tests/krb5: Add test for S4U2Self with wrong sname
Signed-off-by: Joseph Sutton <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
jsutton24 authored and abartlet committed Nov 30, 2021
1 parent d5d22bf commit bac5f75
Showing 2 changed files with 32 additions and 1 deletion.
32 changes: 31 additions & 1 deletion python/samba/tests/krb5/s4u_tests.py
Expand Up @@ -36,6 +36,7 @@
from samba.tests.krb5.rfc4120_constants import (
AES256_CTS_HMAC_SHA1_96,
ARCFOUR_HMAC_MD5,
KDC_ERR_BADMATCH,
KDC_ERR_BADOPTION,
KDC_ERR_BAD_INTEGRITY,
KDC_ERR_GENERIC,
Expand Down Expand Up @@ -243,7 +244,9 @@ def _run_s4u2self_test(self, kdc_dict):
client_dn = client_creds.get_dn()
sid = self.get_objectSid(samdb, client_dn)

service_name = service_creds.get_username()[:-1]
service_name = kdc_dict.pop('service_name', None)
if service_name is None:
service_name = service_creds.get_username()[:-1]
service_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=['host', service_name])

Expand Down Expand Up @@ -474,6 +477,33 @@ def test_s4u2self_trusted_nonempty_allowed(self):
'expected_flags': 'forwardable'
})

# Do an S4U2Self with the sname in the request different to that of the
# service. We expect an error.
def test_s4u2self_wrong_sname(self):
other_creds = self.get_cached_creds(
account_type=self.AccountType.COMPUTER,
opts={
'trusted_to_auth_for_delegation': True,
'id': 0
})
other_sname = other_creds.get_username()[:-1]

self._run_s4u2self_test(
{
'expected_error_mode': KDC_ERR_BADMATCH,
'expect_edata': False,
'client_opts': {
'not_delegated': False
},
'service_opts': {
'trusted_to_auth_for_delegation': True
},
'service_name': other_sname,
'kdc_options': 'forwardable',
'modify_service_tgt_fn': functools.partial(
self.set_ticket_forwardable, flag=True)
})

def _run_delegation_test(self, kdc_dict):
client_opts = kdc_dict.pop('client_opts', None)
client_creds = self.get_cached_creds(
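Review bot: The comment on test_s4u2self_wrong_sname says an error is expected but not why, and the reason is the point of the test: the KDC must bind the sname of an S4U2Self request to the account whose TGT is presented, otherwise a service could obtain a ticket for an arbitrary client addressed to a different service, encrypted to that service's key and presentable to it directly without any constrained-delegation check. Suggested replacement for the two comment lines: `# An S4U2Self sname must name the account whose TGT is presented; a service` / `# must not be able to obtain tickets for arbitrary users to another service.` / `# We expect KDC_ERR_BADMATCH and no e-data.` The target is built from other_creds with 'id': 0 and the same trusted_to_auth_for_delegation flag as service_opts, so it presumably resolves to a different account from the one _run_s4u2self_test creates; if the two ever collided the request would be a valid S4U2Self and the test would fail for the wrong reason, so an `assertNotEqual` between other_sname and the service's own name at the point where service_sname is built would make that assumption explicit. _run_s4u2self_test begins before the second hunk and continues past it, and the accompanying knownfail entry means the Heimdal-based KDC is not yet expected to enforce this check.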
1 change: 1 addition & 0 deletions selftest/knownfail_heimdal_kdc
Expand Up @@ -81,6 +81,7 @@
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_zeroed_service_checksum
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_forwardable
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_not_trusted_empty_allowed
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_wrong_sname
#
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_no_auth_data_required
^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_rbcd_no_auth_data_required
