| blob | 6f0b36a25f631ce30e53d9b04cb7f92155db1035 |
1 #!/usr/bin/env python3
2 # Unix SMB/CIFS implementation.
3 # Copyright (C) Stefan Metzmacher 2020
4 # Copyright (C) Catalyst.Net Ltd
5 #
6 # This program is free software; you can redistribute it and/or modify
7 # it under the terms of the GNU General Public License as published by
8 # the Free Software Foundation; either version 3 of the License, or
9 # (at your option) any later version.
10 #
11 # This program is distributed in the hope that it will be useful,
12 # but WITHOUT ANY WARRANTY; without even the implied warranty of
13 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 # GNU General Public License for more details.
15 #
16 # You should have received a copy of the GNU General Public License
17 # along with this program. If not, see <http://www.gnu.org/licenses/>.
18 #
20 import sys
21 import os
34 KDC_ERR_TGT_REVOKED,
35 KDC_ERR_TKT_EXPIRED,
36 KPASSWD_ACCESSDENIED,
37 KPASSWD_AUTHERROR,
38 KPASSWD_HARDERROR,
39 KPASSWD_INITIAL_FLAG_NEEDED,
40 KPASSWD_MALFORMED,
41 KPASSWD_SOFTERROR,
42 KPASSWD_SUCCESS,
43 NT_PRINCIPAL,
44 NT_SRV_INST,
45 )
51 # Note: these tests do not pass on Windows, which returns different error codes
52 # to the ones we have chosen, and does not always return additional error data.
62 # Get the old 'dSHeuristics' if it was set
65 # Reset the 'dSHeuristics' as they were before
68 # Set the 'dSHeuristics' to activate the correct 'userPassword'
69 # behaviour
72 # Get the old 'minPwdAge'
75 # Reset the 'minPwdAge' as it was before
78 # Set it temporarily to '0'
82 opts = {
84 }
86 # Create the account.
91 return creds
105 # Test setting a password with kpasswd.
107 # Create an account for testing.
110 # Get an initial ticket to kpasswd.
114 expected_code = KPASSWD_SUCCESS
117 # Set the password.
120 new_password,
121 expected_code,
122 expected_msg,
125 # Test the newly set password.
129 # Test changing a password with kpasswd.
131 # Create an account for testing.
134 # Get an initial ticket to kpasswd.
138 expected_code = KPASSWD_SUCCESS
141 # Change the password.
144 new_password,
145 expected_code,
146 expected_msg,
149 # Test the newly set password.
153 # Test kpasswd without setting the canonicalize option.
155 # Create an account for testing.
160 # Get an initial ticket to kpasswd.
164 expected_code = KPASSWD_SUCCESS
167 # Set the password.
170 new_password,
171 expected_code,
172 expected_msg,
177 # Get an initial ticket to kpasswd.
181 # Change the password.
184 new_password,
185 expected_code,
186 expected_msg,
189 # Test kpasswd with the canonicalize option reset and a non-canonical
190 # (by conversion to title case) realm.
192 # Create an account for testing.
198 # Get an initial ticket to kpasswd.
203 expected_code = KPASSWD_SUCCESS
206 # Set the password.
209 new_password,
210 expected_code,
211 expected_msg,
216 # Get an initial ticket to kpasswd.
221 # Change the password.
224 new_password,
225 expected_code,
226 expected_msg,
229 # Test kpasswd with the canonicalize option set.
231 # Create an account for testing.
234 # Get an initial ticket to kpasswd. We set the canonicalize flag here.
238 expected_code = KPASSWD_SUCCESS
241 # Set the password.
244 new_password,
245 expected_code,
246 expected_msg,
251 # Get an initial ticket to kpasswd. We set the canonicalize flag here.
255 # Change the password.
258 new_password,
259 expected_code,
260 expected_msg,
263 # Test kpasswd with the canonicalize option set and a non-canonical (by
264 # conversion to title case) realm.
266 # Create an account for testing.
272 # Get an initial ticket to kpasswd. We set the canonicalize flag here.
277 expected_code = KPASSWD_SUCCESS
280 # Set the password.
283 new_password,
284 expected_code,
285 expected_msg,
290 # Get an initial ticket to kpasswd. We set the canonicalize flag here.
295 # Change the password.
298 new_password,
299 expected_code,
300 expected_msg,
303 # Test kpasswd rejects a password that does not meet complexity
304 # requirements.
306 # Create an account for testing.
309 # Get an initial ticket to kpasswd.
313 expected_code = KPASSWD_SOFTERROR
316 # Set the password.
319 new_password,
320 expected_code,
321 expected_msg,
324 # Change the password.
326 new_password,
327 expected_code,
328 expected_msg,
331 # Test kpasswd rejects an empty new password.
333 # Create an account for testing.
336 # Get an initial ticket to kpasswd.
345 # Set the password.
348 new_password,
349 expected_code,
350 expected_msg,
353 expected_code = KPASSWD_HARDERROR
356 # Change the password.
358 new_password,
359 expected_code,
360 expected_msg,
363 # Test kpasswd rejects a request that does not include a random sequence
364 # number.
366 # Create an account for testing.
369 # Get an initial ticket to kpasswd.
373 expected_code = KPASSWD_HARDERROR
376 # Set the password.
379 new_password,
380 expected_code,
381 expected_msg,
385 # Change the password.
387 new_password,
388 expected_code,
389 expected_msg,
393 # Test kpasswd rejects a ticket issued by an RODC.
395 # Create an account for testing.
398 # Get an initial ticket to kpasswd.
402 # Have the ticket be issued by the RODC.
405 expected_code = KPASSWD_HARDERROR
408 # Set the password.
411 new_password,
412 expected_code,
413 expected_msg,
416 # Change the password.
418 new_password,
419 expected_code,
420 expected_msg,
423 # Test setting a password, specifying the principal of the target user.
425 # Create an account for testing.
432 # Get an initial ticket to kpasswd.
436 expected_code = KPASSWD_MALFORMED
441 # Change the password.
444 new_password,
445 expected_code,
446 expected_msg,
450 # Test that kpasswd rejects a password set specifying only the realm of the
451 # target user.
453 # Create an account for testing.
456 # Get an initial ticket to kpasswd.
466 # Change the password.
469 new_password,
470 expected_code,
471 expected_msg,
475 # Show that a user cannot set a password, specifying both principal and
476 # realm of the target user, without having control access.
478 # Create an account for testing.
485 # Get an initial ticket to kpasswd.
489 expected_code = KPASSWD_ACCESSDENIED
492 # Change the password.
495 new_password,
496 expected_code,
497 expected_msg,
502 # Test setting a password, specifying both principal and realm of the
503 # target user, when the user has control access on their account.
505 # Create an account for testing.
519 # Give the user control access on their account.
523 # Get a non-initial ticket to kpasswd. Since we have the right to
524 # change the account's password, we don't need an initial ticket.
527 krbtgt_creds,
532 expected_code = KPASSWD_SUCCESS
535 # Change the password.
538 new_password,
539 expected_code,
540 expected_msg,
545 # Test setting a password when the existing password has expired.
547 # Create an account for testing, with an expired password.
550 # Get an initial ticket to kpasswd.
554 expected_code = KPASSWD_SUCCESS
557 # Set the password.
560 new_password,
561 expected_code,
562 expected_msg,
565 # Test changing a password when the existing password has expired.
567 # Create an account for testing, with an expired password.
570 # Get an initial ticket to kpasswd.
574 expected_code = KPASSWD_SUCCESS
577 # Change the password.
580 new_password,
581 expected_code,
582 expected_msg,
585 # Check the lifetime of a kpasswd ticket is not more than two minutes.
587 # Create an account for testing.
590 # Get an initial ticket to kpasswd.
594 # Check the lifetime of the ticket is equal to two minutes.
598 # Ensure we cannot perform a TGS-REQ with a kpasswd ticket.
602 # Get an initial ticket to kpasswd.
606 # Change the sname of the ticket to match that of a TGT.
612 # Try to use that ticket to get a service ticket.
615 # This fails due to missing REQUESTER_SID buffer.
618 KDC_ERR_TKT_EXPIRED))
620 # Ensure we cannot perform a TGS-REQ with a kpasswd ticket containing a
621 # requester SID and having a remaining lifetime of two minutes.
625 # Get an initial ticket to kpasswd.
629 # Change the sname of the ticket to match that of a TGT.
635 # Modify the ticket to add a requester SID and give it two minutes to
636 # live.
641 # Try to use that ticket to get a service ticket.
644 # This fails due to the lifetime being too short.
648 # Show we can perform a TGS-REQ with a kpasswd ticket containing a
649 # requester SID if the remaining lifetime exceeds two minutes.
653 # Get an initial ticket to kpasswd.
657 # Change the sname of the ticket to match that of a TGT.
663 # Modify the ticket to add a requester SID and give it two minutes and
664 # ten seconds to live.
669 # Try to use that ticket to get a service ticket.
672 # This succeeds.
676 # Show that we cannot provide a TGT to kpasswd to change the password.
678 # Create an account for testing, and get a TGT.
682 # Change the sname of the ticket to match that of kadmin/changepw.
685 expected_code = KPASSWD_AUTHERROR
688 # Set the password.
691 new_password,
692 expected_code,
693 expected_msg,
696 # Change the password.
698 new_password,
699 expected_code,
700 expected_msg,
703 # Show that we cannot provide a TGT to kpasswd that was obtained with a
704 # single‐component principal.
706 # Create an account for testing.
709 # Create a single‐component principal of the form ‘krbtgt@REALM’.
713 # Don’t request canonicalization.
716 # Get a TGT.
719 # Change the sname of the ticket to match that of kadmin/changepw.
722 expected_code = KPASSWD_AUTHERROR
725 # Set the password.
728 new_password,
729 expected_code,
730 expected_msg,
733 # Change the password.
735 new_password,
736 expected_code,
737 expected_msg,
740 # Test that kpasswd rejects requests with a service ticket.
742 # Create an account for testing, and get a TGT.
746 # Get a non-initial ticket to kpasswd.
749 krbtgt_creds,
754 expected_code = KPASSWD_INITIAL_FLAG_NEEDED
757 # Set the password.
760 new_password,
761 expected_code,
762 expected_msg,
765 # Change the password.
767 new_password,
768 expected_code,
769 expected_msg,
772 # Show that kpasswd accepts requests with a service ticket modified to set
773 # the 'initial' flag.
775 # Create an account for testing, and get a TGT.
780 # Get a service ticket, and modify it to set the 'initial' flag.
784 # Get a non-initial ticket to kpasswd.
786 krbtgt_creds,
800 expected_code = KPASSWD_SUCCESS
805 # Set the password.
808 new_password,
809 expected_code,
810 expected_msg,
816 # Change the password.
819 new_password,
820 expected_code,
821 expected_msg,
824 # Test that kpasswd rejects requests where the ticket is encrypted with a
825 # key other than the krbtgt's.
827 # Create an account for testing.
832 # Get an initial ticket to kpasswd.
836 # Get a key belonging to the Administrator account.
840 'a kvno is required to tell the DB '
842 checksum_keys = {
844 }
846 # Re-encrypt the ticket using the Administrator's key.
851 # Set the sname of the ticket to that of the Administrator account.
856 expected_code = KPASSWD_HARDERROR
859 # Set the password.
862 new_password,
863 expected_code,
864 expected_msg,
867 # Change the password.
869 new_password,
870 expected_code,
871 expected_msg,
875 # Create an account for testing.
881 # Get an initial ticket to kpasswd.
885 # Get a key belonging to our account.
888 'a kvno is required to tell the DB '
890 checksum_keys = {
892 }
894 # Re-encrypt the ticket using our key.
899 # Set the sname of the ticket to that of our account.
905 expected_code = KPASSWD_HARDERROR
908 # Set the password.
911 new_password,
912 expected_code,
913 expected_msg,
916 # Change the password.
918 new_password,
919 expected_code,
920 expected_msg,
923 # Test that kpasswd rejects requests where the ticket is encrypted with a
924 # key belonging to a server account other than the krbtgt.
926 # Create an account for testing.
931 # Get an initial ticket to kpasswd.
935 # Get a key belonging to the DC's account.
939 'a kvno is required to tell the DB '
941 checksum_keys = {
943 }
945 # Re-encrypt the ticket using the DC's key.
950 # Set the sname of the ticket to that of the DC's account.
956 expected_code = KPASSWD_HARDERROR
959 # Set the password.
962 new_password,
963 expected_code,
964 expected_msg,
967 # Change the password.
969 new_password,
970 expected_code,
971 expected_msg,
978 import unittest