creds, expected_error=KDC_ERR_POLICY)
1682
1683 def test_renew_rodc_no_krbtgt_link(self):
1684 creds = self._get_creds(replication_allowed=True,
1685 revealed_to_rodc=True)
1686 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1687 self._remove_rodc_krbtgt_link()
1688 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1689
1690 def test_validate_rodc_no_krbtgt_link(self):
1691 creds = self._get_creds(replication_allowed=True,
1692 revealed_to_rodc=True)
1693 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1694 self._remove_rodc_krbtgt_link()
1695 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_POLICY)
1696
1697 def test_s4u2self_rodc_no_krbtgt_link(self):
1698 creds = self._get_creds(replication_allowed=True,
1699 revealed_to_rodc=True)
1700 tgt = self._get_tgt(creds, from_rodc=True)
1701 self._remove_rodc_krbtgt_link()
1702 self._s4u2self(tgt, creds, expected_error=KDC_ERR_POLICY)
1703
1704 def test_user2user_rodc_no_krbtgt_link(self):
1705 creds = self._get_creds(replication_allowed=True,
1706 revealed_to_rodc=True)
1707 tgt = self._get_tgt(creds, from_rodc=True)
1708 self._remove_rodc_krbtgt_link()
1709 self._user2user(tgt, creds, expected_error=KDC_ERR_POLICY)
1710
1711 def test_fast_rodc_no_krbtgt_link(self):
1712 creds = self._get_creds(replication_allowed=True,
1713 revealed_to_rodc=True)
1714 tgt = self._get_tgt(creds, from_rodc=True)
1715 self._remove_rodc_krbtgt_link()
1716 self._fast(tgt, creds, expected_error=KDC_ERR_POLICY,
1717 expected_sname=self.get_krbtgt_sname())
1718
1719 # Test with an RODC-issued ticket where the client is not allowed to
1720 # replicate to the RODC.
1721 def test_tgs_rodc_not_allowed(self):
1722 creds = self._get_creds(revealed_to_rodc=True)
1723 tgt = self._get_tgt(creds, from_rodc=True)
1724 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1725
1726 def test_renew_rodc_not_allowed(self):
1727 creds = self._get_creds(revealed_to_rodc=True)
1728 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1729 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1730
1731 def test_validate_rodc_not_allowed(self):
1732 creds = self._get_creds(revealed_to_rodc=True)
1733 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1734 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1735
1736 def test_s4u2self_rodc_not_allowed(self):
1737 creds = self._get_creds(revealed_to_rodc=True)
1738 tgt = self._get_tgt(creds, from_rodc=True)
1739 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1740
1741 def test_user2user_rodc_not_allowed(self):
1742 creds = self._get_creds(revealed_to_rodc=True)
1743 tgt = self._get_tgt(creds, from_rodc=True)
1744 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1745
1746 def test_fast_rodc_not_allowed(self):
1747 creds = self._get_creds(revealed_to_rodc=True)
1748 tgt = self._get_tgt(creds, from_rodc=True)
1749 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1750 expected_sname=self.get_krbtgt_sname())
1751
1752 # Test with an RODC-issued ticket where the client is denied from
1753 # replicating to the RODC.
1754 def test_tgs_rodc_denied(self):
1755 creds = self._get_creds(replication_denied=True,
1756 revealed_to_rodc=True)
1757 tgt = self._get_tgt(creds, from_rodc=True)
1758 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1759
1760 def test_renew_rodc_denied(self):
1761 creds = self._get_creds(replication_denied=True,
1762 revealed_to_rodc=True)
1763 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1764 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1765
1766 def test_validate_rodc_denied(self):
1767 creds = self._get_creds(replication_denied=True,
1768 revealed_to_rodc=True)
1769 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1770 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1771
1772 def test_s4u2self_rodc_denied(self):
1773 creds = self._get_creds(replication_denied=True,
1774 revealed_to_rodc=True)
1775 tgt = self._get_tgt(creds, from_rodc=True)
1776 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1777
1778 def test_user2user_rodc_denied(self):
1779 creds = self._get_creds(replication_denied=True,
1780 revealed_to_rodc=True)
1781 tgt = self._get_tgt(creds, from_rodc=True)
1782 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1783
1784 def test_fast_rodc_denied(self):
1785 creds = self._get_creds(replication_denied=True,
1786 revealed_to_rodc=True)
1787 tgt = self._get_tgt(creds, from_rodc=True)
1788 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1789 expected_sname=self.get_krbtgt_sname())
1790
1791 # Test with an RODC-issued ticket where the client is both allowed and
1792 # denied replicating to the RODC.
1793 def test_tgs_rodc_allowed_denied(self):
1794 creds = self._get_creds(replication_allowed=True,
1795 replication_denied=True,
1796 revealed_to_rodc=True)
1797 tgt = self._get_tgt(creds, from_rodc=True)
1798 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1799
1800 def test_renew_rodc_allowed_denied(self):
1801 creds = self._get_creds(replication_allowed=True,
1802 replication_denied=True,
1803 revealed_to_rodc=True)
1804 tgt = self._get_tgt(creds, renewable=True, from_rodc=True)
1805 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1806
1807 def test_validate_rodc_allowed_denied(self):
1808 creds = self._get_creds(replication_allowed=True,
1809 replication_denied=True,
1810 revealed_to_rodc=True)
1811 tgt = self._get_tgt(creds, invalid=True, from_rodc=True)
1812 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1813
1814 def test_s4u2self_rodc_allowed_denied(self):
1815 creds = self._get_creds(replication_allowed=True,
1816 replication_denied=True,
1817 revealed_to_rodc=True)
1818 tgt = self._get_tgt(creds, from_rodc=True)
1819 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1820
1821 def test_user2user_rodc_allowed_denied(self):
1822 creds = self._get_creds(replication_allowed=True,
1823 replication_denied=True,
1824 revealed_to_rodc=True)
1825 tgt = self._get_tgt(creds, from_rodc=True)
1826 self._user2user(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
1827
1828 def test_fast_rodc_allowed_denied(self):
1829 creds = self._get_creds(replication_allowed=True,
1830 replication_denied=True,
1831 revealed_to_rodc=True)
1832 tgt = self._get_tgt(creds, from_rodc=True)
1833 self._fast(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED,
1834 expected_sname=self.get_krbtgt_sname())
1835
1836 # Test making a TGS request with an RC4-encrypted TGT.
1837 def test_tgs_rc4(self):
1838 creds = self._get_creds()
1839 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1840 self._run_tgs(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1841 KDC_ERR_BADKEYVER),
1842 expect_edata=True,
1843 # We aren’t particular about whether or not we get an
1844 # NTSTATUS.
1845 expect_status=None,
1846 expected_status=ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES)
1847
1848 def test_renew_rc4(self):
1849 creds = self._get_creds()
1850 tgt = self._get_tgt(creds, renewable=True, etype=kcrypto.Enctype.RC4)
1851 self._renew_tgt(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1852 KDC_ERR_BADKEYVER),
1853 expect_pac_attrs=True,
1854 expect_pac_attrs_pac_request=True,
1855 expect_requester_sid=True)
1856
1857 def test_validate_rc4(self):
1858 creds = self._get_creds()
1859 tgt = self._get_tgt(creds, invalid=True, etype=kcrypto.Enctype.RC4)
1860 self._validate_tgt(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1861 KDC_ERR_BADKEYVER),
1862 expect_pac_attrs=True,
1863 expect_pac_attrs_pac_request=True,
1864 expect_requester_sid=True)
1865
1866 def test_s4u2self_rc4(self):
1867 creds = self._get_creds()
1868 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1869 self._s4u2self(tgt, creds, expected_error=(KDC_ERR_GENERIC,
1870 KDC_ERR_BADKEYVER),
1871 expect_edata=True,
1872 # We aren’t particular about whether or not we get an
1873 # NTSTATUS.
1874 expect_status=None,
1875 expected_status=ntstatus.NT_STATUS_INSUFFICIENT_RESOURCES)
1876
1877 def test_user2user_rc4(self):
1878 creds = self._get_creds()
1879 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1880 self._user2user(tgt, creds, expected_error=KDC_ERR_ETYPE_NOSUPP)
1881
1882 def test_fast_rc4(self):
1883 creds = self._get_creds()
1884 tgt = self._get_tgt(creds, etype=kcrypto.Enctype.RC4)
1885 self._fast(tgt, creds, expected_error=KDC_ERR_GENERIC,
1886 expect_edata=self.expect_padata_outer)
1887
1888 # Test with a TGT that has the lifetime of a kpasswd ticket (two minutes).
1889 def test_tgs_kpasswd(self):
1890 creds = self._get_creds()
1891 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1892 self._run_tgs(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1893
1894 def test_renew_kpasswd(self):
1895 creds = self._get_creds()
1896 tgt = self._get_tgt(creds, renewable=True)
1897 tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
1898 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1899
1900 def test_validate_kpasswd(self):
1901 creds = self._get_creds()
1902 tgt = self._get_tgt(creds, invalid=True)
1903 tgt = self.modify_lifetime(tgt, lifetime=2 * 60)
1904 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1905
1906 def test_s4u2self_kpasswd(self):
1907 creds = self._get_creds()
1908 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1909 self._s4u2self(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1910
1911 def test_user2user_kpasswd(self):
1912 creds = self._get_creds()
1913 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1914 self._user2user(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1915
1916 def test_fast_kpasswd(self):
1917 creds = self._get_creds()
1918 tgt = self.modify_lifetime(self._get_tgt(creds), lifetime=2 * 60)
1919 self._fast(tgt, creds, expected_error=KDC_ERR_TKT_EXPIRED)
1920
1921 # Test user-to-user with incorrect service principal names.
1922 def test_user2user_matching_sname_host(self):
1923 creds = self._get_creds()
1924 tgt = self._get_tgt(creds)
1925
1926 user_name = creds.get_username()
1927 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1928 names=['host', user_name])
1929
1930 self._user2user(tgt, creds, sname=sname,
1931 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
1932
1933 def test_user2user_matching_sname_no_host(self):
1934 creds = self._get_creds()
1935 tgt = self._get_tgt(creds)
1936
1937 user_name = creds.get_username()
1938 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1939 names=[user_name])
1940
1941 self._user2user(tgt, creds, sname=sname, expected_error=0)
1942
1943 def test_user2user_wrong_sname(self):
1944 creds = self._get_creds()
1945 tgt = self._get_tgt(creds)
1946
1947 other_creds = self._get_mach_creds()
1948 user_name = other_creds.get_username()
1949 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1950 names=[user_name])
1951
1952 self._user2user(tgt, creds, sname=sname,
1953 expected_error=KDC_ERR_BADMATCH)
1954
1955 def test_user2user_other_sname(self):
1956 other_name = self.get_new_username()
1957 spn = f'host/{other_name}'
1958 creds = self.get_cached_creds(
1959 account_type=self.AccountType.COMPUTER,
1960 opts={'spn': spn})
1961 tgt = self._get_tgt(creds)
1962
1963 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
1964 names=['host', other_name])
1965
1966 self._user2user(tgt, creds, sname=sname, expected_error=0)
1967
1968 def test_user2user_wrong_sname_krbtgt(self):
1969 creds = self._get_creds()
1970 tgt = self._get_tgt(creds)
1971
1972 sname = self.get_krbtgt_sname()
1973
1974 self._user2user(tgt, creds, sname=sname,
1975 expected_error=KDC_ERR_BADMATCH)
1976
1977 def test_user2user_wrong_srealm(self):
1978 creds = self._get_creds()
1979 tgt = self._get_tgt(creds)
1980
1981 self._user2user(tgt, creds, srealm='OTHER.REALM',
1982 expected_error=(KDC_ERR_WRONG_REALM,
1983 KDC_ERR_S_PRINCIPAL_UNKNOWN))
1984
1985 def test_user2user_tgt_correct_realm(self):
1986 creds = self._get_creds()
1987 tgt = self._get_tgt(creds)
1988
1989 realm = creds.get_realm().encode('utf-8')
1990 tgt = self._modify_tgt(tgt, crealm=realm)
1991
1992 self._user2user(tgt, creds,
1993 expected_error=0)
1994
1995 def test_user2user_tgt_wrong_realm(self):
1996 creds = self._get_creds()
1997 tgt = self._get_tgt(creds)
1998
1999 tgt = self._modify_tgt(tgt, crealm=b'OTHER.REALM')
2000
2001 self._user2user(tgt, creds,
2002 expected_error=(
2003 KDC_ERR_POLICY, # Windows
2004 KDC_ERR_C_PRINCIPAL_UNKNOWN, # Heimdal
2005 KDC_ERR_SERVER_NOMATCH, # MIT
2006 ),
2007 expect_edata=True,
2008 expected_status=ntstatus.NT_STATUS_NO_MATCH)
2009
2010 def test_user2user_tgt_correct_cname(self):
2011 creds = self._get_creds()
2012 tgt = self._get_tgt(creds)
2013
2014 user_name = creds.get_username()
2015 user_name = user_name.encode('utf-8')
2016 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2017 names=[user_name])
2018
2019 tgt = self._modify_tgt(tgt, cname=cname)
2020
2021 self._user2user(tgt, creds, expected_error=0)
2022
2023 def test_user2user_tgt_other_cname(self):
2024 samdb = self.get_samdb()
2025
2026 other_name = self.get_new_username()
2027 upn = f'{other_name}@{samdb.domain_dns_name()}'
2028
2029 creds = self.get_cached_creds(
2030 account_type=self.AccountType.COMPUTER,
2031 opts={'upn': upn})
2032 tgt = self._get_tgt(creds)
2033
2034 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2035 names=[other_name.encode('utf-8')])
2036
2037 tgt = self._modify_tgt(tgt, cname=cname)
2038
2039 self._user2user(tgt, creds, expected_error=0)
2040
2041 def test_user2user_tgt_cname_host(self):
2042 creds = self._get_creds()
2043 tgt = self._get_tgt(creds)
2044
2045 user_name = creds.get_username()
2046 user_name = user_name.encode('utf-8')
2047 cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2048 names=[b'host', user_name])
2049
2050 tgt = self._modify_tgt(tgt, cname=cname)
2051
2052 self._user2user(tgt, creds,
2053 expected_error=(KDC_ERR_TGT_REVOKED,
2054 KDC_ERR_C_PRINCIPAL_UNKNOWN))
2055
2056 def test_user2user_non_existent_sname(self):
2057 creds = self._get_creds()
2058 tgt = self._get_tgt(creds)
2059
2060 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2061 names=['host', 'non_existent_user'])
2062
2063 self._user2user(tgt, creds, sname=sname,
2064 expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
2065
2066 def test_user2user_no_sname(self):
2067 creds = self._get_creds()
2068 tgt = self._get_tgt(creds)
2069
2070 self._user2user(tgt, creds, sname=False,
2071 expected_error=(KDC_ERR_GENERIC,
2072 KDC_ERR_S_PRINCIPAL_UNKNOWN))
2073
2074 def test_tgs_service_ticket(self):
2075 creds = self._get_creds()
2076 tgt = self._get_tgt(creds)
2077
2078 service_creds = self.get_service_creds()
2079 service_ticket = self.get_service_ticket(tgt, service_creds)
2080
2081 self._run_tgs(service_ticket, creds,
2082 expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
2083
2084 def test_renew_service_ticket(self):
2085 creds = self._get_creds()
2086 tgt = self._get_tgt(creds)
2087
2088 service_creds = self.get_service_creds()
2089 service_ticket = self.get_service_ticket(tgt, service_creds)
2090
2091 service_ticket = self.modified_ticket(
2092 service_ticket,
2093 modify_fn=self._modify_renewable,
2094 checksum_keys=self.get_krbtgt_checksum_key())
2095
2096 self._renew_tgt(service_ticket, creds,
2097 expected_error=KDC_ERR_POLICY)
2098
2099 def test_validate_service_ticket(self):
2100 creds = self._get_creds()
2101 tgt = self._get_tgt(creds)
2102
2103 service_creds = self.get_service_creds()
2104 service_ticket = self.get_service_ticket(tgt, service_creds)
2105
2106 service_ticket = self.modified_ticket(
2107 service_ticket,
2108 modify_fn=self._modify_invalid,
2109 checksum_keys=self.get_krbtgt_checksum_key())
2110
2111 self._validate_tgt(service_ticket, creds,
2112 expected_error=KDC_ERR_POLICY)
2113
2114 def test_s4u2self_service_ticket(self):
2115 creds = self._get_creds()
2116 tgt = self._get_tgt(creds)
2117
2118 service_creds = self.get_service_creds()
2119 service_ticket = self.get_service_ticket(tgt, service_creds)
2120
2121 self._s4u2self(service_ticket, creds,
2122 expected_error=(KDC_ERR_NOT_US, KDC_ERR_POLICY))
2123
2124 def test_user2user_service_ticket(self):
2125 creds = self._get_creds()
2126 tgt = self._get_tgt(creds)
2127
2128 service_creds = self.get_service_creds()
2129 service_ticket = self.get_service_ticket(tgt, service_creds)
2130
2131 self._user2user(service_ticket, creds,
2132 expected_error=(KDC_ERR_MODIFIED, KDC_ERR_POLICY))
2133
2134 # Expected to fail against Windows, which does not produce an error.
2135 def test_fast_service_ticket(self):
2136 creds = self._get_creds()
2137 tgt = self._get_tgt(creds)
2138
2139 service_creds = self.get_service_creds()
2140 service_ticket = self.get_service_ticket(tgt, service_creds)
2141
2142 self._fast(service_ticket, creds,
2143 expected_error=(KDC_ERR_POLICY,
2144 KDC_ERR_S_PRINCIPAL_UNKNOWN))
2145
2146 def test_single_component_krbtgt_requester_sid_as_req(self):
2147 """Test that TGTs issued to a single‐component krbtgt principal always
2148 contain a requester SID PAC buffer.
2149 """
2150
2151 creds = self._get_creds()
2152
2153 # Create a single‐component principal of the form ‘krbtgt@REALM’.
2154 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2155 names=['krbtgt'])
2156
2157 # Don’t request canonicalization.
2158 kdc_options = 'forwardable,renewable,renewable-ok'
2159
2160 # Get a TGT and assert that the requester SID PAC buffer is present.
2161 self.get_tgt(creds,
2162 sname=sname,
2163 kdc_options=kdc_options,
2164 expect_requester_sid=True)
2165
2166 def test_single_component_krbtgt_requester_sid_tgs_req(self):
2167 """Test that TGTs issued to a single‐component krbtgt principal always
2168 contain a requester SID PAC buffer.
2169 """
2170
2171 creds = self._get_creds()
2172 tgt = self.get_tgt(creds)
2173
2174 # Create a single‐component principal of the form ‘krbtgt@REALM’.
2175 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2176 names=['krbtgt'])
2177
2178 # Don’t request canonicalization.
2179 kdc_options = '0'
2180
2181 # Get a TGT and assert that the requester SID PAC buffer is present.
2182 self.get_service_ticket(tgt,
2183 self.get_krbtgt_creds(),
2184 sname=sname,
2185 kdc_options=kdc_options,
2186 expect_requester_sid=True)
2187
2188 def test_single_component_krbtgt_no_pac_as_req(self):
2189 """Test that TGTs issued to a single‐component krbtgt principal always
2190 contain a PAC.
2191 """
2192
2193 creds = self._get_creds()
2194
2195 # Create a single‐component principal of the form ‘krbtgt@REALM’.
2196 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2197 names=['krbtgt'])
2198
2199 # Don’t request canonicalization.
2200 kdc_options = 'forwardable,renewable,renewable-ok'
2201
2202 # Get a TGT and assert that the requester SID PAC buffer is present.
2203 self.get_tgt(creds,
2204 sname=sname,
2205 kdc_options=kdc_options,
2206 # Request that no PAC be issued.
2207 pac_request=False,
2208 # Ensure that a PAC is issued nonetheless.
2209 expect_pac=True)
2210
2211 def test_single_component_krbtgt_no_pac_tgs_req(self):
2212 """Test that TGTs issued to a single‐component krbtgt principal always
2213 contain a PAC.
2214 """
2215
2216 creds = self._get_creds()
2217 tgt = self.get_tgt(creds)
2218
2219 # Create a single‐component principal of the form ‘krbtgt@REALM’.
2220 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2221 names=['krbtgt'])
2222
2223 # Don’t request canonicalization.
2224 kdc_options = '0'
2225
2226 # Get a TGT and assert that the requester SID PAC buffer is present.
2227 self.get_service_ticket(tgt,
2228 self.get_krbtgt_creds(),
2229 sname=sname,
2230 kdc_options=kdc_options,
2231 # Request that no PAC be issued.
2232 pac_request=False,
2233 # Ensure that a PAC is issued nonetheless.
2234 expect_pac=True,
2235 expect_pac_attrs=True,
2236 expect_pac_attrs_pac_request=True)
2237
2238 def test_single_component_krbtgt_service_ticket(self):
2239 """Test that TGTs issued to a single‐component krbtgt principal can be
2240 used to get service tickets.
2241 """
2242
2243 creds = self._get_creds()
2244
2245 # Create a single‐component principal of the form ‘krbtgt@REALM’.
2246 sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
2247 names=['krbtgt'])
2248
2249 # Don’t request canonicalization.
2250 kdc_options = 'forwardable,renewable,renewable-ok'
2251
2252 # Get a TGT.
2253 tgt = self.get_tgt(creds,
2254 sname=sname,
2255 kdc_options=kdc_options)
2256
2257 # Ensure that we can use the TGT to get a service ticket.
2258 self._run_tgs(tgt, creds, expected_error=0)
2259
2260 def test_pac_attrs_none(self):
2261 creds = self._get_creds()
2262 self.get_tgt(creds, pac_request=None,
2263 expect_pac=True,
2264 expect_pac_attrs=True,
2265 expect_pac_attrs_pac_request=None)
2266
2267 def test_pac_attrs_false(self):
2268 creds = self._get_creds()
2269 self.get_tgt(creds, pac_request=False,
2270 expect_pac=True,
2271 expect_pac_attrs=True,
2272 expect_pac_attrs_pac_request=False)
2273
2274 def test_pac_attrs_true(self):
2275 creds = self._get_creds()
2276 self.get_tgt(creds, pac_request=True,
2277 expect_pac=True,
2278 expect_pac_attrs=True,
2279 expect_pac_attrs_pac_request=True)
2280
2281 def test_pac_attrs_renew_none(self):
2282 creds = self._get_creds()
2283 tgt = self.get_tgt(creds, pac_request=None,
2284 expect_pac=True,
2285 expect_pac_attrs=True,
2286 expect_pac_attrs_pac_request=None)
2287 tgt = self._modify_tgt(tgt, renewable=True)
2288
2289 self._renew_tgt(tgt, creds, expected_error=0,
2290 expect_pac=True,
2291 expect_pac_attrs=True,
2292 expect_pac_attrs_pac_request=None,
2293 expect_requester_sid=True)
2294
2295 def test_pac_attrs_renew_false(self):
2296 creds = self._get_creds()
2297 tgt = self.get_tgt(creds, pac_request=False,
2298 expect_pac=True,
2299 expect_pac_attrs=True,
2300 expect_pac_attrs_pac_request=False)
2301 tgt = self._modify_tgt(tgt, renewable=True)
2302
2303 self._renew_tgt(tgt, creds, expected_error=0,
2304 expect_pac=True,
2305 expect_pac_attrs=True,
2306 expect_pac_attrs_pac_request=False,
2307 expect_requester_sid=True)
2308
2309 def test_pac_attrs_renew_true(self):
2310 creds = self._get_creds()
2311 tgt = self.get_tgt(creds, pac_request=True,
2312 expect_pac=True,
2313 expect_pac_attrs=True,
2314 expect_pac_attrs_pac_request=True)
2315 tgt = self._modify_tgt(tgt, renewable=True)
2316
2317 self._renew_tgt(tgt, creds, expected_error=0,
2318 expect_pac=True,
2319 expect_pac_attrs=True,
2320 expect_pac_attrs_pac_request=True,
2321 expect_requester_sid=True)
2322
2323 def test_pac_attrs_rodc_renew_none(self):
2324 creds = self._get_creds(replication_allowed=True,
2325 revealed_to_rodc=True)
2326 tgt = self.get_tgt(creds, pac_request=None,
2327 expect_pac=True,
2328 expect_pac_attrs=True,
2329 expect_pac_attrs_pac_request=None)
2330 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2331
2332 self._renew_tgt(tgt, creds, expected_error=0,
2333 expect_pac=True,
2334 expect_pac_attrs=False,
2335 expect_requester_sid=True)
2336
2337 def test_pac_attrs_rodc_renew_false(self):
2338 creds = self._get_creds(replication_allowed=True,
2339 revealed_to_rodc=True)
2340 tgt = self.get_tgt(creds, pac_request=False,
2341 expect_pac=True,
2342 expect_pac_attrs=True,
2343 expect_pac_attrs_pac_request=False)
2344 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2345
2346 self._renew_tgt(tgt, creds, expected_error=0,
2347 expect_pac=True,
2348 expect_pac_attrs=False,
2349 expect_requester_sid=True)
2350
2351 def test_pac_attrs_rodc_renew_true(self):
2352 creds = self._get_creds(replication_allowed=True,
2353 revealed_to_rodc=True)
2354 tgt = self.get_tgt(creds, pac_request=True,
2355 expect_pac=True,
2356 expect_pac_attrs=True,
2357 expect_pac_attrs_pac_request=True)
2358 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2359
2360 self._renew_tgt(tgt, creds, expected_error=0,
2361 expect_pac=True,
2362 expect_pac_attrs=False,
2363 expect_requester_sid=True)
2364
2365 def test_pac_attrs_missing_renew_none(self):
2366 creds = self._get_creds()
2367 tgt = self.get_tgt(creds, pac_request=None,
2368 expect_pac=True,
2369 expect_pac_attrs=True,
2370 expect_pac_attrs_pac_request=None)
2371 tgt = self._modify_tgt(tgt, renewable=True,
2372 remove_pac_attrs=True)
2373
2374 self._renew_tgt(tgt, creds, expected_error=0,
2375 expect_pac=True,
2376 expect_pac_attrs=False,
2377 expect_requester_sid=True)
2378
2379 def test_pac_attrs_missing_renew_false(self):
2380 creds = self._get_creds()
2381 tgt = self.get_tgt(creds, pac_request=False,
2382 expect_pac=True,
2383 expect_pac_attrs=True,
2384 expect_pac_attrs_pac_request=False)
2385 tgt = self._modify_tgt(tgt, renewable=True,
2386 remove_pac_attrs=True)
2387
2388 self._renew_tgt(tgt, creds, expected_error=0,
2389 expect_pac=True,
2390 expect_pac_attrs=False,
2391 expect_requester_sid=True)
2392
2393 def test_pac_attrs_missing_renew_true(self):
2394 creds = self._get_creds()
2395 tgt = self.get_tgt(creds, pac_request=True,
2396 expect_pac=True,
2397 expect_pac_attrs=True,
2398 expect_pac_attrs_pac_request=True)
2399 tgt = self._modify_tgt(tgt, renewable=True,
2400 remove_pac_attrs=True)
2401
2402 self._renew_tgt(tgt, creds, expected_error=0,
2403 expect_pac=True,
2404 expect_pac_attrs=False,
2405 expect_requester_sid=True)
2406
2407 def test_pac_attrs_missing_rodc_renew_none(self):
2408 creds = self._get_creds(replication_allowed=True,
2409 revealed_to_rodc=True)
2410 tgt = self.get_tgt(creds, pac_request=None,
2411 expect_pac=True,
2412 expect_pac_attrs=True,
2413 expect_pac_attrs_pac_request=None)
2414 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2415 remove_pac_attrs=True)
2416
2417 self._renew_tgt(tgt, creds, expected_error=0,
2418 expect_pac=True,
2419 expect_pac_attrs=False,
2420 expect_requester_sid=True)
2421
2422 def test_pac_attrs_missing_rodc_renew_false(self):
2423 creds = self._get_creds(replication_allowed=True,
2424 revealed_to_rodc=True)
2425 tgt = self.get_tgt(creds, pac_request=False,
2426 expect_pac=True,
2427 expect_pac_attrs=True,
2428 expect_pac_attrs_pac_request=False)
2429 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2430 remove_pac_attrs=True)
2431
2432 self._renew_tgt(tgt, creds, expected_error=0,
2433 expect_pac=True,
2434 expect_pac_attrs=False,
2435 expect_requester_sid=True)
2436
2437 def test_pac_attrs_missing_rodc_renew_true(self):
2438 creds = self._get_creds(replication_allowed=True,
2439 revealed_to_rodc=True)
2440 tgt = self.get_tgt(creds, pac_request=True,
2441 expect_pac=True,
2442 expect_pac_attrs=True,
2443 expect_pac_attrs_pac_request=True)
2444 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2445 remove_pac_attrs=True)
2446
2447 self._renew_tgt(tgt, creds, expected_error=0,
2448 expect_pac=True,
2449 expect_pac_attrs=False,
2450 expect_requester_sid=True)
2451
2452 def test_tgs_pac_attrs_none(self):
2453 creds = self._get_creds()
2454 tgt = self.get_tgt(creds, pac_request=None,
2455 expect_pac=True,
2456 expect_pac_attrs=True,
2457 expect_pac_attrs_pac_request=None)
2458
2459 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2460 expect_pac_attrs=False)
2461
2462 def test_tgs_pac_attrs_false(self):
2463 creds = self._get_creds()
2464 tgt = self.get_tgt(creds, pac_request=False,
2465 expect_pac=True,
2466 expect_pac_attrs=True,
2467 expect_pac_attrs_pac_request=False)
2468
2469 self._run_tgs(tgt, creds, expected_error=0, expect_pac=False,
2470 expect_pac_attrs=False)
2471
2472 def test_tgs_pac_attrs_true(self):
2473 creds = self._get_creds()
2474 tgt = self.get_tgt(creds, pac_request=True,
2475 expect_pac=True,
2476 expect_pac_attrs=True,
2477 expect_pac_attrs_pac_request=True)
2478
2479 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2480 expect_pac_attrs=False)
2481
2482 def test_as_requester_sid(self):
2483 creds = self._get_creds()
2484
2485 sid = creds.get_sid()
2486
2487 self.get_tgt(creds, pac_request=None,
2488 expect_pac=True,
2489 expected_sid=sid,
2490 expect_requester_sid=True)
2491
2492 def test_tgs_requester_sid(self):
2493 creds = self._get_creds()
2494
2495 sid = creds.get_sid()
2496
2497 tgt = self.get_tgt(creds, pac_request=None,
2498 expect_pac=True,
2499 expected_sid=sid,
2500 expect_requester_sid=True)
2501
2502 self._run_tgs(tgt, creds, expected_error=0, expect_pac=True,
2503 expect_requester_sid=False)
2504
2505 def test_tgs_requester_sid_renew(self):
2506 creds = self._get_creds()
2507
2508 sid = creds.get_sid()
2509
2510 tgt = self.get_tgt(creds, pac_request=None,
2511 expect_pac=True,
2512 expected_sid=sid,
2513 expect_requester_sid=True)
2514 tgt = self._modify_tgt(tgt, renewable=True)
2515
2516 self._renew_tgt(tgt, creds, expected_error=0, expect_pac=True,
2517 expect_pac_attrs=True,
2518 expect_pac_attrs_pac_request=None,
2519 expected_sid=sid,
2520 expect_requester_sid=True)
2521
2522 def test_tgs_requester_sid_rodc_renew(self):
2523 creds = self._get_creds(replication_allowed=True,
2524 revealed_to_rodc=True)
2525
2526 sid = creds.get_sid()
2527
2528 tgt = self.get_tgt(creds, pac_request=None,
2529 expect_pac=True,
2530 expected_sid=sid,
2531 expect_requester_sid=True)
2532 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True)
2533
2534 self._renew_tgt(tgt, creds, expected_error=0, expect_pac=True,
2535 expect_pac_attrs=False,
2536 expected_sid=sid,
2537 expect_requester_sid=True)
2538
2539 def test_tgs_requester_sid_missing_renew(self):
2540 creds = self._get_creds()
2541
2542 sid = creds.get_sid()
2543
2544 tgt = self.get_tgt(creds, pac_request=None,
2545 expect_pac=True,
2546 expected_sid=sid,
2547 expect_requester_sid=True)
2548 tgt = self._modify_tgt(tgt, renewable=True,
2549 remove_requester_sid=True)
2550
2551 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2552
2553 def test_tgs_requester_sid_missing_rodc_renew(self):
2554 creds = self._get_creds(replication_allowed=True,
2555 revealed_to_rodc=True)
2556
2557 sid = creds.get_sid()
2558
2559 tgt = self.get_tgt(creds, pac_request=None,
2560 expect_pac=True,
2561 expected_sid=sid,
2562 expect_requester_sid=True)
2563 tgt = self._modify_tgt(tgt, from_rodc=True, renewable=True,
2564 remove_requester_sid=True)
2565
2566 self._renew_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2567
2568 def test_tgs_requester_sid_validate(self):
2569 creds = self._get_creds()
2570
2571 sid = creds.get_sid()
2572
2573 tgt = self.get_tgt(creds, pac_request=None,
2574 expect_pac=True,
2575 expected_sid=sid,
2576 expect_requester_sid=True)
2577 tgt = self._modify_tgt(tgt, invalid=True)
2578
2579 self._validate_tgt(tgt, creds, expected_error=0, expect_pac=True,
2580 expect_pac_attrs=True,
2581 expect_pac_attrs_pac_request=None,
2582 expected_sid=sid,
2583 expect_requester_sid=True)
2584
2585 def test_tgs_requester_sid_rodc_validate(self):
2586 creds = self._get_creds(replication_allowed=True,
2587 revealed_to_rodc=True)
2588
2589 sid = creds.get_sid()
2590
2591 tgt = self.get_tgt(creds, pac_request=None,
2592 expect_pac=True,
2593 expected_sid=sid,
2594 expect_requester_sid=True)
2595 tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True)
2596
2597 self._validate_tgt(tgt, creds, expected_error=0, expect_pac=True,
2598 expect_pac_attrs=False,
2599 expected_sid=sid,
2600 expect_requester_sid=True)
2601
2602 def test_tgs_requester_sid_missing_validate(self):
2603 creds = self._get_creds()
2604
2605 sid = creds.get_sid()
2606
2607 tgt = self.get_tgt(creds, pac_request=None,
2608 expect_pac=True,
2609 expected_sid=sid,
2610 expect_requester_sid=True)
2611 tgt = self._modify_tgt(tgt, invalid=True,
2612 remove_requester_sid=True)
2613
2614 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2615
2616 def test_tgs_requester_sid_missing_rodc_validate(self):
2617 creds = self._get_creds(replication_allowed=True,
2618 revealed_to_rodc=True)
2619
2620 sid = creds.get_sid()
2621
2622 tgt = self.get_tgt(creds, pac_request=None,
2623 expect_pac=True,
2624 expected_sid=sid,
2625 expect_requester_sid=True)
2626 tgt = self._modify_tgt(tgt, from_rodc=True, invalid=True,
2627 remove_requester_sid=True)
2628
2629 self._validate_tgt(tgt, creds, expected_error=KDC_ERR_TGT_REVOKED)
2630
2631 def test_tgs_pac_request_none(self):
2632 creds = self._get_creds()
2633 tgt = self.get_tgt(creds, pac_request=None)
2634
2635 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2636
2637 pac = self.get_ticket_pac(ticket)
2638 self.assertIsNotNone(pac)
2639
2640 def test_tgs_pac_request_false(self):
2641 creds = self._get_creds()
2642 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2643
2644 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2645
2646 pac = self.get_ticket_pac(ticket, expect_pac=False)
2647 self.assertIsNone(pac)
2648
2649 def test_tgs_pac_request_true(self):
2650 creds = self._get_creds()
2651 tgt = self.get_tgt(creds, pac_request=True)
2652
2653 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2654
2655 pac = self.get_ticket_pac(ticket)
2656 self.assertIsNotNone(pac)
2657
2658 def test_renew_pac_request_none(self):
2659 creds = self._get_creds()
2660 tgt = self.get_tgt(creds, pac_request=None)
2661 tgt = self._modify_tgt(tgt, renewable=True)
2662
2663 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2664 expect_pac_attrs=True,
2665 expect_pac_attrs_pac_request=None,
2666 expect_requester_sid=True)
2667
2668 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2669
2670 pac = self.get_ticket_pac(ticket)
2671 self.assertIsNotNone(pac)
2672
2673 def test_renew_pac_request_false(self):
2674 creds = self._get_creds()
2675 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2676 tgt = self._modify_tgt(tgt, renewable=True)
2677
2678 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2679 expect_pac_attrs=True,
2680 expect_pac_attrs_pac_request=False,
2681 expect_requester_sid=True)
2682
2683 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2684
2685 pac = self.get_ticket_pac(ticket, expect_pac=False)
2686 self.assertIsNone(pac)
2687
2688 def test_renew_pac_request_true(self):
2689 creds = self._get_creds()
2690 tgt = self.get_tgt(creds, pac_request=True)
2691 tgt = self._modify_tgt(tgt, renewable=True)
2692
2693 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2694 expect_pac_attrs=True,
2695 expect_pac_attrs_pac_request=True,
2696 expect_requester_sid=True)
2697
2698 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2699
2700 pac = self.get_ticket_pac(ticket)
2701 self.assertIsNotNone(pac)
2702
2703 def test_rodc_renew_pac_request_none(self):
2704 creds = self._get_creds(replication_allowed=True,
2705 revealed_to_rodc=True)
2706 tgt = self.get_tgt(creds, pac_request=None)
2707 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2708
2709 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2710 expect_pac_attrs=False,
2711 expect_requester_sid=True)
2712
2713 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2714
2715 pac = self.get_ticket_pac(ticket)
2716 self.assertIsNotNone(pac)
2717
2718 def test_rodc_renew_pac_request_false(self):
2719 creds = self._get_creds(replication_allowed=True,
2720 revealed_to_rodc=True)
2721 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2722 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2723
2724 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2725 expect_pac_attrs=False,
2726 expect_requester_sid=True)
2727
2728 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2729
2730 pac = self.get_ticket_pac(ticket)
2731 self.assertIsNotNone(pac)
2732
2733 def test_rodc_renew_pac_request_true(self):
2734 creds = self._get_creds(replication_allowed=True,
2735 revealed_to_rodc=True)
2736 tgt = self.get_tgt(creds, pac_request=True)
2737 tgt = self._modify_tgt(tgt, renewable=True, from_rodc=True)
2738
2739 tgt = self._renew_tgt(tgt, creds, expected_error=0, expect_pac=None,
2740 expect_pac_attrs=False,
2741 expect_requester_sid=True)
2742
2743 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2744
2745 pac = self.get_ticket_pac(ticket)
2746 self.assertIsNotNone(pac)
2747
2748 def test_validate_pac_request_none(self):
2749 creds = self._get_creds()
2750 tgt = self.get_tgt(creds, pac_request=None)
2751 tgt = self._modify_tgt(tgt, invalid=True)
2752
2753 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2754 expect_pac_attrs=True,
2755 expect_pac_attrs_pac_request=None,
2756 expect_requester_sid=True)
2757
2758 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2759
2760 pac = self.get_ticket_pac(ticket)
2761 self.assertIsNotNone(pac)
2762
2763 def test_validate_pac_request_false(self):
2764 creds = self._get_creds()
2765 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2766 tgt = self._modify_tgt(tgt, invalid=True)
2767
2768 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2769 expect_pac_attrs=True,
2770 expect_pac_attrs_pac_request=False,
2771 expect_requester_sid=True)
2772
2773 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=False)
2774
2775 pac = self.get_ticket_pac(ticket, expect_pac=False)
2776 self.assertIsNone(pac)
2777
2778 def test_validate_pac_request_true(self):
2779 creds = self._get_creds()
2780 tgt = self.get_tgt(creds, pac_request=True)
2781 tgt = self._modify_tgt(tgt, invalid=True)
2782
2783 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2784 expect_pac_attrs=True,
2785 expect_pac_attrs_pac_request=True,
2786 expect_requester_sid=True)
2787
2788 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2789
2790 pac = self.get_ticket_pac(ticket)
2791 self.assertIsNotNone(pac)
2792
2793 def test_rodc_validate_pac_request_none(self):
2794 creds = self._get_creds(replication_allowed=True,
2795 revealed_to_rodc=True)
2796 tgt = self.get_tgt(creds, pac_request=None)
2797 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2798
2799 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2800 expect_pac_attrs=False,
2801 expect_requester_sid=True)
2802
2803 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2804
2805 pac = self.get_ticket_pac(ticket)
2806 self.assertIsNotNone(pac)
2807
2808 def test_rodc_validate_pac_request_false(self):
2809 creds = self._get_creds(replication_allowed=True,
2810 revealed_to_rodc=True)
2811 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2812 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2813
2814 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2815 expect_pac_attrs=False,
2816 expect_requester_sid=True)
2817
2818 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2819
2820 pac = self.get_ticket_pac(ticket)
2821 self.assertIsNotNone(pac)
2822
2823 def test_rodc_validate_pac_request_true(self):
2824 creds = self._get_creds(replication_allowed=True,
2825 revealed_to_rodc=True)
2826 tgt = self.get_tgt(creds, pac_request=True)
2827 tgt = self._modify_tgt(tgt, invalid=True, from_rodc=True)
2828
2829 tgt = self._validate_tgt(tgt, creds, expected_error=0, expect_pac=None,
2830 expect_pac_attrs=False,
2831 expect_requester_sid=True)
2832
2833 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2834
2835 pac = self.get_ticket_pac(ticket)
2836 self.assertIsNotNone(pac)
2837
2838 def test_s4u2self_pac_request_none(self):
2839 creds = self._get_creds()
2840 tgt = self.get_tgt(creds, pac_request=None)
2841
2842 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2843
2844 pac = self.get_ticket_pac(ticket)
2845 self.assertIsNotNone(pac)
2846
2847 def test_s4u2self_pac_request_false(self):
2848 creds = self._get_creds()
2849 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2850
2851 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2852
2853 pac = self.get_ticket_pac(ticket)
2854 self.assertIsNotNone(pac)
2855
2856 def test_s4u2self_pac_request_true(self):
2857 creds = self._get_creds()
2858 tgt = self.get_tgt(creds, pac_request=True)
2859
2860 ticket = self._s4u2self(tgt, creds, expected_error=0, expect_pac=True)
2861
2862 pac = self.get_ticket_pac(ticket)
2863 self.assertIsNotNone(pac)
2864
2865 def test_user2user_pac_request_none(self):
2866 creds = self._get_creds()
2867 tgt = self.get_tgt(creds, pac_request=None)
2868
2869 ticket = self._user2user(tgt, creds, expected_error=0, expect_pac=True)
2870
2871 pac = self.get_ticket_pac(ticket)
2872 self.assertIsNotNone(pac)
2873
2874 def test_user2user_pac_request_false(self):
2875 creds = self._get_creds()
2876 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2877
2878 ticket = self._user2user(tgt, creds, expected_error=0,
2879 expect_pac=True)
2880
2881 pac = self.get_ticket_pac(ticket, expect_pac=True)
2882 self.assertIsNotNone(pac)
2883
2884 def test_user2user_pac_request_true(self):
2885 creds = self._get_creds()
2886 tgt = self.get_tgt(creds, pac_request=True)
2887
2888 ticket = self._user2user(tgt, creds, expected_error=0, expect_pac=True)
2889
2890 pac = self.get_ticket_pac(ticket)
2891 self.assertIsNotNone(pac)
2892
2893 def test_user2user_user_pac_request_none(self):
2894 creds = self._get_creds()
2895 tgt = self.get_tgt(creds)
2896
2897 user_creds = self._get_mach_creds()
2898 user_tgt = self.get_tgt(user_creds, pac_request=None)
2899
2900 ticket = self._user2user(tgt, creds, expected_error=0,
2901 user_tgt=user_tgt, user_creds=user_creds,
2902 expect_pac=True)
2903
2904 pac = self.get_ticket_pac(ticket)
2905 self.assertIsNotNone(pac)
2906
2907 def test_user2user_user_pac_request_false(self):
2908 creds = self._get_creds()
2909 tgt = self.get_tgt(creds)
2910
2911 user_creds = self._get_mach_creds()
2912 user_tgt = self.get_tgt(user_creds, pac_request=False, expect_pac=None)
2913
2914 ticket = self._user2user(tgt, creds, expected_error=0,
2915 user_tgt=user_tgt, user_creds=user_creds,
2916 expect_pac=False)
2917
2918 pac = self.get_ticket_pac(ticket, expect_pac=False)
2919 self.assertIsNone(pac)
2920
2921 def test_user2user_user_pac_request_true(self):
2922 creds = self._get_creds()
2923 tgt = self.get_tgt(creds)
2924
2925 user_creds = self._get_mach_creds()
2926 user_tgt = self.get_tgt(user_creds, pac_request=True)
2927
2928 ticket = self._user2user(tgt, creds, expected_error=0,
2929 user_tgt=user_tgt, user_creds=user_creds,
2930 expect_pac=True)
2931
2932 pac = self.get_ticket_pac(ticket)
2933 self.assertIsNotNone(pac)
2934
2935 def test_fast_pac_request_none(self):
2936 creds = self._get_creds()
2937 tgt = self.get_tgt(creds, pac_request=None)
2938
2939 ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
2940
2941 pac = self.get_ticket_pac(ticket)
2942 self.assertIsNotNone(pac)
2943
2944 def test_fast_pac_request_false(self):
2945 creds = self._get_creds()
2946 tgt = self.get_tgt(creds, pac_request=False)
2947
2948 ticket = self._fast(tgt, creds, expected_error=0,
2949 expect_pac=True)
2950
2951 pac = self.get_ticket_pac(ticket, expect_pac=True)
2952 self.assertIsNotNone(pac)
2953
2954 def test_fast_pac_request_true(self):
2955 creds = self._get_creds()
2956 tgt = self.get_tgt(creds, pac_request=True)
2957
2958 ticket = self._fast(tgt, creds, expected_error=0, expect_pac=True)
2959
2960 pac = self.get_ticket_pac(ticket)
2961 self.assertIsNotNone(pac)
2962
2963 def test_tgs_rodc_pac_request_none(self):
2964 creds = self._get_creds(replication_allowed=True,
2965 revealed_to_rodc=True)
2966 tgt = self.get_tgt(creds, pac_request=None)
2967 tgt = self._modify_tgt(tgt, from_rodc=True)
2968
2969 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2970
2971 pac = self.get_ticket_pac(ticket)
2972 self.assertIsNotNone(pac)
2973
2974 def test_tgs_rodc_pac_request_false(self):
2975 creds = self._get_creds(replication_allowed=True,
2976 revealed_to_rodc=True)
2977 tgt = self.get_tgt(creds, pac_request=False, expect_pac=None)
2978 tgt = self._modify_tgt(tgt, from_rodc=True)
2979
2980 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2981
2982 pac = self.get_ticket_pac(ticket)
2983 self.assertIsNotNone(pac)
2984
2985 def test_tgs_rodc_pac_request_true(self):
2986 creds = self._get_creds(replication_allowed=True,
2987 revealed_to_rodc=True)
2988 tgt = self.get_tgt(creds, pac_request=True)
2989 tgt = self._modify_tgt(tgt, from_rodc=True)
2990
2991 ticket = self._run_tgs(tgt, creds, expected_error=0, expect_pac=True)
2992
2993 pac = self.get_ticket_pac(ticket)
2994 self.assertIsNotNone(pac)
2995
2996 def test_tgs_rename(self):
2997 creds = self.get_cached_creds(account_type=self.AccountType.USER,
2998 use_cache=False)
2999 tgt = self.get_tgt(creds)
3000
3001 # Rename the account.
3002 new_name = self.get_new_username()
3003
3004 samdb = self.get_samdb()
3005 msg = ldb.Message(creds.get_dn())
3006 msg['sAMAccountName'] = ldb.MessageElement(new_name,
3007 ldb.FLAG_MOD_REPLACE,
3008 'sAMAccountName')
3009 samdb.modify(msg)
3010
3011 self._run_tgs(tgt, creds, expected_error=(KDC_ERR_TGT_REVOKED,
3012 KDC_ERR_C_PRINCIPAL_UNKNOWN))
3013
3014 # Test making a TGS request for a ticket expiring post-2038.
3015 def test_tgs_req_future_till(self):
3016 creds = self._get_creds()
3017 tgt = self._get_tgt(creds)
3018
3019 target_creds = self.get_service_creds()
3020 self._tgs_req(
3021 tgt=tgt,
3022 expected_error=0,
3023 creds=creds,
3024 target_creds=target_creds,
3025 till='99990913024805Z')
3026
3027 def test_tgs_unicode(self):
3028 creds = self.get_cached_creds(
3029 account_type=self.AccountType.COMPUTER,
3030 opts={'name_prefix': '🔐'})
3031 tgt = self._get_tgt(creds)
3032 self._run_tgs(tgt, creds, expected_error=0)
3033
3034 def test_renew_unicode(self):
3035 creds = self.get_cached_creds(
3036 account_type=self.AccountType.COMPUTER,
3037 opts={'name_prefix': '🔐'})
3038 tgt = self._get_tgt(creds, renewable=True)
3039 self._renew_tgt(tgt, creds, expected_error=0,
3040 expect_pac_attrs=True,
3041 expect_pac_attrs_pac_request=True,
3042 expect_requester_sid=True)
3043
3044 def test_validate_unicode(self):
3045 creds = self.get_cached_creds(
3046 account_type=self.AccountType.COMPUTER,
3047 opts={'name_prefix': '🔐'})
3048 tgt = self._get_tgt(creds, invalid=True)
3049 self._validate_tgt(tgt, creds, expected_error=0,
3050 expect_pac_attrs=True,
3051 expect_pac_attrs_pac_request=True,
3052 expect_requester_sid=True)
3053
3054 def test_s4u2self_unicode(self):
3055 creds = self.get_cached_creds(
3056 account_type=self.AccountType.COMPUTER,
3057 opts={'name_prefix': '🔐'})
3058 tgt = self._get_tgt(creds)
3059 self._s4u2self(tgt, creds,
3060 expected_error=0,
3061 expect_edata=False)
3062
3063 def test_user2user_unicode(self):
3064 creds = self.get_cached_creds(
3065 account_type=self.AccountType.COMPUTER,
3066 opts={'name_prefix': '🔐'})
3067 tgt = self._get_tgt(creds)
3068 self._user2user(tgt, creds, expected_error=0)
3069
3070 def test_fast_unicode(self):
3071 creds = self.get_cached_creds(
3072 account_type=self.AccountType.COMPUTER,
3073 opts={'name_prefix': '🔐'})
3074 tgt = self._get_tgt(creds)
3075 self._fast(tgt, creds, expected_error=0)
3076
3077 def test_fast_as_req_unicode(self):
3078 creds = self.get_cached_creds(
3079 account_type=self.AccountType.COMPUTER,
3080 opts={'name_prefix': '🔐'})
3081 tgt = self._get_tgt(creds)
3082 self._fast_as_req(tgt, creds, expected_error=0)
3083
3084 def _modify_renewable(self, enc_part):
3085 # Set the renewable flag.
3086 enc_part = self.modify_ticket_flag(enc_part, 'renewable', value=True)
3087
3088 # Set the renew-till time to be in the future.
3089 renew_till = self.get_KerberosTime(offset=100 * 60 * 60)
3090 enc_part['renew-till'] = renew_till
3091
3092 return enc_part
3093
3094 def _modify_invalid(self, enc_part):
3095 # Set the invalid flag.
3096 enc_part = self.modify_ticket_flag(enc_part, 'invalid', value=True)
3097
3098 # Set the ticket start time to be in the past.
3099 past_time = self.get_KerberosTime(offset=-100 * 60 * 60)
3100 enc_part['starttime'] = past_time
3101
3102 return enc_part
3103
3104 def _get_tgt(self,
3105 client_creds,
3106 renewable=False,
3107 invalid=False,
3108 from_rodc=False,
3109 new_rid=None,
3110 remove_pac=False,
3111 allow_empty_authdata=False,
3112 can_modify_logon_info=True,
3113 can_modify_requester_sid=True,
3114 remove_pac_attrs=False,
3115 remove_requester_sid=False,
3116 etype=None,
3117 cksum_etype=None,
3118 extra_pac_buffers=None):
3119 self.assertFalse(renewable and invalid)
3120
3121 if remove_pac:
3122 self.assertIsNone(new_rid)
3123
3124 tgt = self.get_tgt(client_creds)
3125
3126 return self._modify_tgt(
3127 tgt=tgt,
3128 renewable=renewable,
3129 invalid=invalid,
3130 from_rodc=from_rodc,
3131 new_rid=new_rid,
3132 remove_pac=remove_pac,
3133 allow_empty_authdata=allow_empty_authdata,
3134 can_modify_logon_info=can_modify_logon_info,
3135 can_modify_requester_sid=can_modify_requester_sid,
3136 remove_pac_attrs=remove_pac_attrs,
3137 remove_requester_sid=remove_requester_sid,
3138 etype=etype,
3139 cksum_etype=cksum_etype,
3140 extra_pac_buffers=extra_pac_buffers)
3141
3142 def _modify_tgt(self,
3143 tgt,
3144 *,
3145 renewable=False,
3146 invalid=False,
3147 from_rodc=False,
3148 new_rid=None,
3149 remove_pac=False,
3150 allow_empty_authdata=False,
3151 cname=None,
3152 crealm=None,
3153 can_modify_logon_info=True,
3154 can_modify_requester_sid=True,
3155 remove_pac_attrs=False,
3156 remove_requester_sid=False,
3157 etype=None,
3158 cksum_etype=None,
3159 extra_pac_buffers=None):
3160 if from_rodc:
3161 krbtgt_creds = self.get_mock_rodc_krbtgt_creds()
3162 else:
3163 krbtgt_creds = self.get_krbtgt_creds()
3164
3165 modify_pac_fns = []
3166
3167 if new_rid is not None or remove_requester_sid or remove_pac_attrs:
3168 def change_sid_fn(pac):
3169 pac_buffers = pac.buffers
3170 for pac_buffer in pac_buffers:
3171 if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_INFO:
3172 if new_rid is not None and can_modify_logon_info:
3173 logon_info = pac_buffer.info.info
3174
3175 logon_info.info3.base.rid = new_rid
3176 elif pac_buffer.type == krb5pac.PAC_TYPE_REQUESTER_SID:
3177 if remove_requester_sid:
3178 pac.num_buffers -= 1
3179 pac_buffers.remove(pac_buffer)
3180 elif new_rid is not None and can_modify_requester_sid:
3181 requester_sid = pac_buffer.info
3182
3183 samdb = self.get_samdb()
3184 domain_sid = samdb.get_domain_sid()
3185
3186 new_sid = f'{domain_sid}-{new_rid}'
3187
3188 requester_sid.sid = security.dom_sid(new_sid)
3189 elif pac_buffer.type == krb5pac.PAC_TYPE_ATTRIBUTES_INFO:
3190 if remove_pac_attrs:
3191 pac.num_buffers -= 1
3192 pac_buffers.remove(pac_buffer)
3193
3194 pac.buffers = pac_buffers
3195
3196 return pac
3197
3198 modify_pac_fns.append(change_sid_fn)
3199
3200 krbtgt_key = self.TicketDecryptionKey_from_creds(krbtgt_creds,
3201 etype)
3202
3203 if remove_pac:
3204 checksum_keys = None
3205 else:
3206 if etype == cksum_etype:
3207 cksum_key = krbtgt_key
3208 else:
3209 cksum_key = self.TicketDecryptionKey_from_creds(krbtgt_creds,
3210 cksum_etype)
3211 checksum_keys = {
3212 krb5pac.PAC_TYPE_KDC_CHECKSUM: cksum_key
3213 }
3214
3215 if renewable:
3216 flags_modify_fn = self._modify_renewable
3217 elif invalid:
3218 flags_modify_fn = self._modify_invalid
3219 else:
3220 flags_modify_fn = None
3221
3222 if cname is not None or crealm is not None:
3223 def modify_fn(enc_part):
3224 if flags_modify_fn is not None:
3225 enc_part = flags_modify_fn(enc_part)
3226
3227 if cname is not None:
3228 enc_part['cname'] = cname
3229
3230 if crealm is not None:
3231 enc_part['crealm'] = crealm
3232
3233 return enc_part
3234 else:
3235 modify_fn = flags_modify_fn
3236
3237 if cname is not None:
3238 def change_cname_fn(pac):
3239 for pac_buffer in pac.buffers:
3240 if pac_buffer.type == krb5pac.PAC_TYPE_LOGON_NAME:
3241 logon_info = pac_buffer.info
3242
3243 logon_info.account_name = (
3244 cname['name-string'][0].decode('utf-8'))
3245
3246 return pac
3247
3248 modify_pac_fns.append(change_cname_fn)
3249
3250 if extra_pac_buffers is not None:
3251 modify_pac_fns.append(partial(self.add_extra_pac_buffers,
3252 buffers=extra_pac_buffers))
3253
3254 return self.modified_ticket(
3255 tgt,
3256 new_ticket_key=krbtgt_key,
3257 modify_fn=modify_fn,
3258 modify_pac_fn=modify_pac_fns or None,
3259 exclude_pac=remove_pac,
3260 allow_empty_authdata=allow_empty_authdata,
3261 update_pac_checksums=not remove_pac,
3262 checksum_keys=checksum_keys)
3263
3264 def _remove_rodc_partial_secrets(self):
3265 samdb = self.get_samdb()
3266
3267 rodc_ctx = self.get_mock_rodc_ctx()
3268 rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
3269
3270 def add_rodc_partial_secrets():
3271 msg = ldb.Message()
3272 msg.dn = rodc_dn
3273 msg['userAccountControl'] = ldb.MessageElement(
3274 str(rodc_ctx.userAccountControl),
3275 ldb.FLAG_MOD_REPLACE,
3276 'userAccountControl')
3277 samdb.modify(msg)
3278
3279 self.addCleanup(add_rodc_partial_secrets)
3280
3281 uac = rodc_ctx.userAccountControl & ~dsdb.UF_PARTIAL_SECRETS_ACCOUNT
3282
3283 msg = ldb.Message()
3284 msg.dn = rodc_dn
3285 msg['userAccountControl'] = ldb.MessageElement(
3286 str(uac),
3287 ldb.FLAG_MOD_REPLACE,
3288 'userAccountControl')
3289 samdb.modify(msg)
3290
3291 def _remove_rodc_krbtgt_link(self):
3292 samdb = self.get_samdb()
3293
3294 rodc_ctx = self.get_mock_rodc_ctx()
3295 rodc_dn = ldb.Dn(samdb, rodc_ctx.acct_dn)
3296
3297 def add_rodc_krbtgt_link():
3298 msg = ldb.Message()
3299 msg.dn = rodc_dn
3300 msg['msDS-KrbTgtLink'] = ldb.MessageElement(
3301 rodc_ctx.new_krbtgt_dn,
3302 ldb.FLAG_MOD_ADD,
3303 'msDS-KrbTgtLink')
3304 samdb.modify(msg)
3305
3306 self.addCleanup(add_rodc_krbtgt_link)
3307
3308 msg = ldb.Message()
3309 msg.dn = rodc_dn
3310 msg['msDS-KrbTgtLink'] = ldb.MessageElement(
3311 [],
3312 ldb.FLAG_MOD_DELETE,
3313 'msDS-KrbTgtLink')
3314 samdb.modify(msg)
3315
3316 def _get_creds(self,
3317 replication_allowed=False,
3318 replication_denied=False,
3319 revealed_to_rodc=False):
3320 return self.get_cached_creds(
3321 account_type=self.AccountType.COMPUTER,
3322 opts={
3323 'allowed_replication_mock': replication_allowed,
3324 'denied_replication_mock': replication_denied,
3325 'revealed_to_mock_rodc': revealed_to_rodc,
3326 'id': 0
3327 })
3328
3329 def _get_existing_rid(self,
3330 replication_allowed=False,
3331 replication_denied=False,
3332 revealed_to_rodc=False):
3333 other_creds = self.get_cached_creds(
3334 account_type=self.AccountType.COMPUTER,
3335 opts={
3336 'allowed_replication_mock': replication_allowed,
3337 'denied_replication_mock': replication_denied,
3338 'revealed_to_mock_rodc': revealed_to_rodc,
3339 'id': 1
3340 })
3341
3342 other_sid = other_creds.get_sid()
3343 other_rid = int(other_sid.rsplit('-', 1)[1])
3344
3345 return other_rid
3346
3347 def _get_mach_creds(self):
3348 return self.get_cached_creds(
3349 account_type=self.AccountType.COMPUTER,
3350 opts={
3351 'allowed_replication_mock': True,
3352 'denied_replication_mock': False,
3353 'revealed_to_mock_rodc': True,
3354 'id': 2
3355 })
3356
3357 def _get_user_creds(self,
3358 replication_allowed=False,
3359 replication_denied=False,
3360 revealed_to_rodc=False):
3361 return self.get_cached_creds(
3362 account_type=self.AccountType.USER,
3363 opts={
3364 'allowed_replication_mock': replication_allowed,
3365 'denied_replication_mock': replication_denied,
3366 'revealed_to_mock_rodc': revealed_to_rodc,
3367 'id': 3
3368 })
3369
3370 def _get_non_existent_rid(self):
3371 return (1 << 30) - 1
3372
3373 def _run_tgs(self, tgt, creds, expected_error, *, expect_pac=True,
3374 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
3375 expect_requester_sid=None, expected_sid=None,
3376 expect_edata=False, expect_status=None, expected_status=None,
3377 expected_extra_pac_buffers=None):
3378 target_creds = self.get_service_creds()
3379 return self._tgs_req(
3380 tgt, expected_error, creds, target_creds,
3381 expect_pac=expect_pac,
3382 expect_pac_attrs=expect_pac_attrs,
3383 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
3384 expect_requester_sid=expect_requester_sid,
3385 expected_sid=expected_sid,
3386 expect_edata=expect_edata,
3387 expect_status=expect_status,
3388 expected_status=expected_status,
3389 expected_extra_pac_buffers=expected_extra_pac_buffers)
3390
3391 # These tests fail against Windows, which does not implement ticket
3392 # renewal.
3393 def _renew_tgt(self, tgt, creds, expected_error, *, expect_pac=True,
3394 expect_pac_attrs=None, expect_pac_attrs_pac_request=None,
3395 expect_requester_sid=None, expected_sid=None):
3396 krbtgt_creds = self.get_krbtgt_creds()
3397 kdc_options = str(krb5_asn1.KDCOptions('renew'))
3398 return self._tgs_req(
3399 tgt, expected_error, creds, krbtgt_creds,
3400 kdc_options=kdc_options,
3401 expect_pac=expect_pac,
3402 expect_pac_attrs=expect_pac_attrs,
3403 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
3404 expect_requester_sid=expect_requester_sid,
3405 expected_sid=expected_sid)
3406
3407 # These tests fail against Windows, which does not implement ticket
3408 # validation.
3409 def _validate_tgt(self, tgt, creds, expected_error, *, expect_pac=True,
3410 expect_pac_attrs=None,
3411 expect_pac_attrs_pac_request=None,
3412 expect_requester_sid=None,
3413 expected_sid=None):
3414 krbtgt_creds = self.get_krbtgt_creds()
3415 kdc_options = str(krb5_asn1.KDCOptions('validate'))
3416 return self._tgs_req(
3417 tgt, expected_error, creds, krbtgt_creds,
3418 kdc_options=kdc_options,
3419 expect_pac=expect_pac,
3420 expect_pac_attrs=expect_pac_attrs,
3421 expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
3422 expect_requester_sid=expect_requester_sid,
3423 expected_sid=expected_sid)
3424
3425 def _s4u2self(self, tgt, tgt_creds, expected_error, *, expect_pac=True,
3426 expect_edata=False, expect_status=None,
3427 expected_status=None):
3428 user_creds = self._get_mach_creds()
3429
3430 user_name = user_creds.get_username()
3431 user_cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
3432 names=[user_name])
3433 user_realm = user_creds.get_realm()
3434
3435 def generate_s4u2self_padata(_kdc_exchange_dict,
3436 _callback_dict,
3437 req_body):
3438 padata = self.PA_S4U2Self_create(
3439 name=user_cname,
3440 realm=user_realm,
3441 tgt_session_key=tgt.session_key,
3442 ctype=None)
3443
3444 return [padata], req_body
3445
3446 return self._tgs_req(tgt, expected_error, tgt_creds, tgt_creds,
3447 expected_cname=user_cname,
3448 generate_padata_fn=generate_s4u2self_padata,
3449 expect_edata=expect_edata,
3450 expect_status=expect_status,
3451 expected_status=expected_status,
3452 expect_pac=expect_pac)
3453
3454 def _user2user(self, tgt, tgt_creds, expected_error, *,
3455 sname=None,
3456 srealm=None, user_tgt=None, user_creds=None,
3457 expect_edata=False,
3458 expect_pac=True, expected_status=None):
3459 if user_tgt is None:
3460 user_creds = self._get_mach_creds()
3461 user_tgt = self.get_tgt(user_creds)
3462 else:
3463 self.assertIsNotNone(user_creds,
3464 'if supplying user_tgt, user_creds should be '
3465 'supplied also')
3466
3467 kdc_options = str(krb5_asn1.KDCOptions('enc-tkt-in-skey'))
3468 return self._tgs_req(user_tgt, expected_error, user_creds, tgt_creds,
3469 kdc_options=kdc_options,
3470 additional_ticket=tgt,
3471 sname=sname,
3472 srealm=srealm,
3473 expect_edata=expect_edata,
3474 expect_pac=expect_pac,
3475 expected_status=expected_status)
3476
3477 def _fast(self, armor_tgt, armor_tgt_creds, expected_error,
3478 expected_sname=None, expect_pac=True, expect_edata=False):
3479 user_creds = self._get_mach_creds()
3480 user_tgt = self.get_tgt(user_creds)
3481
3482 target_creds = self.get_service_creds()
3483
3484 return self._tgs_req(user_tgt, expected_error,
3485 user_creds, target_creds,
3486 armor_tgt=armor_tgt,
3487 expected_sname=expected_sname,
3488 expect_pac=expect_pac,
3489 expect_edata=expect_edata)
3490
3491 def _fast_as_req(self, armor_tgt, armor_tgt_creds, expected_error,
3492 expected_sname=None):
3493 user_creds = self._get_mach_creds()
3494 target_creds = self.get_service_creds()
3495
3496 return self._armored_as_req(user_creds, target_creds, armor_tgt,
3497 expected_error=expected_error,
3498 expected_sname=expected_sname,
3499 expect_edata=False)
3500
3501
3502 if __name__ == "__main__":
3503 global_asn1_print = False
3504 global_hexdump = False
3505 import unittest
3506 unittest.main()
GSS-enabled samba4