From f462037f85c3f4cd2aaad538c635259c017ed7f9 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 27 Oct 2021 14:24:50 +1300 Subject: [PATCH 001/380] Revert "bootstrap: Cope with case changes in CentOS 8 repo names" This reverts commit 9b5dd480590fb4693547e9a1e27452058c0f5da8. [abartlet@samba.org Reverted to allow subsequent patches to apply cleanly] --- .gitlab-ci.yml | 2 +- bootstrap/config.py | 3 +-- bootstrap/generated-dists/centos8/bootstrap.sh | 3 +-- bootstrap/sha1sum.txt | 2 +- 4 files changed, 4 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index c706dac66bd..56adf10c7be 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 8bec130a6b741608616302662edee02fd39f3baf + SAMBA_CI_CONTAINER_TAG: 41319f2580c026f66b2750604a0eb15d6b6f7b50 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/config.py b/bootstrap/config.py index 5ead9f74501..bcada1dc628 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -226,8 +226,7 @@ set -xueo pipefail yum update -y yum install -y dnf-plugins-core yum install -y epel-release -yum config-manager --set-enabled PowerTools -y || \ - yum config-manager --set-enabled powertools -y +yum config-manager --set-enabled PowerTools -y yum update -y yum install -y \ diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh index e6fab86e446..22484b3f6ad 100755 --- a/bootstrap/generated-dists/centos8/bootstrap.sh +++ b/bootstrap/generated-dists/centos8/bootstrap.sh @@ -10,8 +10,7 @@ set -xueo pipefail yum update -y yum install -y dnf-plugins-core yum install -y epel-release -yum config-manager --set-enabled PowerTools -y || \ - yum config-manager --set-enabled powertools -y +yum config-manager --set-enabled PowerTools -y yum update -y yum install -y \ diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 5328cff1cd3..62c2245564e 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -8bec130a6b741608616302662edee02fd39f3baf +41319f2580c026f66b2750604a0eb15d6b6f7b50 -- 2.25.1 From 7f39b48fb55b62e920b87acaf77e5948c55f0c61 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 4 Mar 2020 13:58:48 +1300 Subject: [PATCH 002/380] bootstrap: Remove long-unsupported OS versions Samba has not built on these versions for quite some time due to the need for Python 3.5 and GnuTLS 3.4.7 These were always marked as broken, but given the requirements these are never likely to come back. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit d048d7e17d756099e208fa4d6b931a147b0b1489) --- .gitlab-ci.yml | 2 +- bootstrap/.gitlab-ci.yml | 12 -- bootstrap/config.py | 64 ---------- bootstrap/generated-dists/Vagrantfile | 28 ----- bootstrap/generated-dists/centos6/Dockerfile | 27 ----- .../generated-dists/centos6/bootstrap.sh | 109 ------------------ bootstrap/generated-dists/centos6/locale.sh | 55 --------- .../generated-dists/centos6/packages.yml | 89 -------------- bootstrap/generated-dists/debian7/Dockerfile | 27 ----- .../generated-dists/debian7/bootstrap.sh | 101 ---------------- bootstrap/generated-dists/debian7/locale.sh | 55 --------- .../generated-dists/debian7/packages.yml | 86 -------------- bootstrap/generated-dists/debian8/Dockerfile | 27 ----- .../generated-dists/debian8/bootstrap.sh | 105 ----------------- bootstrap/generated-dists/debian8/locale.sh | 55 --------- .../generated-dists/debian8/packages.yml | 90 --------------- .../generated-dists/ubuntu1404/Dockerfile | 27 ----- .../generated-dists/ubuntu1404/bootstrap.sh | 103 ----------------- .../generated-dists/ubuntu1404/locale.sh | 55 --------- .../generated-dists/ubuntu1404/packages.yml | 88 -------------- bootstrap/sha1sum.txt | 2 +- 21 files changed, 2 insertions(+), 1205 deletions(-) delete mode 100644 bootstrap/generated-dists/centos6/Dockerfile delete mode 100755 bootstrap/generated-dists/centos6/bootstrap.sh delete mode 100755 bootstrap/generated-dists/centos6/locale.sh delete mode 100644 bootstrap/generated-dists/centos6/packages.yml delete mode 100644 bootstrap/generated-dists/debian7/Dockerfile delete mode 100755 bootstrap/generated-dists/debian7/bootstrap.sh delete mode 100755 bootstrap/generated-dists/debian7/locale.sh delete mode 100644 bootstrap/generated-dists/debian7/packages.yml delete mode 100644 bootstrap/generated-dists/debian8/Dockerfile delete mode 100755 bootstrap/generated-dists/debian8/bootstrap.sh delete mode 100755 bootstrap/generated-dists/debian8/locale.sh delete mode 100644 bootstrap/generated-dists/debian8/packages.yml delete mode 100644 bootstrap/generated-dists/ubuntu1404/Dockerfile delete mode 100755 bootstrap/generated-dists/ubuntu1404/bootstrap.sh delete mode 100755 bootstrap/generated-dists/ubuntu1404/locale.sh delete mode 100644 bootstrap/generated-dists/ubuntu1404/packages.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 56adf10c7be..00ffff202d9 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 41319f2580c026f66b2750604a0eb15d6b6f7b50 + SAMBA_CI_CONTAINER_TAG: cd4cebb9c611fb98f3a21171dd4832df930add28 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index aa0b6448d74..cbf1cb9b58a 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -89,21 +89,12 @@ ubuntu1804: ubuntu1604: extends: .build_image_template -ubuntu1404: - extends: .build_image_template_force_broken - debian10: extends: .build_image_template debian9: extends: .build_image_template -debian8: - extends: .build_image_template_force_broken - -debian7: - extends: .build_image_template_force_broken - fedora31: extends: .build_image_template @@ -124,9 +115,6 @@ centos7: # We install a compat-gnutls34 package for GnuTLS >= 3.4.7 PKG_CONFIG_PATH: /usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig -centos6: - extends: .build_image_template_force_broken - opensuse150: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index bcada1dc628..552524ae759 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -374,30 +374,6 @@ end DEB_DISTS = { - 'debian7': { - 'docker_image': 'debian:7', - 'vagrant_box': 'debian/wheezy64', - 'replace': { - 'libgnutls28-dev': 'libgnutls-dev', - 'libsystemd-dev': '', # not available, remove - 'lmdb-utils': '', # not available, remove - 'liblmdb-dev': '', # not available, remove - 'python-gpg': 'python-gpgme', - 'python3-gpg': '', # no python3 gpg pkg available, remove - 'language-pack-en': '', # included in locales - 'liburing-dev': '', # not available - } - }, - 'debian8': { - 'docker_image': 'debian:8', - 'vagrant_box': 'debian/jessie64', - 'replace': { - 'python-gpg': 'python-gpgme', - 'python3-gpg': 'python3-gpgme', - 'language-pack-en': '', # included in locales - 'liburing-dev': '', # not available - } - }, 'debian9': { 'docker_image': 'debian:9', 'vagrant_box': 'debian/stretch64', @@ -414,22 +390,6 @@ DEB_DISTS = { 'liburing-dev': '', # not available } }, - 'ubuntu1404': { - 'docker_image': 'ubuntu:14.04', - 'vagrant_box': 'ubuntu/trusty64', - 'replace': { - 'libsystemd-dev': '', # remove - 'libgnutls28-dev': 'libgnutls-dev', - 'python-gpg': 'python-gpgme', - 'python3-gpg': 'python3-gpgme', - 'lmdb-utils': 'lmdb-utils/trusty-backports', - 'liblmdb-dev': 'liblmdb-dev/trusty-backports', - 'libunwind-dev': 'libunwind8-dev', - 'glusterfs-common': '', - 'libcephfs-dev': '', - 'liburing-dev': '', # not available - } - }, 'ubuntu1604': { 'docker_image': 'ubuntu:16.04', 'vagrant_box': 'ubuntu/xenial64', @@ -452,30 +412,6 @@ DEB_DISTS = { RPM_DISTS = { - 'centos6': { - 'docker_image': 'centos:6', - 'vagrant_box': 'centos/6', - 'bootstrap': YUM_BOOTSTRAP, - 'replace': { - 'lsb-release': 'redhat-lsb', - 'python3': 'python36', - 'python3-devel': 'python36-devel', - 'python2-gpg': 'pygpgme', - 'python3-gpg': '', # no python3-gpg yet - '@development-tools': '"@Development Tools"', # add quotes - 'glibc-langpack-en': '', # included in glibc-common - 'glibc-locale-source': '', # included in glibc-common - 'procps-ng': 'procps', # centos6 still use old name - # update perl core modules on centos - # fix: Can't locate Archive/Tar.pm in @INC - 'perl': 'perl-core', - 'rpcsvc-proto-devel': '', - 'glusterfs-api-devel': '', - 'glusterfs-devel': '', - 'libcephfs-devel': '', - 'liburing-devel': '', # not available - } - }, 'centos7': { 'docker_image': 'centos:7', 'vagrant_box': 'centos/7', diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index b3cb6bea485..983e66aa57f 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -10,13 +10,6 @@ Vagrant.configure("2") do |config| config.ssh.insert_key = false - config.vm.define "centos6" do |v| - v.vm.box = "centos/6" - v.vm.hostname = "centos6" - v.vm.provision :shell, path: "centos6/bootstrap.sh" - v.vm.provision :shell, path: "centos6/locale.sh" - end - config.vm.define "centos7" do |v| v.vm.box = "centos/7" v.vm.hostname = "centos7" @@ -38,20 +31,6 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "debian10/locale.sh" end - config.vm.define "debian7" do |v| - v.vm.box = "debian/wheezy64" - v.vm.hostname = "debian7" - v.vm.provision :shell, path: "debian7/bootstrap.sh" - v.vm.provision :shell, path: "debian7/locale.sh" - end - - config.vm.define "debian8" do |v| - v.vm.box = "debian/jessie64" - v.vm.hostname = "debian8" - v.vm.provision :shell, path: "debian8/bootstrap.sh" - v.vm.provision :shell, path: "debian8/locale.sh" - end - config.vm.define "debian9" do |v| v.vm.box = "debian/stretch64" v.vm.hostname = "debian9" @@ -94,13 +73,6 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "opensuse151/locale.sh" end - config.vm.define "ubuntu1404" do |v| - v.vm.box = "ubuntu/trusty64" - v.vm.hostname = "ubuntu1404" - v.vm.provision :shell, path: "ubuntu1404/bootstrap.sh" - v.vm.provision :shell, path: "ubuntu1404/locale.sh" - end - config.vm.define "ubuntu1604" do |v| v.vm.box = "ubuntu/xenial64" v.vm.hostname = "ubuntu1604" diff --git a/bootstrap/generated-dists/centos6/Dockerfile b/bootstrap/generated-dists/centos6/Dockerfile deleted file mode 100644 index 2716eebdd35..00000000000 --- a/bootstrap/generated-dists/centos6/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM centos:6 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/centos6/bootstrap.sh b/bootstrap/generated-dists/centos6/bootstrap.sh deleted file mode 100755 index ee6fcc33799..00000000000 --- a/bootstrap/generated-dists/centos6/bootstrap.sh +++ /dev/null @@ -1,109 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -yum update -y -yum install -y epel-release -yum install -y yum-plugin-copr -yum copr enable -y sergiomb/SambaAD -yum update -y - -yum install -y \ - "@Development Tools" \ - acl \ - attr \ - autoconf \ - avahi-devel \ - bind-utils \ - binutils \ - bison \ - chrpath \ - cups-devel \ - curl \ - dbus-devel \ - docbook-dtds \ - docbook-style-xsl \ - flex \ - gawk \ - gcc \ - gdb \ - git \ - glib2-devel \ - glibc-common \ - gnutls-devel \ - gpgme-devel \ - gzip \ - hostname \ - htop \ - jansson-devel \ - keyutils-libs-devel \ - krb5-devel \ - krb5-server \ - lcov \ - libacl-devel \ - libarchive-devel \ - libattr-devel \ - libblkid-devel \ - libbsd-devel \ - libcap-devel \ - libicu-devel \ - libnsl2-devel \ - libpcap-devel \ - libsemanage-python \ - libtasn1-devel \ - libtasn1-tools \ - libtirpc-devel \ - libunwind-devel \ - libuuid-devel \ - libxslt \ - lmdb \ - lmdb-devel \ - make \ - mingw64-gcc \ - ncurses-devel \ - openldap-devel \ - pam-devel \ - patch \ - perl-Archive-Tar \ - perl-ExtUtils-MakeMaker \ - perl-JSON-Parse \ - perl-Parse-Yapp \ - perl-Test-Base \ - perl-core \ - perl-generators \ - perl-interpreter \ - pkgconfig \ - policycoreutils-python \ - popt-devel \ - procps \ - psmisc \ - python3-dns \ - python3-markdown \ - python36 \ - python36-devel \ - quota-devel \ - readline-devel \ - redhat-lsb \ - rng-tools \ - rpcgen \ - rsync \ - sed \ - sudo \ - systemd-devel \ - tar \ - tree \ - which \ - xfsprogs-devel \ - yum-utils \ - zlib-devel - -yum clean all - -if [ ! -f /usr/bin/python3 ]; then - ln -sf /usr/bin/python3.6 /usr/bin/python3 -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/centos6/locale.sh b/bootstrap/generated-dists/centos6/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/centos6/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/centos6/packages.yml b/bootstrap/generated-dists/centos6/packages.yml deleted file mode 100644 index 1e2b5a98fa6..00000000000 --- a/bootstrap/generated-dists/centos6/packages.yml +++ /dev/null @@ -1,89 +0,0 @@ ---- -packages: - - "@Development Tools" - - acl - - attr - - autoconf - - avahi-devel - - bind-utils - - binutils - - bison - - chrpath - - cups-devel - - curl - - dbus-devel - - docbook-dtds - - docbook-style-xsl - - flex - - gawk - - gcc - - gdb - - git - - glib2-devel - - glibc-common - - gnutls-devel - - gpgme-devel - - gzip - - hostname - - htop - - jansson-devel - - keyutils-libs-devel - - krb5-devel - - krb5-server - - lcov - - libacl-devel - - libarchive-devel - - libattr-devel - - libblkid-devel - - libbsd-devel - - libcap-devel - - libicu-devel - - libnsl2-devel - - libpcap-devel - - libsemanage-python - - libtasn1-devel - - libtasn1-tools - - libtirpc-devel - - libunwind-devel - - libuuid-devel - - libxslt - - lmdb - - lmdb-devel - - make - - mingw64-gcc - - ncurses-devel - - openldap-devel - - pam-devel - - patch - - perl-Archive-Tar - - perl-ExtUtils-MakeMaker - - perl-JSON-Parse - - perl-Parse-Yapp - - perl-Test-Base - - perl-core - - perl-generators - - perl-interpreter - - pkgconfig - - policycoreutils-python - - popt-devel - - procps - - psmisc - - python3-dns - - python3-markdown - - python36 - - python36-devel - - quota-devel - - readline-devel - - redhat-lsb - - rng-tools - - rpcgen - - rsync - - sed - - sudo - - systemd-devel - - tar - - tree - - which - - xfsprogs-devel - - yum-utils - - zlib-devel \ No newline at end of file diff --git a/bootstrap/generated-dists/debian7/Dockerfile b/bootstrap/generated-dists/debian7/Dockerfile deleted file mode 100644 index dfe0e389653..00000000000 --- a/bootstrap/generated-dists/debian7/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM debian:7 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/debian7/bootstrap.sh b/bootstrap/generated-dists/debian7/bootstrap.sh deleted file mode 100755 index daedce84fd9..00000000000 --- a/bootstrap/generated-dists/debian7/bootstrap.sh +++ /dev/null @@ -1,101 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -export DEBIAN_FRONTEND=noninteractive -apt-get -y update - -apt-get -y install \ - acl \ - apt-utils \ - attr \ - autoconf \ - bind9utils \ - binutils \ - bison \ - build-essential \ - chrpath \ - curl \ - debhelper \ - dnsutils \ - docbook-xml \ - docbook-xsl \ - flex \ - gcc \ - gdb \ - git \ - glusterfs-common \ - gzip \ - heimdal-multidev \ - hostname \ - htop \ - krb5-config \ - krb5-kdc \ - krb5-user \ - lcov \ - libacl1-dev \ - libarchive-dev \ - libattr1-dev \ - libavahi-common-dev \ - libblkid-dev \ - libbsd-dev \ - libcap-dev \ - libcephfs-dev \ - libcups2-dev \ - libdbus-1-dev \ - libglib2.0-dev \ - libgnutls-dev \ - libgpgme11-dev \ - libicu-dev \ - libjansson-dev \ - libjs-jquery \ - libjson-perl \ - libkrb5-dev \ - libldap2-dev \ - libncurses5-dev \ - libpam0g-dev \ - libparse-yapp-perl \ - libpcap-dev \ - libpopt-dev \ - libreadline-dev \ - libtasn1-bin \ - libtasn1-dev \ - libunwind-dev \ - locales \ - lsb-release \ - make \ - mawk \ - mingw-w64 \ - patch \ - perl \ - perl-modules \ - pkg-config \ - procps \ - psmisc \ - python3 \ - python3-dbg \ - python3-dev \ - python3-dnspython \ - python3-iso8601 \ - python3-markdown \ - python3-matplotlib \ - python3-pexpect \ - rng-tools \ - rsync \ - sed \ - sudo \ - tar \ - tree \ - uuid-dev \ - xfslibs-dev \ - xsltproc \ - zlib1g-dev - -apt-get -y autoremove -apt-get -y autoclean -apt-get -y clean \ No newline at end of file diff --git a/bootstrap/generated-dists/debian7/locale.sh b/bootstrap/generated-dists/debian7/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/debian7/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/debian7/packages.yml b/bootstrap/generated-dists/debian7/packages.yml deleted file mode 100644 index 3cac6870b3e..00000000000 --- a/bootstrap/generated-dists/debian7/packages.yml +++ /dev/null @@ -1,86 +0,0 @@ ---- -packages: - - acl - - apt-utils - - attr - - autoconf - - bind9utils - - binutils - - bison - - build-essential - - chrpath - - curl - - debhelper - - dnsutils - - docbook-xml - - docbook-xsl - - flex - - gcc - - gdb - - git - - glusterfs-common - - gzip - - heimdal-multidev - - hostname - - htop - - krb5-config - - krb5-kdc - - krb5-user - - lcov - - libacl1-dev - - libarchive-dev - - libattr1-dev - - libavahi-common-dev - - libblkid-dev - - libbsd-dev - - libcap-dev - - libcephfs-dev - - libcups2-dev - - libdbus-1-dev - - libglib2.0-dev - - libgnutls-dev - - libgpgme11-dev - - libicu-dev - - libjansson-dev - - libjs-jquery - - libjson-perl - - libkrb5-dev - - libldap2-dev - - libncurses5-dev - - libpam0g-dev - - libparse-yapp-perl - - libpcap-dev - - libpopt-dev - - libreadline-dev - - libtasn1-bin - - libtasn1-dev - - libunwind-dev - - locales - - lsb-release - - make - - mawk - - mingw-w64 - - patch - - perl - - perl-modules - - pkg-config - - procps - - psmisc - - python3 - - python3-dbg - - python3-dev - - python3-dnspython - - python3-iso8601 - - python3-markdown - - python3-matplotlib - - python3-pexpect - - rng-tools - - rsync - - sed - - sudo - - tar - - tree - - uuid-dev - - xfslibs-dev - - xsltproc - - zlib1g-dev \ No newline at end of file diff --git a/bootstrap/generated-dists/debian8/Dockerfile b/bootstrap/generated-dists/debian8/Dockerfile deleted file mode 100644 index a5a35654c22..00000000000 --- a/bootstrap/generated-dists/debian8/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM debian:8 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/debian8/bootstrap.sh b/bootstrap/generated-dists/debian8/bootstrap.sh deleted file mode 100755 index 010508360ed..00000000000 --- a/bootstrap/generated-dists/debian8/bootstrap.sh +++ /dev/null @@ -1,105 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -export DEBIAN_FRONTEND=noninteractive -apt-get -y update - -apt-get -y install \ - acl \ - apt-utils \ - attr \ - autoconf \ - bind9utils \ - binutils \ - bison \ - build-essential \ - chrpath \ - curl \ - debhelper \ - dnsutils \ - docbook-xml \ - docbook-xsl \ - flex \ - gcc \ - gdb \ - git \ - glusterfs-common \ - gzip \ - heimdal-multidev \ - hostname \ - htop \ - krb5-config \ - krb5-kdc \ - krb5-user \ - lcov \ - libacl1-dev \ - libarchive-dev \ - libattr1-dev \ - libavahi-common-dev \ - libblkid-dev \ - libbsd-dev \ - libcap-dev \ - libcephfs-dev \ - libcups2-dev \ - libdbus-1-dev \ - libglib2.0-dev \ - libgnutls28-dev \ - libgpgme11-dev \ - libicu-dev \ - libjansson-dev \ - libjs-jquery \ - libjson-perl \ - libkrb5-dev \ - libldap2-dev \ - liblmdb-dev \ - libncurses5-dev \ - libpam0g-dev \ - libparse-yapp-perl \ - libpcap-dev \ - libpopt-dev \ - libreadline-dev \ - libsystemd-dev \ - libtasn1-bin \ - libtasn1-dev \ - libunwind-dev \ - lmdb-utils \ - locales \ - lsb-release \ - make \ - mawk \ - mingw-w64 \ - patch \ - perl \ - perl-modules \ - pkg-config \ - procps \ - psmisc \ - python3 \ - python3-dbg \ - python3-dev \ - python3-dnspython \ - python3-gpgme \ - python3-iso8601 \ - python3-markdown \ - python3-matplotlib \ - python3-pexpect \ - rng-tools \ - rsync \ - sed \ - sudo \ - tar \ - tree \ - uuid-dev \ - xfslibs-dev \ - xsltproc \ - zlib1g-dev - -apt-get -y autoremove -apt-get -y autoclean -apt-get -y clean \ No newline at end of file diff --git a/bootstrap/generated-dists/debian8/locale.sh b/bootstrap/generated-dists/debian8/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/debian8/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/debian8/packages.yml b/bootstrap/generated-dists/debian8/packages.yml deleted file mode 100644 index 1c9552b85f3..00000000000 --- a/bootstrap/generated-dists/debian8/packages.yml +++ /dev/null @@ -1,90 +0,0 @@ ---- -packages: - - acl - - apt-utils - - attr - - autoconf - - bind9utils - - binutils - - bison - - build-essential - - chrpath - - curl - - debhelper - - dnsutils - - docbook-xml - - docbook-xsl - - flex - - gcc - - gdb - - git - - glusterfs-common - - gzip - - heimdal-multidev - - hostname - - htop - - krb5-config - - krb5-kdc - - krb5-user - - lcov - - libacl1-dev - - libarchive-dev - - libattr1-dev - - libavahi-common-dev - - libblkid-dev - - libbsd-dev - - libcap-dev - - libcephfs-dev - - libcups2-dev - - libdbus-1-dev - - libglib2.0-dev - - libgnutls28-dev - - libgpgme11-dev - - libicu-dev - - libjansson-dev - - libjs-jquery - - libjson-perl - - libkrb5-dev - - libldap2-dev - - liblmdb-dev - - libncurses5-dev - - libpam0g-dev - - libparse-yapp-perl - - libpcap-dev - - libpopt-dev - - libreadline-dev - - libsystemd-dev - - libtasn1-bin - - libtasn1-dev - - libunwind-dev - - lmdb-utils - - locales - - lsb-release - - make - - mawk - - mingw-w64 - - patch - - perl - - perl-modules - - pkg-config - - procps - - psmisc - - python3 - - python3-dbg - - python3-dev - - python3-dnspython - - python3-gpgme - - python3-iso8601 - - python3-markdown - - python3-matplotlib - - python3-pexpect - - rng-tools - - rsync - - sed - - sudo - - tar - - tree - - uuid-dev - - xfslibs-dev - - xsltproc - - zlib1g-dev \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1404/Dockerfile b/bootstrap/generated-dists/ubuntu1404/Dockerfile deleted file mode 100644 index 4cbb2d3902c..00000000000 --- a/bootstrap/generated-dists/ubuntu1404/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM ubuntu:14.04 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1404/bootstrap.sh b/bootstrap/generated-dists/ubuntu1404/bootstrap.sh deleted file mode 100755 index 78c8969ac69..00000000000 --- a/bootstrap/generated-dists/ubuntu1404/bootstrap.sh +++ /dev/null @@ -1,103 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -export DEBIAN_FRONTEND=noninteractive -apt-get -y update - -apt-get -y install \ - acl \ - apt-utils \ - attr \ - autoconf \ - bind9utils \ - binutils \ - bison \ - build-essential \ - chrpath \ - curl \ - debhelper \ - dnsutils \ - docbook-xml \ - docbook-xsl \ - flex \ - gcc \ - gdb \ - git \ - gzip \ - heimdal-multidev \ - hostname \ - htop \ - krb5-config \ - krb5-kdc \ - krb5-user \ - language-pack-en \ - lcov \ - libacl1-dev \ - libarchive-dev \ - libattr1-dev \ - libavahi-common-dev \ - libblkid-dev \ - libbsd-dev \ - libcap-dev \ - libcups2-dev \ - libdbus-1-dev \ - libglib2.0-dev \ - libgnutls-dev \ - libgpgme11-dev \ - libicu-dev \ - libjansson-dev \ - libjs-jquery \ - libjson-perl \ - libkrb5-dev \ - libldap2-dev \ - liblmdb-dev/trusty-backports \ - libncurses5-dev \ - libpam0g-dev \ - libparse-yapp-perl \ - libpcap-dev \ - libpopt-dev \ - libreadline-dev \ - libtasn1-bin \ - libtasn1-dev \ - libunwind8-dev \ - lmdb-utils/trusty-backports \ - locales \ - lsb-release \ - make \ - mawk \ - mingw-w64 \ - patch \ - perl \ - perl-modules \ - pkg-config \ - procps \ - psmisc \ - python3 \ - python3-dbg \ - python3-dev \ - python3-dnspython \ - python3-gpgme \ - python3-iso8601 \ - python3-markdown \ - python3-matplotlib \ - python3-pexpect \ - rng-tools \ - rsync \ - sed \ - sudo \ - tar \ - tree \ - uuid-dev \ - xfslibs-dev \ - xsltproc \ - zlib1g-dev - -apt-get -y autoremove -apt-get -y autoclean -apt-get -y clean \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1404/locale.sh b/bootstrap/generated-dists/ubuntu1404/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/ubuntu1404/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1404/packages.yml b/bootstrap/generated-dists/ubuntu1404/packages.yml deleted file mode 100644 index f6c8a0aaa00..00000000000 --- a/bootstrap/generated-dists/ubuntu1404/packages.yml +++ /dev/null @@ -1,88 +0,0 @@ ---- -packages: - - acl - - apt-utils - - attr - - autoconf - - bind9utils - - binutils - - bison - - build-essential - - chrpath - - curl - - debhelper - - dnsutils - - docbook-xml - - docbook-xsl - - flex - - gcc - - gdb - - git - - gzip - - heimdal-multidev - - hostname - - htop - - krb5-config - - krb5-kdc - - krb5-user - - language-pack-en - - lcov - - libacl1-dev - - libarchive-dev - - libattr1-dev - - libavahi-common-dev - - libblkid-dev - - libbsd-dev - - libcap-dev - - libcups2-dev - - libdbus-1-dev - - libglib2.0-dev - - libgnutls-dev - - libgpgme11-dev - - libicu-dev - - libjansson-dev - - libjs-jquery - - libjson-perl - - libkrb5-dev - - libldap2-dev - - liblmdb-dev/trusty-backports - - libncurses5-dev - - libpam0g-dev - - libparse-yapp-perl - - libpcap-dev - - libpopt-dev - - libreadline-dev - - libtasn1-bin - - libtasn1-dev - - libunwind8-dev - - lmdb-utils/trusty-backports - - locales - - lsb-release - - make - - mawk - - mingw-w64 - - patch - - perl - - perl-modules - - pkg-config - - procps - - psmisc - - python3 - - python3-dbg - - python3-dev - - python3-dnspython - - python3-gpgme - - python3-iso8601 - - python3-markdown - - python3-matplotlib - - python3-pexpect - - rng-tools - - rsync - - sed - - sudo - - tar - - tree - - uuid-dev - - xfslibs-dev - - xsltproc - - zlib1g-dev \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 62c2245564e..2378dd2d94f 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -41319f2580c026f66b2750604a0eb15d6b6f7b50 +cd4cebb9c611fb98f3a21171dd4832df930add28 -- 2.25.1 From bf46319a4cbb0f8fb4231b77d7ca68b475ef0970 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Wed, 4 Mar 2020 13:55:27 +1300 Subject: [PATCH 003/380] .gitlab-ci.yml: Do not build Samba for Ubuntu 16.04 or Debian 9 any longer These only have Python 3.5 and we want to increase the minimum to Python 3.6. Signed-off-by: Andrew Bartlett Reviewed-by: Andreas Schneider (cherry picked from commit e9ce0f13e695f1d7e719923628255ea786a90c20) --- .gitlab-ci.yml | 10 +- bootstrap/.gitlab-ci.yml | 6 - bootstrap/config.py | 19 ---- bootstrap/generated-dists/Vagrantfile | 14 --- bootstrap/generated-dists/debian9/Dockerfile | 27 ----- .../generated-dists/debian9/bootstrap.sh | 105 ------------------ bootstrap/generated-dists/debian9/locale.sh | 55 --------- .../generated-dists/debian9/packages.yml | 90 --------------- .../generated-dists/ubuntu1604/Dockerfile | 27 ----- .../generated-dists/ubuntu1604/bootstrap.sh | 104 ----------------- .../generated-dists/ubuntu1604/locale.sh | 55 --------- .../generated-dists/ubuntu1604/packages.yml | 89 --------------- bootstrap/sha1sum.txt | 2 +- 13 files changed, 2 insertions(+), 601 deletions(-) delete mode 100644 bootstrap/generated-dists/debian9/Dockerfile delete mode 100755 bootstrap/generated-dists/debian9/bootstrap.sh delete mode 100755 bootstrap/generated-dists/debian9/locale.sh delete mode 100644 bootstrap/generated-dists/debian9/packages.yml delete mode 100644 bootstrap/generated-dists/ubuntu1604/Dockerfile delete mode 100755 bootstrap/generated-dists/ubuntu1604/bootstrap.sh delete mode 100755 bootstrap/generated-dists/ubuntu1604/locale.sh delete mode 100644 bootstrap/generated-dists/ubuntu1604/packages.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 00ffff202d9..9bd5dd04b4f 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: cd4cebb9c611fb98f3a21171dd4832df930add28 + SAMBA_CI_CONTAINER_TAG: 2b0275df23424240774afcd61fae8abed8663996 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -277,14 +277,6 @@ ubuntu1804-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_ubuntu1804 -ubuntu1604-samba-o3: - extends: .samba-o3-template - image: $SAMBA_CI_CONTAINER_IMAGE_ubuntu1604 - -debian9-samba-o3: - extends: .samba-o3-template - image: $SAMBA_CI_CONTAINER_IMAGE_debian9 - debian10-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_debian10 diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index cbf1cb9b58a..4e52da09dcc 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -86,15 +86,9 @@ services: ubuntu1804: extends: .build_image_template -ubuntu1604: - extends: .build_image_template - debian10: extends: .build_image_template -debian9: - extends: .build_image_template - fedora31: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index 552524ae759..19a2cf08b9d 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -374,14 +374,6 @@ end DEB_DISTS = { - 'debian9': { - 'docker_image': 'debian:9', - 'vagrant_box': 'debian/stretch64', - 'replace': { - 'language-pack-en': '', # included in locales - 'liburing-dev': '', # not available - } - }, 'debian10': { 'docker_image': 'debian:10', 'vagrant_box': 'debian/buster64', @@ -390,17 +382,6 @@ DEB_DISTS = { 'liburing-dev': '', # not available } }, - 'ubuntu1604': { - 'docker_image': 'ubuntu:16.04', - 'vagrant_box': 'ubuntu/xenial64', - 'replace': { - 'python-gpg': 'python-gpgme', - 'python3-gpg': 'python3-gpgme', - 'glusterfs-common': '', - 'libcephfs-dev': '', - 'liburing-dev': '', # not available - } - }, 'ubuntu1804': { 'docker_image': 'ubuntu:18.04', 'vagrant_box': 'ubuntu/bionic64', diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 983e66aa57f..091c65488cb 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -31,13 +31,6 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "debian10/locale.sh" end - config.vm.define "debian9" do |v| - v.vm.box = "debian/stretch64" - v.vm.hostname = "debian9" - v.vm.provision :shell, path: "debian9/bootstrap.sh" - v.vm.provision :shell, path: "debian9/locale.sh" - end - config.vm.define "fedora29" do |v| v.vm.box = "fedora/29-cloud-base" v.vm.hostname = "fedora29" @@ -73,13 +66,6 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "opensuse151/locale.sh" end - config.vm.define "ubuntu1604" do |v| - v.vm.box = "ubuntu/xenial64" - v.vm.hostname = "ubuntu1604" - v.vm.provision :shell, path: "ubuntu1604/bootstrap.sh" - v.vm.provision :shell, path: "ubuntu1604/locale.sh" - end - config.vm.define "ubuntu1804" do |v| v.vm.box = "ubuntu/bionic64" v.vm.hostname = "ubuntu1804" diff --git a/bootstrap/generated-dists/debian9/Dockerfile b/bootstrap/generated-dists/debian9/Dockerfile deleted file mode 100644 index 50195295447..00000000000 --- a/bootstrap/generated-dists/debian9/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM debian:9 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/debian9/bootstrap.sh b/bootstrap/generated-dists/debian9/bootstrap.sh deleted file mode 100755 index f0847eb3c20..00000000000 --- a/bootstrap/generated-dists/debian9/bootstrap.sh +++ /dev/null @@ -1,105 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -export DEBIAN_FRONTEND=noninteractive -apt-get -y update - -apt-get -y install \ - acl \ - apt-utils \ - attr \ - autoconf \ - bind9utils \ - binutils \ - bison \ - build-essential \ - chrpath \ - curl \ - debhelper \ - dnsutils \ - docbook-xml \ - docbook-xsl \ - flex \ - gcc \ - gdb \ - git \ - glusterfs-common \ - gzip \ - heimdal-multidev \ - hostname \ - htop \ - krb5-config \ - krb5-kdc \ - krb5-user \ - lcov \ - libacl1-dev \ - libarchive-dev \ - libattr1-dev \ - libavahi-common-dev \ - libblkid-dev \ - libbsd-dev \ - libcap-dev \ - libcephfs-dev \ - libcups2-dev \ - libdbus-1-dev \ - libglib2.0-dev \ - libgnutls28-dev \ - libgpgme11-dev \ - libicu-dev \ - libjansson-dev \ - libjs-jquery \ - libjson-perl \ - libkrb5-dev \ - libldap2-dev \ - liblmdb-dev \ - libncurses5-dev \ - libpam0g-dev \ - libparse-yapp-perl \ - libpcap-dev \ - libpopt-dev \ - libreadline-dev \ - libsystemd-dev \ - libtasn1-bin \ - libtasn1-dev \ - libunwind-dev \ - lmdb-utils \ - locales \ - lsb-release \ - make \ - mawk \ - mingw-w64 \ - patch \ - perl \ - perl-modules \ - pkg-config \ - procps \ - psmisc \ - python3 \ - python3-dbg \ - python3-dev \ - python3-dnspython \ - python3-gpg \ - python3-iso8601 \ - python3-markdown \ - python3-matplotlib \ - python3-pexpect \ - rng-tools \ - rsync \ - sed \ - sudo \ - tar \ - tree \ - uuid-dev \ - xfslibs-dev \ - xsltproc \ - zlib1g-dev - -apt-get -y autoremove -apt-get -y autoclean -apt-get -y clean \ No newline at end of file diff --git a/bootstrap/generated-dists/debian9/locale.sh b/bootstrap/generated-dists/debian9/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/debian9/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/debian9/packages.yml b/bootstrap/generated-dists/debian9/packages.yml deleted file mode 100644 index a242cd8b362..00000000000 --- a/bootstrap/generated-dists/debian9/packages.yml +++ /dev/null @@ -1,90 +0,0 @@ ---- -packages: - - acl - - apt-utils - - attr - - autoconf - - bind9utils - - binutils - - bison - - build-essential - - chrpath - - curl - - debhelper - - dnsutils - - docbook-xml - - docbook-xsl - - flex - - gcc - - gdb - - git - - glusterfs-common - - gzip - - heimdal-multidev - - hostname - - htop - - krb5-config - - krb5-kdc - - krb5-user - - lcov - - libacl1-dev - - libarchive-dev - - libattr1-dev - - libavahi-common-dev - - libblkid-dev - - libbsd-dev - - libcap-dev - - libcephfs-dev - - libcups2-dev - - libdbus-1-dev - - libglib2.0-dev - - libgnutls28-dev - - libgpgme11-dev - - libicu-dev - - libjansson-dev - - libjs-jquery - - libjson-perl - - libkrb5-dev - - libldap2-dev - - liblmdb-dev - - libncurses5-dev - - libpam0g-dev - - libparse-yapp-perl - - libpcap-dev - - libpopt-dev - - libreadline-dev - - libsystemd-dev - - libtasn1-bin - - libtasn1-dev - - libunwind-dev - - lmdb-utils - - locales - - lsb-release - - make - - mawk - - mingw-w64 - - patch - - perl - - perl-modules - - pkg-config - - procps - - psmisc - - python3 - - python3-dbg - - python3-dev - - python3-dnspython - - python3-gpg - - python3-iso8601 - - python3-markdown - - python3-matplotlib - - python3-pexpect - - rng-tools - - rsync - - sed - - sudo - - tar - - tree - - uuid-dev - - xfslibs-dev - - xsltproc - - zlib1g-dev \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1604/Dockerfile b/bootstrap/generated-dists/ubuntu1604/Dockerfile deleted file mode 100644 index 93001fcdcca..00000000000 --- a/bootstrap/generated-dists/ubuntu1604/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM ubuntu:16.04 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1604/bootstrap.sh b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh deleted file mode 100755 index a8f47762ded..00000000000 --- a/bootstrap/generated-dists/ubuntu1604/bootstrap.sh +++ /dev/null @@ -1,104 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -export DEBIAN_FRONTEND=noninteractive -apt-get -y update - -apt-get -y install \ - acl \ - apt-utils \ - attr \ - autoconf \ - bind9utils \ - binutils \ - bison \ - build-essential \ - chrpath \ - curl \ - debhelper \ - dnsutils \ - docbook-xml \ - docbook-xsl \ - flex \ - gcc \ - gdb \ - git \ - gzip \ - heimdal-multidev \ - hostname \ - htop \ - krb5-config \ - krb5-kdc \ - krb5-user \ - language-pack-en \ - lcov \ - libacl1-dev \ - libarchive-dev \ - libattr1-dev \ - libavahi-common-dev \ - libblkid-dev \ - libbsd-dev \ - libcap-dev \ - libcups2-dev \ - libdbus-1-dev \ - libglib2.0-dev \ - libgnutls28-dev \ - libgpgme11-dev \ - libicu-dev \ - libjansson-dev \ - libjs-jquery \ - libjson-perl \ - libkrb5-dev \ - libldap2-dev \ - liblmdb-dev \ - libncurses5-dev \ - libpam0g-dev \ - libparse-yapp-perl \ - libpcap-dev \ - libpopt-dev \ - libreadline-dev \ - libsystemd-dev \ - libtasn1-bin \ - libtasn1-dev \ - libunwind-dev \ - lmdb-utils \ - locales \ - lsb-release \ - make \ - mawk \ - mingw-w64 \ - patch \ - perl \ - perl-modules \ - pkg-config \ - procps \ - psmisc \ - python3 \ - python3-dbg \ - python3-dev \ - python3-dnspython \ - python3-gpgme \ - python3-iso8601 \ - python3-markdown \ - python3-matplotlib \ - python3-pexpect \ - rng-tools \ - rsync \ - sed \ - sudo \ - tar \ - tree \ - uuid-dev \ - xfslibs-dev \ - xsltproc \ - zlib1g-dev - -apt-get -y autoremove -apt-get -y autoclean -apt-get -y clean \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1604/locale.sh b/bootstrap/generated-dists/ubuntu1604/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/ubuntu1604/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1604/packages.yml b/bootstrap/generated-dists/ubuntu1604/packages.yml deleted file mode 100644 index c3cd9af9c3e..00000000000 --- a/bootstrap/generated-dists/ubuntu1604/packages.yml +++ /dev/null @@ -1,89 +0,0 @@ ---- -packages: - - acl - - apt-utils - - attr - - autoconf - - bind9utils - - binutils - - bison - - build-essential - - chrpath - - curl - - debhelper - - dnsutils - - docbook-xml - - docbook-xsl - - flex - - gcc - - gdb - - git - - gzip - - heimdal-multidev - - hostname - - htop - - krb5-config - - krb5-kdc - - krb5-user - - language-pack-en - - lcov - - libacl1-dev - - libarchive-dev - - libattr1-dev - - libavahi-common-dev - - libblkid-dev - - libbsd-dev - - libcap-dev - - libcups2-dev - - libdbus-1-dev - - libglib2.0-dev - - libgnutls28-dev - - libgpgme11-dev - - libicu-dev - - libjansson-dev - - libjs-jquery - - libjson-perl - - libkrb5-dev - - libldap2-dev - - liblmdb-dev - - libncurses5-dev - - libpam0g-dev - - libparse-yapp-perl - - libpcap-dev - - libpopt-dev - - libreadline-dev - - libsystemd-dev - - libtasn1-bin - - libtasn1-dev - - libunwind-dev - - lmdb-utils - - locales - - lsb-release - - make - - mawk - - mingw-w64 - - patch - - perl - - perl-modules - - pkg-config - - procps - - psmisc - - python3 - - python3-dbg - - python3-dev - - python3-dnspython - - python3-gpgme - - python3-iso8601 - - python3-markdown - - python3-matplotlib - - python3-pexpect - - rng-tools - - rsync - - sed - - sudo - - tar - - tree - - uuid-dev - - xfslibs-dev - - xsltproc - - zlib1g-dev \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 2378dd2d94f..7344075d11d 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -cd4cebb9c611fb98f3a21171dd4832df930add28 +2b0275df23424240774afcd61fae8abed8663996 -- 2.25.1 From 8a9e1d2f57aaac8e8ae2a4ff56f098e5896eedaa Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 17 Mar 2020 16:49:02 +1300 Subject: [PATCH 004/380] bootstrap: Bring back a Ubuntu 16.04 build but just for the samba-fuzz task This is needed to restore oss-fuzz support, as this uses the Ubuntu 16.04 package list because all the docker images provided start with a Ubuntu 16.04 base. REF: https://github.com/google/oss-fuzz/issues/3505 REF: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=21189 Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer (cherry picked from commit e10910f8de542b0be9b89942791bd37288b7a32a) --- .gitlab-ci.yml | 3 +- bootstrap/.gitlab-ci.yml | 11 +- bootstrap/config.py | 11 ++ bootstrap/generated-dists/Vagrantfile | 7 ++ .../generated-dists/ubuntu1604/Dockerfile | 27 +++++ .../generated-dists/ubuntu1604/bootstrap.sh | 104 ++++++++++++++++++ .../generated-dists/ubuntu1604/locale.sh | 55 +++++++++ .../generated-dists/ubuntu1604/packages.yml | 89 +++++++++++++++ bootstrap/sha1sum.txt | 2 +- 9 files changed, 305 insertions(+), 4 deletions(-) create mode 100644 bootstrap/generated-dists/ubuntu1604/Dockerfile create mode 100755 bootstrap/generated-dists/ubuntu1604/bootstrap.sh create mode 100755 bootstrap/generated-dists/ubuntu1604/locale.sh create mode 100644 bootstrap/generated-dists/ubuntu1604/packages.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 9bd5dd04b4f..8becacb8d4e 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 2b0275df23424240774afcd61fae8abed8663996 + SAMBA_CI_CONTAINER_TAG: 6bb2eeaf8203467d9a93a722071b0f081027410e # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -157,6 +157,7 @@ samba-static: samba-fuzz: extends: .shared_template + image: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-ubuntu1604:${SAMBA_CI_CONTAINER_TAG} ctdb: extends: .shared_template diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index 4e52da09dcc..ecd9f4d4223 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -9,6 +9,7 @@ services: - gce variables: SAMBA_CI_IS_BROKEN_IMAGE: "no" + SAMBA_CI_TEST_JOB: "samba-o3" before_script: # Ensure we are generating correct the container - uname -a @@ -40,9 +41,9 @@ services: docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \ bootstrap/template.py --sha1sum > /tmp/sha1sum-template.txt diff -u bootstrap/sha1sum.txt /tmp/sha1sum-template.txt - # run smoke test with samba-o3 + # run smoke test with samba-o3 or samba-fuzz docker run --volume $(pwd):${samba_repo_root} --workdir ${samba_repo_root} ${ci_image_name} \ - /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py samba-o3 --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" + /bin/bash -c "sudo chown -R samba:samba ./** && export PKG_CONFIG_PATH=/usr/lib64/compat-gnutls34/pkgconfig:/usr/lib64/compat-nettle32/pkgconfig && script/autobuild.py ${SAMBA_CI_TEST_JOB} --verbose --nocleanup --keeplogs --tail --testbase /tmp/samba-testbase" docker tag ${ci_image_name} ${ci_image_path}:${SAMBA_CI_CONTAINER_TAG} docker tag ${ci_image_name} ${ci_image_path}:${timestamp_tag} # We build all images, but only upload is it's not marked as broken @@ -83,6 +84,12 @@ services: # - $SAMBA_CI_REBUILD_BROKEN_IMAGES == "yes" +# This is ONLY for oss-fuzz, so we test a fuzz build not a real one +ubuntu1604: + extends: .build_image_template + variables: + SAMBA_CI_TEST_JOB: "samba-fuzz" + ubuntu1804: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index 19a2cf08b9d..ff9bb150672 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -382,6 +382,17 @@ DEB_DISTS = { 'liburing-dev': '', # not available } }, + 'ubuntu1604': { + 'docker_image': 'ubuntu:16.04', + 'vagrant_box': 'ubuntu/xenial64', + 'replace': { + 'python-gpg': 'python-gpgme', + 'python3-gpg': 'python3-gpgme', + 'glusterfs-common': '', + 'libcephfs-dev': '', + 'liburing-dev': '', # not available + } + }, 'ubuntu1804': { 'docker_image': 'ubuntu:18.04', 'vagrant_box': 'ubuntu/bionic64', diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 091c65488cb..47c58d5a87b 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -66,6 +66,13 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "opensuse151/locale.sh" end + config.vm.define "ubuntu1604" do |v| + v.vm.box = "ubuntu/xenial64" + v.vm.hostname = "ubuntu1604" + v.vm.provision :shell, path: "ubuntu1604/bootstrap.sh" + v.vm.provision :shell, path: "ubuntu1604/locale.sh" + end + config.vm.define "ubuntu1804" do |v| v.vm.box = "ubuntu/bionic64" v.vm.hostname = "ubuntu1804" diff --git a/bootstrap/generated-dists/ubuntu1604/Dockerfile b/bootstrap/generated-dists/ubuntu1604/Dockerfile new file mode 100644 index 00000000000..93001fcdcca --- /dev/null +++ b/bootstrap/generated-dists/ubuntu1604/Dockerfile @@ -0,0 +1,27 @@ +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +FROM ubuntu:16.04 + +# pass in with --build-arg while build +ARG SHA1SUM +RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt + +ADD *.sh /tmp/ +# need root permission, do it before USER samba +RUN /tmp/bootstrap.sh && /tmp/locale.sh + +# if ld.gold exists, force link it to ld +RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" + +# make test can not work with root, so we have to create a new user +RUN useradd -m -U -s /bin/bash samba && \ + mkdir -p /etc/sudoers.d && \ + echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba + +USER samba +WORKDIR /home/samba +# samba tests rely on this +ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1604/bootstrap.sh b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh new file mode 100755 index 00000000000..a8f47762ded --- /dev/null +++ b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh @@ -0,0 +1,104 @@ +#!/bin/bash + +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +set -xueo pipefail + +export DEBIAN_FRONTEND=noninteractive +apt-get -y update + +apt-get -y install \ + acl \ + apt-utils \ + attr \ + autoconf \ + bind9utils \ + binutils \ + bison \ + build-essential \ + chrpath \ + curl \ + debhelper \ + dnsutils \ + docbook-xml \ + docbook-xsl \ + flex \ + gcc \ + gdb \ + git \ + gzip \ + heimdal-multidev \ + hostname \ + htop \ + krb5-config \ + krb5-kdc \ + krb5-user \ + language-pack-en \ + lcov \ + libacl1-dev \ + libarchive-dev \ + libattr1-dev \ + libavahi-common-dev \ + libblkid-dev \ + libbsd-dev \ + libcap-dev \ + libcups2-dev \ + libdbus-1-dev \ + libglib2.0-dev \ + libgnutls28-dev \ + libgpgme11-dev \ + libicu-dev \ + libjansson-dev \ + libjs-jquery \ + libjson-perl \ + libkrb5-dev \ + libldap2-dev \ + liblmdb-dev \ + libncurses5-dev \ + libpam0g-dev \ + libparse-yapp-perl \ + libpcap-dev \ + libpopt-dev \ + libreadline-dev \ + libsystemd-dev \ + libtasn1-bin \ + libtasn1-dev \ + libunwind-dev \ + lmdb-utils \ + locales \ + lsb-release \ + make \ + mawk \ + mingw-w64 \ + patch \ + perl \ + perl-modules \ + pkg-config \ + procps \ + psmisc \ + python3 \ + python3-dbg \ + python3-dev \ + python3-dnspython \ + python3-gpgme \ + python3-iso8601 \ + python3-markdown \ + python3-matplotlib \ + python3-pexpect \ + rng-tools \ + rsync \ + sed \ + sudo \ + tar \ + tree \ + uuid-dev \ + xfslibs-dev \ + xsltproc \ + zlib1g-dev + +apt-get -y autoremove +apt-get -y autoclean +apt-get -y clean \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1604/locale.sh b/bootstrap/generated-dists/ubuntu1604/locale.sh new file mode 100755 index 00000000000..cc64e180483 --- /dev/null +++ b/bootstrap/generated-dists/ubuntu1604/locale.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +set -xueo pipefail + +# refer to /usr/share/i18n/locales +INPUTFILE=en_US +# refer to /usr/share/i18n/charmaps +CHARMAP=UTF-8 +# locale to generate in /usr/lib/locale +# glibc/localedef will normalize UTF-8 to utf8, follow the naming style +LOCALE=$INPUTFILE.utf8 + +# if locale is already correct, exit +( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 + +# if locale not available, generate locale into /usr/lib/locale +if ! ( locale --all-locales | grep -i $LOCALE ) +then + # no-archive means create its own dir + localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE +fi + +# update locale conf and global env file +# set both LC_ALL and LANG for safe + +# update conf for Debian family +FILE=/etc/default/locale +if [ -f $FILE ] +then + echo LC_ALL="$LOCALE" > $FILE + echo LANG="$LOCALE" >> $FILE +fi + +# update conf for RedHat family +FILE=/etc/locale.conf +if [ -f $FILE ] +then + # LC_ALL is not valid in this file, set LANG only + echo LANG="$LOCALE" > $FILE +fi + +# update global env file +FILE=/etc/environment +if [ -f $FILE ] +then + # append LC_ALL if not exist + grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE + # append LANG if not exist + grep LANG $FILE || echo LANG="$LOCALE" >> $FILE +fi \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu1604/packages.yml b/bootstrap/generated-dists/ubuntu1604/packages.yml new file mode 100644 index 00000000000..c3cd9af9c3e --- /dev/null +++ b/bootstrap/generated-dists/ubuntu1604/packages.yml @@ -0,0 +1,89 @@ +--- +packages: + - acl + - apt-utils + - attr + - autoconf + - bind9utils + - binutils + - bison + - build-essential + - chrpath + - curl + - debhelper + - dnsutils + - docbook-xml + - docbook-xsl + - flex + - gcc + - gdb + - git + - gzip + - heimdal-multidev + - hostname + - htop + - krb5-config + - krb5-kdc + - krb5-user + - language-pack-en + - lcov + - libacl1-dev + - libarchive-dev + - libattr1-dev + - libavahi-common-dev + - libblkid-dev + - libbsd-dev + - libcap-dev + - libcups2-dev + - libdbus-1-dev + - libglib2.0-dev + - libgnutls28-dev + - libgpgme11-dev + - libicu-dev + - libjansson-dev + - libjs-jquery + - libjson-perl + - libkrb5-dev + - libldap2-dev + - liblmdb-dev + - libncurses5-dev + - libpam0g-dev + - libparse-yapp-perl + - libpcap-dev + - libpopt-dev + - libreadline-dev + - libsystemd-dev + - libtasn1-bin + - libtasn1-dev + - libunwind-dev + - lmdb-utils + - locales + - lsb-release + - make + - mawk + - mingw-w64 + - patch + - perl + - perl-modules + - pkg-config + - procps + - psmisc + - python3 + - python3-dbg + - python3-dev + - python3-dnspython + - python3-gpgme + - python3-iso8601 + - python3-markdown + - python3-matplotlib + - python3-pexpect + - rng-tools + - rsync + - sed + - sudo + - tar + - tree + - uuid-dev + - xfslibs-dev + - xsltproc + - zlib1g-dev \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 7344075d11d..1c9d01d5e7d 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -2b0275df23424240774afcd61fae8abed8663996 +6bb2eeaf8203467d9a93a722071b0f081027410e -- 2.25.1 From 726fb38c1ce2126886eaf8a8ed050c54e98c5daf Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 17 Mar 2020 17:39:48 +0100 Subject: [PATCH 005/380] bootstrap: Add podman command to readme Reviewed-by: Alexander Bokovoy (cherry picked from commit 272b43d331c7cd0452069128166404af7f088b36) --- bootstrap/READMD.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/bootstrap/READMD.md b/bootstrap/READMD.md index b8a30098b67..023686e20c4 100644 --- a/bootstrap/READMD.md +++ b/bootstrap/READMD.md @@ -83,6 +83,10 @@ With Docker: docker pull registry.gitlab.com/samba-team/devel/samba/samba-ci-ubuntu1804:${sha1sum} docker run -it -v $(pwd):/home/samba/samba samba-ci-ubuntu1804:${sha1sum} bash +With podman: + + podman run -ti --cap-add=SYS_PTRACE --security-opt seccomp=unconfined registry.gitlab.com/samba-team/devel/samba/samba-ci-ubuntu1804:${sha1sum} bash + With Vagrant: cd bootstrap/generated-dists/ -- 2.25.1 From 12fe6ac5e72ff4ca10d883ce3ef2098d8e6fd2a0 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 16 Mar 2020 17:00:16 +0100 Subject: [PATCH 006/380] third_party: Update nss_wrapper to version 1.1.10 Signed-off-by: Andreas Schneider Reviewed-by: Alexander Bokovoy Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Mar 20 12:41:36 UTC 2020 on sn-devel-184 (cherry picked from commit 639e64d30d54d600e96ea06c9a2afaa91cb1c9a4) --- buildtools/wafsamba/samba_third_party.py | 2 +- third_party/nss_wrapper/nss_wrapper.c | 550 ++++++++++++++++++++--- third_party/nss_wrapper/wscript | 3 +- 3 files changed, 493 insertions(+), 62 deletions(-) diff --git a/buildtools/wafsamba/samba_third_party.py b/buildtools/wafsamba/samba_third_party.py index 38df19369d7..a7026034984 100644 --- a/buildtools/wafsamba/samba_third_party.py +++ b/buildtools/wafsamba/samba_third_party.py @@ -29,7 +29,7 @@ Build.BuildContext.CHECK_SOCKET_WRAPPER = CHECK_SOCKET_WRAPPER @conf def CHECK_NSS_WRAPPER(conf): - return conf.CHECK_BUNDLED_SYSTEM_PKG('nss_wrapper', minversion='1.1.7') + return conf.CHECK_BUNDLED_SYSTEM_PKG('nss_wrapper', minversion='1.1.10') Build.BuildContext.CHECK_NSS_WRAPPER = CHECK_NSS_WRAPPER @conf diff --git a/third_party/nss_wrapper/nss_wrapper.c b/third_party/nss_wrapper/nss_wrapper.c index 1bcd3b1b72d..d90264c6d24 100644 --- a/third_party/nss_wrapper/nss_wrapper.c +++ b/third_party/nss_wrapper/nss_wrapper.c @@ -351,6 +351,15 @@ struct nwrap_libc_fns { struct hostent *(*_libc_gethostbyname)(const char *name); #ifdef HAVE_GETHOSTBYNAME2 /* GNU extension */ struct hostent *(*_libc_gethostbyname2)(const char *name, int af); +#endif +#ifdef HAVE_GETHOSTBYNAME2_R /* GNU extension */ + int (*_libc_gethostbyname2_r)(const char *name, + int af, + struct hostent *ret, + char *buf, + size_t buflen, + struct hostent **result, + int *h_errnop); #endif struct hostent *(*_libc_gethostbyaddr)(const void *addr, socklen_t len, int type); @@ -395,6 +404,14 @@ struct nwrap_module_nss_fns { NSS_STATUS (*_nss_getgrent_r)(struct group *result, char *buffer, size_t buflen, int *errnop); NSS_STATUS (*_nss_endgrent)(void); + NSS_STATUS (*_nss_gethostbyaddr_r)(const void *addr, socklen_t addrlen, + int af, struct hostent *result, + char *buffer, size_t buflen, + int *errnop, int *h_errnop); + NSS_STATUS (*_nss_gethostbyname2_r)(const char *name, int af, + struct hostent *result, + char *buffer, size_t buflen, + int *errnop, int *h_errnop); }; struct nwrap_backend { @@ -405,6 +422,8 @@ struct nwrap_backend { struct nwrap_module_nss_fns *fns; }; +struct nwrap_vector; + struct nwrap_ops { struct passwd * (*nw_getpwnam)(struct nwrap_backend *b, const char *name); @@ -440,6 +459,18 @@ struct nwrap_ops { struct group *grdst, char *buf, size_t buflen, struct group **grdstp); void (*nw_endgrent)(struct nwrap_backend *b); + struct hostent *(*nw_gethostbyaddr)(struct nwrap_backend *b, + const void *addr, + socklen_t len, int type); + struct hostent *(*nw_gethostbyname)(struct nwrap_backend *b, + const char *name); + struct hostent *(*nw_gethostbyname2)(struct nwrap_backend *b, + const char *name, int af); + int (*nw_gethostbyname2_r)(struct nwrap_backend *b, + const char *name, int af, + struct hostent *hedst, + char *buf, size_t buflen, + struct hostent **hedstp); }; /* Public prototypes */ @@ -485,6 +516,20 @@ static int nwrap_files_getgrent_r(struct nwrap_backend *b, struct group *grdst, char *buf, size_t buflen, struct group **grdstp); static void nwrap_files_endgrent(struct nwrap_backend *b); +static struct hostent *nwrap_files_gethostbyaddr(struct nwrap_backend *b, + const void *addr, + socklen_t len, int type); +static struct hostent *nwrap_files_gethostbyname(struct nwrap_backend *b, + const char *name); +#ifdef HAVE_GETHOSTBYNAME2 +static struct hostent *nwrap_files_gethostbyname2(struct nwrap_backend *b, + const char *name, int af); +#endif /* HAVE_GETHOSTBYNAME2 */ +static int nwrap_files_gethostbyname2_r(struct nwrap_backend *b, + const char *name, int af, + struct hostent *hedst, + char *buf, size_t buflen, + struct hostent **hedstp); /* prototypes for module backend */ @@ -522,6 +567,18 @@ static void nwrap_module_setgrent(struct nwrap_backend *b); static void nwrap_module_endgrent(struct nwrap_backend *b); static int nwrap_module_initgroups(struct nwrap_backend *b, const char *user, gid_t group); +static struct hostent *nwrap_module_gethostbyaddr(struct nwrap_backend *b, + const void *addr, + socklen_t len, int type); +static struct hostent *nwrap_module_gethostbyname(struct nwrap_backend *b, + const char *name); +static struct hostent *nwrap_module_gethostbyname2(struct nwrap_backend *b, + const char *name, int af); +static int nwrap_module_gethostbyname2_r(struct nwrap_backend *b, + const char *name, int af, + struct hostent *hedst, + char *buf, size_t buflen, + struct hostent **hedstp); struct nwrap_ops nwrap_files_ops = { .nw_getpwnam = nwrap_files_getpwnam, @@ -541,6 +598,12 @@ struct nwrap_ops nwrap_files_ops = { .nw_getgrent = nwrap_files_getgrent, .nw_getgrent_r = nwrap_files_getgrent_r, .nw_endgrent = nwrap_files_endgrent, + .nw_gethostbyaddr = nwrap_files_gethostbyaddr, + .nw_gethostbyname = nwrap_files_gethostbyname, +#ifdef HAVE_GETHOSTBYNAME2 + .nw_gethostbyname2 = nwrap_files_gethostbyname2, +#endif /* HAVE_GETHOSTBYNAME2 */ + .nw_gethostbyname2_r = nwrap_files_gethostbyname2_r, }; struct nwrap_ops nwrap_module_ops = { @@ -561,6 +624,10 @@ struct nwrap_ops nwrap_module_ops = { .nw_getgrent = nwrap_module_getgrent, .nw_getgrent_r = nwrap_module_getgrent_r, .nw_endgrent = nwrap_module_endgrent, + .nw_gethostbyaddr = nwrap_module_gethostbyaddr, + .nw_gethostbyname = nwrap_module_gethostbyname, + .nw_gethostbyname2 = nwrap_module_gethostbyname2, + .nw_gethostbyname2_r = nwrap_module_gethostbyname2_r, }; struct nwrap_libc { @@ -571,7 +638,7 @@ struct nwrap_libc { }; struct nwrap_main { - int num_backends; + size_t num_backends; struct nwrap_backend *backends; struct nwrap_libc *libc; }; @@ -1318,6 +1385,27 @@ static struct hostent *libc_gethostbyname2(const char *name, int af) } #endif +#ifdef HAVE_GETHOSTBYNAME2_R /* GNU extension */ +static int libc_gethostbyname2_r(const char *name, + int af, + struct hostent *ret, + char *buf, + size_t buflen, + struct hostent **result, + int *h_errnop) +{ + nwrap_load_lib_function(NWRAP_LIBNSL, gethostbyname2_r); + + return nwrap_main_global->libc->fns->_libc_gethostbyname2_r(name, + af, + ret, + buf, + buflen, + result, + h_errnop); +} +#endif + static struct hostent *libc_gethostbyaddr(const void *addr, socklen_t len, int type) @@ -1417,22 +1505,24 @@ static int libc_getnameinfo(const struct sockaddr *sa, static void *nwrap_load_module_fn(struct nwrap_backend *b, const char *fn_name) { - void *res; - char *s; + void *res = NULL; + char *s = NULL; + int rc; - if (!b->so_handle) { + if (b->so_handle == NULL) { NWRAP_LOG(NWRAP_LOG_ERROR, "No handle"); return NULL; } - if (asprintf(&s, "_nss_%s_%s", b->name, fn_name) == -1) { + rc = asprintf(&s, "_nss_%s_%s", b->name, fn_name); + if (rc == -1) { NWRAP_LOG(NWRAP_LOG_ERROR, "Out of memory"); return NULL; } res = dlsym(b->so_handle, s); - if (!res) { - NWRAP_LOG(NWRAP_LOG_ERROR, + if (res == NULL) { + NWRAP_LOG(NWRAP_LOG_WARN, "Cannot find function %s in %s", s, b->so_path); } @@ -1475,6 +1565,10 @@ static struct nwrap_module_nss_fns *nwrap_load_module_fns(struct nwrap_backend * nwrap_load_module_fn(b, "getgrent_r"); *(void **)(&fns->_nss_endgrent) = nwrap_load_module_fn(b, "endgrent"); + *(void **)(&fns->_nss_gethostbyaddr_r) = + nwrap_load_module_fn(b, "gethostbyaddr_r"); + *(void **)(&fns->_nss_gethostbyname2_r) = + nwrap_load_module_fn(b, "gethostbyname2_r"); return fns; } @@ -1501,7 +1595,7 @@ static void *nwrap_load_module(const char *so_path) static bool nwrap_module_init(const char *name, struct nwrap_ops *ops, const char *so_path, - int *num_backends, + size_t *num_backends, struct nwrap_backend **backends) { struct nwrap_backend *b; @@ -3513,9 +3607,9 @@ static void nwrap_files_endgrent(struct nwrap_backend *b) } /* hosts functions */ -static int nwrap_files_gethostbyname(const char *name, int af, - struct hostent *result, - struct nwrap_vector *addr_list) +static int nwrap_files_internal_gethostbyname(const char *name, int af, + struct hostent *result, + struct nwrap_vector *addr_list) { struct nwrap_entlist *el; struct hostent *he; @@ -3527,6 +3621,12 @@ static int nwrap_files_gethostbyname(const char *name, int af, bool he_found = false; bool ok; + /* + * We need to make sure we have zeroed return pointer for consumers + * which don't check return values, e.g. OpenLDAP. + */ + ZERO_STRUCTP(result); + ok = nwrap_files_cache_reload(nwrap_he_global.cache); if (!ok) { NWRAP_LOG(NWRAP_LOG_ERROR, "error loading hosts file"); @@ -3611,19 +3711,30 @@ no_ent: return -1; } -#ifdef HAVE_GETHOSTBYNAME_R -static int nwrap_gethostbyname_r(const char *name, - struct hostent *ret, - char *buf, size_t buflen, - struct hostent **result, int *h_errnop) +static int nwrap_files_gethostbyname2_r(struct nwrap_backend *b, + const char *name, int af, + struct hostent *hedst, + char *buf, size_t buflen, + struct hostent **hedstp) { - struct nwrap_vector *addr_list = malloc(sizeof(struct nwrap_vector)); + struct nwrap_vector *addr_list = NULL; union { char *ptr; char **list; } g; int rc; + (void) b; /* unused */ + (void) af; /* unused */ + + if (name == NULL || hedst == NULL || buf == NULL || buflen == 0) { + errno = EINVAL; + return -1; + } + *hedstp = NULL; + buf[0] = '\0'; + + addr_list = calloc(1, sizeof(struct nwrap_vector)); if (addr_list == NULL) { NWRAP_LOG(NWRAP_LOG_ERROR, "Unable to allocate memory for address list"); @@ -3631,20 +3742,17 @@ static int nwrap_gethostbyname_r(const char *name, return -1; } - ZERO_STRUCTP(addr_list); - - rc = nwrap_files_gethostbyname(name, AF_UNSPEC, ret, addr_list); + rc = nwrap_files_internal_gethostbyname(name, af, hedst, + addr_list); if (rc == -1) { - *h_errnop = h_errno; - if (addr_list->items != NULL) { - free(addr_list->items); - } + SAFE_FREE(addr_list->items); SAFE_FREE(addr_list); errno = ENOENT; return -1; } - if (buflen < (addr_list->count * sizeof(void *))) { + /* +1 i for ending NULL pointer */ + if (buflen < ((addr_list->count + 1) * sizeof(void *))) { SAFE_FREE(addr_list->items); SAFE_FREE(addr_list); return ERANGE; @@ -3655,15 +3763,38 @@ static int nwrap_gethostbyname_r(const char *name, * +1 is for ending NULL pointer. */ memcpy(buf, addr_list->items, (addr_list->count + 1) * sizeof(void *)); - free(addr_list->items); - free(addr_list); + SAFE_FREE(addr_list->items); + SAFE_FREE(addr_list); g.ptr = buf; - ret->h_addr_list = g.list; - *result = ret; + hedst->h_addr_list = g.list; + *hedstp = hedst; return 0; } +#ifdef HAVE_GETHOSTBYNAME_R +static int nwrap_gethostbyname_r(const char *name, + struct hostent *ret, + char *buf, size_t buflen, + struct hostent **result, int *h_errnop) +{ + int rc; + size_t i; + + for (i=0; i < nwrap_main_global->num_backends; i++) { + struct nwrap_backend *b = &nwrap_main_global->backends[i]; + rc = b->ops->nw_gethostbyname2_r(b, name, AF_UNSPEC, ret, + buf, buflen, result); + if (rc == 0) { + return 0; + } else if (rc == ERANGE) { + return ERANGE; + } + } + *h_errnop = h_errno; + return ENOENT; +} + int gethostbyname_r(const char *name, struct hostent *ret, char *buf, size_t buflen, @@ -3682,6 +3813,44 @@ int gethostbyname_r(const char *name, } #endif +#ifdef HAVE_GETHOSTBYNAME2_R +static int nwrap_gethostbyname2_r(const char *name, int af, + struct hostent *ret, + char *buf, size_t buflen, + struct hostent **result, int *h_errnop) +{ + int rc; + size_t i; + + for (i=0; i < nwrap_main_global->num_backends; i++) { + struct nwrap_backend *b = &nwrap_main_global->backends[i]; + rc = b->ops->nw_gethostbyname2_r(b, name, af, ret, + buf, buflen, result); + if (rc == 0) { + return 0; + } else if (rc == ERANGE) { + return ERANGE; + } + } + *h_errnop = h_errno; + return ENOENT; +} + +int gethostbyname2_r(const char *name, int af, + struct hostent *ret, + char *buf, size_t buflen, + struct hostent **result, int *h_errnop) +{ + if (!nss_wrapper_hosts_enabled()) { + return libc_gethostbyname2_r(name, af, ret, buf, buflen, + result, h_errnop); + } + + return nwrap_gethostbyname2_r(name, af, ret, buf, buflen, result, + h_errnop); +} +#endif + static int nwrap_files_getaddrinfo(const char *name, unsigned short port, const struct addrinfo *hints, @@ -3785,7 +3954,8 @@ static int nwrap_files_getaddrinfo(const char *name, return rc; } -static struct hostent *nwrap_files_gethostbyaddr(const void *addr, +static struct hostent *nwrap_files_gethostbyaddr(struct nwrap_backend *b, + const void *addr, socklen_t len, int type) { struct hostent *he; @@ -3795,6 +3965,7 @@ static struct hostent *nwrap_files_gethostbyaddr(const void *addr, size_t i; bool ok; + (void) b; /* unused */ (void) len; /* unused */ ok = nwrap_files_cache_reload(nwrap_he_global.cache); @@ -3831,15 +4002,23 @@ static int nwrap_gethostbyaddr_r(const void *addr, socklen_t len, int type, char *buf, size_t buflen, struct hostent **result, int *h_errnop) { - *result = nwrap_files_gethostbyaddr(addr, len, type); + size_t i; + for (i=0; i < nwrap_main_global->num_backends; i++) { + struct nwrap_backend *b = &nwrap_main_global->backends[i]; + *result = b->ops->nw_gethostbyaddr(b, addr, len, type); + if (*result != NULL) { + break; + } + } + if (*result != NULL) { memset(buf, '\0', buflen); *ret = **result; return 0; - } else { - *h_errnop = h_errno; - return -1; } + + *h_errnop = h_errno; + return -1; } int gethostbyaddr_r(const void *addr, socklen_t len, int type, @@ -4336,13 +4515,189 @@ static void nwrap_module_endgrent(struct nwrap_backend *b) b->fns->_nss_endgrent(); } +static struct hostent *nwrap_module_gethostbyaddr(struct nwrap_backend *b, + const void *addr, + socklen_t len, int type) +{ + static struct hostent he; + static char *buf = NULL; + static size_t buflen = 1000; + NSS_STATUS status; + + if (b->fns->_nss_gethostbyaddr_r == NULL) { + return NULL; + } + + if (buf == NULL) { + buf = (char *)malloc(buflen); + if (buf == NULL) { + return NULL; + } + } +again: + status = b->fns->_nss_gethostbyaddr_r(addr, len, type, &he, + buf, buflen, &errno, &h_errno); + if (status == NSS_STATUS_TRYAGAIN) { + char *p = NULL; + + buflen *= 2; + p = (char *)realloc(buf, buflen); + if (p == NULL) { + SAFE_FREE(buf); + return NULL; + } + buf = p; + goto again; + } + if (status == NSS_STATUS_NOTFOUND) { + SAFE_FREE(buf); + return NULL; + } + if (status != NSS_STATUS_SUCCESS) { + SAFE_FREE(buf); + return NULL; + } + + return &he; +} + +static int nwrap_module_gethostbyname2_r(struct nwrap_backend *b, + const char *name, int af, + struct hostent *hedst, + char *buf, size_t buflen, + struct hostent **hedstp) +{ + NSS_STATUS status; + + *hedstp = NULL; + + if (b->fns->_nss_gethostbyname2_r == NULL) { + return ENOENT; + } + + status = b->fns->_nss_gethostbyname2_r(name, af, hedst, + buf, buflen, &errno, &h_errno); + switch (status) { + case NSS_STATUS_SUCCESS: + *hedstp = hedst; + return 0; + case NSS_STATUS_NOTFOUND: + if (errno != 0) { + return errno; + } + return ENOENT; + case NSS_STATUS_TRYAGAIN: + if (errno != 0) { + return errno; + } + return ERANGE; + default: + if (errno != 0) { + return errno; + } + return status; + } +} + +static struct hostent *nwrap_module_gethostbyname(struct nwrap_backend *b, + const char *name) +{ + static struct hostent he; + static char *buf = NULL; + static size_t buflen = 1000; + NSS_STATUS status; + + if (b->fns->_nss_gethostbyname2_r == NULL) { + return NULL; + } + + if (buf == NULL) { + buf = (char *)malloc(buflen); + if (buf == NULL) { + return NULL; + } + } + +again: + status = b->fns->_nss_gethostbyname2_r(name, AF_UNSPEC, &he, + buf, buflen, &errno, &h_errno); + if (status == NSS_STATUS_TRYAGAIN) { + char *p = NULL; + + buflen *= 2; + p = (char *)realloc(buf, buflen); + if (p == NULL) { + SAFE_FREE(buf); + return NULL; + } + buf = p; + goto again; + } + if (status == NSS_STATUS_NOTFOUND) { + SAFE_FREE(buf); + return NULL; + } + if (status != NSS_STATUS_SUCCESS) { + SAFE_FREE(buf); + return NULL; + } + + return &he; +} + +static struct hostent *nwrap_module_gethostbyname2(struct nwrap_backend *b, + const char *name, int af) +{ + static struct hostent he; + static char *buf = NULL; + static size_t buflen = 1000; + NSS_STATUS status; + + if (b->fns->_nss_gethostbyname2_r == NULL) { + return NULL; + } + + if (buf == NULL) { + buf = (char *)malloc(buflen); + if (buf == NULL) { + return NULL; + } + } + +again: + status = b->fns->_nss_gethostbyname2_r(name, af, &he, + buf, buflen, &errno, &h_errno); + if (status == NSS_STATUS_TRYAGAIN) { + char *p = NULL; + + buflen *= 2; + p = (char *)realloc(buf, buflen); + if (p == NULL) { + SAFE_FREE(buf); + return NULL; + } + buf = p; + goto again; + } + if (status == NSS_STATUS_NOTFOUND) { + SAFE_FREE(buf); + return NULL; + } + if (status != NSS_STATUS_SUCCESS) { + SAFE_FREE(buf); + return NULL; + } + + return &he; +} + /**************************************************************************** * GETPWNAM ***************************************************************************/ static struct passwd *nwrap_getpwnam(const char *name) { - int i; + size_t i; struct passwd *pwd; for (i=0; i < nwrap_main_global->num_backends; i++) { @@ -4372,7 +4727,8 @@ struct passwd *getpwnam(const char *name) static int nwrap_getpwnam_r(const char *name, struct passwd *pwdst, char *buf, size_t buflen, struct passwd **pwdstp) { - int i,ret; + size_t i; + int ret; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4409,7 +4765,7 @@ int getpwnam_r(const char *name, struct passwd *pwdst, static struct passwd *nwrap_getpwuid(uid_t uid) { - int i; + size_t i; struct passwd *pwd; for (i=0; i < nwrap_main_global->num_backends; i++) { @@ -4439,7 +4795,8 @@ struct passwd *getpwuid(uid_t uid) static int nwrap_getpwuid_r(uid_t uid, struct passwd *pwdst, char *buf, size_t buflen, struct passwd **pwdstp) { - int i,ret; + size_t i; + int ret; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4474,7 +4831,7 @@ int getpwuid_r(uid_t uid, struct passwd *pwdst, static void nwrap_setpwent(void) { - int i; + size_t i; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4498,7 +4855,7 @@ void setpwent(void) static struct passwd *nwrap_getpwent(void) { - int i; + size_t i; struct passwd *pwd; for (i=0; i < nwrap_main_global->num_backends; i++) { @@ -4529,7 +4886,8 @@ struct passwd *getpwent(void) static int nwrap_getpwent_r(struct passwd *pwdst, char *buf, size_t buflen, struct passwd **pwdstp) { - int i,ret; + size_t i; + int ret; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4578,7 +4936,7 @@ int getpwent_r(struct passwd *pwdst, char *buf, static void nwrap_endpwent(void) { - int i; + size_t i; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4602,7 +4960,7 @@ void endpwent(void) static int nwrap_initgroups(const char *user, gid_t group) { - int i; + size_t i; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4633,7 +4991,7 @@ int initgroups(const char *user, gid_t group) static struct group *nwrap_getgrnam(const char *name) { - int i; + size_t i; struct group *grp; for (i=0; i < nwrap_main_global->num_backends; i++) { @@ -4663,7 +5021,8 @@ struct group *getgrnam(const char *name) static int nwrap_getgrnam_r(const char *name, struct group *grdst, char *buf, size_t buflen, struct group **grdstp) { - int i, ret; + size_t i; + int ret; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4704,7 +5063,7 @@ int getgrnam_r(const char *name, struct group *grp, static struct group *nwrap_getgrgid(gid_t gid) { - int i; + size_t i; struct group *grp; for (i=0; i < nwrap_main_global->num_backends; i++) { @@ -4734,7 +5093,8 @@ struct group *getgrgid(gid_t gid) static int nwrap_getgrgid_r(gid_t gid, struct group *grdst, char *buf, size_t buflen, struct group **grdstp) { - int i,ret; + size_t i; + int ret; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4771,7 +5131,7 @@ int getgrgid_r(gid_t gid, struct group *grdst, static void nwrap_setgrent(void) { - int i; + size_t i; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4806,7 +5166,7 @@ out: static struct group *nwrap_getgrent(void) { - int i; + size_t i; struct group *grp; for (i=0; i < nwrap_main_global->num_backends; i++) { @@ -4837,7 +5197,8 @@ struct group *getgrent(void) static int nwrap_getgrent_r(struct group *grdst, char *buf, size_t buflen, struct group **grdstp) { - int i,ret; + size_t i; + int ret; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -4887,7 +5248,7 @@ int getgrent_r(struct group *src, char *buf, static void nwrap_endgrent(void) { - int i; + size_t i; for (i=0; i < nwrap_main_global->num_backends; i++) { struct nwrap_backend *b = &nwrap_main_global->backends[i]; @@ -5129,6 +5490,7 @@ void endhostent(void) } #endif /* HAVE_SOLARIS_ENDHOSTENT */ + #ifdef BSD /* BSD implementation stores data in thread local storage but GLIBC does not */ static __thread struct hostent user_he; @@ -5137,12 +5499,37 @@ static __thread struct nwrap_vector user_addrlist; static struct hostent user_he; static struct nwrap_vector user_addrlist; #endif /* BSD */ + +static struct hostent *nwrap_files_gethostbyname(struct nwrap_backend *b, + const char *name) +{ + int ret; + + (void) b; /* unused */ + + ret = nwrap_files_internal_gethostbyname(name, AF_UNSPEC, &user_he, + &user_addrlist); + if (ret == 0) { + return &user_he; + } + + return NULL; +} + static struct hostent *nwrap_gethostbyname(const char *name) { - if (nwrap_files_gethostbyname(name, AF_UNSPEC, &user_he, &user_addrlist) == -1) { - return NULL; + size_t i; + struct hostent *he = NULL; + + for (i=0; i < nwrap_main_global->num_backends; i++) { + struct nwrap_backend *b = &nwrap_main_global->backends[i]; + he = b->ops->nw_gethostbyname(b, name); + if (he != NULL) { + return he; + } } - return &user_he; + + return NULL; } struct hostent *gethostbyname(const char *name) @@ -5164,12 +5551,37 @@ static __thread struct nwrap_vector user_addrlist2; static struct hostent user_he2; static struct nwrap_vector user_addrlist2; #endif /* BSD */ + +static struct hostent *nwrap_files_gethostbyname2(struct nwrap_backend *b, + const char *name, int af) +{ + int ret; + + (void) b; /* unused */ + + ret = nwrap_files_internal_gethostbyname(name, af, &user_he2, + &user_addrlist2); + if (ret == 0) { + return &user_he2; + } + + return NULL; +} + static struct hostent *nwrap_gethostbyname2(const char *name, int af) { - if (nwrap_files_gethostbyname(name, af, &user_he2, &user_addrlist2) == -1) { - return NULL; + size_t i; + struct hostent *he = NULL; + + for (i=0; i < nwrap_main_global->num_backends; i++) { + struct nwrap_backend *b = &nwrap_main_global->backends[i]; + he = b->ops->nw_gethostbyname2(b, name, af); + if (he != NULL) { + return he; + } } - return &user_he2; + + return NULL; } struct hostent *gethostbyname2(const char *name, int af) @@ -5185,7 +5597,18 @@ struct hostent *gethostbyname2(const char *name, int af) static struct hostent *nwrap_gethostbyaddr(const void *addr, socklen_t len, int type) { - return nwrap_files_gethostbyaddr(addr, len, type); + size_t i; + struct hostent *he = NULL; + + for (i=0; i < nwrap_main_global->num_backends; i++) { + struct nwrap_backend *b = &nwrap_main_global->backends[i]; + he = b->ops->nw_gethostbyaddr(b, addr, len, type); + if (he != NULL) { + return he; + } + } + + return NULL; } struct hostent *gethostbyaddr(const void *addr, @@ -5531,6 +5954,7 @@ static int nwrap_getnameinfo(const struct sockaddr *sa, socklen_t salen, socklen_t addrlen; uint16_t port; sa_family_t type; + size_t i; if (sa == NULL || salen < sizeof(sa_family_t)) { return EAI_FAMILY; @@ -5585,7 +6009,13 @@ static int nwrap_getnameinfo(const struct sockaddr *sa, socklen_t salen, if (host != NULL) { he = NULL; if ((flags & NI_NUMERICHOST) == 0) { - he = nwrap_files_gethostbyaddr(addr, addrlen, type); + for (i=0; i < nwrap_main_global->num_backends; i++) { + struct nwrap_backend *b = &nwrap_main_global->backends[i]; + he = b->ops->nw_gethostbyaddr(b, addr, addrlen, type); + if (he != NULL) { + break; + } + } if ((flags & NI_NAMEREQD) && (he == NULL || he->h_name == NULL)) return EAI_NONAME; } @@ -5698,7 +6128,7 @@ void nwrap_constructor(void) */ void nwrap_destructor(void) { - int i; + size_t i; NWRAP_LOCK_ALL; if (nwrap_main_global != NULL) { diff --git a/third_party/nss_wrapper/wscript b/third_party/nss_wrapper/wscript index dd83083b2e7..1f6e705ee07 100644 --- a/third_party/nss_wrapper/wscript +++ b/third_party/nss_wrapper/wscript @@ -2,7 +2,7 @@ import os -VERSION="1.1.7" +VERSION="1.1.10" def configure(conf): if conf.CHECK_NSS_WRAPPER(): @@ -28,6 +28,7 @@ def configure(conf): msg='Checking for printf format validation support') conf.CHECK_FUNCS('gethostbyaddr_r gethostbyname_r') + conf.CHECK_FUNCS('gethostbyname2 gethostbyname2_r') # Solaris conf.CHECK_FUNCS('__posix_getpwnam_r __posix_getpwuid_r') conf.CHECK_FUNCS('__posix_getgrgid_r __posix_getgrnam_r') -- 2.25.1 From e8fd17d4285019b8fd7ed48c82e52dd49101ce4c Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 19 Mar 2020 10:23:02 +0100 Subject: [PATCH 007/380] gitlab-ci: Remove Fedora 29 which is already EOL Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 087566641e32821ea3cae0d23bd70a5602581b53) --- .gitlab-ci.yml | 7 +- bootstrap/.gitlab-ci.yml | 3 - bootstrap/config.py | 9 -- bootstrap/generated-dists/Vagrantfile | 7 -- bootstrap/generated-dists/fedora29/Dockerfile | 27 ----- .../generated-dists/fedora29/bootstrap.sh | 108 ------------------ bootstrap/generated-dists/fedora29/locale.sh | 55 --------- .../generated-dists/fedora29/packages.yml | 95 --------------- bootstrap/sha1sum.txt | 2 +- 9 files changed, 2 insertions(+), 311 deletions(-) delete mode 100644 bootstrap/generated-dists/fedora29/Dockerfile delete mode 100755 bootstrap/generated-dists/fedora29/bootstrap.sh delete mode 100755 bootstrap/generated-dists/fedora29/locale.sh delete mode 100644 bootstrap/generated-dists/fedora29/packages.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 8becacb8d4e..1d89dda5045 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 6bb2eeaf8203467d9a93a722071b0f081027410e + SAMBA_CI_CONTAINER_TAG: 2366db8ea66e6a07f36b77c0f3152a06e7056adc # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -39,7 +39,6 @@ variables: SAMBA_CI_CONTAINER_IMAGE_debian10: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-debian10:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_opensuse150: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse150:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_opensuse151: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse151:${SAMBA_CI_CONTAINER_TAG} - SAMBA_CI_CONTAINER_IMAGE_fedora29: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-fedora29:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_fedora30: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-fedora30:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_fedora31: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-fedora31:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_centos7: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-centos7:${SAMBA_CI_CONTAINER_TAG} @@ -303,10 +302,6 @@ centos8-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_centos8 -fedora29-samba-o3: - extends: .samba-o3-template - image: $SAMBA_CI_CONTAINER_IMAGE_fedora29 - fedora30-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_fedora30 diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index ecd9f4d4223..c4c8599ef3d 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -102,9 +102,6 @@ fedora31: fedora30: extends: .build_image_template -fedora29: - extends: .build_image_template - centos8: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index ff9bb150672..36a19a1e6cf 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -453,15 +453,6 @@ RPM_DISTS = { 'liburing-devel': '', # not available yet, Add me back, once available! } }, - 'fedora29': { - 'docker_image': 'fedora:29', - 'vagrant_box': 'fedora/29-cloud-base', - 'bootstrap': DNF_BOOTSTRAP, - 'replace': { - 'lsb-release': 'redhat-lsb', - 'liburing-devel': '', # not available - } - }, 'fedora30': { 'docker_image': 'fedora:30', 'vagrant_box': 'fedora/30-cloud-base', diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 47c58d5a87b..2daf1dde552 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -31,13 +31,6 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "debian10/locale.sh" end - config.vm.define "fedora29" do |v| - v.vm.box = "fedora/29-cloud-base" - v.vm.hostname = "fedora29" - v.vm.provision :shell, path: "fedora29/bootstrap.sh" - v.vm.provision :shell, path: "fedora29/locale.sh" - end - config.vm.define "fedora30" do |v| v.vm.box = "fedora/30-cloud-base" v.vm.hostname = "fedora30" diff --git a/bootstrap/generated-dists/fedora29/Dockerfile b/bootstrap/generated-dists/fedora29/Dockerfile deleted file mode 100644 index 268c79da161..00000000000 --- a/bootstrap/generated-dists/fedora29/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM fedora:29 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora29/bootstrap.sh b/bootstrap/generated-dists/fedora29/bootstrap.sh deleted file mode 100755 index effe2a9d214..00000000000 --- a/bootstrap/generated-dists/fedora29/bootstrap.sh +++ /dev/null @@ -1,108 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -dnf update -y - -dnf install -y \ - --setopt=install_weak_deps=False \ - @development-tools \ - acl \ - attr \ - autoconf \ - avahi-devel \ - bind-utils \ - binutils \ - bison \ - chrpath \ - cups-devel \ - curl \ - dbus-devel \ - docbook-dtds \ - docbook-style-xsl \ - flex \ - gawk \ - gcc \ - gdb \ - git \ - glib2-devel \ - glibc-common \ - glibc-langpack-en \ - glusterfs-api-devel \ - glusterfs-devel \ - gnutls-devel \ - gpgme-devel \ - gzip \ - hostname \ - htop \ - jansson-devel \ - keyutils-libs-devel \ - krb5-devel \ - krb5-server \ - lcov \ - libacl-devel \ - libarchive-devel \ - libattr-devel \ - libblkid-devel \ - libbsd-devel \ - libcap-devel \ - libcephfs-devel \ - libicu-devel \ - libnsl2-devel \ - libpcap-devel \ - libsemanage-python \ - libtasn1-devel \ - libtasn1-tools \ - libtirpc-devel \ - libunwind-devel \ - libuuid-devel \ - libxslt \ - lmdb \ - lmdb-devel \ - make \ - mingw64-gcc \ - ncurses-devel \ - openldap-devel \ - pam-devel \ - patch \ - perl \ - perl-Archive-Tar \ - perl-ExtUtils-MakeMaker \ - perl-JSON-Parse \ - perl-Parse-Yapp \ - perl-Test-Base \ - perl-generators \ - perl-interpreter \ - pkgconfig \ - policycoreutils-python \ - popt-devel \ - procps-ng \ - psmisc \ - python3 \ - python3-devel \ - python3-dns \ - python3-gpg \ - python3-markdown \ - quota-devel \ - readline-devel \ - redhat-lsb \ - rng-tools \ - rpcgen \ - rpcsvc-proto-devel \ - rsync \ - sed \ - sudo \ - systemd-devel \ - tar \ - tree \ - which \ - xfsprogs-devel \ - yum-utils \ - zlib-devel - -dnf clean all \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora29/locale.sh b/bootstrap/generated-dists/fedora29/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/fedora29/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora29/packages.yml b/bootstrap/generated-dists/fedora29/packages.yml deleted file mode 100644 index 3b767f8ba08..00000000000 --- a/bootstrap/generated-dists/fedora29/packages.yml +++ /dev/null @@ -1,95 +0,0 @@ ---- -packages: - - @development-tools - - acl - - attr - - autoconf - - avahi-devel - - bind-utils - - binutils - - bison - - chrpath - - cups-devel - - curl - - dbus-devel - - docbook-dtds - - docbook-style-xsl - - flex - - gawk - - gcc - - gdb - - git - - glib2-devel - - glibc-common - - glibc-langpack-en - - glusterfs-api-devel - - glusterfs-devel - - gnutls-devel - - gpgme-devel - - gzip - - hostname - - htop - - jansson-devel - - keyutils-libs-devel - - krb5-devel - - krb5-server - - lcov - - libacl-devel - - libarchive-devel - - libattr-devel - - libblkid-devel - - libbsd-devel - - libcap-devel - - libcephfs-devel - - libicu-devel - - libnsl2-devel - - libpcap-devel - - libsemanage-python - - libtasn1-devel - - libtasn1-tools - - libtirpc-devel - - libunwind-devel - - libuuid-devel - - libxslt - - lmdb - - lmdb-devel - - make - - mingw64-gcc - - ncurses-devel - - openldap-devel - - pam-devel - - patch - - perl - - perl-Archive-Tar - - perl-ExtUtils-MakeMaker - - perl-JSON-Parse - - perl-Parse-Yapp - - perl-Test-Base - - perl-generators - - perl-interpreter - - pkgconfig - - policycoreutils-python - - popt-devel - - procps-ng - - psmisc - - python3 - - python3-devel - - python3-dns - - python3-gpg - - python3-markdown - - quota-devel - - readline-devel - - redhat-lsb - - rng-tools - - rpcgen - - rpcsvc-proto-devel - - rsync - - sed - - sudo - - systemd-devel - - tar - - tree - - which - - xfsprogs-devel - - yum-utils - - zlib-devel \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 1c9d01d5e7d..39f2633892e 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -6bb2eeaf8203467d9a93a722071b0f081027410e +2366db8ea66e6a07f36b77c0f3152a06e7056adc -- 2.25.1 From 5ea7f8cc213d10116331189c47e8ade83753d43d Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 19 Mar 2020 10:28:23 +0100 Subject: [PATCH 008/380] gitlab-ci: Remove Fedora 30 It is pretty similar to Fedora 31, so remove it safe some CI resources. We will add Fedora 32 next. Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit ef08b30380093726297529d20b087e64caa58572) --- .gitlab-ci.yml | 7 +- bootstrap/.gitlab-ci.yml | 3 - bootstrap/config.py | 9 -- bootstrap/generated-dists/Vagrantfile | 7 -- bootstrap/generated-dists/fedora30/Dockerfile | 27 ----- .../generated-dists/fedora30/bootstrap.sh | 108 ------------------ bootstrap/generated-dists/fedora30/locale.sh | 55 --------- .../generated-dists/fedora30/packages.yml | 95 --------------- bootstrap/sha1sum.txt | 2 +- 9 files changed, 2 insertions(+), 311 deletions(-) delete mode 100644 bootstrap/generated-dists/fedora30/Dockerfile delete mode 100755 bootstrap/generated-dists/fedora30/bootstrap.sh delete mode 100755 bootstrap/generated-dists/fedora30/locale.sh delete mode 100644 bootstrap/generated-dists/fedora30/packages.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 1d89dda5045..a8e1099be11 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 2366db8ea66e6a07f36b77c0f3152a06e7056adc + SAMBA_CI_CONTAINER_TAG: 9f95136e88779ec8eed6c18614b1e0779ef2bfec # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -39,7 +39,6 @@ variables: SAMBA_CI_CONTAINER_IMAGE_debian10: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-debian10:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_opensuse150: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse150:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_opensuse151: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse151:${SAMBA_CI_CONTAINER_TAG} - SAMBA_CI_CONTAINER_IMAGE_fedora30: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-fedora30:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_fedora31: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-fedora31:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_centos7: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-centos7:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_centos8: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-centos8:${SAMBA_CI_CONTAINER_TAG} @@ -302,10 +301,6 @@ centos8-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_centos8 -fedora30-samba-o3: - extends: .samba-o3-template - image: $SAMBA_CI_CONTAINER_IMAGE_fedora30 - fedora31-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_fedora31 diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index c4c8599ef3d..89c1453a34c 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -99,9 +99,6 @@ debian10: fedora31: extends: .build_image_template -fedora30: - extends: .build_image_template - centos8: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index 36a19a1e6cf..6d4d662d563 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -453,15 +453,6 @@ RPM_DISTS = { 'liburing-devel': '', # not available yet, Add me back, once available! } }, - 'fedora30': { - 'docker_image': 'fedora:30', - 'vagrant_box': 'fedora/30-cloud-base', - 'bootstrap': DNF_BOOTSTRAP, - 'replace': { - 'lsb-release': 'redhat-lsb', - 'liburing-devel': '', # not available - } - }, 'fedora31': { 'docker_image': 'fedora:31', 'vagrant_box': 'fedora/31-cloud-base', diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 2daf1dde552..770e364c70b 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -31,13 +31,6 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "debian10/locale.sh" end - config.vm.define "fedora30" do |v| - v.vm.box = "fedora/30-cloud-base" - v.vm.hostname = "fedora30" - v.vm.provision :shell, path: "fedora30/bootstrap.sh" - v.vm.provision :shell, path: "fedora30/locale.sh" - end - config.vm.define "fedora31" do |v| v.vm.box = "fedora/31-cloud-base" v.vm.hostname = "fedora31" diff --git a/bootstrap/generated-dists/fedora30/Dockerfile b/bootstrap/generated-dists/fedora30/Dockerfile deleted file mode 100644 index f2a2c3546f0..00000000000 --- a/bootstrap/generated-dists/fedora30/Dockerfile +++ /dev/null @@ -1,27 +0,0 @@ -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -FROM fedora:30 - -# pass in with --build-arg while build -ARG SHA1SUM -RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt - -ADD *.sh /tmp/ -# need root permission, do it before USER samba -RUN /tmp/bootstrap.sh && /tmp/locale.sh - -# if ld.gold exists, force link it to ld -RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" - -# make test can not work with root, so we have to create a new user -RUN useradd -m -U -s /bin/bash samba && \ - mkdir -p /etc/sudoers.d && \ - echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba - -USER samba -WORKDIR /home/samba -# samba tests rely on this -ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora30/bootstrap.sh b/bootstrap/generated-dists/fedora30/bootstrap.sh deleted file mode 100755 index effe2a9d214..00000000000 --- a/bootstrap/generated-dists/fedora30/bootstrap.sh +++ /dev/null @@ -1,108 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -dnf update -y - -dnf install -y \ - --setopt=install_weak_deps=False \ - @development-tools \ - acl \ - attr \ - autoconf \ - avahi-devel \ - bind-utils \ - binutils \ - bison \ - chrpath \ - cups-devel \ - curl \ - dbus-devel \ - docbook-dtds \ - docbook-style-xsl \ - flex \ - gawk \ - gcc \ - gdb \ - git \ - glib2-devel \ - glibc-common \ - glibc-langpack-en \ - glusterfs-api-devel \ - glusterfs-devel \ - gnutls-devel \ - gpgme-devel \ - gzip \ - hostname \ - htop \ - jansson-devel \ - keyutils-libs-devel \ - krb5-devel \ - krb5-server \ - lcov \ - libacl-devel \ - libarchive-devel \ - libattr-devel \ - libblkid-devel \ - libbsd-devel \ - libcap-devel \ - libcephfs-devel \ - libicu-devel \ - libnsl2-devel \ - libpcap-devel \ - libsemanage-python \ - libtasn1-devel \ - libtasn1-tools \ - libtirpc-devel \ - libunwind-devel \ - libuuid-devel \ - libxslt \ - lmdb \ - lmdb-devel \ - make \ - mingw64-gcc \ - ncurses-devel \ - openldap-devel \ - pam-devel \ - patch \ - perl \ - perl-Archive-Tar \ - perl-ExtUtils-MakeMaker \ - perl-JSON-Parse \ - perl-Parse-Yapp \ - perl-Test-Base \ - perl-generators \ - perl-interpreter \ - pkgconfig \ - policycoreutils-python \ - popt-devel \ - procps-ng \ - psmisc \ - python3 \ - python3-devel \ - python3-dns \ - python3-gpg \ - python3-markdown \ - quota-devel \ - readline-devel \ - redhat-lsb \ - rng-tools \ - rpcgen \ - rpcsvc-proto-devel \ - rsync \ - sed \ - sudo \ - systemd-devel \ - tar \ - tree \ - which \ - xfsprogs-devel \ - yum-utils \ - zlib-devel - -dnf clean all \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora30/locale.sh b/bootstrap/generated-dists/fedora30/locale.sh deleted file mode 100755 index cc64e180483..00000000000 --- a/bootstrap/generated-dists/fedora30/locale.sh +++ /dev/null @@ -1,55 +0,0 @@ -#!/bin/bash - -# -# This file is generated by 'bootstrap/template.py --render' -# See also bootstrap/config.py -# - -set -xueo pipefail - -# refer to /usr/share/i18n/locales -INPUTFILE=en_US -# refer to /usr/share/i18n/charmaps -CHARMAP=UTF-8 -# locale to generate in /usr/lib/locale -# glibc/localedef will normalize UTF-8 to utf8, follow the naming style -LOCALE=$INPUTFILE.utf8 - -# if locale is already correct, exit -( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 - -# if locale not available, generate locale into /usr/lib/locale -if ! ( locale --all-locales | grep -i $LOCALE ) -then - # no-archive means create its own dir - localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE -fi - -# update locale conf and global env file -# set both LC_ALL and LANG for safe - -# update conf for Debian family -FILE=/etc/default/locale -if [ -f $FILE ] -then - echo LC_ALL="$LOCALE" > $FILE - echo LANG="$LOCALE" >> $FILE -fi - -# update conf for RedHat family -FILE=/etc/locale.conf -if [ -f $FILE ] -then - # LC_ALL is not valid in this file, set LANG only - echo LANG="$LOCALE" > $FILE -fi - -# update global env file -FILE=/etc/environment -if [ -f $FILE ] -then - # append LC_ALL if not exist - grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE - # append LANG if not exist - grep LANG $FILE || echo LANG="$LOCALE" >> $FILE -fi \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora30/packages.yml b/bootstrap/generated-dists/fedora30/packages.yml deleted file mode 100644 index 3b767f8ba08..00000000000 --- a/bootstrap/generated-dists/fedora30/packages.yml +++ /dev/null @@ -1,95 +0,0 @@ ---- -packages: - - @development-tools - - acl - - attr - - autoconf - - avahi-devel - - bind-utils - - binutils - - bison - - chrpath - - cups-devel - - curl - - dbus-devel - - docbook-dtds - - docbook-style-xsl - - flex - - gawk - - gcc - - gdb - - git - - glib2-devel - - glibc-common - - glibc-langpack-en - - glusterfs-api-devel - - glusterfs-devel - - gnutls-devel - - gpgme-devel - - gzip - - hostname - - htop - - jansson-devel - - keyutils-libs-devel - - krb5-devel - - krb5-server - - lcov - - libacl-devel - - libarchive-devel - - libattr-devel - - libblkid-devel - - libbsd-devel - - libcap-devel - - libcephfs-devel - - libicu-devel - - libnsl2-devel - - libpcap-devel - - libsemanage-python - - libtasn1-devel - - libtasn1-tools - - libtirpc-devel - - libunwind-devel - - libuuid-devel - - libxslt - - lmdb - - lmdb-devel - - make - - mingw64-gcc - - ncurses-devel - - openldap-devel - - pam-devel - - patch - - perl - - perl-Archive-Tar - - perl-ExtUtils-MakeMaker - - perl-JSON-Parse - - perl-Parse-Yapp - - perl-Test-Base - - perl-generators - - perl-interpreter - - pkgconfig - - policycoreutils-python - - popt-devel - - procps-ng - - psmisc - - python3 - - python3-devel - - python3-dns - - python3-gpg - - python3-markdown - - quota-devel - - readline-devel - - redhat-lsb - - rng-tools - - rpcgen - - rpcsvc-proto-devel - - rsync - - sed - - sudo - - systemd-devel - - tar - - tree - - which - - xfsprogs-devel - - yum-utils - - zlib-devel \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 39f2633892e..ef012315ce1 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -2366db8ea66e6a07f36b77c0f3152a06e7056adc +9f95136e88779ec8eed6c18614b1e0779ef2bfec -- 2.25.1 From 4920e3348df9d2f953289e7e0ddf26d5617fed3b Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 19 Mar 2020 10:32:17 +0100 Subject: [PATCH 009/380] gitlab-ci: Add Fedora 32 (Beta) Signed-off-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andreas Schneider Autobuild-Date(master): Fri Mar 20 15:19:50 UTC 2020 on sn-devel-184 (cherry picked from commit bce99f59332ffd4d817be457ff4b39743e724319) --- .gitlab-ci.yml | 7 +- bootstrap/.gitlab-ci.yml | 3 + bootstrap/config.py | 10 ++ bootstrap/generated-dists/Vagrantfile | 7 ++ bootstrap/generated-dists/fedora32/Dockerfile | 27 +++++ .../generated-dists/fedora32/bootstrap.sh | 109 ++++++++++++++++++ bootstrap/generated-dists/fedora32/locale.sh | 55 +++++++++ .../generated-dists/fedora32/packages.yml | 96 +++++++++++++++ bootstrap/sha1sum.txt | 2 +- 9 files changed, 314 insertions(+), 2 deletions(-) create mode 100644 bootstrap/generated-dists/fedora32/Dockerfile create mode 100755 bootstrap/generated-dists/fedora32/bootstrap.sh create mode 100755 bootstrap/generated-dists/fedora32/locale.sh create mode 100644 bootstrap/generated-dists/fedora32/packages.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index a8e1099be11..bf05c3cd792 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 9f95136e88779ec8eed6c18614b1e0779ef2bfec + SAMBA_CI_CONTAINER_TAG: 9061307e79ad13733c69352a965eeb4f44bef4b7 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -40,6 +40,7 @@ variables: SAMBA_CI_CONTAINER_IMAGE_opensuse150: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse150:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_opensuse151: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse151:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_fedora31: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-fedora31:${SAMBA_CI_CONTAINER_TAG} + SAMBA_CI_CONTAINER_IMAGE_fedora32: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-fedora32:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_centos7: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-centos7:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_centos8: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-centos8:${SAMBA_CI_CONTAINER_TAG} @@ -305,6 +306,10 @@ fedora31-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_fedora31 +fedora32-samba-o3: + extends: .samba-o3-template + image: $SAMBA_CI_CONTAINER_IMAGE_fedora32 + # # Keep the samba-o3 sections at the end ... # diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index 89c1453a34c..8427dbdc314 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -99,6 +99,9 @@ debian10: fedora31: extends: .build_image_template +fedora32: + extends: .build_image_template + centos8: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index 6d4d662d563..093b84676f0 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -463,6 +463,16 @@ RPM_DISTS = { 'policycoreutils-python': 'python3-policycoreutils', } }, + 'fedora32': { + 'docker_image': 'fedora:32', + 'vagrant_box': 'fedora/32-cloud-base', + 'bootstrap': DNF_BOOTSTRAP, + 'replace': { + 'lsb-release': 'redhat-lsb', + 'libsemanage-python': 'python3-libsemanage', + 'policycoreutils-python': 'python3-policycoreutils', + } + }, 'opensuse150': { 'docker_image': 'opensuse/leap:15.0', 'vagrant_box': 'opensuse/openSUSE-15.0-x86_64', diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 770e364c70b..15fc686f584 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -38,6 +38,13 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "fedora31/locale.sh" end + config.vm.define "fedora32" do |v| + v.vm.box = "fedora/32-cloud-base" + v.vm.hostname = "fedora32" + v.vm.provision :shell, path: "fedora32/bootstrap.sh" + v.vm.provision :shell, path: "fedora32/locale.sh" + end + config.vm.define "opensuse150" do |v| v.vm.box = "opensuse/openSUSE-15.0-x86_64" v.vm.hostname = "opensuse150" diff --git a/bootstrap/generated-dists/fedora32/Dockerfile b/bootstrap/generated-dists/fedora32/Dockerfile new file mode 100644 index 00000000000..d8a75cf8445 --- /dev/null +++ b/bootstrap/generated-dists/fedora32/Dockerfile @@ -0,0 +1,27 @@ +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +FROM fedora:32 + +# pass in with --build-arg while build +ARG SHA1SUM +RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt + +ADD *.sh /tmp/ +# need root permission, do it before USER samba +RUN /tmp/bootstrap.sh && /tmp/locale.sh + +# if ld.gold exists, force link it to ld +RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" + +# make test can not work with root, so we have to create a new user +RUN useradd -m -U -s /bin/bash samba && \ + mkdir -p /etc/sudoers.d && \ + echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba + +USER samba +WORKDIR /home/samba +# samba tests rely on this +ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora32/bootstrap.sh b/bootstrap/generated-dists/fedora32/bootstrap.sh new file mode 100755 index 00000000000..18c58092eff --- /dev/null +++ b/bootstrap/generated-dists/fedora32/bootstrap.sh @@ -0,0 +1,109 @@ +#!/bin/bash + +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +set -xueo pipefail + +dnf update -y + +dnf install -y \ + --setopt=install_weak_deps=False \ + @development-tools \ + acl \ + attr \ + autoconf \ + avahi-devel \ + bind-utils \ + binutils \ + bison \ + chrpath \ + cups-devel \ + curl \ + dbus-devel \ + docbook-dtds \ + docbook-style-xsl \ + flex \ + gawk \ + gcc \ + gdb \ + git \ + glib2-devel \ + glibc-common \ + glibc-langpack-en \ + glusterfs-api-devel \ + glusterfs-devel \ + gnutls-devel \ + gpgme-devel \ + gzip \ + hostname \ + htop \ + jansson-devel \ + keyutils-libs-devel \ + krb5-devel \ + krb5-server \ + lcov \ + libacl-devel \ + libarchive-devel \ + libattr-devel \ + libblkid-devel \ + libbsd-devel \ + libcap-devel \ + libcephfs-devel \ + libicu-devel \ + libnsl2-devel \ + libpcap-devel \ + libtasn1-devel \ + libtasn1-tools \ + libtirpc-devel \ + libunwind-devel \ + liburing-devel \ + libuuid-devel \ + libxslt \ + lmdb \ + lmdb-devel \ + make \ + mingw64-gcc \ + ncurses-devel \ + openldap-devel \ + pam-devel \ + patch \ + perl \ + perl-Archive-Tar \ + perl-ExtUtils-MakeMaker \ + perl-JSON-Parse \ + perl-Parse-Yapp \ + perl-Test-Base \ + perl-generators \ + perl-interpreter \ + pkgconfig \ + popt-devel \ + procps-ng \ + psmisc \ + python3 \ + python3-devel \ + python3-dns \ + python3-gpg \ + python3-libsemanage \ + python3-markdown \ + python3-policycoreutils \ + quota-devel \ + readline-devel \ + redhat-lsb \ + rng-tools \ + rpcgen \ + rpcsvc-proto-devel \ + rsync \ + sed \ + sudo \ + systemd-devel \ + tar \ + tree \ + which \ + xfsprogs-devel \ + yum-utils \ + zlib-devel + +dnf clean all \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora32/locale.sh b/bootstrap/generated-dists/fedora32/locale.sh new file mode 100755 index 00000000000..cc64e180483 --- /dev/null +++ b/bootstrap/generated-dists/fedora32/locale.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +set -xueo pipefail + +# refer to /usr/share/i18n/locales +INPUTFILE=en_US +# refer to /usr/share/i18n/charmaps +CHARMAP=UTF-8 +# locale to generate in /usr/lib/locale +# glibc/localedef will normalize UTF-8 to utf8, follow the naming style +LOCALE=$INPUTFILE.utf8 + +# if locale is already correct, exit +( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 + +# if locale not available, generate locale into /usr/lib/locale +if ! ( locale --all-locales | grep -i $LOCALE ) +then + # no-archive means create its own dir + localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE +fi + +# update locale conf and global env file +# set both LC_ALL and LANG for safe + +# update conf for Debian family +FILE=/etc/default/locale +if [ -f $FILE ] +then + echo LC_ALL="$LOCALE" > $FILE + echo LANG="$LOCALE" >> $FILE +fi + +# update conf for RedHat family +FILE=/etc/locale.conf +if [ -f $FILE ] +then + # LC_ALL is not valid in this file, set LANG only + echo LANG="$LOCALE" > $FILE +fi + +# update global env file +FILE=/etc/environment +if [ -f $FILE ] +then + # append LC_ALL if not exist + grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE + # append LANG if not exist + grep LANG $FILE || echo LANG="$LOCALE" >> $FILE +fi \ No newline at end of file diff --git a/bootstrap/generated-dists/fedora32/packages.yml b/bootstrap/generated-dists/fedora32/packages.yml new file mode 100644 index 00000000000..3165af8dd82 --- /dev/null +++ b/bootstrap/generated-dists/fedora32/packages.yml @@ -0,0 +1,96 @@ +--- +packages: + - @development-tools + - acl + - attr + - autoconf + - avahi-devel + - bind-utils + - binutils + - bison + - chrpath + - cups-devel + - curl + - dbus-devel + - docbook-dtds + - docbook-style-xsl + - flex + - gawk + - gcc + - gdb + - git + - glib2-devel + - glibc-common + - glibc-langpack-en + - glusterfs-api-devel + - glusterfs-devel + - gnutls-devel + - gpgme-devel + - gzip + - hostname + - htop + - jansson-devel + - keyutils-libs-devel + - krb5-devel + - krb5-server + - lcov + - libacl-devel + - libarchive-devel + - libattr-devel + - libblkid-devel + - libbsd-devel + - libcap-devel + - libcephfs-devel + - libicu-devel + - libnsl2-devel + - libpcap-devel + - libtasn1-devel + - libtasn1-tools + - libtirpc-devel + - libunwind-devel + - liburing-devel + - libuuid-devel + - libxslt + - lmdb + - lmdb-devel + - make + - mingw64-gcc + - ncurses-devel + - openldap-devel + - pam-devel + - patch + - perl + - perl-Archive-Tar + - perl-ExtUtils-MakeMaker + - perl-JSON-Parse + - perl-Parse-Yapp + - perl-Test-Base + - perl-generators + - perl-interpreter + - pkgconfig + - popt-devel + - procps-ng + - psmisc + - python3 + - python3-devel + - python3-dns + - python3-gpg + - python3-libsemanage + - python3-markdown + - python3-policycoreutils + - quota-devel + - readline-devel + - redhat-lsb + - rng-tools + - rpcgen + - rpcsvc-proto-devel + - rsync + - sed + - sudo + - systemd-devel + - tar + - tree + - which + - xfsprogs-devel + - yum-utils + - zlib-devel \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index ef012315ce1..df1b85b9f21 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -9f95136e88779ec8eed6c18614b1e0779ef2bfec +9061307e79ad13733c69352a965eeb4f44bef4b7 -- 2.25.1 From a7e297dbc631afdfcfe0082d9bb7318dbc0ba212 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 25 Mar 2020 22:17:46 +0100 Subject: [PATCH 010/380] bootstrap: add ubuntu2004 Ubuntu Focal Fossa (development branch) Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 53402b353007893f3851afbf574c2a67f9f6a44b) --- .gitlab-ci.yml | 9 +- bootstrap/.gitlab-ci.yml | 3 + bootstrap/config.py | 7 ++ bootstrap/generated-dists/Vagrantfile | 7 ++ .../generated-dists/ubuntu2004/Dockerfile | 27 +++++ .../generated-dists/ubuntu2004/bootstrap.sh | 106 ++++++++++++++++++ .../generated-dists/ubuntu2004/locale.sh | 55 +++++++++ .../generated-dists/ubuntu2004/packages.yml | 91 +++++++++++++++ bootstrap/sha1sum.txt | 2 +- 9 files changed, 304 insertions(+), 3 deletions(-) create mode 100644 bootstrap/generated-dists/ubuntu2004/Dockerfile create mode 100755 bootstrap/generated-dists/ubuntu2004/bootstrap.sh create mode 100755 bootstrap/generated-dists/ubuntu2004/locale.sh create mode 100644 bootstrap/generated-dists/ubuntu2004/packages.yml diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index bf05c3cd792..efb9fe87d17 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 9061307e79ad13733c69352a965eeb4f44bef4b7 + SAMBA_CI_CONTAINER_TAG: f5212e7abcae3208b796c939432ab9bec319264a # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. @@ -33,8 +33,9 @@ variables: # Please see the samba-o3 sections at the end of this file! # We should run that for each available image # - SAMBA_CI_CONTAINER_IMAGE_ubuntu1804: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-ubuntu1804:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_ubuntu1604: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-ubuntu1604:${SAMBA_CI_CONTAINER_TAG} + SAMBA_CI_CONTAINER_IMAGE_ubuntu1804: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-ubuntu1804:${SAMBA_CI_CONTAINER_TAG} + SAMBA_CI_CONTAINER_IMAGE_ubuntu2004: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-ubuntu2004:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_debian9: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-debian9:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_debian10: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-debian10:${SAMBA_CI_CONTAINER_TAG} SAMBA_CI_CONTAINER_IMAGE_opensuse150: ${SAMBA_CI_CONTAINER_REGISTRY}/samba-ci-opensuse150:${SAMBA_CI_CONTAINER_TAG} @@ -277,6 +278,10 @@ ubuntu1804-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_ubuntu1804 +.ubuntu2004-samba-o3: + extends: .samba-o3-template + image: $SAMBA_CI_CONTAINER_IMAGE_ubuntu2004 + debian10-samba-o3: extends: .samba-o3-template image: $SAMBA_CI_CONTAINER_IMAGE_debian10 diff --git a/bootstrap/.gitlab-ci.yml b/bootstrap/.gitlab-ci.yml index 8427dbdc314..d6cf02109fd 100644 --- a/bootstrap/.gitlab-ci.yml +++ b/bootstrap/.gitlab-ci.yml @@ -93,6 +93,9 @@ ubuntu1604: ubuntu1804: extends: .build_image_template +ubuntu2004: + extends: .build_image_template + debian10: extends: .build_image_template diff --git a/bootstrap/config.py b/bootstrap/config.py index 093b84676f0..b862053b915 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -400,6 +400,13 @@ DEB_DISTS = { 'liburing-dev': '', # not available } }, + 'ubuntu2004': { + 'docker_image': 'ubuntu:20.04', + 'vagrant_box': 'ubuntu/focal64', + 'replace': { + 'liburing-dev': '', # not available + } + }, } diff --git a/bootstrap/generated-dists/Vagrantfile b/bootstrap/generated-dists/Vagrantfile index 15fc686f584..e01c20bc161 100644 --- a/bootstrap/generated-dists/Vagrantfile +++ b/bootstrap/generated-dists/Vagrantfile @@ -73,5 +73,12 @@ Vagrant.configure("2") do |config| v.vm.provision :shell, path: "ubuntu1804/locale.sh" end + config.vm.define "ubuntu2004" do |v| + v.vm.box = "ubuntu/focal64" + v.vm.hostname = "ubuntu2004" + v.vm.provision :shell, path: "ubuntu2004/bootstrap.sh" + v.vm.provision :shell, path: "ubuntu2004/locale.sh" + end + end diff --git a/bootstrap/generated-dists/ubuntu2004/Dockerfile b/bootstrap/generated-dists/ubuntu2004/Dockerfile new file mode 100644 index 00000000000..f94e8801aad --- /dev/null +++ b/bootstrap/generated-dists/ubuntu2004/Dockerfile @@ -0,0 +1,27 @@ +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +FROM ubuntu:20.04 + +# pass in with --build-arg while build +ARG SHA1SUM +RUN [ -n $SHA1SUM ] && echo $SHA1SUM > /sha1sum.txt + +ADD *.sh /tmp/ +# need root permission, do it before USER samba +RUN /tmp/bootstrap.sh && /tmp/locale.sh + +# if ld.gold exists, force link it to ld +RUN set -x; LD=$(which ld); LD_GOLD=$(which ld.gold); test -x $LD_GOLD && ln -sf $LD_GOLD $LD && test -x $LD && echo "$LD is now $LD_GOLD" + +# make test can not work with root, so we have to create a new user +RUN useradd -m -U -s /bin/bash samba && \ + mkdir -p /etc/sudoers.d && \ + echo "samba ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/samba + +USER samba +WORKDIR /home/samba +# samba tests rely on this +ENV USER=samba LC_ALL=en_US.utf8 LANG=en_US.utf8 \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu2004/bootstrap.sh b/bootstrap/generated-dists/ubuntu2004/bootstrap.sh new file mode 100755 index 00000000000..97d32815d72 --- /dev/null +++ b/bootstrap/generated-dists/ubuntu2004/bootstrap.sh @@ -0,0 +1,106 @@ +#!/bin/bash + +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +set -xueo pipefail + +export DEBIAN_FRONTEND=noninteractive +apt-get -y update + +apt-get -y install \ + acl \ + apt-utils \ + attr \ + autoconf \ + bind9utils \ + binutils \ + bison \ + build-essential \ + chrpath \ + curl \ + debhelper \ + dnsutils \ + docbook-xml \ + docbook-xsl \ + flex \ + gcc \ + gdb \ + git \ + glusterfs-common \ + gzip \ + heimdal-multidev \ + hostname \ + htop \ + krb5-config \ + krb5-kdc \ + krb5-user \ + language-pack-en \ + lcov \ + libacl1-dev \ + libarchive-dev \ + libattr1-dev \ + libavahi-common-dev \ + libblkid-dev \ + libbsd-dev \ + libcap-dev \ + libcephfs-dev \ + libcups2-dev \ + libdbus-1-dev \ + libglib2.0-dev \ + libgnutls28-dev \ + libgpgme11-dev \ + libicu-dev \ + libjansson-dev \ + libjs-jquery \ + libjson-perl \ + libkrb5-dev \ + libldap2-dev \ + liblmdb-dev \ + libncurses5-dev \ + libpam0g-dev \ + libparse-yapp-perl \ + libpcap-dev \ + libpopt-dev \ + libreadline-dev \ + libsystemd-dev \ + libtasn1-bin \ + libtasn1-dev \ + libunwind-dev \ + lmdb-utils \ + locales \ + lsb-release \ + make \ + mawk \ + mingw-w64 \ + patch \ + perl \ + perl-modules \ + pkg-config \ + procps \ + psmisc \ + python3 \ + python3-dbg \ + python3-dev \ + python3-dnspython \ + python3-gpg \ + python3-iso8601 \ + python3-markdown \ + python3-matplotlib \ + python3-pexpect \ + rng-tools \ + rsync \ + sed \ + sudo \ + tar \ + tree \ + uuid-dev \ + xfslibs-dev \ + xsltproc \ + zlib1g-dev + +apt-get -y autoremove +apt-get -y autoclean +apt-get -y clean \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu2004/locale.sh b/bootstrap/generated-dists/ubuntu2004/locale.sh new file mode 100755 index 00000000000..cc64e180483 --- /dev/null +++ b/bootstrap/generated-dists/ubuntu2004/locale.sh @@ -0,0 +1,55 @@ +#!/bin/bash + +# +# This file is generated by 'bootstrap/template.py --render' +# See also bootstrap/config.py +# + +set -xueo pipefail + +# refer to /usr/share/i18n/locales +INPUTFILE=en_US +# refer to /usr/share/i18n/charmaps +CHARMAP=UTF-8 +# locale to generate in /usr/lib/locale +# glibc/localedef will normalize UTF-8 to utf8, follow the naming style +LOCALE=$INPUTFILE.utf8 + +# if locale is already correct, exit +( locale | grep LC_ALL | grep -i $LOCALE ) && exit 0 + +# if locale not available, generate locale into /usr/lib/locale +if ! ( locale --all-locales | grep -i $LOCALE ) +then + # no-archive means create its own dir + localedef --inputfile $INPUTFILE --charmap $CHARMAP --no-archive $LOCALE +fi + +# update locale conf and global env file +# set both LC_ALL and LANG for safe + +# update conf for Debian family +FILE=/etc/default/locale +if [ -f $FILE ] +then + echo LC_ALL="$LOCALE" > $FILE + echo LANG="$LOCALE" >> $FILE +fi + +# update conf for RedHat family +FILE=/etc/locale.conf +if [ -f $FILE ] +then + # LC_ALL is not valid in this file, set LANG only + echo LANG="$LOCALE" > $FILE +fi + +# update global env file +FILE=/etc/environment +if [ -f $FILE ] +then + # append LC_ALL if not exist + grep LC_ALL $FILE || echo LC_ALL="$LOCALE" >> $FILE + # append LANG if not exist + grep LANG $FILE || echo LANG="$LOCALE" >> $FILE +fi \ No newline at end of file diff --git a/bootstrap/generated-dists/ubuntu2004/packages.yml b/bootstrap/generated-dists/ubuntu2004/packages.yml new file mode 100644 index 00000000000..f45deb2c808 --- /dev/null +++ b/bootstrap/generated-dists/ubuntu2004/packages.yml @@ -0,0 +1,91 @@ +--- +packages: + - acl + - apt-utils + - attr + - autoconf + - bind9utils + - binutils + - bison + - build-essential + - chrpath + - curl + - debhelper + - dnsutils + - docbook-xml + - docbook-xsl + - flex + - gcc + - gdb + - git + - glusterfs-common + - gzip + - heimdal-multidev + - hostname + - htop + - krb5-config + - krb5-kdc + - krb5-user + - language-pack-en + - lcov + - libacl1-dev + - libarchive-dev + - libattr1-dev + - libavahi-common-dev + - libblkid-dev + - libbsd-dev + - libcap-dev + - libcephfs-dev + - libcups2-dev + - libdbus-1-dev + - libglib2.0-dev + - libgnutls28-dev + - libgpgme11-dev + - libicu-dev + - libjansson-dev + - libjs-jquery + - libjson-perl + - libkrb5-dev + - libldap2-dev + - liblmdb-dev + - libncurses5-dev + - libpam0g-dev + - libparse-yapp-perl + - libpcap-dev + - libpopt-dev + - libreadline-dev + - libsystemd-dev + - libtasn1-bin + - libtasn1-dev + - libunwind-dev + - lmdb-utils + - locales + - lsb-release + - make + - mawk + - mingw-w64 + - patch + - perl + - perl-modules + - pkg-config + - procps + - psmisc + - python3 + - python3-dbg + - python3-dev + - python3-dnspython + - python3-gpg + - python3-iso8601 + - python3-markdown + - python3-matplotlib + - python3-pexpect + - rng-tools + - rsync + - sed + - sudo + - tar + - tree + - uuid-dev + - xfslibs-dev + - xsltproc + - zlib1g-dev \ No newline at end of file diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index df1b85b9f21..c3a72eec5c6 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -9061307e79ad13733c69352a965eeb4f44bef4b7 +f5212e7abcae3208b796c939432ab9bec319264a -- 2.25.1 From 3f40e387bc72c72d5e4a982bb9a114b46dc8cdb1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 24 Mar 2020 15:36:48 +0100 Subject: [PATCH 011/380] bootstrap: add python3-pyasn1/python3-cryptography for kerberos testing Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 99b644248746a8a038d6f4b15aa621a907adc987) --- .gitlab-ci.yml | 2 +- bootstrap/config.py | 8 ++++---- bootstrap/generated-dists/centos7/bootstrap.sh | 2 ++ bootstrap/generated-dists/centos7/packages.yml | 2 ++ bootstrap/generated-dists/centos8/bootstrap.sh | 2 ++ bootstrap/generated-dists/centos8/packages.yml | 2 ++ bootstrap/generated-dists/debian10/bootstrap.sh | 2 ++ bootstrap/generated-dists/debian10/packages.yml | 2 ++ bootstrap/generated-dists/fedora31/bootstrap.sh | 2 ++ bootstrap/generated-dists/fedora31/packages.yml | 2 ++ bootstrap/generated-dists/fedora32/bootstrap.sh | 2 ++ bootstrap/generated-dists/fedora32/packages.yml | 2 ++ bootstrap/generated-dists/opensuse150/bootstrap.sh | 2 ++ bootstrap/generated-dists/opensuse150/packages.yml | 2 ++ bootstrap/generated-dists/opensuse151/bootstrap.sh | 2 ++ bootstrap/generated-dists/opensuse151/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu1604/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu1604/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu1804/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu1804/packages.yml | 2 ++ bootstrap/generated-dists/ubuntu2004/bootstrap.sh | 2 ++ bootstrap/generated-dists/ubuntu2004/packages.yml | 2 ++ bootstrap/sha1sum.txt | 2 +- 23 files changed, 46 insertions(+), 6 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index efb9fe87d17..6a5e8693e80 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: f5212e7abcae3208b796c939432ab9bec319264a + SAMBA_CI_CONTAINER_TAG: 7414ad7ef9108d406b1f6b17ebce19e32aee9f70 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/config.py b/bootstrap/config.py index b862053b915..196f9bdf8eb 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -129,6 +129,7 @@ PKGS = [ ('mawk', 'gawk'), ('python3', 'python3'), + ('python3-cryptography', 'python3-cryptography'), # for krb5 tests ('python3-dev', 'python3-devel'), ('python3-dbg', ''), ('python3-iso8601', ''), @@ -137,6 +138,7 @@ PKGS = [ ('python3-matplotlib', ''), ('python3-dnspython', 'python3-dns'), ('python3-pexpect', ''), # for wintest only + ('python3-pyasn1', 'python3-pyasn1'), # for krb5 tests ('', 'libsemanage-python'), ('', 'policycoreutils-python'), @@ -418,9 +420,10 @@ RPM_DISTS = { 'replace': { 'lsb-release': 'redhat-lsb', 'python3': 'python36', - 'python3-crypto': 'python36-crypto', + 'python3-cryptography': 'python36-cryptography', 'python3-devel': 'python36-devel', 'python3-dns': 'python36-dns', + 'python3-pyasn1': 'python36-pyasn1', 'python3-gpg': 'python36-gpg', 'python3-iso8601' : 'python36-iso8601', 'python3-markdown': 'python36-markdown', @@ -455,7 +458,6 @@ RPM_DISTS = { 'perl-JSON-Parse': '', # does not exist? 'perl-Test-Base': 'perl-Test-Simple', 'policycoreutils-python': 'python3-policycoreutils', - 'python3-crypto': '', 'quota-devel': '', # FIXME: Add me back, once available! 'liburing-devel': '', # not available yet, Add me back, once available! } @@ -503,7 +505,6 @@ RPM_DISTS = { 'perl-interpreter': '', 'procps-ng': 'procps', 'python-dns': 'python2-dnspython', - 'python3-crypto': 'python3-pycrypto', 'python3-dns': 'python3-dnspython', 'python3-markdown': 'python3-Markdown', 'quota-devel': '', @@ -536,7 +537,6 @@ RPM_DISTS = { 'perl-interpreter': '', 'procps-ng': 'procps', 'python-dns': 'python2-dnspython', - 'python3-crypto': 'python3-pycrypto', 'python3-dns': 'python3-dnspython', 'python3-markdown': 'python3-Markdown', 'quota-devel': '', diff --git a/bootstrap/generated-dists/centos7/bootstrap.sh b/bootstrap/generated-dists/centos7/bootstrap.sh index 2f0bb1bcc28..37f5d684663 100755 --- a/bootstrap/generated-dists/centos7/bootstrap.sh +++ b/bootstrap/generated-dists/centos7/bootstrap.sh @@ -83,9 +83,11 @@ yum install -y \ procps-ng \ psmisc \ python36 \ + python36-cryptography \ python36-devel \ python36-dns \ python36-markdown \ + python36-pyasn1 \ quota-devel \ readline-devel \ redhat-lsb \ diff --git a/bootstrap/generated-dists/centos7/packages.yml b/bootstrap/generated-dists/centos7/packages.yml index 475326b6db7..1b80882bd8c 100644 --- a/bootstrap/generated-dists/centos7/packages.yml +++ b/bootstrap/generated-dists/centos7/packages.yml @@ -69,9 +69,11 @@ packages: - procps-ng - psmisc - python36 + - python36-cryptography - python36-devel - python36-dns - python36-markdown + - python36-pyasn1 - quota-devel - readline-devel - redhat-lsb diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh index 22484b3f6ad..61debd5e2ee 100755 --- a/bootstrap/generated-dists/centos8/bootstrap.sh +++ b/bootstrap/generated-dists/centos8/bootstrap.sh @@ -84,12 +84,14 @@ yum install -y \ procps-ng \ psmisc \ python3 \ + python3-cryptography \ python3-devel \ python3-dns \ python3-gpg \ python3-libsemanage \ python3-markdown \ python3-policycoreutils \ + python3-pyasn1 \ readline-devel \ redhat-lsb \ rng-tools \ diff --git a/bootstrap/generated-dists/centos8/packages.yml b/bootstrap/generated-dists/centos8/packages.yml index 07be0deeceb..2467b35dafb 100644 --- a/bootstrap/generated-dists/centos8/packages.yml +++ b/bootstrap/generated-dists/centos8/packages.yml @@ -69,12 +69,14 @@ packages: - procps-ng - psmisc - python3 + - python3-cryptography - python3-devel - python3-dns - python3-gpg - python3-libsemanage - python3-markdown - python3-policycoreutils + - python3-pyasn1 - readline-devel - redhat-lsb - rng-tools diff --git a/bootstrap/generated-dists/debian10/bootstrap.sh b/bootstrap/generated-dists/debian10/bootstrap.sh index f0847eb3c20..9391c1ca815 100755 --- a/bootstrap/generated-dists/debian10/bootstrap.sh +++ b/bootstrap/generated-dists/debian10/bootstrap.sh @@ -81,6 +81,7 @@ apt-get -y install \ procps \ psmisc \ python3 \ + python3-cryptography \ python3-dbg \ python3-dev \ python3-dnspython \ @@ -89,6 +90,7 @@ apt-get -y install \ python3-markdown \ python3-matplotlib \ python3-pexpect \ + python3-pyasn1 \ rng-tools \ rsync \ sed \ diff --git a/bootstrap/generated-dists/debian10/packages.yml b/bootstrap/generated-dists/debian10/packages.yml index a242cd8b362..dee4d5cef20 100644 --- a/bootstrap/generated-dists/debian10/packages.yml +++ b/bootstrap/generated-dists/debian10/packages.yml @@ -70,6 +70,7 @@ packages: - procps - psmisc - python3 + - python3-cryptography - python3-dbg - python3-dev - python3-dnspython @@ -78,6 +79,7 @@ packages: - python3-markdown - python3-matplotlib - python3-pexpect + - python3-pyasn1 - rng-tools - rsync - sed diff --git a/bootstrap/generated-dists/fedora31/bootstrap.sh b/bootstrap/generated-dists/fedora31/bootstrap.sh index 18c58092eff..09d36e88058 100755 --- a/bootstrap/generated-dists/fedora31/bootstrap.sh +++ b/bootstrap/generated-dists/fedora31/bootstrap.sh @@ -83,12 +83,14 @@ dnf install -y \ procps-ng \ psmisc \ python3 \ + python3-cryptography \ python3-devel \ python3-dns \ python3-gpg \ python3-libsemanage \ python3-markdown \ python3-policycoreutils \ + python3-pyasn1 \ quota-devel \ readline-devel \ redhat-lsb \ diff --git a/bootstrap/generated-dists/fedora31/packages.yml b/bootstrap/generated-dists/fedora31/packages.yml index 3165af8dd82..a2fbd0eb83b 100644 --- a/bootstrap/generated-dists/fedora31/packages.yml +++ b/bootstrap/generated-dists/fedora31/packages.yml @@ -72,12 +72,14 @@ packages: - procps-ng - psmisc - python3 + - python3-cryptography - python3-devel - python3-dns - python3-gpg - python3-libsemanage - python3-markdown - python3-policycoreutils + - python3-pyasn1 - quota-devel - readline-devel - redhat-lsb diff --git a/bootstrap/generated-dists/fedora32/bootstrap.sh b/bootstrap/generated-dists/fedora32/bootstrap.sh index 18c58092eff..09d36e88058 100755 --- a/bootstrap/generated-dists/fedora32/bootstrap.sh +++ b/bootstrap/generated-dists/fedora32/bootstrap.sh @@ -83,12 +83,14 @@ dnf install -y \ procps-ng \ psmisc \ python3 \ + python3-cryptography \ python3-devel \ python3-dns \ python3-gpg \ python3-libsemanage \ python3-markdown \ python3-policycoreutils \ + python3-pyasn1 \ quota-devel \ readline-devel \ redhat-lsb \ diff --git a/bootstrap/generated-dists/fedora32/packages.yml b/bootstrap/generated-dists/fedora32/packages.yml index 3165af8dd82..a2fbd0eb83b 100644 --- a/bootstrap/generated-dists/fedora32/packages.yml +++ b/bootstrap/generated-dists/fedora32/packages.yml @@ -72,12 +72,14 @@ packages: - procps-ng - psmisc - python3 + - python3-cryptography - python3-devel - python3-dns - python3-gpg - python3-libsemanage - python3-markdown - python3-policycoreutils + - python3-pyasn1 - quota-devel - readline-devel - redhat-lsb diff --git a/bootstrap/generated-dists/opensuse150/bootstrap.sh b/bootstrap/generated-dists/opensuse150/bootstrap.sh index 3fbcaacb24f..341b0ef9d35 100755 --- a/bootstrap/generated-dists/opensuse150/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse150/bootstrap.sh @@ -80,9 +80,11 @@ zypper --non-interactive install \ python2-semanage \ python3 \ python3-Markdown \ + python3-cryptography \ python3-devel \ python3-dnspython \ python3-gpg \ + python3-pyasn1 \ readline-devel \ rng-tools \ rpcgen \ diff --git a/bootstrap/generated-dists/opensuse150/packages.yml b/bootstrap/generated-dists/opensuse150/packages.yml index 0eb19244677..b8c469cadca 100644 --- a/bootstrap/generated-dists/opensuse150/packages.yml +++ b/bootstrap/generated-dists/opensuse150/packages.yml @@ -68,9 +68,11 @@ packages: - python2-semanage - python3 - python3-Markdown + - python3-cryptography - python3-devel - python3-dnspython - python3-gpg + - python3-pyasn1 - readline-devel - rng-tools - rpcgen diff --git a/bootstrap/generated-dists/opensuse151/bootstrap.sh b/bootstrap/generated-dists/opensuse151/bootstrap.sh index 3fbcaacb24f..341b0ef9d35 100755 --- a/bootstrap/generated-dists/opensuse151/bootstrap.sh +++ b/bootstrap/generated-dists/opensuse151/bootstrap.sh @@ -80,9 +80,11 @@ zypper --non-interactive install \ python2-semanage \ python3 \ python3-Markdown \ + python3-cryptography \ python3-devel \ python3-dnspython \ python3-gpg \ + python3-pyasn1 \ readline-devel \ rng-tools \ rpcgen \ diff --git a/bootstrap/generated-dists/opensuse151/packages.yml b/bootstrap/generated-dists/opensuse151/packages.yml index 0eb19244677..b8c469cadca 100644 --- a/bootstrap/generated-dists/opensuse151/packages.yml +++ b/bootstrap/generated-dists/opensuse151/packages.yml @@ -68,9 +68,11 @@ packages: - python2-semanage - python3 - python3-Markdown + - python3-cryptography - python3-devel - python3-dnspython - python3-gpg + - python3-pyasn1 - readline-devel - rng-tools - rpcgen diff --git a/bootstrap/generated-dists/ubuntu1604/bootstrap.sh b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh index a8f47762ded..f5791357d45 100755 --- a/bootstrap/generated-dists/ubuntu1604/bootstrap.sh +++ b/bootstrap/generated-dists/ubuntu1604/bootstrap.sh @@ -80,6 +80,7 @@ apt-get -y install \ procps \ psmisc \ python3 \ + python3-cryptography \ python3-dbg \ python3-dev \ python3-dnspython \ @@ -88,6 +89,7 @@ apt-get -y install \ python3-markdown \ python3-matplotlib \ python3-pexpect \ + python3-pyasn1 \ rng-tools \ rsync \ sed \ diff --git a/bootstrap/generated-dists/ubuntu1604/packages.yml b/bootstrap/generated-dists/ubuntu1604/packages.yml index c3cd9af9c3e..932cc162041 100644 --- a/bootstrap/generated-dists/ubuntu1604/packages.yml +++ b/bootstrap/generated-dists/ubuntu1604/packages.yml @@ -69,6 +69,7 @@ packages: - procps - psmisc - python3 + - python3-cryptography - python3-dbg - python3-dev - python3-dnspython @@ -77,6 +78,7 @@ packages: - python3-markdown - python3-matplotlib - python3-pexpect + - python3-pyasn1 - rng-tools - rsync - sed diff --git a/bootstrap/generated-dists/ubuntu1804/bootstrap.sh b/bootstrap/generated-dists/ubuntu1804/bootstrap.sh index 97d32815d72..e668057ea82 100755 --- a/bootstrap/generated-dists/ubuntu1804/bootstrap.sh +++ b/bootstrap/generated-dists/ubuntu1804/bootstrap.sh @@ -82,6 +82,7 @@ apt-get -y install \ procps \ psmisc \ python3 \ + python3-cryptography \ python3-dbg \ python3-dev \ python3-dnspython \ @@ -90,6 +91,7 @@ apt-get -y install \ python3-markdown \ python3-matplotlib \ python3-pexpect \ + python3-pyasn1 \ rng-tools \ rsync \ sed \ diff --git a/bootstrap/generated-dists/ubuntu1804/packages.yml b/bootstrap/generated-dists/ubuntu1804/packages.yml index f45deb2c808..edf5720f84c 100644 --- a/bootstrap/generated-dists/ubuntu1804/packages.yml +++ b/bootstrap/generated-dists/ubuntu1804/packages.yml @@ -71,6 +71,7 @@ packages: - procps - psmisc - python3 + - python3-cryptography - python3-dbg - python3-dev - python3-dnspython @@ -79,6 +80,7 @@ packages: - python3-markdown - python3-matplotlib - python3-pexpect + - python3-pyasn1 - rng-tools - rsync - sed diff --git a/bootstrap/generated-dists/ubuntu2004/bootstrap.sh b/bootstrap/generated-dists/ubuntu2004/bootstrap.sh index 97d32815d72..e668057ea82 100755 --- a/bootstrap/generated-dists/ubuntu2004/bootstrap.sh +++ b/bootstrap/generated-dists/ubuntu2004/bootstrap.sh @@ -82,6 +82,7 @@ apt-get -y install \ procps \ psmisc \ python3 \ + python3-cryptography \ python3-dbg \ python3-dev \ python3-dnspython \ @@ -90,6 +91,7 @@ apt-get -y install \ python3-markdown \ python3-matplotlib \ python3-pexpect \ + python3-pyasn1 \ rng-tools \ rsync \ sed \ diff --git a/bootstrap/generated-dists/ubuntu2004/packages.yml b/bootstrap/generated-dists/ubuntu2004/packages.yml index f45deb2c808..edf5720f84c 100644 --- a/bootstrap/generated-dists/ubuntu2004/packages.yml +++ b/bootstrap/generated-dists/ubuntu2004/packages.yml @@ -71,6 +71,7 @@ packages: - procps - psmisc - python3 + - python3-cryptography - python3-dbg - python3-dev - python3-dnspython @@ -79,6 +80,7 @@ packages: - python3-markdown - python3-matplotlib - python3-pexpect + - python3-pyasn1 - rng-tools - rsync - sed diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index c3a72eec5c6..085ef7c5297 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -f5212e7abcae3208b796c939432ab9bec319264a +7414ad7ef9108d406b1f6b17ebce19e32aee9f70 -- 2.25.1 From 223077cce9193ffc82d9acf0469fcc1acaa871d1 Mon Sep 17 00:00:00 2001 From: Martin Schwenke Date: Wed, 9 Dec 2020 00:03:47 +1100 Subject: [PATCH 012/380] bootstrap: Cope with case changes in CentOS 8 repo names RN: Be more flexible with repository names in CentOS 8 test environments BUG: https://bugzilla.samba.org/show_bug.cgi?id=14594 Signed-off-by: Martin Schwenke Reviewed-by: Andrew Bartlett [abartlet@samba.org backported from commit 1c59f49aaede8ec1662d4e49aef84fcd902a8a76 due to conflicts in sha1sum because changes in-between this and the last backported changes were not included] --- .gitlab-ci.yml | 2 +- bootstrap/config.py | 3 ++- bootstrap/generated-dists/centos8/bootstrap.sh | 3 ++- bootstrap/sha1sum.txt | 2 +- 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml index 6a5e8693e80..7c7597e31b6 100644 --- a/.gitlab-ci.yml +++ b/.gitlab-ci.yml @@ -22,7 +22,7 @@ variables: # Set this to the contents of bootstrap/sha1sum.txt # which is generated by bootstrap/template.py --render # - SAMBA_CI_CONTAINER_TAG: 7414ad7ef9108d406b1f6b17ebce19e32aee9f70 + SAMBA_CI_CONTAINER_TAG: 5a03ad6f346def64a757bcd2e71dc9a5c10ceae0 # # We use the ubuntu1804 image as default as # it matches what we have on sn-devel-184. diff --git a/bootstrap/config.py b/bootstrap/config.py index 196f9bdf8eb..93e321a7e81 100644 --- a/bootstrap/config.py +++ b/bootstrap/config.py @@ -228,7 +228,8 @@ set -xueo pipefail yum update -y yum install -y dnf-plugins-core yum install -y epel-release -yum config-manager --set-enabled PowerTools -y +yum config-manager --set-enabled PowerTools -y || \ + yum config-manager --set-enabled powertools -y yum update -y yum install -y \ diff --git a/bootstrap/generated-dists/centos8/bootstrap.sh b/bootstrap/generated-dists/centos8/bootstrap.sh index 61debd5e2ee..2ee15dba86c 100755 --- a/bootstrap/generated-dists/centos8/bootstrap.sh +++ b/bootstrap/generated-dists/centos8/bootstrap.sh @@ -10,7 +10,8 @@ set -xueo pipefail yum update -y yum install -y dnf-plugins-core yum install -y epel-release -yum config-manager --set-enabled PowerTools -y +yum config-manager --set-enabled PowerTools -y || \ + yum config-manager --set-enabled powertools -y yum update -y yum install -y \ diff --git a/bootstrap/sha1sum.txt b/bootstrap/sha1sum.txt index 085ef7c5297..b1e6736def0 100644 --- a/bootstrap/sha1sum.txt +++ b/bootstrap/sha1sum.txt @@ -1 +1 @@ -7414ad7ef9108d406b1f6b17ebce19e32aee9f70 +5a03ad6f346def64a757bcd2e71dc9a5c10ceae0 -- 2.25.1 From 64b62b7c9fea1b288d4eec350dcadaa7e8785e65 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 24 Mar 2020 14:02:58 +0100 Subject: [PATCH 013/380] python/tests: let usage.py be more verbose on errors Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 0f805db40a4948f9902733aa03ed6ae2789dabb3) --- python/samba/tests/usage.py | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 4b7bccde758..259ec91f66e 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -331,8 +331,9 @@ class HelpTestSuper(TestCase): if self.check_return_code: self.assertEqual(p.returncode, 0, - "%s %s\nreturncode should not be %d" % - (filename, h, p.returncode)) + "%s %s\nreturncode should not be %d\n" + "err:\n%s\nout:\n%s" % + (filename, h, p.returncode, err, out)) if self.check_contains_usage: self.assertIn('usage', outl, 'lacks "Usage:"\n') if self.check_multiline: -- 2.25.1 From c55219d57f55e0bd300a23b505c2d0d1e657fd43 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 15 Feb 2020 18:33:33 +0100 Subject: [PATCH 014/380] python/tests/krb5: add crypto.py from greghudson/pyk5 as kcrypto.py This is crypto.py of commit f0612aa908062fb239d1c3873595e7204ae1691d from https://github.com/greghudson/pyk5.git This will be used in order to do raw protocol testing against [MS-KILE] KDCs. Pair-Programmed-With: Stefan Metzmacher Signed-off-by: Isaac Boukris Signed-off-by: Stefan Metzmacher Reviewed-by: Stefan Metzmacher (cherry picked from commit 679bb52c957dafcec96ff37f87d8c3496996b909) --- python/samba/tests/krb5/kcrypto.py | 713 +++++++++++++++++++++++++++++ python/samba/tests/source.py | 6 + python/samba/tests/usage.py | 4 +- 3 files changed, 722 insertions(+), 1 deletion(-) create mode 100644 python/samba/tests/krb5/kcrypto.py diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py new file mode 100644 index 00000000000..18c0f71c24c --- /dev/null +++ b/python/samba/tests/krb5/kcrypto.py @@ -0,0 +1,713 @@ +# Copyright (C) 2013 by the Massachusetts Institute of Technology. +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# * Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS +# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT +# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS +# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE +# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, +# INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES +# (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR +# SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +# OF THE POSSIBILITY OF SUCH DAMAGE. + +# XXX current status: +# * Done and tested +# - AES encryption, checksum, string2key, prf +# - cf2 (needed for FAST) +# * Still to do: +# - DES enctypes and cksumtypes +# - RC4 exported enctype (if we need it for anything) +# - Unkeyed checksums +# - Special RC4, raw DES/DES3 operations for GSSAPI +# * Difficult or low priority: +# - Camellia not supported by PyCrypto +# - Cipher state only needed for kcmd suite +# - Nonstandard enctypes and cksumtypes like des-hmac-sha1 + +from math import gcd +from functools import reduce +from struct import pack, unpack +from Crypto.Cipher import AES, DES3, ARC4 +from Crypto.Hash import HMAC, MD4, MD5, SHA +from Crypto.Protocol.KDF import PBKDF2 +from Crypto.Random import get_random_bytes + + +class Enctype(object): + DES_CRC = 1 + DES_MD4 = 2 + DES_MD5 = 3 + DES3 = 16 + AES128 = 17 + AES256 = 18 + RC4 = 23 + + +class Cksumtype(object): + CRC32 = 1 + MD4 = 2 + MD4_DES = 3 + MD5 = 7 + MD5_DES = 8 + SHA1 = 9 + SHA1_DES3 = 12 + SHA1_AES128 = 15 + SHA1_AES256 = 16 + HMAC_MD5 = -138 + + +class InvalidChecksum(ValueError): + pass + + +def _zeropad(s, padsize): + # Return s padded with 0 bytes to a multiple of padsize. + padlen = (padsize - (len(s) % padsize)) % padsize + return s + bytes(padlen) + + +def _xorbytes(b1, b2): + # xor two strings together and return the resulting string. + assert len(b1) == len(b2) + return bytes([x ^ y for x, y in zip(b1, b2)]) + + +def _mac_equal(mac1, mac2): + # Constant-time comparison function. (We can't use HMAC.verify + # since we use truncated macs.) + assert len(mac1) == len(mac2) + res = 0 + for x, y in zip(mac1, mac2): + res |= x ^ y + return res == 0 + + +def _nfold(str, nbytes): + # Convert str to a string of length nbytes using the RFC 3961 nfold + # operation. + + # Rotate the bytes in str to the right by nbits bits. + def rotate_right(str, nbits): + nbytes, remain = (nbits//8) % len(str), nbits % 8 + return bytes([(str[i-nbytes] >> remain) | + (str[i-nbytes-1] << (8-remain) & 0xff) + for i in range(len(str))]) + + # Add equal-length strings together with end-around carry. + def add_ones_complement(str1, str2): + n = len(str1) + v = [a + b for a, b in zip(str1, str2)] + # Propagate carry bits to the left until there aren't any left. + while any(x & ~0xff for x in v): + v = [(v[i-n+1]>>8) + (v[i]&0xff) for i in range(n)] + return bytes([x for x in v]) + + # Concatenate copies of str to produce the least common multiple + # of len(str) and nbytes, rotating each copy of str to the right + # by 13 bits times its list position. Decompose the concatenation + # into slices of length nbytes, and add them together as + # big-endian ones' complement integers. + slen = len(str) + lcm = nbytes * slen // gcd(nbytes, slen) + bigstr = b''.join((rotate_right(str, 13 * i) for i in range(lcm // slen))) + slices = (bigstr[p:p+nbytes] for p in range(0, lcm, nbytes)) + return reduce(add_ones_complement, slices) + + +def _is_weak_des_key(keybytes): + return keybytes in (b'\x01\x01\x01\x01\x01\x01\x01\x01', + b'\xFE\xFE\xFE\xFE\xFE\xFE\xFE\xFE', + b'\x1F\x1F\x1F\x1F\x0E\x0E\x0E\x0E', + b'\xE0\xE0\xE0\xE0\xF1\xF1\xF1\xF1', + b'\x01\xFE\x01\xFE\x01\xFE\x01\xFE', + b'\xFE\x01\xFE\x01\xFE\x01\xFE\x01', + b'\x1F\xE0\x1F\xE0\x0E\xF1\x0E\xF1', + b'\xE0\x1F\xE0\x1F\xF1\x0E\xF1\x0E', + b'\x01\xE0\x01\xE0\x01\xF1\x01\xF1', + b'\xE0\x01\xE0\x01\xF1\x01\xF1\x01', + b'\x1F\xFE\x1F\xFE\x0E\xFE\x0E\xFE', + b'\xFE\x1F\xFE\x1F\xFE\x0E\xFE\x0E', + b'\x01\x1F\x01\x1F\x01\x0E\x01\x0E', + b'\x1F\x01\x1F\x01\x0E\x01\x0E\x01', + b'\xE0\xFE\xE0\xFE\xF1\xFE\xF1\xFE', + b'\xFE\xE0\xFE\xE0\xFE\xF1\xFE\xF1') + + +class _EnctypeProfile(object): + # Base class for enctype profiles. Usable enctype classes must define: + # * enctype: enctype number + # * keysize: protocol size of key in bytes + # * seedsize: random_to_key input size in bytes + # * random_to_key (if the keyspace is not dense) + # * string_to_key + # * encrypt + # * decrypt + # * prf + + @classmethod + def random_to_key(cls, seed): + if len(seed) != cls.seedsize: + raise ValueError('Wrong seed length') + return Key(cls.enctype, seed) + + +class _SimplifiedEnctype(_EnctypeProfile): + # Base class for enctypes using the RFC 3961 simplified profile. + # Defines the encrypt, decrypt, and prf methods. Subclasses must + # define: + # * blocksize: Underlying cipher block size in bytes + # * padsize: Underlying cipher padding multiple (1 or blocksize) + # * macsize: Size of integrity MAC in bytes + # * hashmod: PyCrypto hash module for underlying hash function + # * basic_encrypt, basic_decrypt: Underlying CBC/CTS cipher + + @classmethod + def derive(cls, key, constant): + # RFC 3961 only says to n-fold the constant only if it is + # shorter than the cipher block size. But all Unix + # implementations n-fold constants if their length is larger + # than the block size as well, and n-folding when the length + # is equal to the block size is a no-op. + plaintext = _nfold(constant, cls.blocksize) + rndseed = b'' + while len(rndseed) < cls.seedsize: + ciphertext = cls.basic_encrypt(key, plaintext) + rndseed += ciphertext + plaintext = ciphertext + return cls.random_to_key(rndseed[0:cls.seedsize]) + + @classmethod + def encrypt(cls, key, keyusage, plaintext, confounder): + ki = cls.derive(key, pack('>iB', keyusage, 0x55)) + ke = cls.derive(key, pack('>iB', keyusage, 0xAA)) + if confounder is None: + confounder = get_random_bytes(cls.blocksize) + basic_plaintext = confounder + _zeropad(plaintext, cls.padsize) + hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + return cls.basic_encrypt(ke, basic_plaintext) + hmac[:cls.macsize] + + @classmethod + def decrypt(cls, key, keyusage, ciphertext): + ki = cls.derive(key, pack('>iB', keyusage, 0x55)) + ke = cls.derive(key, pack('>iB', keyusage, 0xAA)) + if len(ciphertext) < cls.blocksize + cls.macsize: + raise ValueError('ciphertext too short') + basic_ctext, mac = ciphertext[:-cls.macsize], ciphertext[-cls.macsize:] + if len(basic_ctext) % cls.padsize != 0: + raise ValueError('ciphertext does not meet padding requirement') + basic_plaintext = cls.basic_decrypt(ke, basic_ctext) + hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + expmac = hmac[:cls.macsize] + if not _mac_equal(mac, expmac): + raise InvalidChecksum('ciphertext integrity failure') + # Discard the confounder. + return basic_plaintext[cls.blocksize:] + + @classmethod + def prf(cls, key, string): + # Hash the input. RFC 3961 says to truncate to the padding + # size, but implementations truncate to the block size. + hashval = cls.hashmod.new(string).digest() + truncated = hashval[:-(len(hashval) % cls.blocksize)] + # Encrypt the hash with a derived key. + kp = cls.derive(key, b'prf') + return cls.basic_encrypt(kp, truncated) + + +class _DES3CBC(_SimplifiedEnctype): + enctype = Enctype.DES3 + keysize = 24 + seedsize = 21 + blocksize = 8 + padsize = 8 + macsize = 20 + hashmod = SHA + + @classmethod + def random_to_key(cls, seed): + # XXX Maybe reframe as _DESEnctype.random_to_key and use that + # way from DES3 random-to-key when DES is implemented, since + # MIT does this instead of the RFC 3961 random-to-key. + def expand(seed): + def parity(b): + # Return b with the low-order bit set to yield odd parity. + b &= ~1 + return b if bin(b & ~1).count('1') % 2 else b | 1 + assert len(seed) == 7 + firstbytes = [parity(b & ~1) for b in seed] + lastbyte = parity(sum((seed[i]&1) << i+1 for i in range(7))) + keybytes = bytes([b for b in firstbytes + [lastbyte]]) + if _is_weak_des_key(keybytes): + keybytes[7] = bytes([keybytes[7] ^ 0xF0]) + return keybytes + + if len(seed) != 21: + raise ValueError('Wrong seed length') + k1, k2, k3 = expand(seed[:7]), expand(seed[7:14]), expand(seed[14:]) + return Key(cls.enctype, k1 + k2 + k3) + + @classmethod + def string_to_key(cls, string, salt, params): + if params is not None and params != b'': + raise ValueError('Invalid DES3 string-to-key parameters') + k = cls.random_to_key(_nfold(string + salt, 21)) + return cls.derive(k, b'kerberos') + + @classmethod + def basic_encrypt(cls, key, plaintext): + assert len(plaintext) % 8 == 0 + des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) + return des3.encrypt(plaintext) + + @classmethod + def basic_decrypt(cls, key, ciphertext): + assert len(ciphertext) % 8 == 0 + des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) + return des3.decrypt(ciphertext) + + +class _AESEnctype(_SimplifiedEnctype): + # Base class for aes128-cts and aes256-cts. + blocksize = 16 + padsize = 1 + macsize = 12 + hashmod = SHA + + @classmethod + def string_to_key(cls, string, salt, params): + (iterations,) = unpack('>L', params or b'\x00\x00\x10\x00') + prf = lambda p, s: HMAC.new(p, s, SHA).digest() + seed = PBKDF2(string, salt, cls.seedsize, iterations, prf) + tkey = cls.random_to_key(seed) + return cls.derive(tkey, b'kerberos') + + @classmethod + def basic_encrypt(cls, key, plaintext): + assert len(plaintext) >= 16 + aes = AES.new(key.contents, AES.MODE_CBC, bytes(16)) + ctext = aes.encrypt(_zeropad(plaintext, 16)) + if len(plaintext) > 16: + # Swap the last two ciphertext blocks and truncate the + # final block to match the plaintext length. + lastlen = len(plaintext) % 16 or 16 + ctext = ctext[:-32] + ctext[-16:] + ctext[-32:-16][:lastlen] + return ctext + + @classmethod + def basic_decrypt(cls, key, ciphertext): + assert len(ciphertext) >= 16 + aes = AES.new(key.contents, AES.MODE_ECB) + if len(ciphertext) == 16: + return aes.decrypt(ciphertext) + # Split the ciphertext into blocks. The last block may be partial. + cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)] + lastlen = len(cblocks[-1]) + # CBC-decrypt all but the last two blocks. + prev_cblock = bytes(16) + plaintext = b'' + for b in cblocks[:-2]: + plaintext += _xorbytes(aes.decrypt(b), prev_cblock) + prev_cblock = b + # Decrypt the second-to-last cipher block. The left side of + # the decrypted block will be the final block of plaintext + # xor'd with the final partial cipher block; the right side + # will be the omitted bytes of ciphertext from the final + # block. + b = aes.decrypt(cblocks[-2]) + lastplaintext =_xorbytes(b[:lastlen], cblocks[-1]) + omitted = b[lastlen:] + # Decrypt the final cipher block plus the omitted bytes to get + # the second-to-last plaintext block. + plaintext += _xorbytes(aes.decrypt(cblocks[-1] + omitted), prev_cblock) + return plaintext + lastplaintext + + +class _AES128CTS(_AESEnctype): + enctype = Enctype.AES128 + keysize = 16 + seedsize = 16 + + +class _AES256CTS(_AESEnctype): + enctype = Enctype.AES256 + keysize = 32 + seedsize = 32 + + +class _RC4(_EnctypeProfile): + enctype = Enctype.RC4 + keysize = 16 + seedsize = 16 + + @staticmethod + def usage_str(keyusage): + # Return a four-byte string for an RFC 3961 keyusage, using + # the RFC 4757 rules. Per the errata, do not map 9 to 8. + table = {3: 8, 23: 13} + msusage = table[keyusage] if keyusage in table else keyusage + return pack('iB', keyusage, 0x99)) + hmac = HMAC.new(kc.contents, text, cls.enc.hashmod).digest() + return hmac[:cls.macsize] + + @classmethod + def verify(cls, key, keyusage, text, cksum): + if key.enctype != cls.enc.enctype: + raise ValueError('Wrong key type for checksum') + super(_SimplifiedChecksum, cls).verify(key, keyusage, text, cksum) + + +class _SHA1AES128(_SimplifiedChecksum): + macsize = 12 + enc = _AES128CTS + + +class _SHA1AES256(_SimplifiedChecksum): + macsize = 12 + enc = _AES256CTS + + +class _SHA1DES3(_SimplifiedChecksum): + macsize = 20 + enc = _DES3CBC + + +class _HMACMD5(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + ksign = HMAC.new(key.contents, b'signaturekey\0', MD5).digest() + md5hash = MD5.new(_RC4.usage_str(keyusage) + text).digest() + return HMAC.new(ksign, md5hash, MD5).digest() + + @classmethod + def verify(cls, key, keyusage, text, cksum): + if key.enctype != Enctype.RC4: + raise ValueError('Wrong key type for checksum') + super(_HMACMD5, cls).verify(key, keyusage, text, cksum) + + +_enctype_table = { + Enctype.DES3: _DES3CBC, + Enctype.AES128: _AES128CTS, + Enctype.AES256: _AES256CTS, + Enctype.RC4: _RC4 +} + + +_checksum_table = { + Cksumtype.SHA1_DES3: _SHA1DES3, + Cksumtype.SHA1_AES128: _SHA1AES128, + Cksumtype.SHA1_AES256: _SHA1AES256, + Cksumtype.HMAC_MD5: _HMACMD5 +} + + +def _get_enctype_profile(enctype): + if enctype not in _enctype_table: + raise ValueError('Invalid enctype %d' % enctype) + return _enctype_table[enctype] + + +def _get_checksum_profile(cksumtype): + if cksumtype not in _checksum_table: + raise ValueError('Invalid cksumtype %d' % cksumtype) + return _checksum_table[cksumtype] + + +class Key(object): + def __init__(self, enctype, contents): + e = _get_enctype_profile(enctype) + if len(contents) != e.keysize: + raise ValueError('Wrong key length') + self.enctype = enctype + self.contents = contents + + +def seedsize(enctype): + e = _get_enctype_profile(enctype) + return e.seedsize + + +def random_to_key(enctype, seed): + e = _get_enctype_profile(enctype) + if len(seed) != e.seedsize: + raise ValueError('Wrong crypto seed length') + return e.random_to_key(seed) + + +def string_to_key(enctype, string, salt, params=None): + e = _get_enctype_profile(enctype) + return e.string_to_key(string, salt, params) + + +def encrypt(key, keyusage, plaintext, confounder=None): + e = _get_enctype_profile(key.enctype) + return e.encrypt(key, keyusage, plaintext, confounder) + + +def decrypt(key, keyusage, ciphertext): + # Throw InvalidChecksum on checksum failure. Throw ValueError on + # invalid key enctype or malformed ciphertext. + e = _get_enctype_profile(key.enctype) + return e.decrypt(key, keyusage, ciphertext) + + +def prf(key, string): + e = _get_enctype_profile(key.enctype) + return e.prf(key, string) + + +def make_checksum(cksumtype, key, keyusage, text): + c = _get_checksum_profile(cksumtype) + return c.checksum(key, keyusage, text) + + +def verify_checksum(cksumtype, key, keyusage, text, cksum): + # Throw InvalidChecksum exception on checksum failure. Throw + # ValueError on invalid cksumtype, invalid key enctype, or + # malformed checksum. + c = _get_checksum_profile(cksumtype) + c.verify(key, keyusage, text, cksum) + + +def prfplus(key, pepper, l): + # Produce l bytes of output using the RFC 6113 PRF+ function. + out = b'' + count = 1 + while len(out) < l: + out += prf(key, bytes([count]) + pepper) + count += 1 + return out[:l] + + +def cf2(enctype, key1, key2, pepper1, pepper2): + # Combine two keys and two pepper strings to produce a result key + # of type enctype, using the RFC 6113 KRB-FX-CF2 function. + e = _get_enctype_profile(enctype) + return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), + prfplus(key2, pepper2, e.seedsize))) + + +if __name__ == '__main__': + def h(hexstr): + return bytes.fromhex(hexstr) + + # AES128 encrypt and decrypt + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + conf = h('94B491F481485B9A0678CD3C4EA386AD') + keyusage = 2 + plain = b'9 bytesss' + ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' + 'C26C355D2F') + k = Key(Enctype.AES128, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == plain) + + # AES256 encrypt and decrypt + kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') + conf = h('E45CA518B42E266AD98E165E706FFB60') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' + '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') + k = Key(Enctype.AES256, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == plain) + + # AES128 checksum + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + keyusage = 3 + plain = b'eight nine ten eleven twelve thirteen' + cksum = h('01A4B088D45628F6946614E3') + k = Key(Enctype.AES128, kb) + verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) + + # AES256 checksum + kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') + keyusage = 4 + plain = b'fourteen' + cksum = h('E08739E3279E2903EC8E3836') + k = Key(Enctype.AES256, kb) + verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) + + # AES128 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + params = h('00000002') + kb = h('C651BF29E2300AC27FA469D693BDDA13') + k = string_to_key(Enctype.AES128, string, salt, params) + assert(k.contents == kb) + + # AES256 string-to-key + string = b'X' * 64 + salt = b'pass phrase equals block size' + params = h('000004B0') + kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') + k = string_to_key(Enctype.AES256, string, salt, params) + assert(k.contents == kb) + + # AES128 prf + kb = h('77B39A37A868920F2A51F9DD150C5717') + k = string_to_key(Enctype.AES128, b'key1', b'key1') + assert(prf(k, b'\x01\x61') == kb) + + # AES256 prf + kb = h('0D674DD0F9A6806525A4D92E828BD15A') + k = string_to_key(Enctype.AES256, b'key2', b'key2') + assert(prf(k, b'\x02\x62') == kb) + + # AES128 cf2 + kb = h('97DF97E4B798B29EB31ED7280287A92A') + k1 = string_to_key(Enctype.AES128, b'key1', b'key1') + k2 = string_to_key(Enctype.AES128, b'key2', b'key2') + k = cf2(Enctype.AES128, k1, k2, b'a', b'b') + assert(k.contents == kb) + + # AES256 cf2 + kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') + k1 = string_to_key(Enctype.AES256, b'key1', b'key1') + k2 = string_to_key(Enctype.AES256, b'key2', b'key2') + k = cf2(Enctype.AES256, k1, k2, b'a', b'b') + assert(k.contents == kb) + + # DES3 encrypt and decrypt + kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') + conf = h('94690A17B2DA3C9B') + keyusage = 3 + plain = b'13 bytes byte' + ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' + '49CB7781D76A316B193F8D30') + k = Key(Enctype.DES3, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == _zeropad(plain, 8)) + + # DES3 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') + k = string_to_key(Enctype.DES3, string, salt) + assert(k.contents == kb) + + # DES3 checksum + kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') + keyusage = 2 + plain = b'six seven' + cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') + k = Key(Enctype.DES3, kb) + verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) + + # DES3 cf2 + kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') + k1 = string_to_key(Enctype.DES3, b'key1', b'key1') + k2 = string_to_key(Enctype.DES3, b'key2', b'key2') + k = cf2(Enctype.DES3, k1, k2, b'a', b'b') + assert(k.contents == kb) + + # RC4 encrypt and decrypt + kb = h('68F263DB3FCE15D031C9EAB02D67107A') + conf = h('37245E73A45FBF72') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' + 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') + k = Key(Enctype.RC4, kb) + assert(encrypt(k, keyusage, plain, conf) == ctxt) + assert(decrypt(k, keyusage, ctxt) == plain) + + # RC4 string-to-key + string = b'foo' + kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') + k = string_to_key(Enctype.RC4, string, None) + assert(k.contents == kb) + + # RC4 checksum + kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') + keyusage = 6 + plain = b'seventeen eighteen nineteen twenty' + cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') + k = Key(Enctype.RC4, kb) + verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) + + # RC4 cf2 + kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') + k1 = string_to_key(Enctype.RC4, b'key1', b'key1') + k2 = string_to_key(Enctype.RC4, b'key2', b'key2') + k = cf2(Enctype.RC4, k1, k2, b'a', b'b') + assert(k.contents == kb) diff --git a/python/samba/tests/source.py b/python/samba/tests/source.py index 4bb652c4204..b7608b1bab3 100644 --- a/python/samba/tests/source.py +++ b/python/samba/tests/source.py @@ -90,6 +90,9 @@ class TestSource(TestCase): if "wafsamba" in fname: # FIXME: No copyright headers in wafsamba continue + if fname.endswith("python/samba/tests/krb5/kcrypto.py"): + # Imported from MIT testing repo + continue match = copyright_re.search(text) if not match: incorrect.append((fname, 'no copyright line found\n')) @@ -132,6 +135,9 @@ class TestSource(TestCase): # Imported from subunit/testtools, which are dual # Apache2/BSD-3. continue + if fname.endswith("python/samba/tests/krb5/kcrypto.py"): + # Imported from MIT testing repo + continue if not gpl_re.search(text): incorrect.append(fname) diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 259ec91f66e..06fdc9afacb 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -84,7 +84,8 @@ EXCLUDE_USAGE = { 'selftest/tests.py', 'python/samba/subunit/run.py', 'bin/python/samba/subunit/run.py', - 'python/samba/tests/dcerpc/raw_protocol.py' + 'python/samba/tests/dcerpc/raw_protocol.py', + 'python/samba/tests/krb5/kcrypto.py', } EXCLUDE_HELP = { @@ -101,6 +102,7 @@ EXCLUDE_DIRS = { 'bin/ab', 'bin/python/samba/tests', 'bin/python/samba/tests/dcerpc', + 'bin/python/samba/tests/krb5', } -- 2.25.1 From c0bc4d8fafb7773ce10462f2234b52de5aaff702 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 20 Mar 2020 12:47:39 +0100 Subject: [PATCH 015/380] python/tests/krb5: convert kcrypto.py to python3-cryptography and a few Samba helpers Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 8bdd37997686d4ca60584bdfda78440be8432405) --- python/samba/tests/krb5/kcrypto.py | 460 +++++++++++++++++------------ 1 file changed, 273 insertions(+), 187 deletions(-) mode change 100644 => 100755 python/samba/tests/krb5/kcrypto.py diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py old mode 100644 new mode 100755 index 18c0f71c24c..0907d881b68 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -1,3 +1,5 @@ +#!/usr/bin/env python3 +# # Copyright (C) 2013 by the Massachusetts Institute of Technology. # All rights reserved. # @@ -40,14 +42,26 @@ # - Cipher state only needed for kcmd suite # - Nonstandard enctypes and cksumtypes like des-hmac-sha1 +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + from math import gcd from functools import reduce from struct import pack, unpack -from Crypto.Cipher import AES, DES3, ARC4 -from Crypto.Hash import HMAC, MD4, MD5, SHA -from Crypto.Protocol.KDF import PBKDF2 -from Crypto.Random import get_random_bytes - +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives import hmac +from cryptography.hazmat.primitives.ciphers import algorithms as ciphers +from cryptography.hazmat.primitives.ciphers import modes +from cryptography.hazmat.primitives.ciphers.base import Cipher +from cryptography.hazmat.backends import default_backend +from cryptography.hazmat.primitives.kdf.pbkdf2 import PBKDF2HMAC +from samba.tests import TestCase +from samba.credentials import Credentials +from samba import generate_random_bytes as get_random_bytes +from samba.compat import get_string, get_bytes class Enctype(object): DES_CRC = 1 @@ -97,6 +111,15 @@ def _mac_equal(mac1, mac2): res |= x ^ y return res == 0 +def SIMPLE_HASH(string, algo_cls): + hash_ctx = hashes.Hash(algo_cls(), default_backend()) + hash_ctx.update(string) + return hash_ctx.finalize() + +def HMAC_HASH(key, string, algo_cls): + hmac_ctx = hmac.HMAC(key, algo_cls(), default_backend()) + hmac_ctx.update(string) + return hmac_ctx.finalize() def _nfold(str, nbytes): # Convert str to a string of length nbytes using the RFC 3961 nfold @@ -199,7 +222,7 @@ class _SimplifiedEnctype(_EnctypeProfile): if confounder is None: confounder = get_random_bytes(cls.blocksize) basic_plaintext = confounder + _zeropad(plaintext, cls.padsize) - hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + hmac = HMAC_HASH(ki.contents, basic_plaintext, cls.hashalgo) return cls.basic_encrypt(ke, basic_plaintext) + hmac[:cls.macsize] @classmethod @@ -212,7 +235,7 @@ class _SimplifiedEnctype(_EnctypeProfile): if len(basic_ctext) % cls.padsize != 0: raise ValueError('ciphertext does not meet padding requirement') basic_plaintext = cls.basic_decrypt(ke, basic_ctext) - hmac = HMAC.new(ki.contents, basic_plaintext, cls.hashmod).digest() + hmac = HMAC_HASH(ki.contents, basic_plaintext, cls.hashalgo) expmac = hmac[:cls.macsize] if not _mac_equal(mac, expmac): raise InvalidChecksum('ciphertext integrity failure') @@ -223,7 +246,7 @@ class _SimplifiedEnctype(_EnctypeProfile): def prf(cls, key, string): # Hash the input. RFC 3961 says to truncate to the padding # size, but implementations truncate to the block size. - hashval = cls.hashmod.new(string).digest() + hashval = SIMPLE_HASH(string, cls.hashalgo) truncated = hashval[:-(len(hashval) % cls.blocksize)] # Encrypt the hash with a derived key. kp = cls.derive(key, b'prf') @@ -237,7 +260,7 @@ class _DES3CBC(_SimplifiedEnctype): blocksize = 8 padsize = 8 macsize = 20 - hashmod = SHA + hashalgo = hashes.SHA1 @classmethod def random_to_key(cls, seed): @@ -272,14 +295,20 @@ class _DES3CBC(_SimplifiedEnctype): @classmethod def basic_encrypt(cls, key, plaintext): assert len(plaintext) % 8 == 0 - des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) - return des3.encrypt(plaintext) + algo = ciphers.TripleDES(key.contents) + cbc = modes.CBC(bytes(8)) + encryptor = Cipher(algo, cbc, default_backend()).encryptor() + ciphertext = encryptor.update(plaintext) + return ciphertext @classmethod def basic_decrypt(cls, key, ciphertext): assert len(ciphertext) % 8 == 0 - des3 = DES3.new(key.contents, AES.MODE_CBC, bytes(8)) - return des3.decrypt(ciphertext) + algo = ciphers.TripleDES(key.contents) + cbc = modes.CBC(bytes(8)) + decryptor = Cipher(algo, cbc, default_backend()).decryptor() + plaintext = decryptor.update(ciphertext) + return plaintext class _AESEnctype(_SimplifiedEnctype): @@ -287,21 +316,35 @@ class _AESEnctype(_SimplifiedEnctype): blocksize = 16 padsize = 1 macsize = 12 - hashmod = SHA + hashalgo = hashes.SHA1 @classmethod def string_to_key(cls, string, salt, params): (iterations,) = unpack('>L', params or b'\x00\x00\x10\x00') - prf = lambda p, s: HMAC.new(p, s, SHA).digest() - seed = PBKDF2(string, salt, cls.seedsize, iterations, prf) + pwbytes = get_bytes(string) + kdf = PBKDF2HMAC(algorithm=hashes.SHA1(), + length=cls.seedsize, + salt=salt, + iterations=iterations, + backend=default_backend()) + seed = kdf.derive(pwbytes) tkey = cls.random_to_key(seed) return cls.derive(tkey, b'kerberos') @classmethod def basic_encrypt(cls, key, plaintext): assert len(plaintext) >= 16 - aes = AES.new(key.contents, AES.MODE_CBC, bytes(16)) - ctext = aes.encrypt(_zeropad(plaintext, 16)) + + algo = ciphers.AES(key.contents) + cbc = modes.CBC(bytes(16)) + aes_ctx = Cipher(algo, cbc, default_backend()) + + def aes_encrypt(plaintext): + encryptor = aes_ctx.encryptor() + ciphertext = encryptor.update(plaintext) + return ciphertext + + ctext = aes_encrypt(_zeropad(plaintext, 16)) if len(plaintext) > 16: # Swap the last two ciphertext blocks and truncate the # final block to match the plaintext length. @@ -312,9 +355,18 @@ class _AESEnctype(_SimplifiedEnctype): @classmethod def basic_decrypt(cls, key, ciphertext): assert len(ciphertext) >= 16 - aes = AES.new(key.contents, AES.MODE_ECB) + + algo = ciphers.AES(key.contents) + cbc = modes.CBC(bytes(16)) + aes_ctx = Cipher(algo, cbc, default_backend()) + + def aes_decrypt(ciphertext): + decryptor = aes_ctx.decryptor() + plaintext = decryptor.update(ciphertext) + return plaintext + if len(ciphertext) == 16: - return aes.decrypt(ciphertext) + return aes_decrypt(ciphertext) # Split the ciphertext into blocks. The last block may be partial. cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)] lastlen = len(cblocks[-1]) @@ -322,19 +374,19 @@ class _AESEnctype(_SimplifiedEnctype): prev_cblock = bytes(16) plaintext = b'' for b in cblocks[:-2]: - plaintext += _xorbytes(aes.decrypt(b), prev_cblock) + plaintext += _xorbytes(aes_decrypt(b), prev_cblock) prev_cblock = b # Decrypt the second-to-last cipher block. The left side of # the decrypted block will be the final block of plaintext # xor'd with the final partial cipher block; the right side # will be the omitted bytes of ciphertext from the final # block. - b = aes.decrypt(cblocks[-2]) + b = aes_decrypt(cblocks[-2]) lastplaintext =_xorbytes(b[:lastlen], cblocks[-1]) omitted = b[lastlen:] # Decrypt the final cipher block plus the omitted bytes to get # the second-to-last plaintext block. - plaintext += _xorbytes(aes.decrypt(cblocks[-1] + omitted), prev_cblock) + plaintext += _xorbytes(aes_decrypt(cblocks[-1] + omitted), prev_cblock) return plaintext + lastplaintext @@ -365,32 +417,43 @@ class _RC4(_EnctypeProfile): @classmethod def string_to_key(cls, string, salt, params): - utf16string = string.decode('UTF-8').encode('UTF-16LE') - return Key(cls.enctype, MD4.new(utf16string).digest()) + utf8string = get_string(string) + tmp = Credentials() + tmp.set_anonymous() + tmp.set_password(utf8string) + nthash = tmp.get_nt_hash() + return Key(cls.enctype, nthash) @classmethod def encrypt(cls, key, keyusage, plaintext, confounder): if confounder is None: confounder = get_random_bytes(8) - ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest() - cksum = HMAC.new(ki, confounder + plaintext, MD5).digest() - ke = HMAC.new(ki, cksum, MD5).digest() - return cksum + ARC4.new(ke).encrypt(confounder + plaintext) + ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5) + cksum = HMAC_HASH(ki, confounder + plaintext, hashes.MD5) + ke = HMAC_HASH(ki, cksum, hashes.MD5) + + encryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).encryptor() + ctext = encryptor.update(confounder + plaintext) + + return cksum + ctext @classmethod def decrypt(cls, key, keyusage, ciphertext): if len(ciphertext) < 24: raise ValueError('ciphertext too short') cksum, basic_ctext = ciphertext[:16], ciphertext[16:] - ki = HMAC.new(key.contents, cls.usage_str(keyusage), MD5).digest() - ke = HMAC.new(ki, cksum, MD5).digest() - basic_plaintext = ARC4.new(ke).decrypt(basic_ctext) - exp_cksum = HMAC.new(ki, basic_plaintext, MD5).digest() + ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5) + ke = HMAC_HASH(ki, cksum, hashes.MD5) + + decryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).decryptor() + basic_plaintext = decryptor.update(basic_ctext) + + exp_cksum = HMAC_HASH(ki, basic_plaintext, hashes.MD5) ok = _mac_equal(cksum, exp_cksum) if not ok and keyusage == 9: # Try again with usage 8, due to RFC 4757 errata. - ki = HMAC.new(key.contents, pack('iB', keyusage, 0x99)) - hmac = HMAC.new(kc.contents, text, cls.enc.hashmod).digest() + hmac = HMAC_HASH(kc.contents, text, cls.enc.hashalgo) return hmac[:cls.macsize] @classmethod @@ -452,9 +515,9 @@ class _SHA1DES3(_SimplifiedChecksum): class _HMACMD5(_ChecksumProfile): @classmethod def checksum(cls, key, keyusage, text): - ksign = HMAC.new(key.contents, b'signaturekey\0', MD5).digest() - md5hash = MD5.new(_RC4.usage_str(keyusage) + text).digest() - return HMAC.new(ksign, md5hash, MD5).digest() + ksign = HMAC_HASH(key.contents, b'signaturekey\0', hashes.MD5) + md5hash = SIMPLE_HASH(_RC4.usage_str(keyusage) + text, hashes.MD5) + return HMAC_HASH(ksign, md5hash, hashes.MD5) @classmethod def verify(cls, key, keyusage, text, cksum): @@ -564,150 +627,173 @@ def cf2(enctype, key1, key2, pepper1, pepper2): return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), prfplus(key2, pepper2, e.seedsize))) - -if __name__ == '__main__': - def h(hexstr): - return bytes.fromhex(hexstr) - - # AES128 encrypt and decrypt - kb = h('9062430C8CDA3388922E6D6A509F5B7A') - conf = h('94B491F481485B9A0678CD3C4EA386AD') - keyusage = 2 - plain = b'9 bytesss' - ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' - 'C26C355D2F') - k = Key(Enctype.AES128, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == plain) - - # AES256 encrypt and decrypt - kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') - conf = h('E45CA518B42E266AD98E165E706FFB60') - keyusage = 4 - plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' - '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') - k = Key(Enctype.AES256, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == plain) - - # AES128 checksum - kb = h('9062430C8CDA3388922E6D6A509F5B7A') - keyusage = 3 - plain = b'eight nine ten eleven twelve thirteen' - cksum = h('01A4B088D45628F6946614E3') - k = Key(Enctype.AES128, kb) - verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) - - # AES256 checksum - kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') - keyusage = 4 - plain = b'fourteen' - cksum = h('E08739E3279E2903EC8E3836') - k = Key(Enctype.AES256, kb) - verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) - - # AES128 string-to-key - string = b'password' - salt = b'ATHENA.MIT.EDUraeburn' - params = h('00000002') - kb = h('C651BF29E2300AC27FA469D693BDDA13') - k = string_to_key(Enctype.AES128, string, salt, params) - assert(k.contents == kb) - - # AES256 string-to-key - string = b'X' * 64 - salt = b'pass phrase equals block size' - params = h('000004B0') - kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') - k = string_to_key(Enctype.AES256, string, salt, params) - assert(k.contents == kb) - - # AES128 prf - kb = h('77B39A37A868920F2A51F9DD150C5717') - k = string_to_key(Enctype.AES128, b'key1', b'key1') - assert(prf(k, b'\x01\x61') == kb) - - # AES256 prf - kb = h('0D674DD0F9A6806525A4D92E828BD15A') - k = string_to_key(Enctype.AES256, b'key2', b'key2') - assert(prf(k, b'\x02\x62') == kb) - - # AES128 cf2 - kb = h('97DF97E4B798B29EB31ED7280287A92A') - k1 = string_to_key(Enctype.AES128, b'key1', b'key1') - k2 = string_to_key(Enctype.AES128, b'key2', b'key2') - k = cf2(Enctype.AES128, k1, k2, b'a', b'b') - assert(k.contents == kb) - - # AES256 cf2 - kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') - k1 = string_to_key(Enctype.AES256, b'key1', b'key1') - k2 = string_to_key(Enctype.AES256, b'key2', b'key2') - k = cf2(Enctype.AES256, k1, k2, b'a', b'b') - assert(k.contents == kb) - - # DES3 encrypt and decrypt - kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') - conf = h('94690A17B2DA3C9B') - keyusage = 3 - plain = b'13 bytes byte' - ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' - '49CB7781D76A316B193F8D30') - k = Key(Enctype.DES3, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == _zeropad(plain, 8)) - - # DES3 string-to-key - string = b'password' - salt = b'ATHENA.MIT.EDUraeburn' - kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') - k = string_to_key(Enctype.DES3, string, salt) - assert(k.contents == kb) - - # DES3 checksum - kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') - keyusage = 2 - plain = b'six seven' - cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') - k = Key(Enctype.DES3, kb) - verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) - - # DES3 cf2 - kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') - k1 = string_to_key(Enctype.DES3, b'key1', b'key1') - k2 = string_to_key(Enctype.DES3, b'key2', b'key2') - k = cf2(Enctype.DES3, k1, k2, b'a', b'b') - assert(k.contents == kb) - - # RC4 encrypt and decrypt - kb = h('68F263DB3FCE15D031C9EAB02D67107A') - conf = h('37245E73A45FBF72') - keyusage = 4 - plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' - 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') - k = Key(Enctype.RC4, kb) - assert(encrypt(k, keyusage, plain, conf) == ctxt) - assert(decrypt(k, keyusage, ctxt) == plain) - - # RC4 string-to-key - string = b'foo' - kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') - k = string_to_key(Enctype.RC4, string, None) - assert(k.contents == kb) - - # RC4 checksum - kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') - keyusage = 6 - plain = b'seventeen eighteen nineteen twenty' - cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') - k = Key(Enctype.RC4, kb) - verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) - - # RC4 cf2 - kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') - k1 = string_to_key(Enctype.RC4, b'key1', b'key1') - k2 = string_to_key(Enctype.RC4, b'key2', b'key2') - k = cf2(Enctype.RC4, k1, k2, b'a', b'b') - assert(k.contents == kb) +def h(hexstr): + return bytes.fromhex(hexstr) + +class KcrytoTest(TestCase): + """kcrypto Test case.""" + + def test_aes128_crypr(self): + # AES128 encrypt and decrypt + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + conf = h('94B491F481485B9A0678CD3C4EA386AD') + keyusage = 2 + plain = b'9 bytesss' + ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' + 'C26C355D2F') + k = Key(Enctype.AES128, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), plain) + + def test_aes256_crypt(self): + # AES256 encrypt and decrypt + kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') + conf = h('E45CA518B42E266AD98E165E706FFB60') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' + '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') + k = Key(Enctype.AES256, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), plain) + + def test_aes128_checksum(self): + # AES128 checksum + kb = h('9062430C8CDA3388922E6D6A509F5B7A') + keyusage = 3 + plain = b'eight nine ten eleven twelve thirteen' + cksum = h('01A4B088D45628F6946614E3') + k = Key(Enctype.AES128, kb) + verify_checksum(Cksumtype.SHA1_AES128, k, keyusage, plain, cksum) + + def test_aes256_checksum(self): + # AES256 checksum + kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') + keyusage = 4 + plain = b'fourteen' + cksum = h('E08739E3279E2903EC8E3836') + k = Key(Enctype.AES256, kb) + verify_checksum(Cksumtype.SHA1_AES256, k, keyusage, plain, cksum) + + def test_aes128_string_to_key(self): + # AES128 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + params = h('00000002') + kb = h('C651BF29E2300AC27FA469D693BDDA13') + k = string_to_key(Enctype.AES128, string, salt, params) + self.assertEqual(k.contents, kb) + + def test_aes256_string_to_key(self): + # AES256 string-to-key + string = b'X' * 64 + salt = b'pass phrase equals block size' + params = h('000004B0') + kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') + k = string_to_key(Enctype.AES256, string, salt, params) + self.assertEqual(k.contents, kb) + + def test_aes128_prf(self): + # AES128 prf + kb = h('77B39A37A868920F2A51F9DD150C5717') + k = string_to_key(Enctype.AES128, b'key1', b'key1') + self.assertEqual(prf(k, b'\x01\x61'), kb) + + def test_aes256_prf(self): + # AES256 prf + kb = h('0D674DD0F9A6806525A4D92E828BD15A') + k = string_to_key(Enctype.AES256, b'key2', b'key2') + self.assertEqual(prf(k, b'\x02\x62'), kb) + + def test_aes128_cf2(self): + # AES128 cf2 + kb = h('97DF97E4B798B29EB31ED7280287A92A') + k1 = string_to_key(Enctype.AES128, b'key1', b'key1') + k2 = string_to_key(Enctype.AES128, b'key2', b'key2') + k = cf2(Enctype.AES128, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) + + def test_aes256_cf2(self): + # AES256 cf2 + kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') + k1 = string_to_key(Enctype.AES256, b'key1', b'key1') + k2 = string_to_key(Enctype.AES256, b'key2', b'key2') + k = cf2(Enctype.AES256, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) + + def test_des3_crypt(self): + # DES3 encrypt and decrypt + kb = h('0DD52094E0F41CECCB5BE510A764B35176E3981332F1E598') + conf = h('94690A17B2DA3C9B') + keyusage = 3 + plain = b'13 bytes byte' + ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' + '49CB7781D76A316B193F8D30') + k = Key(Enctype.DES3, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), _zeropad(plain, 8)) + + def test_des3_string_to_key(self): + # DES3 string-to-key + string = b'password' + salt = b'ATHENA.MIT.EDUraeburn' + kb = h('850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E') + k = string_to_key(Enctype.DES3, string, salt) + self.assertEqual(k.contents, kb) + + def test_des3_checksum(self): + # DES3 checksum + kb = h('7A25DF8992296DCEDA0E135BC4046E2375B3C14C98FBC162') + keyusage = 2 + plain = b'six seven' + cksum = h('0EEFC9C3E049AABC1BA5C401677D9AB699082BB4') + k = Key(Enctype.DES3, kb) + verify_checksum(Cksumtype.SHA1_DES3, k, keyusage, plain, cksum) + + def test_des3_cf2(self): + # DES3 cf2 + kb = h('E58F9EB643862C13AD38E529313462A7F73E62834FE54A01') + k1 = string_to_key(Enctype.DES3, b'key1', b'key1') + k2 = string_to_key(Enctype.DES3, b'key2', b'key2') + k = cf2(Enctype.DES3, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) + + def test_rc4_crypt(self): + # RC4 encrypt and decrypt + kb = h('68F263DB3FCE15D031C9EAB02D67107A') + conf = h('37245E73A45FBF72') + keyusage = 4 + plain = b'30 bytes bytes bytes bytes byt' + ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' + 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') + k = Key(Enctype.RC4, kb) + self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) + self.assertEqual(decrypt(k, keyusage, ctxt), plain) + + def test_rc4_string_to_key(self): + # RC4 string-to-key + string = b'foo' + kb = h('AC8E657F83DF82BEEA5D43BDAF7800CC') + k = string_to_key(Enctype.RC4, string, None) + self.assertEqual(k.contents, kb) + + def test_rc4_checksum(self): + # RC4 checksum + kb = h('F7D3A155AF5E238A0B7A871A96BA2AB2') + keyusage = 6 + plain = b'seventeen eighteen nineteen twenty' + cksum = h('EB38CC97E2230F59DA4117DC5859D7EC') + k = Key(Enctype.RC4, kb) + verify_checksum(Cksumtype.HMAC_MD5, k, keyusage, plain, cksum) + + def test_rc4_cf2(self): + # RC4 cf2 + kb = h('24D7F6B6BAE4E5C00D2082C5EBAB3672') + k1 = string_to_key(Enctype.RC4, b'key1', b'key1') + k2 = string_to_key(Enctype.RC4, b'key2', b'key2') + k = cf2(Enctype.RC4, k1, k2, b'a', b'b') + self.assertEqual(k.contents, kb) + +if __name__ == "__main__": + import unittest + unittest.main() -- 2.25.1 From 8c6f3165cef55fc648bc46a9da06660016d50622 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 25 Mar 2020 22:07:39 +0100 Subject: [PATCH 016/380] s4:selftest: run samba.tests.krb5.kcrypto test Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 7010a1311d193c78e9f26adeafe98458217edbca) --- source4/selftest/tests.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 7d55aed89b4..9194c9b04f7 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -742,6 +742,8 @@ planoldpythontestsuite("nt4_dc", "samba.tests.netbios", extra_args=['-U"$USERNAM planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"']) +planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") + for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", -- 2.25.1 From b01f92a03087aed4bed0686682dea73d99961fea Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 23 Mar 2020 08:53:54 +0100 Subject: [PATCH 017/380] python/tests/krb5: add support for Cksumtype.MD5 Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 47385248c8e462162e01afc3d3d68b97dff3542c) --- python/samba/tests/krb5/kcrypto.py | 43 +++++++++++++++++++++++++++++- 1 file changed, 42 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index 0907d881b68..ed3c84fa186 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -526,6 +526,13 @@ class _HMACMD5(_ChecksumProfile): super(_HMACMD5, cls).verify(key, keyusage, text, cksum) +class _MD5(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + return SIMPLE_HASH(text, hashes.MD5) + + _enctype_table = { Enctype.DES3: _DES3CBC, Enctype.AES128: _AES128CTS, @@ -538,7 +545,8 @@ _checksum_table = { Cksumtype.SHA1_DES3: _SHA1DES3, Cksumtype.SHA1_AES128: _SHA1AES128, Cksumtype.SHA1_AES256: _SHA1AES256, - Cksumtype.HMAC_MD5: _HMACMD5 + Cksumtype.HMAC_MD5: _HMACMD5, + Cksumtype.MD5: _MD5, } @@ -794,6 +802,39 @@ class KcrytoTest(TestCase): k = cf2(Enctype.RC4, k1, k2, b'a', b'b') self.assertEqual(k.contents, kb) + def _test_md5_unkeyed_checksum(self, etype, usage): + # MD5 unkeyed checksum + pw = b'pwd' + salt = b'bytes' + key = string_to_key(etype, pw, salt) + plain = b'seventeen eighteen nineteen twenty' + cksum = h('9d9588cdef3a8cefc9d2c208d978f60c') + verify_checksum(Cksumtype.MD5, key, usage, plain, cksum) + + def test_md5_unkeyed_checksum_des3_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.DES3, 40) + + def test_md5_unkeyed_checksum_des3_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.DES3, 50) + + def test_md5_unkeyed_checksum_rc4_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.RC4, 40) + + def test_md5_unkeyed_checksum_rc4_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.RC4, 50) + + def test_md5_unkeyed_checksum_aes128_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.AES128, 40) + + def test_md5_unkeyed_checksum_aes128_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.AES128, 50) + + def test_md5_unkeyed_checksum_aes256_usage_40(self): + return self._test_md5_unkeyed_checksum(Enctype.AES256, 40) + + def test_md5_unkeyed_checksum_aes256_usage_50(self): + return self._test_md5_unkeyed_checksum(Enctype.AES256, 50) + if __name__ == "__main__": import unittest unittest.main() -- 2.25.1 From 86b6a91bd50749cdadc55505c3072cfd02c8aec3 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 018/380] python/tests/krb5: add rfc4120.asn1 Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit a2f75c314e9946f74e9dacceac690295999925b5) --- python/samba/tests/krb5/rfc4120.asn1 | 392 +++++++++++++++++++++++++++ 1 file changed, 392 insertions(+) create mode 100644 python/samba/tests/krb5/rfc4120.asn1 diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 new file mode 100644 index 00000000000..ec44557f45a --- /dev/null +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -0,0 +1,392 @@ +KerberosV5Spec2 { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) modules(4) krb5spec2(2) +} DEFINITIONS EXPLICIT TAGS ::= BEGIN + +-- OID arc for KerberosV5 +-- +-- This OID may be used to identify Kerberos protocol messages +-- encapsulated in other protocols. +-- +-- This OID also designates the OID arc for KerberosV5-related OIDs. +-- +-- NOTE: RFC 1510 had an incorrect value (5) for "dod" in its OID. +id-krb5 OBJECT IDENTIFIER ::= { + iso(1) identified-organization(3) dod(6) internet(1) + security(5) kerberosV5(2) +} + +Int32 ::= INTEGER (-2147483648..2147483647) + -- signed values representable in 32 bits + +UInt32 ::= INTEGER (0..4294967295) + -- unsigned 32 bit values + +Microseconds ::= INTEGER (0..999999) + -- microseconds + +KerberosString ::= GeneralString (IA5String) + +Realm ::= KerberosString + +PrincipalName ::= SEQUENCE { + name-type [0] Int32, + name-string [1] SEQUENCE OF KerberosString +} + +KerberosTime ::= GeneralizedTime -- with no fractional seconds + +HostAddress ::= SEQUENCE { + addr-type [0] Int32, + address [1] OCTET STRING +} + +-- NOTE: HostAddresses is always used as an OPTIONAL field and +-- should not be empty. +HostAddresses -- NOTE: subtly different from rfc1510, + -- but has a value mapping and encodes the same + ::= SEQUENCE OF HostAddress + +-- NOTE: AuthorizationData is always used as an OPTIONAL field and +-- should not be empty. +AuthorizationData ::= SEQUENCE OF SEQUENCE { + ad-type [0] Int32, + ad-data [1] OCTET STRING +} + +PA-DATA ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + padata-type [1] Int32, + padata-value [2] OCTET STRING -- might be encoded AP-REQ +} + +KerberosFlags ::= BIT STRING (SIZE (32..MAX)) + -- minimum number of bits shall be sent, + -- but no fewer than 32 + +EncryptedData ::= SEQUENCE { + etype [0] Int32 -- EncryptionType --, + kvno [1] UInt32 OPTIONAL, + cipher [2] OCTET STRING -- ciphertext +} + +EncryptionKey ::= SEQUENCE { + keytype [0] Int32 -- actually encryption type --, + keyvalue [1] OCTET STRING +} + +Checksum ::= SEQUENCE { + cksumtype [0] Int32, + checksum [1] OCTET STRING +} + +Ticket ::= [APPLICATION 1] SEQUENCE { + tkt-vno [0] INTEGER (5), + realm [1] Realm, + sname [2] PrincipalName, + enc-part [3] EncryptedData -- EncTicketPart +} + +-- Encrypted part of ticket +EncTicketPart ::= [APPLICATION 3] SEQUENCE { + flags [0] TicketFlags, + key [1] EncryptionKey, + crealm [2] Realm, + cname [3] PrincipalName, + transited [4] TransitedEncoding, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + caddr [9] HostAddresses OPTIONAL, + authorization-data [10] AuthorizationData OPTIONAL +} + +-- encoded Transited field +TransitedEncoding ::= SEQUENCE { + tr-type [0] Int32 -- must be registered --, + contents [1] OCTET STRING +} + +TicketFlags ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- may-postdate(5), + -- postdated(6), + -- invalid(7), + -- renewable(8), + -- initial(9), + -- pre-authent(10), + -- hw-authent(11), +-- the following are new since 1510 + -- transited-policy-checked(12), + -- ok-as-delegate(13) + +AS-REQ ::= [APPLICATION 10] KDC-REQ + +TGS-REQ ::= [APPLICATION 12] KDC-REQ + +KDC-REQ ::= SEQUENCE { + -- NOTE: first tag is [1], not [0] + pvno [1] INTEGER (5) , + msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + padata [3] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + req-body [4] KDC-REQ-BODY +} + +KDC-REQ-BODY ::= SEQUENCE { + kdc-options [0] KDCOptions, + cname [1] PrincipalName OPTIONAL + -- Used only in AS-REQ --, + realm [2] Realm + -- Server's realm + -- Also client's in AS-REQ --, + sname [3] PrincipalName OPTIONAL, + from [4] KerberosTime OPTIONAL, + till [5] KerberosTime, + rtime [6] KerberosTime OPTIONAL, + nonce [7] UInt32, + etype [8] SEQUENCE OF Int32 -- EncryptionType + -- in preference order --, + addresses [9] HostAddresses OPTIONAL, + enc-authorization-data [10] EncryptedData OPTIONAL + -- AuthorizationData --, + additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + -- NOTE: not empty +} + +KDCOptions ::= KerberosFlags + -- reserved(0), + -- forwardable(1), + -- forwarded(2), + -- proxiable(3), + -- proxy(4), + -- allow-postdate(5), + -- postdated(6), + -- unused7(7), + -- renewable(8), + -- unused9(9), + -- unused10(10), + -- opt-hardware-auth(11), + -- unused12(12), + -- unused13(13), +-- 15 is reserved for canonicalize + -- unused15(15), +-- 26 was unused in 1510 + -- disable-transited-check(26), +-- + -- renewable-ok(27), + -- enc-tkt-in-skey(28), + -- renew(30), + -- validate(31) + +AS-REP ::= [APPLICATION 11] KDC-REP + +TGS-REP ::= [APPLICATION 13] KDC-REP + +KDC-REP ::= SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (11 -- AS -- | 13 -- TGS --), + padata [2] SEQUENCE OF PA-DATA OPTIONAL + -- NOTE: not empty --, + crealm [3] Realm, + cname [4] PrincipalName, + ticket [5] Ticket, + enc-part [6] EncryptedData + -- EncASRepPart or EncTGSRepPart, + -- as appropriate +} + +EncASRepPart ::= [APPLICATION 25] EncKDCRepPart + +EncTGSRepPart ::= [APPLICATION 26] EncKDCRepPart + +EncKDCRepPart ::= SEQUENCE { + key [0] EncryptionKey, + last-req [1] LastReq, + nonce [2] UInt32, + key-expiration [3] KerberosTime OPTIONAL, + flags [4] TicketFlags, + authtime [5] KerberosTime, + starttime [6] KerberosTime OPTIONAL, + endtime [7] KerberosTime, + renew-till [8] KerberosTime OPTIONAL, + srealm [9] Realm, + sname [10] PrincipalName, + caddr [11] HostAddresses OPTIONAL +} + +LastReq ::= SEQUENCE OF SEQUENCE { + lr-type [0] Int32, + lr-value [1] KerberosTime +} + +AP-REQ ::= [APPLICATION 14] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (14), + ap-options [2] APOptions, + ticket [3] Ticket, + authenticator [4] EncryptedData -- Authenticator +} + +APOptions ::= KerberosFlags + -- reserved(0), + -- use-session-key(1), + -- mutual-required(2) + +-- Unencrypted authenticator +Authenticator ::= [APPLICATION 2] SEQUENCE { + authenticator-vno [0] INTEGER (5), + crealm [1] Realm, + cname [2] PrincipalName, + cksum [3] Checksum OPTIONAL, + cusec [4] Microseconds, + ctime [5] KerberosTime, + subkey [6] EncryptionKey OPTIONAL, + seq-number [7] UInt32 OPTIONAL, + authorization-data [8] AuthorizationData OPTIONAL +} + +AP-REP ::= [APPLICATION 15] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (15), + enc-part [2] EncryptedData -- EncAPRepPart +} + +EncAPRepPart ::= [APPLICATION 27] SEQUENCE { + ctime [0] KerberosTime, + cusec [1] Microseconds, + subkey [2] EncryptionKey OPTIONAL, + seq-number [3] UInt32 OPTIONAL +} + +KRB-SAFE ::= [APPLICATION 20] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (20), + safe-body [2] KRB-SAFE-BODY, + cksum [3] Checksum +} + +KRB-SAFE-BODY ::= SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress, + r-address [5] HostAddress OPTIONAL +} + +KRB-PRIV ::= [APPLICATION 21] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (21), + -- NOTE: there is no [2] tag + enc-part [3] EncryptedData -- EncKrbPrivPart +} + +EncKrbPrivPart ::= [APPLICATION 28] SEQUENCE { + user-data [0] OCTET STRING, + timestamp [1] KerberosTime OPTIONAL, + usec [2] Microseconds OPTIONAL, + seq-number [3] UInt32 OPTIONAL, + s-address [4] HostAddress -- sender's addr --, + r-address [5] HostAddress OPTIONAL -- recip's addr +} + +KRB-CRED ::= [APPLICATION 22] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (22), + tickets [2] SEQUENCE OF Ticket, + enc-part [3] EncryptedData -- EncKrbCredPart +} + +EncKrbCredPart ::= [APPLICATION 29] SEQUENCE { + ticket-info [0] SEQUENCE OF KrbCredInfo, + nonce [1] UInt32 OPTIONAL, + timestamp [2] KerberosTime OPTIONAL, + usec [3] Microseconds OPTIONAL, + s-address [4] HostAddress OPTIONAL, + r-address [5] HostAddress OPTIONAL +} + +KrbCredInfo ::= SEQUENCE { + key [0] EncryptionKey, + prealm [1] Realm OPTIONAL, + pname [2] PrincipalName OPTIONAL, + flags [3] TicketFlags OPTIONAL, + authtime [4] KerberosTime OPTIONAL, + starttime [5] KerberosTime OPTIONAL, + endtime [6] KerberosTime OPTIONAL, + renew-till [7] KerberosTime OPTIONAL, + srealm [8] Realm OPTIONAL, + sname [9] PrincipalName OPTIONAL, + caddr [10] HostAddresses OPTIONAL +} + +KRB-ERROR ::= [APPLICATION 30] SEQUENCE { + pvno [0] INTEGER (5), + msg-type [1] INTEGER (30), + ctime [2] KerberosTime OPTIONAL, + cusec [3] Microseconds OPTIONAL, + stime [4] KerberosTime, + susec [5] Microseconds, + error-code [6] Int32, + crealm [7] Realm OPTIONAL, + cname [8] PrincipalName OPTIONAL, + realm [9] Realm -- service realm --, + sname [10] PrincipalName -- service name --, + e-text [11] KerberosString OPTIONAL, + e-data [12] OCTET STRING OPTIONAL +} + +METHOD-DATA ::= SEQUENCE OF PA-DATA + +TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { + data-type [0] Int32, + data-value [1] OCTET STRING OPTIONAL +} + +-- preauth stuff follows + +PA-ENC-TIMESTAMP ::= EncryptedData -- PA-ENC-TS-ENC + +PA-ENC-TS-ENC ::= SEQUENCE { + patimestamp [0] KerberosTime -- client's time --, + pausec [1] Microseconds OPTIONAL +} + +ETYPE-INFO-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] OCTET STRING OPTIONAL +} + +ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY + +ETYPE-INFO2-ENTRY ::= SEQUENCE { + etype [0] Int32, + salt [1] KerberosString OPTIONAL, + s2kparams [2] OCTET STRING OPTIONAL +} + +ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY + +AD-IF-RELEVANT ::= AuthorizationData + +AD-KDCIssued ::= SEQUENCE { + ad-checksum [0] Checksum, + i-realm [1] Realm OPTIONAL, + i-sname [2] PrincipalName OPTIONAL, + elements [3] AuthorizationData +} + +AD-AND-OR ::= SEQUENCE { + condition-count [0] Int32, + elements [1] AuthorizationData +} + +AD-MANDATORY-FOR-KDC ::= AuthorizationData + +END -- 2.25.1 From 2e180b414ec501e9b3f48d7a947f86e11f211a7e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 019/380] python/tests/krb5: modify rfc4120.asn1 in order to generate pyasn1 code The pyasn1 bindings are generated by pyasn1gen.py from https://github.com/kimgr/asn1ate.git Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris (cherry picked from commit 94d068427f6cf23ab68c135ed9833db4b9155b65) --- python/samba/tests/krb5/rfc4120.asn1 | 293 +++++- python/samba/tests/krb5/rfc4120_pyasn1.py | 914 ++++++++++++++++++ .../samba/tests/krb5/rfc4120_pyasn1_regen.sh | 41 + python/samba/tests/source.py | 6 + 4 files changed, 1243 insertions(+), 11 deletions(-) create mode 100644 python/samba/tests/krb5/rfc4120_pyasn1.py create mode 100755 python/samba/tests/krb5/rfc4120_pyasn1_regen.sh diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index ec44557f45a..05b43106034 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -25,15 +25,23 @@ UInt32 ::= INTEGER (0..4294967295) Microseconds ::= INTEGER (0..999999) -- microseconds -KerberosString ::= GeneralString (IA5String) +-- +-- asn1ate doesn't support 'GeneralString (IA5String)' +-- only 'GeneralString' or 'IA5String', on the wire +-- GeneralString is used. +-- +-- KerberosString ::= GeneralString (IA5String) +KerberosString ::= GeneralString Realm ::= KerberosString PrincipalName ::= SEQUENCE { - name-type [0] Int32, + name-type [0] NameType, -- Int32, name-string [1] SEQUENCE OF KerberosString } +NameType ::= Int32 + KerberosTime ::= GeneralizedTime -- with no fractional seconds HostAddress ::= SEQUENCE { @@ -50,36 +58,48 @@ HostAddresses -- NOTE: subtly different from rfc1510, -- NOTE: AuthorizationData is always used as an OPTIONAL field and -- should not be empty. AuthorizationData ::= SEQUENCE OF SEQUENCE { - ad-type [0] Int32, + ad-type [0] AuthDataType, -- Int32, ad-data [1] OCTET STRING } +AuthDataType ::= Int32 + PA-DATA ::= SEQUENCE { -- NOTE: first tag is [1], not [0] - padata-type [1] Int32, + padata-type [1] PADataType, -- Int32 padata-value [2] OCTET STRING -- might be encoded AP-REQ } -KerberosFlags ::= BIT STRING (SIZE (32..MAX)) +PADataType ::= Int32 + +-- +-- asn1ate doesn't support 'MAX' nor a lower range != 1. +-- We'll use a custom enodeValue() hooks for BitString +-- in order to encode them with at least 32-Bit. +-- +-- KerberosFlags ::= BIT STRING (SIZE (32..MAX)) +KerberosFlags ::= BIT STRING (SIZE (1..32)) -- minimum number of bits shall be sent, -- but no fewer than 32 EncryptedData ::= SEQUENCE { - etype [0] Int32 -- EncryptionType --, + etype [0] EncryptionType, --Int32 EncryptionType -- kvno [1] UInt32 OPTIONAL, cipher [2] OCTET STRING -- ciphertext } EncryptionKey ::= SEQUENCE { - keytype [0] Int32 -- actually encryption type --, + keytype [0] EncryptionType, -- Int32 actually encryption type -- keyvalue [1] OCTET STRING } Checksum ::= SEQUENCE { - cksumtype [0] Int32, + cksumtype [0] ChecksumType, -- Int32, checksum [1] OCTET STRING } +ChecksumType ::= Int32 + Ticket ::= [APPLICATION 1] SEQUENCE { tkt-vno [0] INTEGER (5), realm [1] Realm, @@ -150,7 +170,7 @@ KDC-REQ-BODY ::= SEQUENCE { till [5] KerberosTime, rtime [6] KerberosTime OPTIONAL, nonce [7] UInt32, - etype [8] SEQUENCE OF Int32 -- EncryptionType + etype [8] SEQUENCE OF EncryptionType -- Int32 - EncryptionType -- in preference order --, addresses [9] HostAddresses OPTIONAL, enc-authorization-data [10] EncryptedData OPTIONAL @@ -159,6 +179,8 @@ KDC-REQ-BODY ::= SEQUENCE { -- NOTE: not empty } +EncryptionType ::= Int32 + KDCOptions ::= KerberosFlags -- reserved(0), -- forwardable(1), @@ -344,7 +366,11 @@ KRB-ERROR ::= [APPLICATION 30] SEQUENCE { METHOD-DATA ::= SEQUENCE OF PA-DATA -TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { +-- +-- asn1ate doesn't support 'MAX' +-- +-- TYPED-DATA ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE { +TYPED-DATA ::= SEQUENCE SIZE (1..256) OF SEQUENCE { data-type [0] Int32, data-value [1] OCTET STRING OPTIONAL } @@ -371,7 +397,7 @@ ETYPE-INFO2-ENTRY ::= SEQUENCE { s2kparams [2] OCTET STRING OPTIONAL } -ETYPE-INFO2 ::= SEQUENCE SIZE (1..MAX) OF ETYPE-INFO2-ENTRY +ETYPE-INFO2 ::= SEQUENCE SIZE (1..256) OF ETYPE-INFO2-ENTRY AD-IF-RELEVANT ::= AuthorizationData @@ -389,4 +415,249 @@ AD-AND-OR ::= SEQUENCE { AD-MANDATORY-FOR-KDC ::= AuthorizationData + + + + + +-- +-- +-- prettyPrint values +-- +-- + +NameTypeValues ::= INTEGER { -- Int32 + kRB5-NT-UNKNOWN(0), -- Name type not known + kRB5-NT-PRINCIPAL(1), -- Just the name of the principal as in + kRB5-NT-SRV-INST(2), -- Service and other unique instance (krbtgt) + kRB5-NT-SRV-HST(3), -- Service with host name as instance + kRB5-NT-SRV-XHST(4), -- Service with host as remaining components + kRB5-NT-UID(5), -- Unique ID + kRB5-NT-X500-PRINCIPAL(6), -- PKINIT + kRB5-NT-SMTP-NAME(7), -- Name in form of SMTP email name + kRB5-NT-ENTERPRISE-PRINCIPAL(10), -- Windows 2000 UPN + kRB5-NT-WELLKNOWN(11), -- Wellknown + kRB5-NT-ENT-PRINCIPAL-AND-ID(-130), -- Windows 2000 UPN and SID + kRB5-NT-MS-PRINCIPAL(-128), -- NT 4 style name + kRB5-NT-MS-PRINCIPAL-AND-ID(-129) -- NT style name and SID +} +NameTypeSequence ::= SEQUENCE { + dummy [0] NameTypeValues +} + +TicketFlagsValues ::= BIT STRING { -- KerberosFlags + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + may-postdate(5), + postdated(6), + invalid(7), + renewable(8), + initial(9), + pre-authent(10), + hw-authent(11), +-- the following are new since 1510 + transited-policy-checked(12), + ok-as-delegate(13) +} +TicketFlagsSequence ::= SEQUENCE { + dummy [0] TicketFlagsValues +} + +KDCOptionsValues ::= BIT STRING { -- KerberosFlags + reserved(0), + forwardable(1), + forwarded(2), + proxiable(3), + proxy(4), + allow-postdate(5), + postdated(6), + unused7(7), + renewable(8), + unused9(9), + unused10(10), + opt-hardware-auth(11), + unused12(12), + unused13(13), +-- 15 is reserved for canonicalize + unused15(15), +-- 26 was unused in 1510 + disable-transited-check(26), +-- + renewable-ok(27), + enc-tkt-in-skey(28), + renew(30), + validate(31) +} +KDCOptionsSequence ::= SEQUENCE { + dummy [0] KDCOptionsValues +} + +MessageTypeValues ::= INTEGER { + krb-as-req(10), -- Request for initial authentication + krb-as-rep(11), -- Response to KRB_AS_REQ request + krb-tgs-req(12), -- Request for authentication based on TGT + krb-tgs-rep(13), -- Response to KRB_TGS_REQ request + krb-ap-req(14), -- application request to server + krb-ap-rep(15), -- Response to KRB_AP_REQ_MUTUAL + krb-safe(20), -- Safe (checksummed) application message + krb-priv(21), -- Private (encrypted) application message + krb-cred(22), -- Private (encrypted) message to forward credentials + krb-error(30) -- Error response +} +MessageTypeSequence ::= SEQUENCE { + dummy [0] MessageTypeValues +} + +PADataTypeValues ::= INTEGER { + kRB5-PADATA-NONE(0), + -- kRB5-PADATA-TGS-REQ(1), + -- kRB5-PADATA-AP-REQ(1), + kRB5-PADATA-KDC-REQ(1), + kRB5-PADATA-ENC-TIMESTAMP(2), + kRB5-PADATA-PW-SALT(3), + kRB5-PADATA-ENC-UNIX-TIME(5), + kRB5-PADATA-SANDIA-SECUREID(6), + kRB5-PADATA-SESAME(7), + kRB5-PADATA-OSF-DCE(8), + kRB5-PADATA-CYBERSAFE-SECUREID(9), + kRB5-PADATA-AFS3-SALT(10), + kRB5-PADATA-ETYPE-INFO(11), + kRB5-PADATA-SAM-CHALLENGE(12), -- (sam/otp) + kRB5-PADATA-SAM-RESPONSE(13), -- (sam/otp) + kRB5-PADATA-PK-AS-REQ-19(14), -- (PKINIT-19) + kRB5-PADATA-PK-AS-REP-19(15), -- (PKINIT-19) + -- kRB5-PADATA-PK-AS-REQ-WIN(15), - (PKINIT - old number) + kRB5-PADATA-PK-AS-REQ(16), -- (PKINIT-25) + kRB5-PADATA-PK-AS-REP(17), -- (PKINIT-25) + kRB5-PADATA-PA-PK-OCSP-RESPONSE(18), + kRB5-PADATA-ETYPE-INFO2(19), + -- kRB5-PADATA-USE-SPECIFIED-KVNO(20), + kRB5-PADATA-SVR-REFERRAL-INFO(20), --- old ms referral number + kRB5-PADATA-SAM-REDIRECT(21), -- (sam/otp) + kRB5-PADATA-GET-FROM-TYPED-DATA(22), + kRB5-PADATA-SAM-ETYPE-INFO(23), + kRB5-PADATA-SERVER-REFERRAL(25), + kRB5-PADATA-ALT-PRINC(24), -- (crawdad@fnal.gov) + kRB5-PADATA-SAM-CHALLENGE2(30), -- (kenh@pobox.com) + kRB5-PADATA-SAM-RESPONSE2(31), -- (kenh@pobox.com) + kRB5-PA-EXTRA-TGT(41), -- Reserved extra TGT + kRB5-PADATA-TD-KRB-PRINCIPAL(102), -- PrincipalName + kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS(104), -- PKINIT + kRB5-PADATA-PK-TD-CERTIFICATE-INDEX(105), -- PKINIT + kRB5-PADATA-TD-APP-DEFINED-ERROR(106), -- application specific + kRB5-PADATA-TD-REQ-NONCE(107), -- INTEGER + kRB5-PADATA-TD-REQ-SEQ(108), -- INTEGER + kRB5-PADATA-PA-PAC-REQUEST(128), -- jbrezak@exchange.microsoft.com + kRB5-PADATA-FOR-USER(129), -- MS-KILE + kRB5-PADATA-FOR-X509-USER(130), -- MS-KILE + kRB5-PADATA-FOR-CHECK-DUPS(131), -- MS-KILE + kRB5-PADATA-AS-CHECKSUM(132), -- MS-KILE + -- kRB5-PADATA-PK-AS-09-BINDING(132), - client send this to + -- tell KDC that is supports + -- the asCheckSum in the + -- PK-AS-REP + kRB5-PADATA-FX-COOKIE(133), -- krb-wg-preauth-framework + kRB5-PADATA-AUTHENTICATION-SET(134), -- krb-wg-preauth-framework + kRB5-PADATA-AUTH-SET-SELECTED(135), -- krb-wg-preauth-framework + kRB5-PADATA-FX-FAST(136), -- krb-wg-preauth-framework + kRB5-PADATA-FX-ERROR(137), -- krb-wg-preauth-framework + kRB5-PADATA-ENCRYPTED-CHALLENGE(138), -- krb-wg-preauth-framework + kRB5-PADATA-OTP-CHALLENGE(141), -- (gareth.richards@rsa.com) + kRB5-PADATA-OTP-REQUEST(142), -- (gareth.richards@rsa.com) + kBB5-PADATA-OTP-CONFIRM(143), -- (gareth.richards@rsa.com) + kRB5-PADATA-OTP-PIN-CHANGE(144), -- (gareth.richards@rsa.com) + kRB5-PADATA-EPAK-AS-REQ(145), + kRB5-PADATA-EPAK-AS-REP(146), + kRB5-PADATA-PKINIT-KX(147), -- krb-wg-anon + kRB5-PADATA-PKU2U-NAME(148), -- zhu-pku2u + kRB5-PADATA-REQ-ENC-PA-REP(149), -- + kRB5-PADATA-SUPPORTED-ETYPES(165) -- MS-KILE +} +PADataTypeSequence ::= SEQUENCE { + dummy [0] PADataTypeValues +} + +AuthDataTypeValues ::= INTEGER { + kRB5-AUTHDATA-IF-RELEVANT(1), + kRB5-AUTHDATA-INTENDED-FOR-SERVER(2), + kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS(3), + kRB5-AUTHDATA-KDC-ISSUED(4), + kRB5-AUTHDATA-AND-OR(5), + kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS(6), + kRB5-AUTHDATA-IN-TICKET-EXTENSIONS(7), + kRB5-AUTHDATA-MANDATORY-FOR-KDC(8), + kRB5-AUTHDATA-INITIAL-VERIFIED-CAS(9), + kRB5-AUTHDATA-OSF-DCE(64), + kRB5-AUTHDATA-SESAME(65), + kRB5-AUTHDATA-OSF-DCE-PKI-CERTID(66), + kRB5-AUTHDATA-WIN2K-PAC(128), + kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION(129), -- Authenticator only + kRB5-AUTHDATA-SIGNTICKET-OLDER(-17), + kRB5-AUTHDATA-SIGNTICKET-OLD(142), + kRB5-AUTHDATA-SIGNTICKET(512) +} +AuthDataTypeSequence ::= SEQUENCE { + dummy [0] AuthDataTypeValues +} + +ChecksumTypeValues ::= INTEGER { + kRB5-CKSUMTYPE-NONE(0), + kRB5-CKSUMTYPE-CRC32(1), + kRB5-CKSUMTYPE-RSA-MD4(2), + kRB5-CKSUMTYPE-RSA-MD4-DES(3), + kRB5-CKSUMTYPE-DES-MAC(4), + kRB5-CKSUMTYPE-DES-MAC-K(5), + kRB5-CKSUMTYPE-RSA-MD4-DES-K(6), + kRB5-CKSUMTYPE-RSA-MD5(7), + kRB5-CKSUMTYPE-RSA-MD5-DES(8), + kRB5-CKSUMTYPE-RSA-MD5-DES3(9), + kRB5-CKSUMTYPE-SHA1-OTHER(10), + kRB5-CKSUMTYPE-HMAC-SHA1-DES3(12), + kRB5-CKSUMTYPE-SHA1(14), + kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128(15), + kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256(16), + kRB5-CKSUMTYPE-GSSAPI(32771), -- 0x8003 + kRB5-CKSUMTYPE-HMAC-MD5(-138), -- unofficial microsoft number + kRB5-CKSUMTYPE-HMAC-MD5-ENC(-1138) -- even more unofficial +} +ChecksumTypeSequence ::= SEQUENCE { + dummy [0] ChecksumTypeValues +} + +EncryptionTypeValues ::= INTEGER { + kRB5-ENCTYPE-NULL(0), + kRB5-ENCTYPE-DES-CBC-CRC(1), + kRB5-ENCTYPE-DES-CBC-MD4(2), + kRB5-ENCTYPE-DES-CBC-MD5(3), + kRB5-ENCTYPE-DES3-CBC-MD5(5), + kRB5-ENCTYPE-OLD-DES3-CBC-SHA1(7), + kRB5-ENCTYPE-SIGN-DSA-GENERATE(8), + kRB5-ENCTYPE-ENCRYPT-RSA-PRIV(9), + kRB5-ENCTYPE-ENCRYPT-RSA-PUB(10), + kRB5-ENCTYPE-DES3-CBC-SHA1(16), -- with key derivation + kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96(17), + kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96(18), + kRB5-ENCTYPE-ARCFOUR-HMAC-MD5(23), + kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56(24), + kRB5-ENCTYPE-ENCTYPE-PK-CROSS(48), +-- some "old" windows types + kRB5-ENCTYPE-ARCFOUR-MD4(-128), + kRB5-ENCTYPE-ARCFOUR-HMAC-OLD(-133), + kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP(-135), +-- these are for Heimdal internal use +-- kRB5-ENCTYPE-DES-CBC-NONE(-0x1000), +-- kRB5-ENCTYPE-DES3-CBC-NONE(-0x1001), +-- kRB5-ENCTYPE-DES-CFB64-NONE(-0x1002), +-- kRB5-ENCTYPE-DES-PCBC-NONE(-0x1003), +-- kRB5-ENCTYPE-DIGEST-MD5-NONE(-0x1004), - private use, lukeh@padl.com +-- kRB5-ENCTYPE-CRAM-MD5-NONE(-0x1005) - private use, lukeh@padl.com + kRB5-ENCTYPE-DUMMY(-1111) +} +EncryptionTypeSequence ::= SEQUENCE { + dummy [0] EncryptionTypeValues +} + END diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py new file mode 100644 index 00000000000..b2627aa3dcb --- /dev/null +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -0,0 +1,914 @@ +# Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 +# (last modified on 2020-03-26 10:28:24.346775) + +# KerberosV5Spec2 +from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful + + +def _OID(*components): + output = [] + for x in tuple(components): + if isinstance(x, univ.ObjectIdentifier): + output.extend(list(x)) + else: + output.append(int(x)) + + return univ.ObjectIdentifier(output) + + +class Int32(univ.Integer): + pass + + +Int32.subtypeSpec = constraint.ValueRangeConstraint(-2147483648, 2147483647) + + +class AuthDataType(Int32): + pass + + +class AuthorizationData(univ.SequenceOf): + pass + + +AuthorizationData.componentType = univ.Sequence(componentType=namedtype.NamedTypes( + namedtype.NamedType('ad-type', AuthDataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('ad-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +)) + + +class AD_AND_OR(univ.Sequence): + pass + + +AD_AND_OR.componentType = namedtype.NamedTypes( + namedtype.NamedType('condition-count', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('elements', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class AD_IF_RELEVANT(AuthorizationData): + pass + + +class ChecksumType(Int32): + pass + + +class Checksum(univ.Sequence): + pass + + +Checksum.componentType = namedtype.NamedTypes( + namedtype.NamedType('cksumtype', ChecksumType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('checksum', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class KerberosString(char.GeneralString): + pass + + +class NameType(Int32): + pass + + +class PrincipalName(univ.Sequence): + pass + + +PrincipalName.componentType = namedtype.NamedTypes( + namedtype.NamedType('name-type', NameType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('name-string', univ.SequenceOf(componentType=KerberosString()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class Realm(KerberosString): + pass + + +class AD_KDCIssued(univ.Sequence): + pass + + +AD_KDCIssued.componentType = namedtype.NamedTypes( + namedtype.NamedType('ad-checksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.OptionalNamedType('i-realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('i-sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('elements', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) +) + + +class AD_MANDATORY_FOR_KDC(AuthorizationData): + pass + + +class EncryptionType(Int32): + pass + + +class UInt32(univ.Integer): + pass + + +UInt32.subtypeSpec = constraint.ValueRangeConstraint(0, 4294967295) + + +class EncryptedData(univ.Sequence): + pass + + +EncryptedData.componentType = namedtype.NamedTypes( + namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('kvno', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('cipher', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class AP_REP(univ.Sequence): + pass + + +AP_REP.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 15)) +AP_REP.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(15)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))) +) + + +class KerberosFlags(univ.BitString): + pass + + +KerberosFlags.subtypeSpec=constraint.ValueSizeConstraint(1, 32) + + +class APOptions(KerberosFlags): + pass + + +class Ticket(univ.Sequence): + pass + + +Ticket.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 1)) +Ticket.componentType = namedtype.NamedTypes( + namedtype.NamedType('tkt-vno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class AP_REQ(univ.Sequence): + pass + + +AP_REQ.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 14)) +AP_REQ.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(14)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('ap-options', APOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('ticket', Ticket().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('authenticator', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) +) + + +class PADataType(Int32): + pass + + +class PA_DATA(univ.Sequence): + pass + + +PA_DATA.componentType = namedtype.NamedTypes( + namedtype.NamedType('padata-type', PADataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('padata-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class KDC_REP(univ.Sequence): + pass + + +KDC_REP.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(11, 13)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.NamedType('ticket', Ticket().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6))) +) + + +class AS_REP(KDC_REP): + pass + + +AS_REP.tagSet = KDC_REP.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 11)) + + +class HostAddress(univ.Sequence): + pass + + +HostAddress.componentType = namedtype.NamedTypes( + namedtype.NamedType('addr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('address', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class HostAddresses(univ.SequenceOf): + pass + + +HostAddresses.componentType = HostAddress() + + +class KDCOptions(KerberosFlags): + pass + + +class KerberosTime(useful.GeneralizedTime): + pass + + +class KDC_REQ_BODY(univ.Sequence): + pass + + +KDC_REQ_BODY.componentType = namedtype.NamedTypes( + namedtype.NamedType('kdc-options', KDCOptions().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), + namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), + namedtype.OptionalNamedType('from', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('rtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.NamedType('etype', univ.SequenceOf(componentType=EncryptionType()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.OptionalNamedType('addresses', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.OptionalNamedType('enc-authorization-data', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), + namedtype.OptionalNamedType('additional-tickets', univ.SequenceOf(componentType=Ticket()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) +) + + +class KDC_REQ(univ.Sequence): + pass + + +KDC_REQ.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(10, 12)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('padata', univ.SequenceOf(componentType=PA_DATA()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('req-body', KDC_REQ_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))) +) + + +class AS_REQ(KDC_REQ): + pass + + +AS_REQ.tagSet = KDC_REQ.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 10)) + + +class AuthDataTypeValues(univ.Integer): + pass + + +AuthDataTypeValues.namedValues = namedval.NamedValues( + ('kRB5-AUTHDATA-IF-RELEVANT', 1), + ('kRB5-AUTHDATA-INTENDED-FOR-SERVER', 2), + ('kRB5-AUTHDATA-INTENDED-FOR-APPLICATION-CLASS', 3), + ('kRB5-AUTHDATA-KDC-ISSUED', 4), + ('kRB5-AUTHDATA-AND-OR', 5), + ('kRB5-AUTHDATA-MANDATORY-TICKET-EXTENSIONS', 6), + ('kRB5-AUTHDATA-IN-TICKET-EXTENSIONS', 7), + ('kRB5-AUTHDATA-MANDATORY-FOR-KDC', 8), + ('kRB5-AUTHDATA-INITIAL-VERIFIED-CAS', 9), + ('kRB5-AUTHDATA-OSF-DCE', 64), + ('kRB5-AUTHDATA-SESAME', 65), + ('kRB5-AUTHDATA-OSF-DCE-PKI-CERTID', 66), + ('kRB5-AUTHDATA-WIN2K-PAC', 128), + ('kRB5-AUTHDATA-GSS-API-ETYPE-NEGOTIATION', 129), + ('kRB5-AUTHDATA-SIGNTICKET-OLDER', -17), + ('kRB5-AUTHDATA-SIGNTICKET-OLD', 142), + ('kRB5-AUTHDATA-SIGNTICKET', 512) +) + + +class AuthDataTypeSequence(univ.Sequence): + pass + + +AuthDataTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', AuthDataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class EncryptionKey(univ.Sequence): + pass + + +EncryptionKey.componentType = namedtype.NamedTypes( + namedtype.NamedType('keytype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('keyvalue', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class Microseconds(univ.Integer): + pass + + +Microseconds.subtypeSpec = constraint.ValueRangeConstraint(0, 999999) + + +class Authenticator(univ.Sequence): + pass + + +Authenticator.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 2)) +Authenticator.componentType = namedtype.NamedTypes( + namedtype.NamedType('authenticator-vno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.OptionalNamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), + namedtype.NamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('subkey', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 6))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('authorization-data', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))) +) + + +class ChecksumTypeValues(univ.Integer): + pass + + +ChecksumTypeValues.namedValues = namedval.NamedValues( + ('kRB5-CKSUMTYPE-NONE', 0), + ('kRB5-CKSUMTYPE-CRC32', 1), + ('kRB5-CKSUMTYPE-RSA-MD4', 2), + ('kRB5-CKSUMTYPE-RSA-MD4-DES', 3), + ('kRB5-CKSUMTYPE-DES-MAC', 4), + ('kRB5-CKSUMTYPE-DES-MAC-K', 5), + ('kRB5-CKSUMTYPE-RSA-MD4-DES-K', 6), + ('kRB5-CKSUMTYPE-RSA-MD5', 7), + ('kRB5-CKSUMTYPE-RSA-MD5-DES', 8), + ('kRB5-CKSUMTYPE-RSA-MD5-DES3', 9), + ('kRB5-CKSUMTYPE-SHA1-OTHER', 10), + ('kRB5-CKSUMTYPE-HMAC-SHA1-DES3', 12), + ('kRB5-CKSUMTYPE-SHA1', 14), + ('kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-128', 15), + ('kRB5-CKSUMTYPE-HMAC-SHA1-96-AES-256', 16), + ('kRB5-CKSUMTYPE-GSSAPI', 32771), + ('kRB5-CKSUMTYPE-HMAC-MD5', -138), + ('kRB5-CKSUMTYPE-HMAC-MD5-ENC', -1138) +) + + +class ChecksumTypeSequence(univ.Sequence): + pass + + +ChecksumTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', ChecksumTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class ETYPE_INFO_ENTRY(univ.Sequence): + pass + + +ETYPE_INFO_ENTRY.componentType = namedtype.NamedTypes( + namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('salt', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class ETYPE_INFO(univ.SequenceOf): + pass + + +ETYPE_INFO.componentType = ETYPE_INFO_ENTRY() + + +class ETYPE_INFO2_ENTRY(univ.Sequence): + pass + + +ETYPE_INFO2_ENTRY.componentType = namedtype.NamedTypes( + namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('salt', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('s2kparams', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class ETYPE_INFO2(univ.SequenceOf): + pass + + +ETYPE_INFO2.componentType = ETYPE_INFO2_ENTRY() +ETYPE_INFO2.subtypeSpec=constraint.ValueSizeConstraint(1, 256) + + +class EncAPRepPart(univ.Sequence): + pass + + +EncAPRepPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 27)) +EncAPRepPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('subkey', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))) +) + + +class LastReq(univ.SequenceOf): + pass + + +LastReq.componentType = univ.Sequence(componentType=namedtype.NamedTypes( + namedtype.NamedType('lr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('lr-value', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +)) + + +class TicketFlags(KerberosFlags): + pass + + +class EncKDCRepPart(univ.Sequence): + pass + + +EncKDCRepPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.NamedType('last-req', LastReq().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('key-expiration', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.NamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.NamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) +) + + +class EncASRepPart(EncKDCRepPart): + pass + + +EncASRepPart.tagSet = EncKDCRepPart.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 25)) + + +class KrbCredInfo(univ.Sequence): + pass + + +KrbCredInfo.componentType = namedtype.NamedTypes( + namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 0))), + namedtype.OptionalNamedType('prealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('pname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.OptionalNamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.OptionalNamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.OptionalNamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 9))), + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 10))) +) + + +class EncKrbCredPart(univ.Sequence): + pass + + +EncKrbCredPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 29)) +EncKrbCredPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('ticket-info', univ.SequenceOf(componentType=KrbCredInfo()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('nonce', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.OptionalNamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) +) + + +class EncKrbPrivPart(univ.Sequence): + pass + + +EncKrbPrivPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 28)) +EncKrbPrivPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('user-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) +) + + +class EncTGSRepPart(EncKDCRepPart): + pass + + +EncTGSRepPart.tagSet = EncKDCRepPart.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 26)) + + +class TransitedEncoding(univ.Sequence): + pass + + +TransitedEncoding.componentType = namedtype.NamedTypes( + namedtype.NamedType('tr-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('contents', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class EncTicketPart(univ.Sequence): + pass + + +EncTicketPart.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 3)) +EncTicketPart.componentType = namedtype.NamedTypes( + namedtype.NamedType('flags', TicketFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('key', EncryptionKey().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 1))), + namedtype.NamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))), + namedtype.NamedType('transited', TransitedEncoding().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.NamedType('authtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.OptionalNamedType('starttime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.NamedType('endtime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.OptionalNamedType('authorization-data', AuthorizationData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 10))) +) + + +class EncryptionTypeValues(univ.Integer): + pass + + +EncryptionTypeValues.namedValues = namedval.NamedValues( + ('kRB5-ENCTYPE-NULL', 0), + ('kRB5-ENCTYPE-DES-CBC-CRC', 1), + ('kRB5-ENCTYPE-DES-CBC-MD4', 2), + ('kRB5-ENCTYPE-DES-CBC-MD5', 3), + ('kRB5-ENCTYPE-DES3-CBC-MD5', 5), + ('kRB5-ENCTYPE-OLD-DES3-CBC-SHA1', 7), + ('kRB5-ENCTYPE-SIGN-DSA-GENERATE', 8), + ('kRB5-ENCTYPE-ENCRYPT-RSA-PRIV', 9), + ('kRB5-ENCTYPE-ENCRYPT-RSA-PUB', 10), + ('kRB5-ENCTYPE-DES3-CBC-SHA1', 16), + ('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96', 17), + ('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96', 18), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5', 23), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5-56', 24), + ('kRB5-ENCTYPE-ENCTYPE-PK-CROSS', 48), + ('kRB5-ENCTYPE-ARCFOUR-MD4', -128), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-OLD', -133), + ('kRB5-ENCTYPE-ARCFOUR-HMAC-OLD-EXP', -135), + ('kRB5-ENCTYPE-DUMMY', -1111) +) + + +class EncryptionTypeSequence(univ.Sequence): + pass + + +EncryptionTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', EncryptionTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class KDCOptionsValues(univ.BitString): + pass + + +KDCOptionsValues.namedValues = namedval.NamedValues( + ('reserved', 0), + ('forwardable', 1), + ('forwarded', 2), + ('proxiable', 3), + ('proxy', 4), + ('allow-postdate', 5), + ('postdated', 6), + ('unused7', 7), + ('renewable', 8), + ('unused9', 9), + ('unused10', 10), + ('opt-hardware-auth', 11), + ('unused12', 12), + ('unused13', 13), + ('unused15', 15), + ('disable-transited-check', 26), + ('renewable-ok', 27), + ('enc-tkt-in-skey', 28), + ('renew', 30), + ('validate', 31) +) + + +class KDCOptionsSequence(univ.Sequence): + pass + + +KDCOptionsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', KDCOptionsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class KRB_CRED(univ.Sequence): + pass + + +KRB_CRED.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 22)) +KRB_CRED.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(22)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('tickets', univ.SequenceOf(componentType=Ticket()).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class KRB_ERROR(univ.Sequence): + pass + + +KRB_ERROR.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 30)) +KRB_ERROR.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(30)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('ctime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('cusec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('stime', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 4))), + namedtype.NamedType('susec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 5))), + namedtype.NamedType('error-code', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 6))), + namedtype.OptionalNamedType('crealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 7))), + namedtype.OptionalNamedType('cname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 8))), + namedtype.NamedType('realm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), + namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), + namedtype.OptionalNamedType('e-text', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))), + namedtype.OptionalNamedType('e-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 12))) +) + + +class KRB_PRIV(univ.Sequence): + pass + + +KRB_PRIV.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 21)) +KRB_PRIV.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(21)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('enc-part', EncryptedData().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class KRB_SAFE_BODY(univ.Sequence): + pass + + +KRB_SAFE_BODY.componentType = namedtype.NamedTypes( + namedtype.NamedType('user-data', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('timestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('usec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))), + namedtype.OptionalNamedType('seq-number', UInt32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 3))), + namedtype.NamedType('s-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 4))), + namedtype.OptionalNamedType('r-address', HostAddress().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 5))) +) + + +class KRB_SAFE(univ.Sequence): + pass + + +KRB_SAFE.tagSet = univ.Sequence.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 20)) +KRB_SAFE.componentType = namedtype.NamedTypes( + namedtype.NamedType('pvno', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(5)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('msg-type', univ.Integer().subtype(subtypeSpec=constraint.SingleValueConstraint(20)).subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.NamedType('safe-body', KRB_SAFE_BODY().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 2))), + namedtype.NamedType('cksum', Checksum().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 3))) +) + + +class METHOD_DATA(univ.SequenceOf): + pass + + +METHOD_DATA.componentType = PA_DATA() + + +class MessageTypeValues(univ.Integer): + pass + + +MessageTypeValues.namedValues = namedval.NamedValues( + ('krb-as-req', 10), + ('krb-as-rep', 11), + ('krb-tgs-req', 12), + ('krb-tgs-rep', 13), + ('krb-ap-req', 14), + ('krb-ap-rep', 15), + ('krb-safe', 20), + ('krb-priv', 21), + ('krb-cred', 22), + ('krb-error', 30) +) + + +class MessageTypeSequence(univ.Sequence): + pass + + +MessageTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', MessageTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class NameTypeValues(univ.Integer): + pass + + +NameTypeValues.namedValues = namedval.NamedValues( + ('kRB5-NT-UNKNOWN', 0), + ('kRB5-NT-PRINCIPAL', 1), + ('kRB5-NT-SRV-INST', 2), + ('kRB5-NT-SRV-HST', 3), + ('kRB5-NT-SRV-XHST', 4), + ('kRB5-NT-UID', 5), + ('kRB5-NT-X500-PRINCIPAL', 6), + ('kRB5-NT-SMTP-NAME', 7), + ('kRB5-NT-ENTERPRISE-PRINCIPAL', 10), + ('kRB5-NT-WELLKNOWN', 11), + ('kRB5-NT-ENT-PRINCIPAL-AND-ID', -130), + ('kRB5-NT-MS-PRINCIPAL', -128), + ('kRB5-NT-MS-PRINCIPAL-AND-ID', -129) +) + + +class NameTypeSequence(univ.Sequence): + pass + + +NameTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', NameTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class PA_ENC_TIMESTAMP(EncryptedData): + pass + + +class PA_ENC_TS_ENC(univ.Sequence): + pass + + +PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( + namedtype.NamedType('patimestamp', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('pausec', Microseconds().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class PADataTypeValues(univ.Integer): + pass + + +PADataTypeValues.namedValues = namedval.NamedValues( + ('kRB5-PADATA-NONE', 0), + ('kRB5-PADATA-KDC-REQ', 1), + ('kRB5-PADATA-ENC-TIMESTAMP', 2), + ('kRB5-PADATA-PW-SALT', 3), + ('kRB5-PADATA-ENC-UNIX-TIME', 5), + ('kRB5-PADATA-SANDIA-SECUREID', 6), + ('kRB5-PADATA-SESAME', 7), + ('kRB5-PADATA-OSF-DCE', 8), + ('kRB5-PADATA-CYBERSAFE-SECUREID', 9), + ('kRB5-PADATA-AFS3-SALT', 10), + ('kRB5-PADATA-ETYPE-INFO', 11), + ('kRB5-PADATA-SAM-CHALLENGE', 12), + ('kRB5-PADATA-SAM-RESPONSE', 13), + ('kRB5-PADATA-PK-AS-REQ-19', 14), + ('kRB5-PADATA-PK-AS-REP-19', 15), + ('kRB5-PADATA-PK-AS-REQ', 16), + ('kRB5-PADATA-PK-AS-REP', 17), + ('kRB5-PADATA-PA-PK-OCSP-RESPONSE', 18), + ('kRB5-PADATA-ETYPE-INFO2', 19), + ('kRB5-PADATA-SVR-REFERRAL-INFO', 20), + ('kRB5-PADATA-SAM-REDIRECT', 21), + ('kRB5-PADATA-GET-FROM-TYPED-DATA', 22), + ('kRB5-PADATA-SAM-ETYPE-INFO', 23), + ('kRB5-PADATA-SERVER-REFERRAL', 25), + ('kRB5-PADATA-ALT-PRINC', 24), + ('kRB5-PADATA-SAM-CHALLENGE2', 30), + ('kRB5-PADATA-SAM-RESPONSE2', 31), + ('kRB5-PA-EXTRA-TGT', 41), + ('kRB5-PADATA-TD-KRB-PRINCIPAL', 102), + ('kRB5-PADATA-PK-TD-TRUSTED-CERTIFIERS', 104), + ('kRB5-PADATA-PK-TD-CERTIFICATE-INDEX', 105), + ('kRB5-PADATA-TD-APP-DEFINED-ERROR', 106), + ('kRB5-PADATA-TD-REQ-NONCE', 107), + ('kRB5-PADATA-TD-REQ-SEQ', 108), + ('kRB5-PADATA-PA-PAC-REQUEST', 128), + ('kRB5-PADATA-FOR-USER', 129), + ('kRB5-PADATA-FOR-X509-USER', 130), + ('kRB5-PADATA-FOR-CHECK-DUPS', 131), + ('kRB5-PADATA-AS-CHECKSUM', 132), + ('kRB5-PADATA-FX-COOKIE', 133), + ('kRB5-PADATA-AUTHENTICATION-SET', 134), + ('kRB5-PADATA-AUTH-SET-SELECTED', 135), + ('kRB5-PADATA-FX-FAST', 136), + ('kRB5-PADATA-FX-ERROR', 137), + ('kRB5-PADATA-ENCRYPTED-CHALLENGE', 138), + ('kRB5-PADATA-OTP-CHALLENGE', 141), + ('kRB5-PADATA-OTP-REQUEST', 142), + ('kBB5-PADATA-OTP-CONFIRM', 143), + ('kRB5-PADATA-OTP-PIN-CHANGE', 144), + ('kRB5-PADATA-EPAK-AS-REQ', 145), + ('kRB5-PADATA-EPAK-AS-REP', 146), + ('kRB5-PADATA-PKINIT-KX', 147), + ('kRB5-PADATA-PKU2U-NAME', 148), + ('kRB5-PADATA-REQ-ENC-PA-REP', 149), + ('kRB5-PADATA-SUPPORTED-ETYPES', 165) +) + + +class PADataTypeSequence(univ.Sequence): + pass + + +PADataTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', PADataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +class TGS_REP(KDC_REP): + pass + + +TGS_REP.tagSet = KDC_REP.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 13)) + + +class TGS_REQ(KDC_REQ): + pass + + +TGS_REQ.tagSet = KDC_REQ.tagSet.tagExplicitly(tag.Tag(tag.tagClassApplication, tag.tagFormatConstructed, 12)) + + +class TYPED_DATA(univ.SequenceOf): + pass + + +TYPED_DATA.componentType = univ.Sequence(componentType=namedtype.NamedTypes( + namedtype.NamedType('data-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.OptionalNamedType('data-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +)) + +TYPED_DATA.subtypeSpec=constraint.ValueSizeConstraint(1, 256) + + +class TicketFlagsValues(univ.BitString): + pass + + +TicketFlagsValues.namedValues = namedval.NamedValues( + ('reserved', 0), + ('forwardable', 1), + ('forwarded', 2), + ('proxiable', 3), + ('proxy', 4), + ('may-postdate', 5), + ('postdated', 6), + ('invalid', 7), + ('renewable', 8), + ('initial', 9), + ('pre-authent', 10), + ('hw-authent', 11), + ('transited-policy-checked', 12), + ('ok-as-delegate', 13) +) + + +class TicketFlagsSequence(univ.Sequence): + pass + + +TicketFlagsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', TicketFlagsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + +id_krb5 = _OID(1, 3, 6, 1, 5, 2) + + diff --git a/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh b/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh new file mode 100755 index 00000000000..2e3995688f2 --- /dev/null +++ b/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh @@ -0,0 +1,41 @@ +#!/bin/bash +# + +# +# I used https://github.com/kimgr/asn1ate.git +# to generate pyasn1 bindings for rfc4120.asn1 +# + +PATH_TO_ASN1ATE_CHECKOUT=$1 +PATH_TO_ASN1_INPUT_FILE=$2 + +set -u +set -e + +usage() { + echo "usage: $0 PATH_TO_ASN1ATE_CHECKOUT PATH_TO_ASN1_INPUT_FILE > PATH_TO_PYASN1_OUTPUT_FILE" +} + +test -n "${PATH_TO_ASN1ATE_CHECKOUT}" || { + usage + exit 1 +} +test -n "${PATH_TO_ASN1_INPUT_FILE}" || { + usage + exit 1 +} +test -d "${PATH_TO_ASN1ATE_CHECKOUT}" || { + usage + exit 1 +} +test -f "${PATH_TO_ASN1_INPUT_FILE}" || { + usage + exit 1 +} + +PATH_TO_PYASN1GEN_PY="${PATH_TO_ASN1ATE_CHECKOUT}/asn1ate/pyasn1gen.py" + +PYTHONPATH="${PATH_TO_ASN1ATE_CHECKOUT}:${PYTHONPATH-}" +export PYTHONPATH + +python3 "${PATH_TO_PYASN1GEN_PY}" "${PATH_TO_ASN1_INPUT_FILE}" diff --git a/python/samba/tests/source.py b/python/samba/tests/source.py index b7608b1bab3..cebfb9ae8fb 100644 --- a/python/samba/tests/source.py +++ b/python/samba/tests/source.py @@ -93,6 +93,9 @@ class TestSource(TestCase): if fname.endswith("python/samba/tests/krb5/kcrypto.py"): # Imported from MIT testing repo continue + if fname.endswith("python/samba/tests/krb5/rfc4120_pyasn1.py"): + # Autogenerated + continue match = copyright_re.search(text) if not match: incorrect.append((fname, 'no copyright line found\n')) @@ -138,6 +141,9 @@ class TestSource(TestCase): if fname.endswith("python/samba/tests/krb5/kcrypto.py"): # Imported from MIT testing repo continue + if fname.endswith("python/samba/tests/krb5/rfc4120_pyasn1.py"): + # Autogenerated + continue if not gpl_re.search(text): incorrect.append(fname) -- 2.25.1 From ae39d8c5397cb4a05c6727349f4da26110a27091 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 020/380] python/tests/krb5: add raw_testcase.py as the base for our Kerberos protocol testing Pair-Programmed-With: Isaac Boukris Signed-off-by: Stefan Metzmacher Signed-off-by: Isaac Boukris Reviewed-by: Isaac Boukris (cherry picked from commit fb7cba50ae3472b29aa806208badc1ded8979073) --- python/samba/tests/krb5/raw_testcase.py | 869 ++++++++++++++++++++++++ 1 file changed, 869 insertions(+) create mode 100644 python/samba/tests/krb5/raw_testcase.py diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py new file mode 100644 index 00000000000..6c7bcd418a0 --- /dev/null +++ b/python/samba/tests/krb5/raw_testcase.py @@ -0,0 +1,869 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) Isaac Boukris 2020 +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import socket +import struct +import time +import datetime +import random + +import samba.tests +from samba.credentials import Credentials +from samba.tests import TestCase +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba.tests.krb5.kcrypto as kcrypto + +from pyasn1.codec.der.decoder import decode as pyasn1_der_decode +from pyasn1.codec.der.encoder import encode as pyasn1_der_encode +from pyasn1.codec.native.decoder import decode as pyasn1_native_decode +from pyasn1.codec.native.encoder import encode as pyasn1_native_encode + +from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder +def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): + # + # BitStrings like KDCOptions or TicketFlags should at least + # be 32-Bit on the wire + # + if asn1Spec is not None: + # TODO: try to avoid ASN.1 schema instantiation + value = asn1Spec.clone(value) + + valueLength = len(value) + if valueLength % 8: + alignedValue = value << (8 - valueLength % 8) + else: + alignedValue = value + + substrate = alignedValue.asOctets() + length = len(substrate) + # We need at least 32-Bit / 4-Bytes + if length < 4: + padding = 4 - length + else: + padding = 0 + ret = b'\x00' + substrate + (b'\x00' * padding) + return ret, False, True +BitStringEncoder.encodeValue = BitStringEncoder_encodeValue32 + +def BitString_NamedValues_prettyPrint(self, scope=0): + ret = "%s" % self.asBinary() + bits = [] + highest_bit = 32 + for byte in self.asNumbers(): + for bit in [7,6,5,4,3,2,1,0]: + mask = 1 << bit + if byte & mask: + val = 1 + else: + val = 0 + bits.append(val) + if len(bits) < highest_bit: + for bitPosition in range(len(bits), highest_bit): + bits.append(0) + indent = " " * scope + delim = ": (\n%s " % indent + for bitPosition in range(highest_bit): + if bitPosition in self.prettyPrintNamedValues: + name = self.prettyPrintNamedValues[bitPosition] + elif bits[bitPosition] != 0: + name = "unknown-bit-%u" % bitPosition + else: + continue + ret += "%s%s:%u" % (delim, name, bits[bitPosition]) + delim = ",\n%s " % indent + ret += "\n%s)" % indent + return ret +krb5_asn1.TicketFlags.prettyPrintNamedValues = krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.namedValues = krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.prettyPrint = BitString_NamedValues_prettyPrint +krb5_asn1.KDCOptions.prettyPrintNamedValues = krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.namedValues = krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.prettyPrint = BitString_NamedValues_prettyPrint + +def Integer_NamedValues_prettyPrint(self, scope=0): + intval = int(self) + if intval in self.prettyPrintNamedValues: + name = self.prettyPrintNamedValues[intval] + else: + name = "<__unknown__>" + ret = "%d (0x%x) %s" % (intval, intval, name) + return ret +krb5_asn1.NameType.prettyPrintNamedValues = krb5_asn1.NameTypeValues.namedValues +krb5_asn1.NameType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.AuthDataType.prettyPrintNamedValues = krb5_asn1.AuthDataTypeValues.namedValues +krb5_asn1.AuthDataType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.PADataType.prettyPrintNamedValues = krb5_asn1.PADataTypeValues.namedValues +krb5_asn1.PADataType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.EncryptionType.prettyPrintNamedValues = krb5_asn1.EncryptionTypeValues.namedValues +krb5_asn1.EncryptionType.prettyPrint = Integer_NamedValues_prettyPrint +krb5_asn1.ChecksumType.prettyPrintNamedValues = krb5_asn1.ChecksumTypeValues.namedValues +krb5_asn1.ChecksumType.prettyPrint = Integer_NamedValues_prettyPrint + +class Krb5EncryptionKey(object): + def __init__(self, key, kvno): + EncTypeChecksum = { + kcrypto.Enctype.AES256: kcrypto.Cksumtype.SHA1_AES256, + kcrypto.Enctype.AES128: kcrypto.Cksumtype.SHA1_AES128, + kcrypto.Enctype.RC4: kcrypto.Cksumtype.HMAC_MD5, + } + self.key = key + self.etype = key.enctype + self.ctype = EncTypeChecksum[self.etype] + self.kvno = kvno + return + + def encrypt(self, usage, plaintext): + ciphertext = kcrypto.encrypt(self.key, usage, plaintext) + return ciphertext + + def decrypt(self, usage, ciphertext): + plaintext = kcrypto.decrypt(self.key, usage, ciphertext) + return plaintext + + def make_checksum(self, usage, plaintext, ctype=None): + if ctype is None: + ctype = self.ctype + cksum = kcrypto.make_checksum(ctype, self.key, usage, plaintext) + return cksum + + def export_obj(self): + EncryptionKey_obj = { + 'keytype': self.etype, + 'keyvalue': self.key.contents, + }; + return EncryptionKey_obj + +class RawKerberosTest(TestCase): + """A raw Kerberos Test case.""" + + def setUp(self): + super(RawKerberosTest, self).setUp() + self.do_asn1_print = False + self.do_hexdump = False + + self.host = samba.tests.env_get_var_value('SERVER') + + self.s = None + + def tearDown(self): + self._disconnect("tearDown") + super(TestCase, self).tearDown() + + def _disconnect(self, reason): + if self.s is None: + return + self.s.close() + self.s = None + if self.do_hexdump: + sys.stderr.write("disconnect[%s]\n" % reason) + + def _connect_tcp(self): + tcp_port = 88 + try: + self.a = socket.getaddrinfo(self.host, tcp_port, socket.AF_UNSPEC, + socket.SOCK_STREAM, socket.SOL_TCP, + 0) + self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2]) + self.s.settimeout(10) + self.s.connect(self.a[0][4]) + except socket.error as e: + self.s.close() + raise + except IOError as e: + self.s.close() + raise + except Exception as e: + raise + finally: + pass + + def connect(self): + self.assertNotConnected() + self._connect_tcp() + if self.do_hexdump: + sys.stderr.write("connected[%s]\n" % self.host) + return + + def get_user_creds(self): + c = Credentials() + c.guess() + domain = samba.tests.env_get_var_value('DOMAIN') + realm = samba.tests.env_get_var_value('REALM') + username = samba.tests.env_get_var_value('USERNAME') + password = samba.tests.env_get_var_value('PASSWORD') + c.set_domain(domain) + c.set_realm(realm) + c.set_username(username) + c.set_password(password) + return c + + def get_service_creds(self, allow_missing_password=False): + c = Credentials() + c.guess() + domain = samba.tests.env_get_var_value('DOMAIN') + realm = samba.tests.env_get_var_value('REALM') + username = samba.tests.env_get_var_value('SERVICE_USERNAME') + password = samba.tests.env_get_var_value('SERVICE_PASSWORD', + allow_missing=allow_missing_password) + c.set_domain(domain) + c.set_realm(realm) + c.set_username(username) + if password is not None: + c.set_password(password) + return c + + def get_anon_creds(self): + c = Credentials() + c.set_anonymous() + return c + + def asn1_dump(self, name, obj, asn1_print=None): + if asn1_print is None: + asn1_print = self.do_asn1_print + if asn1_print: + if name is not None: + sys.stderr.write("%s:\n%s" % (name, obj)) + else: + sys.stderr.write("%s" % (obj)) + + def hex_dump(self, name, blob, hexdump=None): + if hexdump is None: + hexdump = self.do_hexdump + if hexdump: + sys.stderr.write("%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) + + def der_decode(self, blob, asn1Spec=None, native_encode=True, asn1_print=None, hexdump=None): + if asn1Spec is not None: + class_name = type(asn1Spec).__name__.split(':')[0] + else: + class_name = "" + self.hex_dump(class_name, blob, hexdump=hexdump) + obj,_ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) + self.asn1_dump(None, obj, asn1_print=asn1_print) + if native_encode: + obj = pyasn1_native_encode(obj) + return obj + + def der_encode(self, obj, asn1Spec=None, native_decode=True, asn1_print=None, hexdump=None): + if native_decode: + obj = pyasn1_native_decode(obj, asn1Spec=asn1Spec) + class_name = type(obj).__name__.split(':')[0] + if class_name is not None: + self.asn1_dump(None, obj, asn1_print=asn1_print) + blob = pyasn1_der_encode(obj) + if class_name is not None: + self.hex_dump(class_name, blob, hexdump=hexdump) + return blob + + def send_pdu(self, req, asn1_print=None, hexdump=None): + try: + k5_pdu = self.der_encode(req, native_decode=False, asn1_print=asn1_print, hexdump=False) + header = struct.pack('>I', len(k5_pdu)) + req_pdu = header + req_pdu += k5_pdu + self.hex_dump("send_pdu", header, hexdump=hexdump) + self.hex_dump("send_pdu", k5_pdu, hexdump=hexdump) + while True: + sent = self.s.send(req_pdu, 0) + if sent == len(req_pdu): + break + req_pdu = req_pdu[sent:] + except socket.error as e: + self._disconnect("send_pdu: %s" % e) + raise + except IOError as e: + self._disconnect("send_pdu: %s" % e) + raise + finally: + pass + + def recv_raw(self, num_recv=0xffff, hexdump=None, timeout=None): + rep_pdu = None + try: + if timeout is not None: + self.s.settimeout(timeout) + rep_pdu = self.s.recv(num_recv, 0) + self.s.settimeout(10) + if len(rep_pdu) == 0: + self._disconnect("recv_raw: EOF") + return None + self.hex_dump("recv_raw", rep_pdu, hexdump=hexdump) + except socket.timeout as e: + self.s.settimeout(10) + sys.stderr.write("recv_raw: TIMEOUT\n") + pass + except socket.error as e: + self._disconnect("recv_raw: %s" % e) + raise + except IOError as e: + self._disconnect("recv_raw: %s" % e) + raise + finally: + pass + return rep_pdu + + def recv_pdu_raw(self, asn1_print=None, hexdump=None, timeout=None): + rep_pdu = None + rep = None + try: + raw_pdu = self.recv_raw(num_recv=4, hexdump=hexdump, timeout=timeout) + if raw_pdu is None: + return (None, None) + header = struct.unpack(">I", raw_pdu[0:4]) + k5_len = header[0] + if k5_len == 0: + return (None, "") + missing = k5_len + rep_pdu = b'' + while missing > 0: + raw_pdu = self.recv_raw(num_recv=missing, hexdump=hexdump, timeout=timeout) + self.assertGreaterEqual(len(raw_pdu), 1) + rep_pdu += raw_pdu + missing = k5_len - len(rep_pdu) + k5_raw = self.der_decode(rep_pdu, asn1Spec=None, native_encode=False, + asn1_print=False, hexdump=False) + pvno=k5_raw['field-0'] + self.assertEqual(pvno, 5) + msg_type=k5_raw['field-1'] + self.assertIn(msg_type, [11,13,30]) + if msg_type == 11: + asn1Spec=krb5_asn1.AS_REP() + elif msg_type == 13: + asn1Spec=krb5_asn1.TGS_REP() + elif msg_type == 30: + asn1Spec=krb5_asn1.KRB_ERROR() + rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, + asn1_print=asn1_print, hexdump=False) + finally: + pass + return (rep, rep_pdu) + + def recv_pdu(self, asn1_print=None, hexdump=None, timeout=None): + (rep, rep_pdu) = self.recv_pdu_raw(asn1_print=asn1_print, + hexdump=hexdump, + timeout=timeout) + return rep + + def assertIsConnected(self): + self.assertIsNotNone(self.s, msg="Not connected") + return + + def assertNotConnected(self): + self.assertIsNone(self.s, msg="Is connected") + return + + def send_recv_transaction(self, req, asn1_print=None, hexdump=None, timeout=None): + self.connect() + try: + self.send_pdu(req, asn1_print=asn1_print, hexdump=hexdump) + rep = self.recv_pdu(asn1_print=asn1_print, hexdump=hexdump, timeout=timeout) + except Exception: + self._disconnect("transaction failed") + raise + self._disconnect("transaction done") + return rep + + def assertNoValue(self, value): + self.assertTrue(value.isNoValue) + return + + def assertHasValue(self, value): + self.assertIsNotNone(value) + return + + def assertPrincipalEqual(self, princ1, princ2): + self.assertEqual(princ1['name-type'], princ2['name-type']) + self.assertEqual(len(princ1['name-string']), len(princ2['name-string']), + msg="princ1=%s != princ2=%s" % (princ1, princ2)) + for idx in range(len(princ1['name-string'])): + self.assertEqual(princ1['name-string'][idx], princ2['name-string'][idx], + msg="princ1=%s != princ2=%s" % (princ1, princ2)) + return + + def get_KerberosTimeWithUsec(self, epoch=None, offset=None): + if epoch is None: + epoch = time.time() + if offset is not None: + epoch = epoch + int(offset) + dt = datetime.datetime.fromtimestamp(epoch, tz=datetime.timezone.utc) + return (dt.strftime("%Y%m%d%H%M%SZ"), dt.microsecond) + + def get_KerberosTime(self, epoch=None, offset=None): + (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) + return s + + def SessionKey_create(self, etype, contents, kvno=None): + key = kcrypto.Key(etype, contents) + return Krb5EncryptionKey(key, kvno) + + def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None): + key = kcrypto.string_to_key(etype, pwd, salt) + return Krb5EncryptionKey(key, kvno) + + def PasswordKey_from_etype_info2(self, creds, etype_info2, kvno=None): + e = etype_info2['etype'] + salt = None + try: + salt = etype_info2['salt'] + except: + pass + + if e == kcrypto.Enctype.RC4: + self.assertIsNone(salt) + nthash = creds.get_nt_hash() + return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) + + password = creds.get_password() + return self.PasswordKey_create(etype=e, pwd=password, salt=salt, kvno=kvno) + + def RandomKey(self, etype): + e = kcrypto._get_enctype_profile(etype) + contents = samba.generate_random_bytes(e.keysize) + return self.SessionKey_create(etype=etype, contents=contents) + + def EncryptionKey_import(self, EncryptionKey_obj): + return self.SessionKey_create(EncryptionKey_obj['keytype'], + EncryptionKey_obj['keyvalue']) + + def EncryptedData_create(self, key, usage, plaintext): + # EncryptedData ::= SEQUENCE { + # etype [0] Int32 -- EncryptionType --, + # kvno [1] UInt32 OPTIONAL, + # cipher [2] OCTET STRING -- ciphertext + # } + ciphertext = key.encrypt(usage, plaintext) + EncryptedData_obj = { + 'etype': key.etype, + 'cipher': ciphertext + } + if key.kvno is not None: + EncryptedData_obj['kvno'] = key.kvno + return EncryptedData_obj + + def Checksum_create(self, key, usage, plaintext, ctype=None): + #Checksum ::= SEQUENCE { + # cksumtype [0] Int32, + # checksum [1] OCTET STRING + #} + if ctype is None: + ctype = key.ctype + checksum = key.make_checksum(usage, plaintext, ctype=ctype) + Checksum_obj = { + 'cksumtype': ctype, + 'checksum': checksum, + } + return Checksum_obj + + def PrincipalName_create(self, name_type, names): + # PrincipalName ::= SEQUENCE { + # name-type [0] Int32, + # name-string [1] SEQUENCE OF KerberosString + # } + PrincipalName_obj = { + 'name-type': name_type, + 'name-string': names, + } + return PrincipalName_obj + + def PA_DATA_create(self, padata_type, padata_value): + # PA-DATA ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # padata-type [1] Int32, + # padata-value [2] OCTET STRING -- might be encoded AP-REQ + # } + PA_DATA_obj = { + 'padata-type': padata_type, + 'padata-value': padata_value, + } + return PA_DATA_obj + + def PA_ENC_TS_ENC_create(self, ts, usec): + #PA-ENC-TS-ENC ::= SEQUENCE { + # patimestamp[0] KerberosTime, -- client's time + # pausec[1] krb5int32 OPTIONAL + #} + PA_ENC_TS_ENC_obj = { + 'patimestamp': ts, + 'pausec': usec, + } + return PA_ENC_TS_ENC_obj + + def KDC_REQ_BODY_create(self, + kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1_print=None, + hexdump=None): + #KDC-REQ-BODY ::= SEQUENCE { + # kdc-options [0] KDCOptions, + # cname [1] PrincipalName OPTIONAL + # -- Used only in AS-REQ --, + # realm [2] Realm + # -- Server's realm + # -- Also client's in AS-REQ --, + # sname [3] PrincipalName OPTIONAL, + # from [4] KerberosTime OPTIONAL, + # till [5] KerberosTime, + # rtime [6] KerberosTime OPTIONAL, + # nonce [7] UInt32, + # etype [8] SEQUENCE OF Int32 -- EncryptionType + # -- in preference order --, + # addresses [9] HostAddresses OPTIONAL, + # enc-authorization-data [10] EncryptedData OPTIONAL + # -- AuthorizationData --, + # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + # -- NOTE: not empty + #} + if EncAuthorizationData is not None: + enc_ad_plain = self.der_encode(EncAuthorizationData, + asn1Spec=krb5_asn1.AuthorizationData(), + asn1_print=asn1_print, + hexdump=hexdump) + enc_ad = self.EncryptedData_create(EncAuthorizationData_key, enc_ad_plain) + else: + enc_ad = None + KDC_REQ_BODY_obj = { + 'kdc-options': kdc_options, + 'realm': realm, + 'till': till_time, + 'nonce': nonce, + 'etype': etypes, + } + if cname is not None: + KDC_REQ_BODY_obj['cname'] = cname + if sname is not None: + KDC_REQ_BODY_obj['sname'] = sname + if from_time is not None: + KDC_REQ_BODY_obj['from'] = from_time + if renew_time is not None: + KDC_REQ_BODY_obj['rtime'] = renew_time + if addresses is not None: + KDC_REQ_BODY_obj['addresses'] = addresses + if enc_ad is not None: + KDC_REQ_BODY_obj['enc-authorization-data'] = enc_ad + if additional_tickets is not None: + KDC_REQ_BODY_obj['additional-tickets'] = additional_tickets + return KDC_REQ_BODY_obj + + def KDC_REQ_create(self, + msg_type, + padata, + kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1Spec=None, + asn1_print=None, + hexdump=None): + #KDC-REQ ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # pvno [1] INTEGER (5) , + # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + # padata [3] SEQUENCE OF PA-DATA OPTIONAL + # -- NOTE: not empty --, + # req-body [4] KDC-REQ-BODY + #} + # + KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1_print=asn1_print, + hexdump=hexdump) + KDC_REQ_obj = { + 'pvno': 5, + 'msg-type': msg_type, + 'req-body': KDC_REQ_BODY_obj, + } + if padata is not None: + KDC_REQ_obj['padata'] = padata + if asn1Spec is not None: + KDC_REQ_decoded = pyasn1_native_decode(KDC_REQ_obj, asn1Spec=asn1Spec) + else: + KDC_REQ_decoded = None + return KDC_REQ_obj, KDC_REQ_decoded + + def AS_REQ_create(self, + padata, # optional + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + native_decoded_only=True, + asn1_print=None, + hexdump=None): + #KDC-REQ ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # pvno [1] INTEGER (5) , + # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + # padata [3] SEQUENCE OF PA-DATA OPTIONAL + # -- NOTE: not empty --, + # req-body [4] KDC-REQ-BODY + #} + # + #KDC-REQ-BODY ::= SEQUENCE { + # kdc-options [0] KDCOptions, + # cname [1] PrincipalName OPTIONAL + # -- Used only in AS-REQ --, + # realm [2] Realm + # -- Server's realm + # -- Also client's in AS-REQ --, + # sname [3] PrincipalName OPTIONAL, + # from [4] KerberosTime OPTIONAL, + # till [5] KerberosTime, + # rtime [6] KerberosTime OPTIONAL, + # nonce [7] UInt32, + # etype [8] SEQUENCE OF Int32 -- EncryptionType + # -- in preference order --, + # addresses [9] HostAddresses OPTIONAL, + # enc-authorization-data [10] EncryptedData OPTIONAL + # -- AuthorizationData --, + # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + # -- NOTE: not empty + #} + obj,decoded = self.KDC_REQ_create(msg_type=10, + padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.AS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) + if native_decoded_only: + return decoded + return decoded, obj + + def AP_REQ_create(self, ap_options, ticket, authenticator): + # AP-REQ ::= [APPLICATION 14] SEQUENCE { + # pvno [0] INTEGER (5), + # msg-type [1] INTEGER (14), + # ap-options [2] APOptions, + # ticket [3] Ticket, + # authenticator [4] EncryptedData -- Authenticator + #} + AP_REQ_obj = { + 'pvno': 5, + 'msg-type': 14, + 'ap-options': ap_options, + 'ticket': ticket, + 'authenticator': authenticator, + } + return AP_REQ_obj + + def Authenticator_create(self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, + authorization_data): + # -- Unencrypted authenticator + # Authenticator ::= [APPLICATION 2] SEQUENCE { + # authenticator-vno [0] INTEGER (5), + # crealm [1] Realm, + # cname [2] PrincipalName, + # cksum [3] Checksum OPTIONAL, + # cusec [4] Microseconds, + # ctime [5] KerberosTime, + # subkey [6] EncryptionKey OPTIONAL, + # seq-number [7] UInt32 OPTIONAL, + # authorization-data [8] AuthorizationData OPTIONAL + #} + Authenticator_obj = { + 'authenticator-vno': 5, + 'crealm': crealm, + 'cname': cname, + 'cusec': cusec, + 'ctime': ctime, + } + if cksum is not None: + Authenticator_obj['cksum'] = cksum + if subkey is not None: + Authenticator_obj['subkey'] = subkey + if seq_number is not None: + Authenticator_obj['seq-number'] = seq_number + if authorization_data is not None: + Authenticator_obj['authorization-data'] = authorization_data + return Authenticator_obj + + def TGS_REQ_create(self, + padata, # optional + cusec, + ctime, + ticket, + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + ticket_session_key, + authenticator_subkey=None, + body_checksum_type=None, + native_decoded_only=True, + asn1_print=None, + hexdump=None): + #KDC-REQ ::= SEQUENCE { + # -- NOTE: first tag is [1], not [0] + # pvno [1] INTEGER (5) , + # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), + # padata [3] SEQUENCE OF PA-DATA OPTIONAL + # -- NOTE: not empty --, + # req-body [4] KDC-REQ-BODY + #} + # + #KDC-REQ-BODY ::= SEQUENCE { + # kdc-options [0] KDCOptions, + # cname [1] PrincipalName OPTIONAL + # -- Used only in AS-REQ --, + # realm [2] Realm + # -- Server's realm + # -- Also client's in AS-REQ --, + # sname [3] PrincipalName OPTIONAL, + # from [4] KerberosTime OPTIONAL, + # till [5] KerberosTime, + # rtime [6] KerberosTime OPTIONAL, + # nonce [7] UInt32, + # etype [8] SEQUENCE OF Int32 -- EncryptionType + # -- in preference order --, + # addresses [9] HostAddresses OPTIONAL, + # enc-authorization-data [10] EncryptedData OPTIONAL + # -- AuthorizationData --, + # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL + # -- NOTE: not empty + #} + + req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets) + req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), + asn1_print=asn1_print, hexdump=hexdump) + + req_body_checksum = self.Checksum_create(ticket_session_key, 6, req_body, + ctype=body_checksum_type) + + subkey_obj = None + if authenticator_subkey is not None: + subkey_obj = authenticator_subkey.export_obj() + seq_number = random.randint(0, 0xfffffffe) + authenticator = self.Authenticator_create(crealm=realm, + cname=cname, + cksum=req_body_checksum, + cusec=cusec, + ctime=ctime, + subkey=subkey_obj, + seq_number=seq_number, + authorization_data=None) + authenticator = self.der_encode(authenticator, asn1Spec=krb5_asn1.Authenticator(), + asn1_print=asn1_print, hexdump=hexdump) + + authenticator = self.EncryptedData_create(ticket_session_key, 7, authenticator) + + ap_options = krb5_asn1.APOptions('0') + ap_req = self.AP_REQ_create(ap_options=str(ap_options), + ticket=ticket, + authenticator=authenticator) + ap_req = self.der_encode(ap_req, asn1Spec=krb5_asn1.AP_REQ(), + asn1_print=asn1_print, hexdump=hexdump) + pa_tgs_req = self.PA_DATA_create(1, ap_req) + if padata is not None: + padata.append(pa_tgs_req) + else: + padata = [pa_tgs_req] + + obj,decoded = self.KDC_REQ_create(msg_type=12, + padata=padata, + kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.TGS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) + if native_decoded_only: + return decoded + return decoded, obj -- 2.25.1 From 5278f81a1563fbe44b9da4657717afc51b9f1bcc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 021/380] python/tests/krb5: add simple_tests.py with the first simple test This just demonstrates that the infrastructure works:-) I'm running this as: SERVER=172.31.9.188 DOMAIN=W2012R2-L6 REALM=W2012R2-L6.BASE \ USERNAME=administrator PASSWORD=A1b2C3d4 SERVICE_USERNAME="w2012r2-188" \ python/samba/tests/krb5/simple_tests.py Pair-Programmed-With: Isaac Boukris Signed-off-by: Stefan Metzmacher Signed-off-by: Isaac Boukris Reviewed-by: Isaac Boukris (cherry picked from commit 4f6d26609a66a42df671a540677af15e67efc0df) --- python/samba/tests/krb5/simple_tests.py | 171 ++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + 2 files changed, 172 insertions(+) create mode 100755 python/samba/tests/krb5/simple_tests.py diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py new file mode 100755 index 00000000000..c9998c4d2db --- /dev/null +++ b/python/samba/tests/krb5/simple_tests.py @@ -0,0 +1,171 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + +class SimpleKerberosTests(RawKerberosTest): + + def setUp(self): + super(SimpleKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_simple(self): + user_creds = self.get_user_creds() + user = user_creds.get_username() + realm = user_creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[user]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes=(18,17,23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + + # TGS Request + service_creds = self.get_service_creds(allow_missing_password=True) + service_name = service_creds.get_username() + + sname = self.PrincipalName_create(name_type=2, names=["host", service_name]) + kdc_options = krb5_asn1.KDCOptions('forwardable') + till = self.get_KerberosTime(offset=36000) + ticket = rep['ticket'] + ticket_session_key = self.EncryptionKey_import(enc_part2['key']) + padata = [] + + subkey = self.RandomKey(ticket_session_key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=ticket_session_key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 13) + + enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + return + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 06fdc9afacb..18e9fad232f 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -86,6 +86,7 @@ EXCLUDE_USAGE = { 'bin/python/samba/subunit/run.py', 'python/samba/tests/dcerpc/raw_protocol.py', 'python/samba/tests/krb5/kcrypto.py', + 'python/samba/tests/krb5/simple_tests.py', } EXCLUDE_HELP = { -- 2.25.1 From 410f981c611ffdd3a0f661208736120a9d86723c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 13 Feb 2020 16:29:38 +0100 Subject: [PATCH 022/380] s4:selftest: run samba.tests.krb5.simple_tests against ad_dc_default Signed-off-by: Stefan Metzmacher Reviewed-by: Isaac Boukris Autobuild-User(master): Stefan Metzmacher Autobuild-Date(master): Fri Mar 27 19:54:25 UTC 2020 on sn-devel-184 (cherry picked from commit c4ccdf4b30de1b1e63d3fd99d33b924b816a5d37) --- source4/selftest/tests.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 9194c9b04f7..693209f2d1e 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -743,6 +743,8 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.gpo", extra_args=['-U"$USERNA planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", + environ={'SERVICE_USERNAME':'$SERVER'}) for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) -- 2.25.1 From 6fe467d921213dbc3cd51dd0712197472beb06ea Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 7 May 2020 17:16:53 +0200 Subject: [PATCH 023/380] Revert "selftest: allow any kdc error in mitm-s4u2self test" This reverts commit a53fa8ffe3e36f7921baf5d31a1052747f90aa7d. This allows a clean revert (and so removal) of the test. Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett (cherry picked from commit ce65e8979dda9774b170db7a9fa7ba458af4cee9) --- source4/torture/krb5/kdc-canon-heimdal.c | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c index 700e1c2b37e..8dc3e24a8d5 100644 --- a/source4/torture/krb5/kdc-canon-heimdal.c +++ b/source4/torture/krb5/kdc-canon-heimdal.c @@ -737,12 +737,13 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex error.pvno, 5, "Got wrong error.pvno"); expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE; - if (!test_context->test_data->mitm_s4u2self) { - torture_assert_int_equal(test_context->tctx, - error.error_code, - expected_error, - "Got wrong error.error_code"); + if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) { + expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE; } + torture_assert_int_equal(test_context->tctx, + error.error_code, + expected_error, + "Got wrong error.error_code"); } else { torture_assert_int_equal(test_context->tctx, decode_TGS_REP(recv_buf->data, recv_buf->length, @@ -2089,7 +2090,8 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * || test_data->upn == false)) { if (test_data->mitm_s4u2self) { - torture_assert_int_not_equal(tctx, k5ret, 0, assertion_message); + torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM, + assertion_message); /* Done testing mitm-s4u2self */ return true; } -- 2.25.1 From 7620840700f6c4810821e821c645542da9279ace Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 7 May 2020 17:17:00 +0200 Subject: [PATCH 024/380] Revert "selftest: mitm-s4u2self: use zlib for CRC32_checksum calc" This reverts commit 151f8c0f31d3d17b9418db3793ec14ba7dbf2143. This allows a clean revert (and so removal) of the test. Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett (cherry picked from commit b5adc112771f22c2d7c4319063c3e89074c4f4ab) --- source4/torture/krb5/kdc-canon-heimdal.c | 19 ++++++------------- 1 file changed, 6 insertions(+), 13 deletions(-) diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c index 8dc3e24a8d5..dffebd74038 100644 --- a/source4/torture/krb5/kdc-canon-heimdal.c +++ b/source4/torture/krb5/kdc-canon-heimdal.c @@ -33,7 +33,6 @@ #include "auth/auth_sam_reply.h" #include "auth/gensec/gensec.h" #include "param/param.h" -#include "zlib.h" #define TEST_CANONICALIZE 0x0000001 #define TEST_ENTERPRISE 0x0000002 @@ -215,17 +214,6 @@ static bool test_accept_ticket(struct torture_context *tctx, return true; } -static void -zCRC32_checksum(const void *data, - size_t len, - Checksum *C) -{ - uint32_t *crc = C->checksum.data; - *crc = ~(crc32(0xffffffff, data, len)); - C->checksum.length = 4; - C->cksumtype = 1; -} - krb5_error_code _krb5_s4u2self_to_checksumdata(krb5_context context, const PA_S4U2Self *self, @@ -264,7 +252,11 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context, torture_assert_int_equal(test_context->tctx, _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data), 0, "_krb5_s4u2self_to_checksumdata() failed"); - zCRC32_checksum(cksum_data.data, cksum_data.length, &mod_self.cksum); + torture_assert_int_equal(test_context->tctx, + krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM, + CKSUMTYPE_CRC32, cksum_data.data, + cksum_data.length, &mod_self.cksum), + 0, "krb5_create_checksum() failed"); ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length, &mod_self, &used, ret); @@ -278,6 +270,7 @@ static bool change_for_user_principal(struct torture_krb5_context *test_context, free_PA_S4U2Self(&self); krb5_data_free(&cksum_data); + free_Checksum(&mod_self.cksum); return true; } -- 2.25.1 From 22b18f728ca3e03b27c6324f0d4004a4afafddeb Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 7 May 2020 17:17:12 +0200 Subject: [PATCH 025/380] Revert "CVE-2018-16860 selftest: Add test for S4U2Self with unkeyed checksum" This reverts commit 5639e973c1f6f1b28b122741763f1d05b47bc2d8. This is no longer needed as the next commit includes a Python test for this, without the complexity of being inside krb5.kdc.canon. Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett (cherry picked from commit 19875a37318a7cd5585572616cf12a775591193f) --- source4/torture/krb5/kdc-canon-heimdal.c | 105 +---------------------- 1 file changed, 4 insertions(+), 101 deletions(-) diff --git a/source4/torture/krb5/kdc-canon-heimdal.c b/source4/torture/krb5/kdc-canon-heimdal.c index dffebd74038..9e0808b134c 100644 --- a/source4/torture/krb5/kdc-canon-heimdal.c +++ b/source4/torture/krb5/kdc-canon-heimdal.c @@ -44,8 +44,7 @@ #define TEST_S4U2SELF 0x0000080 #define TEST_REMOVEDOLLAR 0x0000100 #define TEST_AS_REQ_SPN 0x0000200 -#define TEST_MITM_S4U2SELF 0x0000400 -#define TEST_ALL 0x00007FF +#define TEST_ALL 0x00003FF struct test_data { const char *test_name; @@ -63,7 +62,6 @@ struct test_data { bool upn; bool other_upn_suffix; bool s4u2self; - bool mitm_s4u2self; bool removedollar; bool as_req_spn; bool spn_is_upn; @@ -214,67 +212,6 @@ static bool test_accept_ticket(struct torture_context *tctx, return true; } -krb5_error_code -_krb5_s4u2self_to_checksumdata(krb5_context context, - const PA_S4U2Self *self, - krb5_data *data); - -/* Helper function to modify the principal in PA_FOR_USER padata */ -static bool change_for_user_principal(struct torture_krb5_context *test_context, - krb5_data *modified_send_buf) -{ - PA_DATA *for_user; - int i = 0; - size_t used; - krb5_error_code ret; - PA_S4U2Self self, mod_self; - krb5_data cksum_data; - krb5_principal admin; - heim_octet_string orig_padata_value; - krb5_context k5_ctx = test_context->smb_krb5_context->krb5_context; - - for_user = krb5_find_padata(test_context->tgs_req.padata->val, - test_context->tgs_req.padata->len, KRB5_PADATA_FOR_USER, &i); - torture_assert(test_context->tctx, for_user != NULL, "No PA_FOR_USER in s4u2self request"); - orig_padata_value = for_user->padata_value; - - torture_assert_int_equal(test_context->tctx, - krb5_make_principal(k5_ctx, &admin, test_context->test_data->realm, - "Administrator", NULL), - 0, "krb5_make_principal() failed"); - torture_assert_int_equal(test_context->tctx, - decode_PA_S4U2Self(for_user->padata_value.data, - for_user->padata_value.length, &self, NULL), - 0, "decode_PA_S4U2Self() failed"); - mod_self = self; - mod_self.name = admin->name; - - torture_assert_int_equal(test_context->tctx, - _krb5_s4u2self_to_checksumdata(k5_ctx, &mod_self, &cksum_data), - 0, "_krb5_s4u2self_to_checksumdata() failed"); - torture_assert_int_equal(test_context->tctx, - krb5_create_checksum(k5_ctx, NULL, KRB5_KU_OTHER_CKSUM, - CKSUMTYPE_CRC32, cksum_data.data, - cksum_data.length, &mod_self.cksum), - 0, "krb5_create_checksum() failed"); - - ASN1_MALLOC_ENCODE(PA_S4U2Self, for_user->padata_value.data, for_user->padata_value.length, - &mod_self, &used, ret); - torture_assert(test_context->tctx, ret == 0, "Failed to encode PA_S4U2Self ASN1 struct"); - ASN1_MALLOC_ENCODE(TGS_REQ, modified_send_buf->data, modified_send_buf->length, - &test_context->tgs_req, &used, ret); - torture_assert(test_context->tctx, ret == 0, "Failed to encode TGS_REQ ASN1 struct"); - - free(for_user->padata_value.data); - for_user->padata_value = orig_padata_value; - - free_PA_S4U2Self(&self); - krb5_data_free(&cksum_data); - free_Checksum(&mod_self.cksum); - - return true; -} - /* * TEST_AS_REQ and TEST_AS_REQ_SELF - SEND * @@ -694,12 +631,7 @@ static bool torture_krb5_pre_send_tgs_req_canon_test(struct torture_krb5_context } - if (test_context->test_data->mitm_s4u2self) { - torture_assert(test_context->tctx, change_for_user_principal(test_context, modified_send_buf), - "Failed to modify PA_FOR_USER principal name"); - } else { - *modified_send_buf = *send_buf; - } + *modified_send_buf = *send_buf; return true; } @@ -718,7 +650,6 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex { KRB_ERROR error; size_t used; - krb5_error_code expected_error; /* * If this account did not have a servicePrincipalName, then @@ -729,13 +660,9 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex torture_assert_int_equal(test_context->tctx, error.pvno, 5, "Got wrong error.pvno"); - expected_error = KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE; - if (error.error_code != expected_error && test_context->test_data->mitm_s4u2self) { - expected_error = KRB5KRB_AP_ERR_INAPP_CKSUM - KRB5KDC_ERR_NONE; - } torture_assert_int_equal(test_context->tctx, error.error_code, - expected_error, + KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN - KRB5KDC_ERR_NONE, "Got wrong error.error_code"); } else { torture_assert_int_equal(test_context->tctx, @@ -778,8 +705,6 @@ static bool torture_krb5_post_recv_tgs_req_canon_test(struct torture_krb5_contex torture_assert_int_equal(test_context->tctx, *test_context->tgs_rep.ticket.enc_part.kvno & 0xFFFF0000, 0, "Unexpecedly got a RODC number in the KVNO, should just be principal KVNO"); - torture_assert(test_context->tctx, test_context->test_data->mitm_s4u2self == false, - "KDC accepted PA_S4U2Self with unkeyed checksum!"); free_TGS_REP(&test_context->tgs_rep); } torture_assert(test_context->tctx, test_context->packet_count == 0, "too many packets"); @@ -2081,23 +2006,7 @@ static bool torture_krb5_as_req_canon(struct torture_context *tctx, const void * && (test_data->enterprise || test_data->spn_is_upn || test_data->upn == false)) { - - if (test_data->mitm_s4u2self) { - torture_assert_int_equal(tctx, k5ret, KRB5KRB_AP_ERR_INAPP_CKSUM, - assertion_message); - /* Done testing mitm-s4u2self */ - return true; - } - torture_assert_int_equal(tctx, k5ret, 0, assertion_message); - - /* Check that the impersonate principal is not being canonicalized by the KDC. */ - if (test_data->s4u2self) { - torture_assert(tctx, krb5_principal_compare(k5_context, server_creds->client, - principal), - "TGS-REP cname does not match requested client principal"); - } - torture_assert_int_equal(tctx, krb5_cc_store_cred(k5_context, ccache, server_creds), 0, "krb5_cc_store_cred failed"); @@ -2571,7 +2480,7 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) (i & TEST_UPN) ? "upn" : ((i & TEST_AS_REQ_SPN) ? "spn" : ((i & TEST_REMOVEDOLLAR) ? "removedollar" : "samaccountname")), - (i & TEST_S4U2SELF) ? (i & TEST_MITM_S4U2SELF) ? "mitm-s4u2self" : "s4u2self" : "normal"); + (i & TEST_S4U2SELF) ? "s4u2self" : "normal"); struct torture_suite *sub_suite = torture_suite_create(mem_ctx, name); struct test_data *test_data = talloc_zero(suite, struct test_data); @@ -2585,11 +2494,6 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) continue; } } - if (i & TEST_MITM_S4U2SELF) { - if (!(i & TEST_S4U2SELF)) { - continue; - } - } test_data->test_name = name; test_data->real_realm @@ -2610,7 +2514,6 @@ struct torture_suite *torture_krb5_canon(TALLOC_CTX *mem_ctx) test_data->win2k = (i & TEST_WIN2K) != 0; test_data->upn = (i & TEST_UPN) != 0; test_data->s4u2self = (i & TEST_S4U2SELF) != 0; - test_data->mitm_s4u2self = (i & TEST_MITM_S4U2SELF) != 0; test_data->removedollar = (i & TEST_REMOVEDOLLAR) != 0; test_data->as_req_spn = (i & TEST_AS_REQ_SPN) != 0; torture_suite_add_simple_tcase_const(sub_suite, name, torture_krb5_as_req_canon, -- 2.25.1 From 2e6b6ccb8e2b47e883c924738d05559622d4476f Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 4 May 2020 18:09:53 +0200 Subject: [PATCH 026/380] selftest: add python S4U2Self tests including unkeyed checksums To test the CRC32 I reverted the unkeyed-checksum fix (43958af1) and the weak-crypto fix (389d1b97). Note that the unkeyed-md5 still worked even with weak-crypto disabled, and that the unkeyed-sha1 never worked but I left it anyway. Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri May 15 12:25:40 UTC 2020 on sn-devel-184 (cherry picked from commit 8b5e7644130146bcc4e5a0dd05da6458a6025dd8) --- python/samba/tests/krb5/kcrypto.py | 85 ++++++++++ python/samba/tests/krb5/raw_testcase.py | 23 +++ python/samba/tests/krb5/rfc4120.asn1 | 8 + python/samba/tests/krb5/rfc4120_pyasn1.py | 14 +- python/samba/tests/krb5/s4u_tests.py | 197 ++++++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail | 2 + selftest/skip_mit_kdc | 1 + selftest/target/Samba4.pm | 23 +++ source4/selftest/tests.py | 4 + 10 files changed, 357 insertions(+), 1 deletion(-) create mode 100755 python/samba/tests/krb5/s4u_tests.py diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index ed3c84fa186..2572fa5bab3 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -51,6 +51,7 @@ os.environ["PYTHONUNBUFFERED"] = "1" from math import gcd from functools import reduce from struct import pack, unpack +from binascii import crc32 from cryptography.hazmat.primitives import hashes from cryptography.hazmat.primitives import hmac from cryptography.hazmat.primitives.ciphers import algorithms as ciphers @@ -533,6 +534,21 @@ class _MD5(_ChecksumProfile): return SIMPLE_HASH(text, hashes.MD5) +class _SHA1(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + return SIMPLE_HASH(text, hashes.SHA1) + + +class _CRC32(_ChecksumProfile): + @classmethod + def checksum(cls, key, keyusage, text): + # This is unkeyed! + cksum = (~crc32(text, 0xffffffff)) & 0xffffffff + return pack('. +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests import env_get_var_value +from samba.tests.krb5.kcrypto import Cksumtype +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + +class S4UKerberosTests(RawKerberosTest): + + def setUp(self): + super(S4UKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def _test_s4u2self(self, pa_s4u2self_ctype=None): + service_creds = self.get_service_creds() + service = service_creds.get_username() + realm = service_creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[service]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes=(18,17,23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + + # S4U2Self Request + sname = cname + + for_user_name = env_get_var_value('FOR_USER') + uname = self.PrincipalName_create(name_type=1, names=[for_user_name]) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + till = self.get_KerberosTime(offset=36000) + ticket = rep['ticket'] + ticket_session_key = self.EncryptionKey_import(enc_part2['key']) + pa_s4u = self.PA_S4U2Self_create(name=uname, realm=realm, + tgt_session_key=ticket_session_key, + ctype=pa_s4u2self_ctype) + padata = [pa_s4u] + + subkey = self.RandomKey(ticket_session_key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=ticket_session_key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + if msg_type == 13: + enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + return msg_type + + # Using the checksum type from the tgt_session_key happens to work everywhere + def test_s4u2self(self): + msg_type = self._test_s4u2self() + self.assertEqual(msg_type, 13) + + # Per spec, the checksum of PA-FOR-USER is HMAC_MD5, see [MS-SFU] 2.2.1 + def test_s4u2self_hmac_md5_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.HMAC_MD5) + self.assertEqual(msg_type, 13) + + def test_s4u2self_md5_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.MD5) + self.assertEqual(msg_type, 30) + + def test_s4u2self_sha1_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.SHA1) + self.assertEqual(msg_type, 30) + + def test_s4u2self_crc32_unkeyed_checksum(self): + msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32) + self.assertEqual(msg_type, 30) + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 18e9fad232f..58053474e03 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -87,6 +87,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/dcerpc/raw_protocol.py', 'python/samba/tests/krb5/kcrypto.py', 'python/samba/tests/krb5/simple_tests.py', + 'python/samba/tests/krb5/s4u_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail b/selftest/knownfail index f5466fccd8c..44ab3e59069 100644 --- a/selftest/knownfail +++ b/selftest/knownfail @@ -380,3 +380,5 @@ ^samba.tests.ntlmdisabled.python\(ktest\).python2.ntlmdisabled.NtlmDisabledTests.test_samr_change_password\(ktest\) ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python3.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) ^samba.tests.ntlmdisabled.python\(ad_dc_no_ntlm\).python2.ntlmdisabled.NtlmDisabledTests.test_ntlm_connection\(ad_dc_no_ntlm\) +# Fixed upstream heimdal in PR #439 +^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_hmac_md5_checksum diff --git a/selftest/skip_mit_kdc b/selftest/skip_mit_kdc index 4a51c98ea0b..ea644638c9f 100644 --- a/selftest/skip_mit_kdc +++ b/selftest/skip_mit_kdc @@ -3,3 +3,4 @@ .*RODC ^samba4.ntvfs.cifs.ntlm.base.unlink ^samba4.ntvfs.cifs.krb5.base.unlink +^samba.tests.krb5.s4u_tests diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 860cc06d99b..927638cb7c4 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -895,6 +895,29 @@ sub provision_raw_step2($$$) return undef; } + my $srv_account = "srv_account"; + $samba_tool_cmd = ""; + $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") + . " user create --configfile=$ctx->{smb_conf} $srv_account $ctx->{password}"; + unless (system($samba_tool_cmd) == 0) { + warn("Unable to add $srv_account user: \n$samba_tool_cmd\n"); + return undef; + } + + $samba_tool_cmd = ""; + $samba_tool_cmd .= "RESOLV_CONF=\"$ret->{RESOLV_CONF}\" "; + $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; + $samba_tool_cmd .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; + $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool") + . " spn add HOST/$srv_account --configfile=$ctx->{smb_conf} $srv_account"; + unless (system($samba_tool_cmd) == 0) { + warn("Unable to add spn for $srv_account: \n$samba_tool_cmd\n"); + return undef; + } + my $ldbmodify = ""; $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" "; $ldbmodify .= "KRB5CCNAME=\"$ret->{KRB5_CCACHE}\" "; diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 693209f2d1e..59b447de40a 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -745,6 +745,10 @@ planoldpythontestsuite("ad_dc:local", "samba.tests.dckeytab", extra_args=['-U"$U planoldpythontestsuite("none", "samba.tests.krb5.kcrypto") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests", environ={'SERVICE_USERNAME':'$SERVER'}) +planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", + environ={'SERVICE_USERNAME':'srv_account', + 'SERVICE_PASSWORD':'$PASSWORD', + 'FOR_USER':'$USERNAME'}) for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) -- 2.25.1 From efdad55260a4a5c68ca646a2f101d36013cc3f60 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sun, 19 Jan 2020 16:24:24 +0100 Subject: [PATCH 027/380] selftest: add test for disallowed-forwardable server BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 197f97bc13c513ae6ae2b4129b23489081f63c64) --- selftest/knownfail.d/disallowed_forwardable_server | 1 + testprogs/blackbox/test_s4u_heimdal.sh | 13 +++++++++++-- 2 files changed, 12 insertions(+), 2 deletions(-) create mode 100644 selftest/knownfail.d/disallowed_forwardable_server diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server new file mode 100644 index 00000000000..2e05909ab89 --- /dev/null +++ b/selftest/knownfail.d/disallowed_forwardable_server @@ -0,0 +1 @@ +^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh index 0e12c7ec096..c6ada54e85b 100755 --- a/testprogs/blackbox/test_s4u_heimdal.sh +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -54,7 +54,7 @@ testit "set not-delegated flag" $samba_tool user sensitive $princ on || failed=` echo $PASSWORD > $PREFIX/tmppassfile -testit "kinit with password" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` +testit "kinit impersonator" $samba4kinit -f --password-file=$PREFIX/tmppassfile $impersonator || failed=`expr $failed + 1` testit "test S4U2Self with normal user" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=${USERNAME} $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy with normal user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` @@ -68,6 +68,15 @@ testit "unset not-delegated flag" $samba_tool user sensitive $princ off || faile testit "test S4U2Self after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --forwardable --impersonate=$princ $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy after unsetting ND flag" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` +testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` -rm -f $ocache $PREFIX/tmpccache tmppassfile +testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` +testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` +testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit_expect_failure "test S4U2Proxy using received ticket" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + + +rm -f $ocache $PREFIX/tmpccache $PREFIX/tmppassfile exit $failed -- 2.25.1 From 30cacb3e63225077f94578d52f1228a7d690ed7d Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Mon, 13 Jan 2020 23:42:54 +0100 Subject: [PATCH 028/380] heimdal: apply disallow-forwardable on server in TGS request upstream commit: 839b073facd2aecda6740224d73e560bc79965dc BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 8fdff19c5461315556014d25d237a958edeed1a2) --- selftest/knownfail.d/disallowed_forwardable_server | 1 - source4/heimdal/kdc/krb5tgs.c | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) delete mode 100644 selftest/knownfail.d/disallowed_forwardable_server diff --git a/selftest/knownfail.d/disallowed_forwardable_server b/selftest/knownfail.d/disallowed_forwardable_server deleted file mode 100644 index 2e05909ab89..00000000000 --- a/selftest/knownfail.d/disallowed_forwardable_server +++ /dev/null @@ -1 +0,0 @@ -^samba4.blackbox.krb5.s4u.test S4U2Proxy using received ticket diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c index ee3ac3d8f53..efbdd6ed77f 100644 --- a/source4/heimdal/kdc/krb5tgs.c +++ b/source4/heimdal/kdc/krb5tgs.c @@ -866,6 +866,12 @@ tgs_make_reply(krb5_context context, et.flags.anonymous = tgt->flags.anonymous; et.flags.ok_as_delegate = server->entry.flags.ok_as_delegate; + /* See MS-KILE 3.3.5.1 */ + if (!server->entry.flags.forwardable) + et.flags.forwardable = 0; + if (!server->entry.flags.proxiable) + et.flags.proxiable = 0; + if(rspac->length) { /* * No not need to filter out the any PAC from the -- 2.25.1 From 29ea1a6f61f89680a881f2ab324231872c171477 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 7 May 2020 01:25:36 +0200 Subject: [PATCH 029/380] selftest: allow EncASRepPart to be encoded as EncTGSRepPart that's how MIT kdc encodes it, clients accept both. BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit a823cc1e8bc9a68a7e662022705039397a5df7e1) --- python/samba/tests/krb5/simple_tests.py | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index c9998c4d2db..236fbda1cd5 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -115,7 +115,12 @@ class SimpleKerberosTests(RawKerberosTest): usage = 3 enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + try: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + except Exception: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # TGS Request service_creds = self.get_service_creds(allow_missing_password=True) -- 2.25.1 From f879fcbe345da12b1aa610fbd34f9036f53873fb Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 6 May 2020 15:54:55 +0200 Subject: [PATCH 030/380] selftest: test forwardable flag in cross-realm tgt tickets BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett (cherry picked from commit 9b302a57ff0d4c3a373f762f2ad4daf736b0853b) --- python/samba/tests/krb5/xrealm_tests.py | 180 ++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail.d/xrealm | 1 + source4/selftest/tests.py | 2 + 4 files changed, 184 insertions(+) create mode 100755 python/samba/tests/krb5/xrealm_tests.py create mode 100644 selftest/knownfail.d/xrealm diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py new file mode 100755 index 00000000000..64064b8a670 --- /dev/null +++ b/python/samba/tests/krb5/xrealm_tests.py @@ -0,0 +1,180 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba.tests + +global_asn1_print = False +global_hexdump = False + +class XrealmKerberosTests(RawKerberosTest): + + def setUp(self): + super(XrealmKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_xrealm(self): + user_creds = self.get_user_creds() + user = user_creds.get_username() + realm = user_creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[user]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes=(18,17,23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + try: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + except Exception: + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + # TGS Request (for cross-realm TGT) + trust_realm = samba.tests.env_get_var_value('TRUST_REALM') + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", trust_realm]) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + till = self.get_KerberosTime(offset=36000) + ticket = rep['ticket'] + ticket_session_key = self.EncryptionKey_import(enc_part2['key']) + padata = [] + + subkey = self.RandomKey(ticket_session_key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=ticket_session_key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 13) + + enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + + # Check the forwardable flag + fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1 + assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos]) + + return + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 58053474e03..89b5e957407 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -88,6 +88,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kcrypto.py', 'python/samba/tests/krb5/simple_tests.py', 'python/samba/tests/krb5/s4u_tests.py', + 'python/samba/tests/krb5/xrealm_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail.d/xrealm b/selftest/knownfail.d/xrealm new file mode 100644 index 00000000000..2e09644b1d8 --- /dev/null +++ b/selftest/knownfail.d/xrealm @@ -0,0 +1 @@ +^samba.tests.krb5.xrealm_tests.samba.tests.krb5.xrealm_tests.XrealmKerberosTests.test_xrealm diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 59b447de40a..52a61a2cced 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -750,6 +750,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", 'SERVICE_PASSWORD':'$PASSWORD', 'FOR_USER':'$USERNAME'}) +planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") + for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", -- 2.25.1 From a4ffa145736a9a4ba6ad020d27dbbb7fbf32ceac Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 9 May 2020 16:26:45 +0200 Subject: [PATCH 031/380] selftest: test forwardable flag in cross-realm with s4u2proxy Signed-off-by: Isaac Boukris Reviewed-by: Andrew Bartlett (cherry picked from commit fb7dfdbe8f94f7f053d67832e7f28a751136d733) --- selftest/knownfail.d/s4u2p_fwd | 2 ++ source4/selftest/tests.py | 2 +- testprogs/blackbox/test_s4u_heimdal.sh | 17 ++++++++++++++--- 3 files changed, 17 insertions(+), 4 deletions(-) create mode 100644 selftest/knownfail.d/s4u2p_fwd diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd new file mode 100644 index 00000000000..63ade3eece0 --- /dev/null +++ b/selftest/knownfail.d/s4u2p_fwd @@ -0,0 +1,2 @@ +^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user +^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 52a61a2cced..b10ac26e964 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -482,7 +482,7 @@ if have_heimdal_support: plantestsuite("samba4.blackbox.kinit_trust", "fl2003dc:local", [os.path.join(bbdir, "test_kinit_trusts_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', "external", "arcfour-hmac-md5"]) plantestsuite("samba4.blackbox.export.keytab", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_export_keytab_heimdal.sh"), '$SERVER', '$USERNAME', '$REALM', '$DOMAIN', "$PREFIX", smbclient4]) plantestsuite("samba4.blackbox.kpasswd", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kpasswd_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', "$PREFIX/ad_dc_ntvfs"]) - plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', configuration]) + plantestsuite("samba4.blackbox.krb5.s4u", "fl2008r2dc:local", [os.path.join(bbdir, "test_s4u_heimdal.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$TRUST_SERVER', '$TRUST_USERNAME', '$TRUST_PASSWORD', '$TRUST_REALM', '$TRUST_DOMAIN', '$PREFIX', configuration]) else: plantestsuite("samba4.blackbox.kinit", "ad_dc_ntvfs:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) plantestsuite("samba4.blackbox.kinit", "fl2000dc:local", [os.path.join(bbdir, "test_kinit_mit.sh"), '$SERVER', '$USERNAME', '$PASSWORD', '$REALM', '$DOMAIN', '$PREFIX', smbclient4, configuration]) diff --git a/testprogs/blackbox/test_s4u_heimdal.sh b/testprogs/blackbox/test_s4u_heimdal.sh index c6ada54e85b..c63eeaa2e30 100755 --- a/testprogs/blackbox/test_s4u_heimdal.sh +++ b/testprogs/blackbox/test_s4u_heimdal.sh @@ -12,8 +12,13 @@ USERNAME=$2 PASSWORD=$3 REALM=$4 DOMAIN=$5 -PREFIX=$6 -shift 6 +TRUST_SERVER=$6 +TRUST_USERNAME=$7 +TRUST_PASSWORD=$8 +TRUST_REALM=$9 +TRUST_DOMAIN=${10} +PREFIX=${11} +shift 11 failed=0 @@ -39,7 +44,7 @@ export KRB5CCNAME rm -rf $KRB5CCNAME_PATH princ=test_impersonate_princ -impersonator=test_impersonator +impersonator=test_impersonator.$REALM target="CIFS/$SERVER.$REALM" @@ -72,6 +77,12 @@ testit "kinit user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmp testit "get a ticket to impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` testit "test S4U2Proxy evidence ticket obtained by TGS" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` +echo $TRUST_PASSWORD > $PREFIX/tmppassfile +testit "kinit trust user cache" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $TRUST_USERNAME@$TRUST_REALM || failed=`expr $failed + 1` +testit "get a ticket to impersonator for trust user" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` +testit "test S4U2Proxy evidence ticket obtained by TGS of trust user" $samba4kgetcred --out-cache=$ocache --delegation-credential-cache=${ocache} $target || failed=`expr $failed + 1` + +echo $PASSWORD > $PREFIX/tmppassfile testit "set not-delegated on impersonator" $samba_tool user sensitive $impersonator on || failed=`expr $failed + 1` testit "kinit user cache again" $samba4kinit -c $ocache -f --password-file=$PREFIX/tmppassfile $USERNAME || failed=`expr $failed + 1` testit "get a ticket to sensitive impersonator" $samba4kgetcred -c $ocache --forwardable $impersonator || failed=`expr $failed + 1` -- 2.25.1 From cf78e03fc45ea1e8396751875e26b87926e9b9e9 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 14 Jan 2020 13:16:02 +0100 Subject: [PATCH 032/380] db-glue.c: set forwardable flag on cross-realm tgt tickets BUG: https://bugzilla.samba.org/show_bug.cgi?id=14233 Match Windows behavior and allow the forwardable flag to be set in cross-realm tickets. We used to allow forwardable to any server, but now that we apply disallow-forwardable policy in heimdal we need to explicitly allow in the corss-realm case (and remove the workaround we have for it the MIT plugin). Signed-off-by: Isaac Boukris Reviewed-by: Andreas Schneider Reviewed-by: Andrew Bartlett Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Fri Jun 12 22:10:34 UTC 2020 on sn-devel-184 (cherry picked from commit 7655a0298e5f55582bf48ec776d8cd8b79fb5dd9) --- selftest/knownfail.d/s4u2p_fwd | 2 -- selftest/knownfail.d/xrealm | 1 - source4/kdc/db-glue.c | 3 +++ source4/kdc/mit_samba.c | 5 ----- 4 files changed, 3 insertions(+), 8 deletions(-) delete mode 100644 selftest/knownfail.d/s4u2p_fwd delete mode 100644 selftest/knownfail.d/xrealm diff --git a/selftest/knownfail.d/s4u2p_fwd b/selftest/knownfail.d/s4u2p_fwd deleted file mode 100644 index 63ade3eece0..00000000000 --- a/selftest/knownfail.d/s4u2p_fwd +++ /dev/null @@ -1,2 +0,0 @@ -^samba4.blackbox.krb5.s4u.get a ticket to impersonator for trust user -^samba4.blackbox.krb5.s4u.test S4U2Proxy evidence ticket obtained by TGS of trust user diff --git a/selftest/knownfail.d/xrealm b/selftest/knownfail.d/xrealm deleted file mode 100644 index 2e09644b1d8..00000000000 --- a/selftest/knownfail.d/xrealm +++ /dev/null @@ -1 +0,0 @@ -^samba.tests.krb5.xrealm_tests.samba.tests.krb5.xrealm_tests.XrealmKerberosTests.test_xrealm diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c index d2a79920ab5..5fd0f431cdf 100644 --- a/source4/kdc/db-glue.c +++ b/source4/kdc/db-glue.c @@ -1562,6 +1562,9 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context, entry_ex->entry.max_renew = NULL; + /* Match Windows behavior and allow forwardable flag in cross-realm. */ + entry_ex->entry.flags.forwardable = 1; + ret = samba_kdc_sort_encryption_keys(entry_ex); if (ret != 0) { krb5_clear_error_message(context); diff --git a/source4/kdc/mit_samba.c b/source4/kdc/mit_samba.c index 5a4f6e73e97..54dcd545ea1 100644 --- a/source4/kdc/mit_samba.c +++ b/source4/kdc/mit_samba.c @@ -304,11 +304,6 @@ fetch_referral_principal: sdb_free_entry(&sentry); - if ((kflags & KRB5_KDB_FLAG_CLIENT_REFERRALS_ONLY) == 0) { - kentry->attributes &= ~KRB5_KDB_DISALLOW_FORWARDABLE; - kentry->attributes &= ~KRB5_KDB_DISALLOW_PROXIABLE; - } - done: krb5_free_principal(ctx->context, referral_principal); referral_principal = NULL; -- 2.25.1 From fe2411ad9a1bc5bb734f4c2500d85ff4f326e202 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 3 Nov 2020 09:25:48 +1300 Subject: [PATCH 033/380] selftest: add mit kdc specific known fail Add a MIT kerberos specific known fail, will be needed by subsequent commits. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 04248f5e868d38498bdc8f9705c9a60fcfe79c09) --- selftest/knownfail_mit_kdc | 0 selftest/wscript | 2 ++ 2 files changed, 2 insertions(+) create mode 100644 selftest/knownfail_mit_kdc diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc new file mode 100644 index 00000000000..e69de29bb2d diff --git a/selftest/wscript b/selftest/wscript index 501a5df5824..95086b4f0ed 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -263,6 +263,8 @@ def cmd_testonly(opt): if CONFIG_GET(opt, 'USING_SYSTEM_KRB5') and CONFIG_GET(opt, 'MIT_KDC_PATH'): env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc" + env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ + "knownfail_mit_kdc" if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'): # older MIT krb5 libraries (< 1.14) don't have -- 2.25.1 From 415e1ee1929aaef1ebe62ee4d55e2a62cece5795 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 27 Oct 2020 09:29:56 +1300 Subject: [PATCH 034/380] tests python krb5: Make PrincipalName_create a class method Make PrincipalName_create a class method, so it can be used in helper classes. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b14dca7c1c063e069517ff01b33c63a000d398c3) --- python/samba/tests/krb5/raw_testcase.py | 1 + 1 file changed, 1 insertion(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index f43ce9cbc3c..45e46e0b7ba 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -470,6 +470,7 @@ class RawKerberosTest(TestCase): } return Checksum_obj + @classmethod def PrincipalName_create(self, name_type, names): # PrincipalName ::= SEQUENCE { # name-type [0] Int32, -- 2.25.1 From 7d4dd909317f1c8377771eed129ed95f58f661a5 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 27 Oct 2020 09:31:24 +1300 Subject: [PATCH 035/380] tests python krb5: Add canonicalize flag to ASN1 Add the canonicalize flag to KerberosFlags, so that it can be used in python based canonicalization tests. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 41c8aa4b991aad306d731b08d068c480eb5c7fed) --- python/samba/tests/krb5/rfc4120.asn1 | 8 ++++---- python/samba/tests/krb5/rfc4120_pyasn1.py | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 98ba887729d..58e0c1636a1 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -196,8 +196,8 @@ KDCOptions ::= KerberosFlags -- opt-hardware-auth(11), -- unused12(12), -- unused13(13), --- 15 is reserved for canonicalize - -- unused15(15), +-- Canonicalize is used in RFC 6806 + -- canonicalize(15), -- 26 was unused in 1510 -- disable-transited-check(26), -- @@ -489,8 +489,8 @@ KDCOptionsValues ::= BIT STRING { -- KerberosFlags opt-hardware-auth(11), unused12(12), unused13(13), --- 15 is reserved for canonicalize - unused15(15), +-- Canonicalize is used by RFC 6806 + canonicalize(15), -- 26 was unused in 1510 disable-transited-check(26), -- diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index 05304a8a099..b4ea678afd8 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2020-05-06 17:51:00.323318) +# (last modified on 2020-11-03 14:07:15.270009) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -610,7 +610,7 @@ KDCOptionsValues.namedValues = namedval.NamedValues( ('opt-hardware-auth', 11), ('unused12', 12), ('unused13', 13), - ('unused15', 15), + ('canonicalize', 15), ('disable-transited-check', 26), ('renewable-ok', 27), ('enc-tkt-in-skey', 28), -- 2.25.1 From 0e4a44f7e46d4f19d5362411c1c433a56106a77b Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 27 Oct 2020 09:32:21 +1300 Subject: [PATCH 036/380] tests python krb5: Add python kerberos canonicalization tests Add python canonicalization tests, loosely based on the code in source4/torture/krb5/kdc-canon-heimdal.c. The long term goal is to move the integration level tests out of kdc-canon-heimdal, leaving it as a heimdal library unit test. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 005435dc4d7de9d442c7513edec8c782fe20fda3) --- .../tests/krb5/as_canonicalization_tests.py | 499 ++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail_mit_kdc | 144 +++++ source4/selftest/tests.py | 1 + 4 files changed, 645 insertions(+) create mode 100755 python/samba/tests/krb5/as_canonicalization_tests.py diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py new file mode 100755 index 00000000000..7b599ad6e44 --- /dev/null +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -0,0 +1,499 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# +# Copyright (C) Catalyst IT Ltd. 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os +from enum import Enum, unique +import pyasn1 + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +import samba +from samba.auth import system_session +from samba.credentials import ( + Credentials, + CLI_CRED_NTLMv2_AUTH, + CLI_CRED_NTLM_AUTH, + DONT_USE_KERBEROS) +from samba.dcerpc.misc import SEC_CHAN_WKSTA +from samba.dsdb import ( + UF_WORKSTATION_TRUST_ACCOUNT, + UF_PASSWD_NOTREQD, + UF_NORMAL_ACCOUNT) +from samba.samdb import SamDB +from samba.tests import delete_force, DynamicTestCase + +global_asn1_print = False +global_hexdump = False + + +@unique +class TestOptions(Enum): + Canonicalize = 1 + Enterprise = 2 + UpperRealm = 4 + UpperUserName = 8 + NetbiosRealm = 16 + UPN = 32 + RemoveDollar = 64 + Last = 128 + + def is_set(self, x): + return self.value & x + + +@unique +class CredentialsType(Enum): + User = 1 + Machine = 2 + + def is_set(self, x): + return self.value & x + + +class TestData: + + def __init__(self, options, creds): + self.options = options + self.user_creds = creds + self.user_name = self.get_username(options, creds) + self.realm = self.get_realm(options, creds) + self.cname = RawKerberosTest.PrincipalName_create( + name_type=1, names=[self.user_name]) + self.sname = RawKerberosTest.PrincipalName_create( + name_type=2, names=["krbtgt", self.realm]) + self.canonicalize = TestOptions.Canonicalize.is_set(options) + + def get_realm(self, options, creds): + realm = creds.get_realm() + if TestOptions.NetbiosRealm.is_set(options): + realm = creds.get_domain() + if TestOptions.UpperRealm.is_set(options): + realm = realm.upper() + else: + realm = realm.lower() + return realm + + def get_username(self, options, creds): + name = creds.get_username() + if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"): + name = name[:-1] + if TestOptions.Enterprise.is_set(options): + realm = creds.get_realm() + name = "{0}@{1}".format(name, realm) + if TestOptions.UpperUserName.is_set(options): + name = name.upper() + return name + + def __repr__(self): + rep = "Test Data: " + rep += "options = '" + "{:08b}".format(self.options) + "'" + rep += "user name = '" + self.user_name + "'" + rep += ", realm = '" + self.realm + "'" + rep += ", cname = '" + str(self.cname) + "'" + rep += ", sname = '" + str(self.sname) + "'" + return rep + + +MACHINE_NAME = "tstkrb5cnnusr" +USER_NAME = "tstkrb5cnnmch" + +# Encryption types +AES256_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')) +AES128_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')) +ARCFOUR_HMAC_MD5 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')) + +# Message types +KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) +KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) + +# PAData types +PADATA_ENC_TIMESTAMP = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) +PADATA_ETYPE_INFO2 = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) + +# Error codes +KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 +KDC_ERR_PREAUTH_REQUIRED = 25 + +# Name types +NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) +NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) +NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) + + +@DynamicTestCase +class KerberosASCanonicalizationTests(RawKerberosTest): + + @classmethod + def setUpDynamicTestCases(cls): + + def skip(ct, options): + ''' Filter out any mutually exclusive test options ''' + if ct != CredentialsType.Machine and\ + TestOptions.RemoveDollar.is_set(options): + return True + return False + + def build_test_name(ct, options): + name = "%sCredentials" % ct.name + for opt in TestOptions: + if opt.is_set(options): + name += ("_%s" % opt.name) + return name + + for ct in CredentialsType: + for x in range(TestOptions.Last.value): + if skip(ct, x): + continue + name = build_test_name(ct, x) + cls.generate_dynamic_test("test", name, x, ct) + + @classmethod + def setUpClass(cls): + cls.lp = cls.get_loadparm(cls) + cls.username = os.environ["USERNAME"] + cls.password = os.environ["PASSWORD"] + cls.domain = os.environ["DOMAIN"] + cls.realm = os.environ["REALM"] + cls.host = os.environ["SERVER"] + + c = Credentials() + c.set_username(cls.username) + c.set_password(cls.password) + c.set_domain(cls.domain) + c.set_realm(cls.realm) + cls.credentials = c + + cls.session = system_session() + cls.ldb = SamDB(url="ldap://%s" % cls.host, + session_info=cls.session, + credentials=cls.credentials, + lp=cls.lp) + cls.create_machine_account() + cls.create_user_account() + + @classmethod + def tearDownClass(cls): + super(KerberosASCanonicalizationTests, cls).tearDownClass() + delete_force(cls.ldb, cls.machine_dn) + delete_force(cls.ldb, cls.user_dn) + + def setUp(self): + super(KerberosASCanonicalizationTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + # + # Create a test user account + @classmethod + def create_user_account(cls): + cls.user_pass = samba.generate_random_password(32, 32) + cls.user_name = USER_NAME + cls.user_dn = "cn=%s,%s" % (cls.user_name, cls.ldb.domain_dn()) + + # remove the account if it exists, this will happen if a previous test + # run failed + delete_force(cls.ldb, cls.user_dn) + + utf16pw = ('"%s"' % cls.user_pass).encode('utf-16-le') + cls.ldb.add({ + "dn": cls.user_dn, + "objectclass": "user", + "sAMAccountName": "%s" % cls.user_name, + "userAccountControl": str(UF_NORMAL_ACCOUNT), + "unicodePwd": utf16pw}) + + cls.user_creds = Credentials() + cls.user_creds.guess(cls.lp) + cls.user_creds.set_password(cls.user_pass) + cls.user_creds.set_username(cls.user_name) + cls.user_creds.set_workstation(cls.machine_name) + + # + # Create the machine account + @classmethod + def create_machine_account(cls): + cls.machine_pass = samba.generate_random_password(32, 32) + cls.machine_name = MACHINE_NAME + cls.machine_dn = "cn=%s,%s" % (cls.machine_name, cls.ldb.domain_dn()) + + # remove the account if it exists, this will happen if a previous test + # run failed + delete_force(cls.ldb, cls.machine_dn) + + utf16pw = ('"%s"' % cls.machine_pass).encode('utf-16-le') + cls.ldb.add({ + "dn": cls.machine_dn, + "objectclass": "computer", + "sAMAccountName": "%s$" % cls.machine_name, + "userAccountControl": + str(UF_WORKSTATION_TRUST_ACCOUNT | UF_PASSWD_NOTREQD), + "unicodePwd": utf16pw}) + + cls.machine_creds = Credentials() + cls.machine_creds.guess(cls.lp) + cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) + cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) + cls.machine_creds.set_password(cls.machine_pass) + cls.machine_creds.set_username(cls.machine_name + "$") + cls.machine_creds.set_workstation(cls.machine_name) + + def _test_with_args(self, x, ct): + if ct == CredentialsType.User: + creds = self.user_creds + elif ct == CredentialsType.Machine: + creds = self.machine_creds + else: + raise Exception("Unexpected credential type") + data = TestData(x, creds) + + try: + (rep, as_rep) = self.as_req(data) + except pyasn1.error.PyAsn1Error as e: + import traceback + self.fail("ASN1 Error, Options {0:08b}:{1} {2}".format( + traceback.format_exc(), + data.options, + e)) + # If as_req triggered an expected server error response + # No need to test the response data. + if rep is not None: + # The kvno is optional, heimdal includes it + # MIT does not. + if 'kvno' in rep['enc-part']: + kvno = rep['enc-part']['kvno'] + self.check_kvno(kvno, data) + + cname = rep['cname'] + self.check_cname(cname, data) + + crealm = rep['crealm'].decode('ascii') + self.check_crealm(crealm, data) + + sname = as_rep['sname'] + self.check_sname(sname, data) + + srealm = as_rep['srealm'].decode('ascii') + self.check_srealm(srealm, data) + + def as_req(self, data): + user_creds = data.user_creds + realm = data.realm + + cname = data.cname + sname = data.sname + + till = self.get_KerberosTime(offset=36000) + + kdc_options = "0" + if data.canonicalize: + kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) + + padata = None + + # Set the allowable encryption types + etypes = ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5) + + req = self.AS_REQ_create(padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + # + # Check the protocol version, should be 5 + self.assertEqual( + rep['pvno'], 5, "Data {0}".format(str(data))) + + self.assertEqual( + rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) + + # We should get KDC_ERR_PREAUTH_REQUIRED + # unless the RemoveDollar and Enterprise options are set + # then we should get a KDC_ERR_C_PRINCIPAL_UNKNOWN + if TestOptions.RemoveDollar.is_set(data.options) and\ + TestOptions.Enterprise.is_set(data.options): + self.assertEqual( + rep['error-code'], + KDC_ERR_C_PRINCIPAL_UNKNOWN, + "Error code {0}, Data {1}".format(rep['error-code'], str(data))) + return (None, None) + + self.assertEqual( + rep['error-code'], + KDC_ERR_PREAUTH_REQUIRED, + "Error code {0}, Data {1}".format(rep['error-code'], str(data))) + + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) + + kdc_options = "0" + if data.canonicalize: + kdc_options = str(krb5_asn1.KDCOptions('canonicalize')) + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + # + # Check the protocol version, should be 5 + self.assertEqual( + rep['pvno'], 5, "Data {0}".format(str(data))) + + msg_type = rep['msg-type'] + # Should not have got an error. + # If we did, fail and print the error code to help debugging + self.assertNotEqual( + msg_type, + KRB_ERROR, + "Error code {0}, Data {1}".format( + rep.get('error-code', ''), + str(data))) + + self.assertEqual(msg_type, KRB_AS_REP, "Data {0}".format(str(data))) + + # Decrypt and decode the EncKdcRepPart + enc = key.decrypt(3, rep['enc-part']['cipher']) + if enc[0] == 0x7A: + # MIT Kerberos Tags the EncASRepPart as a EncKDCRepPart + # i.e. tag number 26 instead of tag number 25 + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart()) + else: + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart()) + + return (rep, as_rep) + + def check_cname(self, cname, data): + nt = cname['name-type'] + self.assertEqual( + NT_PRINCIPAL, + nt, + "cname name-type, Options {0:08b}".format(data.options)) + + ns = cname['name-string'] + name = ns[0].decode('ascii') + + expected = data.user_name + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_username() + self.assertEqual( + expected, + name, + "cname principal, Options {0:08b}".format(data.options)) + + def check_crealm(self, crealm, data): + realm = data.user_creds.get_realm() + self.assertEqual( + realm, crealm, "crealm, Options {0:08b}".format(data.options)) + + def check_sname(self, sname, data): + nt = sname['name-type'] + self.assertEqual( + NT_SRV_INST, + nt, + "sname name-type, Options {0:08b}".format(data.options)) + + ns = sname['name-string'] + name = ns[0].decode('ascii') + self.assertEqual( + 'krbtgt', + name, + "sname principal, Options {0:08b}".format(data.options)) + + realm = ns[1].decode('ascii') + expected = data.realm + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_realm().upper() + self.assertEqual( + expected, + realm, + "sname realm, Options {0:08b}".format(data.options)) + + def check_srealm(self, srealm, data): + realm = data.user_creds.get_realm() + self.assertEqual( + realm, srealm, "srealm, Options {0:08b}".format(data.options)) + + def check_kvno(self, kvno, data): + self.assertEqual( + 1, kvno, "kvno, Options {0:08b}".format(data.options)) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 89b5e957407..2f813760814 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -89,6 +89,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/simple_tests.py', 'python/samba/tests/krb5/s4u_tests.py', 'python/samba/tests/krb5/xrealm_tests.py', + 'python/samba/tests/krb5/as_canonicalization_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index e69de29bb2d..96d3e51da5c 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -0,0 +1,144 @@ +# +# Currently MOST but not quite all the Canonicalization tests fail on the +# MIT KDC +# +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Canonicalize_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\( diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index b10ac26e964..78b1a8494f3 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1284,6 +1284,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: '--option=torture:expect_machine_account=true'] + extra_options, "samba4.krb5.kdc with machine account") +planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") for env in [ 'vampire_dc', -- 2.25.1 From 7189760a7c4bd64e8d360b2e569bd69ad2f92327 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:09:13 +1300 Subject: [PATCH 037/380] selftest: Send enterprise principals tagged as such This test passed against Samba but failed against Windows when an enterprise principal (user@domain.com@REALM) was encoded as NT_PRINCIPAL. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d7f731ed3577b407370d8fe7a62b4c3ee2dd9c75) --- .../tests/krb5/as_canonicalization_tests.py | 24 ++++++-- selftest/knownfail.d/kdc-enterprise | 57 +++++++++++++++++++ selftest/knownfail_mit_kdc | 8 +++ 3 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 selftest/knownfail.d/kdc-enterprise diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 7b599ad6e44..3f8ed5c5a11 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -77,10 +77,16 @@ class TestData: self.user_creds = creds self.user_name = self.get_username(options, creds) self.realm = self.get_realm(options, creds) + + if TestOptions.Enterprise.is_set(options): + client_name_type = NT_ENTERPRISE_PRINCIPAL + else: + client_name_type = NT_PRINCIPAL + self.cname = RawKerberosTest.PrincipalName_create( - name_type=1, names=[self.user_name]) + name_type=client_name_type, names=[self.user_name]) self.sname = RawKerberosTest.PrincipalName_create( - name_type=2, names=["krbtgt", self.realm]) + name_type=NT_SRV_INST, names=["krbtgt", self.realm]) self.canonicalize = TestOptions.Canonicalize.is_set(options) def get_realm(self, options, creds): @@ -143,6 +149,7 @@ KDC_ERR_PREAUTH_REQUIRED = 25 NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) +NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-ENTERPRISE-PRINCIPAL')) @DynamicTestCase @@ -436,10 +443,17 @@ class KerberosASCanonicalizationTests(RawKerberosTest): return (rep, as_rep) def check_cname(self, cname, data): - nt = cname['name-type'] + if TestOptions.Canonicalize.is_set(data.options): + expected_name_type = NT_PRINCIPAL + elif TestOptions.Enterprise.is_set(data.options): + expected_name_type = NT_ENTERPRISE_PRINCIPAL + else: + expected_name_type = NT_PRINCIPAL + + name_type = cname['name-type'] self.assertEqual( - NT_PRINCIPAL, - nt, + expected_name_type, + name_type, "cname name-type, Options {0:08b}".format(data.options)) ns = cname['name-string'] diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise new file mode 100644 index 00000000000..4e4f8a93e03 --- /dev/null +++ b/selftest/knownfail.d/kdc-enterprise @@ -0,0 +1,57 @@ +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( + diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 96d3e51da5c..9bac4737591 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -142,3 +142,11 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( -- 2.25.1 From 31bffef894818d8012876d6b7b8d6d4f54905f2f Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:09:59 +1300 Subject: [PATCH 038/380] selftest: Fix flipped machine and user constants This naturally does not change the test, but reduces developer confusion. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 579a3c641c72b65f6ba39141a55c765b517bd7f8) --- python/samba/tests/krb5/as_canonicalization_tests.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 3f8ed5c5a11..7cdf614482e 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -120,8 +120,8 @@ class TestData: return rep -MACHINE_NAME = "tstkrb5cnnusr" -USER_NAME = "tstkrb5cnnmch" +MACHINE_NAME = "tstkrb5cnnmch" +USER_NAME = "tstkrb5cnnusr" # Encryption types AES256_CTS_HMAC_SHA1_96 = int( -- 2.25.1 From 5f06624f40f9068f6ea94d585bb381c63c39f91a Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:12:13 +1300 Subject: [PATCH 039/380] selftest: Make as_canonicalization_tests.py easier to run outside "make test" This takes the realm from the LDAP base DN and so avoids one easy mistake to make. So far the NT4 domain name is not auto-detected, so much be read from the smb.conf. By using .guess() the smb.conf is read for the unspecified parts (eg workstation for an NTLM login to the LDAP server if the target server is an IP address). Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d85e71f449037fa035fa2fae6b64caf695c53cb3) --- python/samba/tests/krb5/as_canonicalization_tests.py | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 7cdf614482e..c0c3208d216 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -185,14 +185,20 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.username = os.environ["USERNAME"] cls.password = os.environ["PASSWORD"] cls.domain = os.environ["DOMAIN"] - cls.realm = os.environ["REALM"] cls.host = os.environ["SERVER"] c = Credentials() c.set_username(cls.username) c.set_password(cls.password) c.set_domain(cls.domain) - c.set_realm(cls.realm) + try: + realm = os.environ["REALM"] + c.set_realm(realm) + except KeyError: + pass + + c.guess() + cls.credentials = c cls.session = system_session() @@ -236,6 +242,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.user_creds = Credentials() cls.user_creds.guess(cls.lp) + cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper()) cls.user_creds.set_password(cls.user_pass) cls.user_creds.set_username(cls.user_name) cls.user_creds.set_workstation(cls.machine_name) @@ -263,6 +270,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.machine_creds = Credentials() cls.machine_creds.guess(cls.lp) + cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper()) cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) cls.machine_creds.set_password(cls.machine_pass) -- 2.25.1 From d3dd1fdcdf374101f3c9e30a5426fe99b382ecc3 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 13:46:28 +1300 Subject: [PATCH 040/380] samdb: Add samdb.domain_netbios_name() Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abartlet@samba.org: Backported from commit d79218dbba3d0f26d6a0e22b3c91b0731bf641dd as this backport to Samba 4.13 does not include 07ce48088824bba2054e029edfa6fbae972c1921 (samba-tool: Create unix user with modified template homedir)] --- python/samba/netcmd/user.py | 10 ++-------- python/samba/samdb.py | 15 +++++++++++++++ python/samba/tests/samdb.py | 13 ++++++++++--- selftest/tests.py | 1 + 4 files changed, 28 insertions(+), 11 deletions(-) diff --git a/python/samba/netcmd/user.py b/python/samba/netcmd/user.py index 26db3105da0..aa8e96a2581 100644 --- a/python/samba/netcmd/user.py +++ b/python/samba/netcmd/user.py @@ -3001,14 +3001,8 @@ The users gecos field will be set to 'User4 test' if unix_home is None: # obtain nETBIOS Domain Name - filter = "(&(objectClass=crossRef)(nETBIOSName=*))" - searchdn = ("CN=Partitions,CN=Configuration," + domaindn) - try: - res = samdb.search(searchdn, - scope=ldb.SCOPE_SUBTREE, - expression=filter) - unix_domain = res[0]["nETBIOSName"][0] - except IndexError: + unix_domain = samdb.domain_netbios_name() + if unix_domain is None: raise CommandError('Unable to find Unix domain') unix_home = "/home/{0}/{1}".format(unix_domain, username) diff --git a/python/samba/samdb.py b/python/samba/samdb.py index d903babb406..e4030099b5c 100644 --- a/python/samba/samdb.py +++ b/python/samba/samdb.py @@ -928,6 +928,21 @@ accountExpires: %u domain_dn = self.get_default_basedn() return domain_dn.canonical_str().split('/')[0] + def domain_netbios_name(self): + """return the NetBIOS name of the domain root""" + domain_dn = self.get_default_basedn() + dns_name = self.domain_dns_name() + filter = "(&(objectClass=crossRef)(nETBIOSName=*)(ncName=%s)(dnsroot=%s))" % (domain_dn, dns_name) + partitions_dn = self.get_partitions_dn() + res = self.search(partitions_dn, + scope=ldb.SCOPE_ONELEVEL, + expression=filter) + try: + netbios_domain = res[0]["nETBIOSName"][0].decode() + except IndexError: + return None + return netbios_domain + def forest_dns_name(self): """return the DNS name of the forest root""" forest_dn = self.get_root_basedn() diff --git a/python/samba/tests/samdb.py b/python/samba/tests/samdb.py index a185a1566e3..834c5a204a6 100644 --- a/python/samba/tests/samdb.py +++ b/python/samba/tests/samdb.py @@ -38,13 +38,13 @@ class SamDBTestCase(TestCaseInTempDir): super(SamDBTestCase, self).setUp() self.session = system_session() logger = logging.getLogger("selftest") - domain = "dsdb" - realm = "dsdb.samba.example.com" + self.domain = "dsdb" + self.realm = "dsdb.samba.example.com" host_name = "test" server_role = "active directory domain controller" self.result = provision(logger, self.session, targetdir=self.tempdir, - realm=realm, domain=domain, + realm=self.realm, domain=self.domain, hostname=host_name, use_ntvfs=True, serverrole=server_role, @@ -61,3 +61,10 @@ class SamDBTestCase(TestCaseInTempDir): shutil.rmtree(os.path.join(self.tempdir, d)) super(SamDBTestCase, self).tearDown() + + +class SamDBTests(SamDBTestCase): + + def test_get_domain(self): + self.assertEqual(self.samdb.domain_dns_name(), self.realm.lower()) + self.assertEqual(self.samdb.domain_netbios_name(), self.domain.upper()) diff --git a/selftest/tests.py b/selftest/tests.py index 91c75b0ebed..b9b95d800cc 100644 --- a/selftest/tests.py +++ b/selftest/tests.py @@ -211,6 +211,7 @@ planpythontestsuite("none", "samba.tests.graph") plantestsuite("wafsamba.duplicate_symbols", "none", [os.path.join(srcdir(), "buildtools/wafsamba/test_duplicate_symbol.sh")]) planpythontestsuite("none", "samba.tests.glue") planpythontestsuite("none", "samba.tests.tdb_util") +planpythontestsuite("none", "samba.tests.samdb") planpythontestsuite("none", "samba.tests.samdb_api") if with_pam: -- 2.25.1 From 8bbaf0e3a3d44ffc727b4288b37bb01583c1adb2 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 13:47:30 +1300 Subject: [PATCH 041/380] selftest: Make as_canonicalization_tests.py auto-detect the NT4 domain name Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2693f12fbe321e0f4932b1f74d7006dbac140e8e) --- python/samba/tests/krb5/as_canonicalization_tests.py | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index c0c3208d216..221ff486fd8 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -184,18 +184,21 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.lp = cls.get_loadparm(cls) cls.username = os.environ["USERNAME"] cls.password = os.environ["PASSWORD"] - cls.domain = os.environ["DOMAIN"] cls.host = os.environ["SERVER"] c = Credentials() c.set_username(cls.username) c.set_password(cls.password) - c.set_domain(cls.domain) try: realm = os.environ["REALM"] c.set_realm(realm) except KeyError: pass + try: + domain = os.environ["DOMAIN"] + c.set_domain(domain) + except KeyError: + pass c.guess() @@ -243,6 +246,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.user_creds = Credentials() cls.user_creds.guess(cls.lp) cls.user_creds.set_realm(cls.ldb.domain_dns_name().upper()) + cls.user_creds.set_domain(cls.ldb.domain_netbios_name().upper()) cls.user_creds.set_password(cls.user_pass) cls.user_creds.set_username(cls.user_name) cls.user_creds.set_workstation(cls.machine_name) @@ -271,6 +275,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): cls.machine_creds = Credentials() cls.machine_creds.guess(cls.lp) cls.machine_creds.set_realm(cls.ldb.domain_dns_name().upper()) + cls.machine_creds.set_domain(cls.ldb.domain_netbios_name().upper()) cls.machine_creds.set_secure_channel_type(SEC_CHAN_WKSTA) cls.machine_creds.set_kerberos_state(DONT_USE_KERBEROS) cls.machine_creds.set_password(cls.machine_pass) -- 2.25.1 From 648c162e4a15a179ca15b294290e0511288bff28 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:21:24 +1300 Subject: [PATCH 042/380] selftest: Fix formatting of failure (traceback and options swapped in format string) Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ab8c0a181bebe17a597af49790f6e7b17e13c29b) --- python/samba/tests/krb5/as_canonicalization_tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 221ff486fd8..f0e9f6307f6 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -296,8 +296,8 @@ class KerberosASCanonicalizationTests(RawKerberosTest): except pyasn1.error.PyAsn1Error as e: import traceback self.fail("ASN1 Error, Options {0:08b}:{1} {2}".format( - traceback.format_exc(), data.options, + traceback.format_exc(), e)) # If as_req triggered an expected server error response # No need to test the response data. -- 2.25.1 From 2b43617bc7e44ef231a79dc1e5b51eda9f88d78c Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 11:27:06 +1300 Subject: [PATCH 043/380] selftest: Add in encrypted-pa-data from RFC 6806 This comes from Windows 2019 which supports FAST. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fc77ece0e2b5fd324809e17a9b208cc7854cee4b) --- python/samba/tests/krb5/rfc4120.asn1 | 3 ++- python/samba/tests/krb5/rfc4120_pyasn1.py | 19 ++++++++++--------- 2 files changed, 12 insertions(+), 10 deletions(-) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 58e0c1636a1..654f9788ca7 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -239,7 +239,8 @@ EncKDCRepPart ::= SEQUENCE { renew-till [8] KerberosTime OPTIONAL, srealm [9] Realm, sname [10] PrincipalName, - caddr [11] HostAddresses OPTIONAL + caddr [11] HostAddresses OPTIONAL, + encrypted-pa-data[12] METHOD-DATA OPTIONAL } LastReq ::= SEQUENCE OF SEQUENCE { diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index b4ea678afd8..1d89f94adf1 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2020-11-03 14:07:15.270009) +# (last modified on 2020-11-06 11:30:42.476808) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -438,6 +438,13 @@ LastReq.componentType = univ.Sequence(componentType=namedtype.NamedTypes( )) +class METHOD_DATA(univ.SequenceOf): + pass + + +METHOD_DATA.componentType = PA_DATA() + + class TicketFlags(KerberosFlags): pass @@ -458,7 +465,8 @@ EncKDCRepPart.componentType = namedtype.NamedTypes( namedtype.OptionalNamedType('renew-till', KerberosTime().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 8))), namedtype.NamedType('srealm', Realm().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 9))), namedtype.NamedType('sname', PrincipalName().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatConstructed, 10))), - namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))) + namedtype.OptionalNamedType('caddr', HostAddresses().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 11))), + namedtype.OptionalNamedType('encrypted-pa-data', METHOD_DATA().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 12))) ) @@ -702,13 +710,6 @@ KRB_SAFE.componentType = namedtype.NamedTypes( ) -class METHOD_DATA(univ.SequenceOf): - pass - - -METHOD_DATA.componentType = PA_DATA() - - class MessageTypeValues(univ.Integer): pass -- 2.25.1 From d8fd226773b933a662943d5200efc67528324354 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Tue, 10 Nov 2020 13:50:37 +1300 Subject: [PATCH 044/380] selftest: Windows 2019 implements the RemoveDollar behaviour for Enterprise principals This is documented in MS-KILE. Signed-off-by: Andrew Bartlett Reviewed-by: Gary Lockyer BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Gary Lockyer Autobuild-Date(master): Wed Nov 11 02:38:46 UTC 2020 on sn-devel-184 (cherry picked from commit f214a3ba5a3e9f129f10062392ae03edd62d8186) --- .../tests/krb5/as_canonicalization_tests.py | 11 ---------- selftest/knownfail.d/kdc-enterprise | 20 ------------------- selftest/knownfail_mit_kdc | 20 +++++++++++++++++++ 3 files changed, 20 insertions(+), 31 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index f0e9f6307f6..caa186bed41 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -366,17 +366,6 @@ class KerberosASCanonicalizationTests(RawKerberosTest): self.assertEqual( rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) - # We should get KDC_ERR_PREAUTH_REQUIRED - # unless the RemoveDollar and Enterprise options are set - # then we should get a KDC_ERR_C_PRINCIPAL_UNKNOWN - if TestOptions.RemoveDollar.is_set(data.options) and\ - TestOptions.Enterprise.is_set(data.options): - self.assertEqual( - rep['error-code'], - KDC_ERR_C_PRINCIPAL_UNKNOWN, - "Error code {0}, Data {1}".format(rep['error-code'], str(data))) - return (None, None) - self.assertEqual( rep['error-code'], KDC_ERR_PREAUTH_REQUIRED, diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise index 4e4f8a93e03..d15d67c8af6 100644 --- a/selftest/knownfail.d/kdc-enterprise +++ b/selftest/knownfail.d/kdc-enterprise @@ -1,19 +1,3 @@ -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar\( @@ -26,14 +10,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( -samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 9bac4737591..00edbc0c34d 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -150,3 +150,23 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperRealm_UpperUserName_UPN\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( +samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( -- 2.25.1 From a87cfead30a4f630aaa5e22ccb8b3646bb94e989 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 4 Nov 2020 13:54:46 +1300 Subject: [PATCH 045/380] selftest: add heimdal kdc specific known fail Add a heimdal kerberos specific known fail, will be needed by subsequent commits. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 5cb5134377f099353e0f91c44cc11e45d548d40f) --- selftest/knownfail_heimdal_kdc | 0 selftest/wscript | 3 +++ 2 files changed, 3 insertions(+) create mode 100644 selftest/knownfail_heimdal_kdc diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc new file mode 100644 index 00000000000..e69de29bb2d diff --git a/selftest/wscript b/selftest/wscript index 95086b4f0ed..82354071d5b 100644 --- a/selftest/wscript +++ b/selftest/wscript @@ -265,6 +265,9 @@ def cmd_testonly(opt): env.OPTIONS += " --mitkrb5 --exclude=${srcdir}/selftest/skip_mit_kdc" env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ "knownfail_mit_kdc" + else: + env.FILTER_XFAIL += " --expected-failures=${srcdir}/selftest/"\ + "knownfail_heimdal_kdc" if not CONFIG_GET(opt, 'HAVE_GSS_KRB5_CRED_NO_CI_FLAGS_X'): # older MIT krb5 libraries (< 1.14) don't have -- 2.25.1 From 2fe18d5ebb4af139bed09d9ea8718aac901b9e9b Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 4 Nov 2020 13:58:24 +1300 Subject: [PATCH 046/380] tests python krb5: Add python kerberos compatability tests Add new python test to document the differences between the MIT and Heimdal Kerberos implementations. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1e1d8b9c83f32c06ecab31214a20b77529ee038e) --- .../samba/tests/krb5/compatability_tests.py | 174 ++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 4 + selftest/knownfail_mit_kdc | 4 + source4/selftest/tests.py | 1 + 5 files changed, 184 insertions(+) create mode 100755 python/samba/tests/krb5/compatability_tests.py diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py new file mode 100755 index 00000000000..63bd5269c2b --- /dev/null +++ b/python/samba/tests/krb5/compatability_tests.py @@ -0,0 +1,174 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) Catalyst.Net Ltd 2020 +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +global_asn1_print = False +global_hexdump = False + + +class SimpleKerberosTests(RawKerberosTest): + + def setUp(self): + super(SimpleKerberosTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_mit_EncASRepPart_tag(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x7a, enc[0]) + + def test_heimdal_EncASRepPart_tag(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x79, enc[0]) + + def test_mit_EncryptedData_kvno(self): + creds = self.get_user_creds() + (_, enc) = self.as_req(creds) + if 'kvno' in enc: + self.fail("kvno present in EncryptedData") + + def test_heimdal_EncryptedData_kvno(self): + creds = self.get_user_creds() + (_, enc) = self.as_req(creds) + if 'kvno' not in enc: + self.fail("kvno absent in EncryptedData") + + def test_mit_EncASRepPart_FAST_support(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x7A, enc[0]) + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart()) + flags = int(as_rep['flags'], base=2) + # MIT sets enc-pa-rep, flag bit 15 + # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests + self.assertTrue(0x00010000 & flags) + + def test_heimdal_EncASRepPart_FAST_support(self): + creds = self.get_user_creds() + (enc, _) = self.as_req(creds) + self.assertEqual(0x79, enc[0]) + as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart()) + flags = as_rep['flags'] + flags = int(as_rep['flags'], base=2) + # Heimdal does not set enc-pa-rep, flag bit 15 + # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests + self.assertFalse(0x00010000 & flags) + + def as_req(self, creds): + user = creds.get_username() + realm = creds.get_realm() + + cname = self.PrincipalName_create(name_type=1, names=[user]) + sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + + till = self.get_KerberosTime(offset=36000) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = None + + etypes = (18, 17, 23) + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + self.assertEqual(rep['msg-type'], 30) + self.assertEqual(rep['error-code'], 25) + rep_padata = self.der_decode( + rep['e-data'], + asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == 19: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode( + etype_info2, + asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec() + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(2, pa_ts) + + kdc_options = krb5_asn1.KDCOptions('forwardable') + padata = [pa_ts] + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + self.assertEqual(msg_type, 11) + + usage = 3 + enc_part = rep['enc-part'] + enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher']) + return (enc_as_rep_part, enc_part) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 2f813760814..fbb9a06d99e 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -90,6 +90,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/s4u_tests.py', 'python/samba/tests/krb5/xrealm_tests.py', 'python/samba/tests/krb5/as_canonicalization_tests.py', + 'python/samba/tests/krb5/compatability_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index e69de29bb2d..7ab56b6721b 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -0,0 +1,4 @@ +# +# We expect all the MIT specific compatability tests to fail on heimdal +# kerberos +^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_ diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 00edbc0c34d..9953d51f21d 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -1,4 +1,8 @@ # +# We expect all the heimdal specific compatability tests to fail on MIT +# kerberos +^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_heimdal_ +# # Currently MOST but not quite all the Canonicalization tests fail on the # MIT KDC # diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 78b1a8494f3..76828e27d66 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1285,6 +1285,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: "samba4.krb5.kdc with machine account") planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") +planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests") for env in [ 'vampire_dc', -- 2.25.1 From 03911f9334e64ca0a7412613f5332270a73dd3ee Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 11:19:02 +1300 Subject: [PATCH 047/380] tests python krb5: Add constants module Extract the constants used in the tests into a separate module. To reduce code duplication Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 532c941fbb8fc5fc5da4aa2d0e170229076e9aa7) --- python/samba/tests/krb5/rfc4120_constants.py | 49 ++++++++++++++++++++ python/samba/tests/usage.py | 1 + 2 files changed, 50 insertions(+) create mode 100644 python/samba/tests/krb5/rfc4120_constants.py diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py new file mode 100644 index 00000000000..e939bb75e82 --- /dev/null +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -0,0 +1,49 @@ +# Unix SMB/CIFS implementation. +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 + +# Encryption types +AES256_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')) +AES128_CTS_HMAC_SHA1_96 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')) +ARCFOUR_HMAC_MD5 = int( + krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')) + +# Message types +KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) +KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) + +# PAData types +PADATA_ENC_TIMESTAMP = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) +PADATA_ETYPE_INFO2 = int( + krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) + +# Error codes +KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 +KDC_ERR_PREAUTH_FAILED = 24 +KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_SKEW = 37 + +# Name types +NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) +NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) +NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) +NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( + 'kRB5-NT-ENTERPRISE-PRINCIPAL')) diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index fbb9a06d99e..536721a1f86 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -91,6 +91,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/xrealm_tests.py', 'python/samba/tests/krb5/as_canonicalization_tests.py', 'python/samba/tests/krb5/compatability_tests.py', + 'python/samba/tests/krb5/rfc4120_constants.py', } EXCLUDE_HELP = { -- 2.25.1 From a4f77bd26a05784e93090b3721ebd1529aea2cb4 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 11:20:03 +1300 Subject: [PATCH 048/380] tests python krb5: Refactor canonicalization test constants Modify tests to use the constants defined in rfc4120_constants.py Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 97b830cbcac53fcf49bbcd272812d1ba019bac51) --- .../tests/krb5/as_canonicalization_tests.py | 30 +------------------ 1 file changed, 1 insertion(+), 29 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index caa186bed41..303788b672e 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -41,6 +41,7 @@ from samba.dsdb import ( UF_NORMAL_ACCOUNT) from samba.samdb import SamDB from samba.tests import delete_force, DynamicTestCase +from samba.tests.krb5.rfc4120_constants import * global_asn1_print = False global_hexdump = False @@ -123,35 +124,6 @@ class TestData: MACHINE_NAME = "tstkrb5cnnmch" USER_NAME = "tstkrb5cnnusr" -# Encryption types -AES256_CTS_HMAC_SHA1_96 = int( - krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES256-CTS-HMAC-SHA1-96')) -AES128_CTS_HMAC_SHA1_96 = int( - krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-AES128-CTS-HMAC-SHA1-96')) -ARCFOUR_HMAC_MD5 = int( - krb5_asn1.EncryptionTypeValues('kRB5-ENCTYPE-ARCFOUR-HMAC-MD5')) - -# Message types -KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) -KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) - -# PAData types -PADATA_ENC_TIMESTAMP = int( - krb5_asn1.PADataTypeValues('kRB5-PADATA-ENC-TIMESTAMP')) -PADATA_ETYPE_INFO2 = int( - krb5_asn1.PADataTypeValues('kRB5-PADATA-ETYPE-INFO2')) - -# Error codes -KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 -KDC_ERR_PREAUTH_REQUIRED = 25 - -# Name types -NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) -NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) -NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) -NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-ENTERPRISE-PRINCIPAL')) - - @DynamicTestCase class KerberosASCanonicalizationTests(RawKerberosTest): -- 2.25.1 From 93f1e420cf2d6d01aeb96b47fca5c6bea799a6f5 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 11:20:58 +1300 Subject: [PATCH 049/380] tests python krb5: Refactor compatability test constants Modify tests to use the constants defined in rfc4120_constants.py Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 82a413f48b7ef71feb68fc34f7ca753d45eb8974) --- .../samba/tests/krb5/compatability_tests.py | 42 ++++++++++++------- 1 file changed, 28 insertions(+), 14 deletions(-) diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 63bd5269c2b..bf561346ab3 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -25,10 +25,17 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import * global_asn1_print = False global_hexdump = False +HIEMDAL_ENC_AS_REP_PART_TYPE_TAG = 0x79 +# MIT uses the EncTGSRepPart tag for the EncASRepPart +MIT_ENC_AS_REP_PART_TYPE_TAG = 0x7A + +ENC_PA_REP_FLAG = 0x00010000 + class SimpleKerberosTests(RawKerberosTest): @@ -40,12 +47,12 @@ class SimpleKerberosTests(RawKerberosTest): def test_mit_EncASRepPart_tag(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x7a, enc[0]) + self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0]) def test_heimdal_EncASRepPart_tag(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x79, enc[0]) + self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0]) def test_mit_EncryptedData_kvno(self): creds = self.get_user_creds() @@ -62,37 +69,44 @@ class SimpleKerberosTests(RawKerberosTest): def test_mit_EncASRepPart_FAST_support(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x7A, enc[0]) + self.assertEqual(MIT_ENC_AS_REP_PART_TYPE_TAG, enc[0]) as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncTGSRepPart()) flags = int(as_rep['flags'], base=2) # MIT sets enc-pa-rep, flag bit 15 # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests - self.assertTrue(0x00010000 & flags) + self.assertTrue(ENC_PA_REP_FLAG & flags) def test_heimdal_EncASRepPart_FAST_support(self): creds = self.get_user_creds() (enc, _) = self.as_req(creds) - self.assertEqual(0x79, enc[0]) + self.assertEqual(HIEMDAL_ENC_AS_REP_PART_TYPE_TAG, enc[0]) as_rep = self.der_decode(enc, asn1Spec=krb5_asn1.EncASRepPart()) flags = as_rep['flags'] flags = int(as_rep['flags'], base=2) # Heimdal does not set enc-pa-rep, flag bit 15 # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests - self.assertFalse(0x00010000 & flags) + self.assertFalse(ENC_PA_REP_FLAG & flags) def as_req(self, creds): user = creds.get_username() realm = creds.get_realm() - cname = self.PrincipalName_create(name_type=1, names=[user]) - sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=["krbtgt", realm]) till = self.get_KerberosTime(offset=36000) kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes = (18, 17, 23) + etypes = ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -111,14 +125,14 @@ class SimpleKerberosTests(RawKerberosTest): rep = self.send_recv_transaction(req) self.assertIsNotNone(rep) - self.assertEqual(rep['msg-type'], 30) - self.assertEqual(rep['error-code'], 25) + self.assertEqual(rep['msg-type'], KRB_ERROR) + self.assertEqual(rep['error-code'], KDC_ERR_PREAUTH_REQUIRED) rep_padata = self.der_decode( rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: - if pa['padata-type'] == 19: + if pa['padata-type'] == PADATA_ETYPE_INFO2: etype_info2 = pa['padata-value'] break @@ -136,7 +150,7 @@ class SimpleKerberosTests(RawKerberosTest): pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) - pa_ts = self.PA_DATA_create(2, pa_ts) + pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) kdc_options = krb5_asn1.KDCOptions('forwardable') padata = [pa_ts] @@ -159,7 +173,7 @@ class SimpleKerberosTests(RawKerberosTest): self.assertIsNotNone(rep) msg_type = rep['msg-type'] - self.assertEqual(msg_type, 11) + self.assertEqual(msg_type, KRB_AS_REP) usage = 3 enc_part = rep['enc-part'] -- 2.25.1 From 0186a9dda5e3b7a4e312efe1742d2f231ebff9b4 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 13:51:39 +1300 Subject: [PATCH 050/380] tests python krb5: raw_testcase permit RC4 salts MIT kerberos returns a salt when ARCFOUR_HMAC_MD5, this commit removes the check that a salt is not returned. A test for the difference between MIT and Heimdal will be added in the subsequent commits. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1bab87c50baf0fecb5d4cd09e1a9896730c6377e) --- python/samba/tests/krb5/raw_testcase.py | 1 - 1 file changed, 1 deletion(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 45e46e0b7ba..e67f5464e59 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -425,7 +425,6 @@ class RawKerberosTest(TestCase): pass if e == kcrypto.Enctype.RC4: - self.assertIsNone(salt) nthash = creds.get_nt_hash() return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) -- 2.25.1 From 74f23242a07b722a0fe472d23a5b8d609dc532cc Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 6 Nov 2020 09:07:04 +1300 Subject: [PATCH 051/380] tests python krb5: Convert kdc-heimdal to python Implement the tests in source4/torture/krb5/kdc-heimdal.c in python. The following tests were not re-implemented as they are client side tests for the "Orpheus Lyre" attack: TORTURE_KRB5_TEST_CHANGE_SERVER_OUT TORTURE_KRB5_TEST_CHANGE_SERVER_IN TORTURE_KRB5_TEST_CHANGE_SERVER_BOTH Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit a00a1c9745033dae05eee17cfa4e2c5354a81e68) --- python/samba/tests/krb5/kdc_tests.py | 219 +++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 221 insertions(+) create mode 100755 python/samba/tests/krb5/kdc_tests.py diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py new file mode 100755 index 00000000000..57a25448965 --- /dev/null +++ b/python/samba/tests/krb5/kdc_tests.py @@ -0,0 +1,219 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import * + +global_asn1_print = False +global_hexdump = False + + +class KdcTests(RawKerberosTest): + """ Port of the tests in source4/torture/krb5/kdc-heimdal.c + To python. + """ + + def setUp(self): + super(KdcTests, self).setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def as_req(self, creds, etypes, padata=None): + user = creds.get_username() + realm = creds.get_realm() + + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=["krbtgt", realm]) + till = self.get_KerberosTime(offset=36000) + + kdc_options = 0 + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + return rep + + def get_pa_data(self, creds, rep, skew=0): + rep_padata = self.der_decode( + rep['e-data'], + asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == PADATA_ETYPE_INFO2: + etype_info2 = pa['padata-value'] + break + + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) + + (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew) + pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + enc_pa_ts_usage = 1 + pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) + + pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) + + padata = [pa_ts] + return padata + + def check_pre_authenication(self, rep): + """ Check that the kdc response was pre-authentication required + """ + self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED) + + def check_as_reply(self, rep): + """ Check that the kdc response is an AS-REP and that the + values for: + msg-type + pvno + tkt-pvno + kvno + match the expected values + """ + + # Should have a reply, and it should an AS-REP message. + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_AS_REP) + + # Protocol version number should be 5 + pvno = int(rep['pvno']) + self.assertEqual(5, pvno) + + # The ticket version number should be 5 + tkt_vno = int(rep['ticket']['tkt-vno']) + self.assertEqual(5, tkt_vno) + + # Check that the kvno is not an RODC kvno + # MIT kerberos does not provide the kvno, so we treat it as optional. + # This is tested in compatability_test.py + if 'kvno' in rep['enc-part']: + kvno = int(rep['enc-part']['kvno']) + # If the high order bits are set this is an RODC kvno. + self.assertEqual(0, kvno & 0xFFFF0000) + + def check_error_rep(self, rep, expected): + """ Check that the reply is an error message, with the expected + error-code specified. + """ + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_ERROR) + self.assertEqual(rep['error-code'], expected) + + def test_aes256_cts_hmac_sha1_96(self): + creds = self.get_user_creds() + etype = (AES256_CTS_HMAC_SHA1_96,) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + self.check_as_reply(rep) + + etype = rep['enc-part']['etype'] + self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype) + + def test_arc4_hmac_md5(self): + creds = self.get_user_creds() + etype = (ARCFOUR_HMAC_MD5,) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + self.check_as_reply(rep) + + etype = rep['enc-part']['etype'] + self.assertEquals(ARCFOUR_HMAC_MD5, etype) + + def test_aes_rc4(self): + creds = self.get_user_creds() + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + self.check_as_reply(rep) + + etype = rep['enc-part']['etype'] + self.assertEquals(AES256_CTS_HMAC_SHA1_96, etype) + + def test_clock_skew(self): + creds = self.get_user_creds() + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep, skew=3600) + rep = self.as_req(creds, etype, padata=padata) + + self.check_error_rep(rep, KDC_ERR_SKEW) + + def test_invalid_password(self): + creds = self.insta_creds(template=self.get_user_creds()) + creds.set_password("Not the correct password") + + etype = (AES256_CTS_HMAC_SHA1_96,) + + rep = self.as_req(creds, etype) + self.check_pre_authenication(rep) + + padata = self.get_pa_data(creds, rep) + rep = self.as_req(creds, etype, padata=padata) + + self.check_error_rep(rep, KDC_ERR_PREAUTH_FAILED) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 536721a1f86..35abaf2dafa 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -92,6 +92,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/as_canonicalization_tests.py', 'python/samba/tests/krb5/compatability_tests.py', 'python/samba/tests/krb5/rfc4120_constants.py', + 'python/samba/tests/krb5/kdc_tests.py', } EXCLUDE_HELP = { diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 76828e27d66..f72060e9870 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1286,6 +1286,7 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests") +planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") for env in [ 'vampire_dc', -- 2.25.1 From 66c868177ea79fc608f02776f9074fc19f6f3c19 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 16:56:46 +1300 Subject: [PATCH 052/380] tests python krb5: refactor compatability tests Refactor to aid the adding of tests for the inclusion of a salt when ARCFOUR_HMAC_MD5 encryption selected Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d492355f293e2da400318665035b056dfaba852c) --- .../samba/tests/krb5/compatability_tests.py | 24 ++++++++++++++----- 1 file changed, 18 insertions(+), 6 deletions(-) diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index bf561346ab3..5990d2ce8df 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -87,7 +87,7 @@ class SimpleKerberosTests(RawKerberosTest): # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests self.assertFalse(ENC_PA_REP_FLAG & flags) - def as_req(self, creds): + def as_pre_auth_req(self, creds, etypes): user = creds.get_username() realm = creds.get_realm() @@ -103,10 +103,6 @@ class SimpleKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes = ( - AES256_CTS_HMAC_SHA1_96, - AES128_CTS_HMAC_SHA1_96, - ARCFOUR_HMAC_MD5) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -123,10 +119,16 @@ class SimpleKerberosTests(RawKerberosTest): EncAuthorizationData_key=None, additional_tickets=None) rep = self.send_recv_transaction(req) - self.assertIsNotNone(rep) + return (rep, cname, sname, realm, till) + + def check_preauth_rep(self, rep): + self.assertIsNotNone(rep) self.assertEqual(rep['msg-type'], KRB_ERROR) self.assertEqual(rep['error-code'], KDC_ERR_PREAUTH_REQUIRED) + + def get_etype_info2(self, rep): + rep_padata = self.der_decode( rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) @@ -139,7 +141,17 @@ class SimpleKerberosTests(RawKerberosTest): etype_info2 = self.der_decode( etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + return etype_info2 + + def as_req(self, creds): + etypes = ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5) + (rep, cname, sname, realm, till) = self.as_pre_auth_req(creds, etypes) + self.check_preauth_rep(rep) + etype_info2 = self.get_etype_info2(rep) key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) (patime, pausec) = self.get_KerberosTimeWithUsec() -- 2.25.1 From cb18851317987279cca0249feeddce85e489710c Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Tue, 10 Nov 2020 16:57:11 +1300 Subject: [PATCH 053/380] tests python krb5: add arcfour salt tests MIT kerberos returns a salt when ARCFOUR_HMAC_MD5 encryption selected, Heimdal does not. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Thu Nov 12 22:54:22 UTC 2020 on sn-devel-184 (cherry picked from commit 2ba6d596ff0a3580eca9285fd83569bcb147ce77) --- .../samba/tests/krb5/compatability_tests.py | 20 +++++++++++++++++++ 1 file changed, 20 insertions(+) diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 5990d2ce8df..e4b1453e712 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -87,6 +87,26 @@ class SimpleKerberosTests(RawKerberosTest): # RFC 6806 11. Negotiation of FAST and Detecting Modified Requests self.assertFalse(ENC_PA_REP_FLAG & flags) + def test_mit_arcfour_salt(self): + creds = self.get_user_creds() + etypes = (ARCFOUR_HMAC_MD5,) + (rep, *_) = self.as_pre_auth_req(creds, etypes) + self.check_preauth_rep(rep) + etype_info2 = self.get_etype_info2(rep) + if 'salt' not in etype_info2[0]: + self.fail( + "(MIT) Salt not populated for ARCFOUR_HMAC_MD5 encryption") + + def test_heimdal_arcfour_salt(self): + creds = self.get_user_creds() + etypes = (ARCFOUR_HMAC_MD5,) + (rep, *_) = self.as_pre_auth_req(creds, etypes) + self.check_preauth_rep(rep) + etype_info2 = self.get_etype_info2(rep) + if 'salt' in etype_info2[0]: + self.fail( + "(Heimdal) Salt populated for ARCFOUR_HMAC_MD5 encryption") + def as_pre_auth_req(self, creds, etypes): user = creds.get_username() realm = creds.get_realm() -- 2.25.1 From 573e9ad57b84033bf101c5cd3cb2acad4d89ff78 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 18 Nov 2020 14:49:28 +1300 Subject: [PATCH 054/380] tests python krb5: Extra canonicalization tests Add tests that set the server name to the client name for the machine account in the kerberos AS_REQ. This replicates the TEST_AS_REQ_SELF test phase in source4/torture/krb5/kdc-canon-heimdal.c. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Nov 30 05:21:42 UTC 2020 on sn-devel-184 (cherry picked from commit 7f7e2b0e1e17321d800de787098bb2b2c8259ecd) --- .../tests/krb5/as_canonicalization_tests.py | 74 +++++++++----- selftest/knownfail.d/kdc-enterprise | 26 +++++ selftest/knownfail_mit_kdc | 96 +++++++++++++++++++ 3 files changed, 172 insertions(+), 24 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 303788b672e..6ea3ff0491e 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -56,7 +56,8 @@ class TestOptions(Enum): NetbiosRealm = 16 UPN = 32 RemoveDollar = 64 - Last = 128 + AsReqSelf = 128 + Last = 256 def is_set(self, x): return self.value & x @@ -76,8 +77,8 @@ class TestData: def __init__(self, options, creds): self.options = options self.user_creds = creds - self.user_name = self.get_username(options, creds) - self.realm = self.get_realm(options, creds) + self.user_name = self._get_username(options, creds) + self.realm = self._get_realm(options, creds) if TestOptions.Enterprise.is_set(options): client_name_type = NT_ENTERPRISE_PRINCIPAL @@ -86,11 +87,14 @@ class TestData: self.cname = RawKerberosTest.PrincipalName_create( name_type=client_name_type, names=[self.user_name]) - self.sname = RawKerberosTest.PrincipalName_create( - name_type=NT_SRV_INST, names=["krbtgt", self.realm]) + if TestOptions.AsReqSelf.is_set(options): + self.sname = self.cname + else: + self.sname = RawKerberosTest.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", self.realm]) self.canonicalize = TestOptions.Canonicalize.is_set(options) - def get_realm(self, options, creds): + def _get_realm(self, options, creds): realm = creds.get_realm() if TestOptions.NetbiosRealm.is_set(options): realm = creds.get_domain() @@ -100,7 +104,7 @@ class TestData: realm = realm.lower() return realm - def get_username(self, options, creds): + def _get_username(self, options, creds): name = creds.get_username() if TestOptions.RemoveDollar.is_set(options) and name.endswith("$"): name = name[:-1] @@ -135,6 +139,9 @@ class KerberosASCanonicalizationTests(RawKerberosTest): if ct != CredentialsType.Machine and\ TestOptions.RemoveDollar.is_set(options): return True + if ct != CredentialsType.Machine and\ + TestOptions.AsReqSelf.is_set(options): + return True return False def build_test_name(ct, options): @@ -448,26 +455,45 @@ class KerberosASCanonicalizationTests(RawKerberosTest): def check_sname(self, sname, data): nt = sname['name-type'] - self.assertEqual( - NT_SRV_INST, - nt, - "sname name-type, Options {0:08b}".format(data.options)) - ns = sname['name-string'] name = ns[0].decode('ascii') - self.assertEqual( - 'krbtgt', - name, - "sname principal, Options {0:08b}".format(data.options)) - realm = ns[1].decode('ascii') - expected = data.realm - if TestOptions.Canonicalize.is_set(data.options): - expected = data.user_creds.get_realm().upper() - self.assertEqual( - expected, - realm, - "sname realm, Options {0:08b}".format(data.options)) + if TestOptions.AsReqSelf.is_set(data.options): + expected_name_type = NT_PRINCIPAL + if not TestOptions.Canonicalize.is_set(data.options)\ + and TestOptions.Enterprise.is_set(data.options): + + expected_name_type = NT_ENTERPRISE_PRINCIPAL + + self.assertEqual( + expected_name_type, + nt, + "sname name-type, Options {0:08b}".format(data.options)) + expected = data.user_name + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_username() + self.assertEqual( + expected, + name, + "sname principal, Options {0:08b}".format(data.options)) + else: + self.assertEqual( + NT_SRV_INST, + nt, + "sname name-type, Options {0:08b}".format(data.options)) + self.assertEqual( + 'krbtgt', + name, + "sname principal, Options {0:08b}".format(data.options)) + + realm = ns[1].decode('ascii') + expected = data.realm + if TestOptions.Canonicalize.is_set(data.options): + expected = data.user_creds.get_realm().upper() + self.assertEqual( + expected, + realm, + "sname realm, Options {0:08b}".format(data.options)) def check_srealm(self, srealm, data): realm = data.user_creds.get_realm() diff --git a/selftest/knownfail.d/kdc-enterprise b/selftest/knownfail.d/kdc-enterprise index d15d67c8af6..c9b6c98a2ee 100644 --- a/selftest/knownfail.d/kdc-enterprise +++ b/selftest/knownfail.d/kdc-enterprise @@ -35,3 +35,29 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_UserCredentials_Enterprise_UpperUserName_UPN\( + + +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index 9953d51f21d..f1a4971430e 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -174,3 +174,99 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar\( samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\(ad_dc +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_Enterprise_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Canonicalize_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_Enterprise_UpperRealm_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperRealm_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_NetbiosRealm_UPN_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_AsReqSelf\( +^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar_AsReqSelf\( -- 2.25.1 From 06a7429bd97934a68a916c1a97ce2b9169b624d0 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 10 Dec 2020 10:15:28 +1300 Subject: [PATCH 055/380] tests python krb5: Add Authorization data ad-type constants Add constants for the Authorization Data Type values. RFC 4120 7.5.4. Authorization Data Types Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d74c9dcf3aaa613abfac49288f427484468bf6e1) --- python/samba/tests/krb5/rfc4120_constants.py | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index e939bb75e82..e1d0c5baa68 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -47,3 +47,17 @@ NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( 'kRB5-NT-ENTERPRISE-PRINCIPAL')) + +# Authorization data ad-type values + +AD_IF_RELEVANT = 1 +AD_INTENDED_FOR_SERVER = 2 +AD_INTENDED_FOR_APPLICATION_CLASS = 3 +AD_KDC_ISSUED = 4 +AD_AND_OR = 5 +AD_MANDATORY_TICKET_EXTENSIONS = 6 +AD_IN_TICKET_EXTENSIONS = 7 +AD_MANDATORY_FOR_KDC = 8 +AD_INITIAL_VERIFIED_CAS = 9 +AD_WIN2K_PAC = 128 +AD_SIGNTICKET = 512 -- 2.25.1 From 6b873cf67d374902b8482f41a42bf9bd8f714d20 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Mon, 30 Nov 2020 14:16:28 +1300 Subject: [PATCH 056/380] tests python krb5: add test base class Add a base class for the KDC tests to reduce the amount of code duplication in the tests. Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 0f232ed42fb2671d025643cafb19891373562e4a) --- python/samba/tests/krb5/kdc_base_test.py | 419 +++++++++++++++++++++++ 1 file changed, 419 insertions(+) create mode 100755 python/samba/tests/krb5/kdc_base_test.py diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py new file mode 100755 index 00000000000..4fc7ee85ba9 --- /dev/null +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -0,0 +1,419 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" +from collections import namedtuple +from ldb import SCOPE_BASE +from samba import generate_random_password +from samba.auth import system_session +from samba.credentials import Credentials +from samba.dcerpc import krb5pac +from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT +from samba.ndr import ndr_unpack +from samba.samdb import SamDB + +from samba.tests import delete_force +from samba.tests.krb5.raw_testcase import RawKerberosTest +import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import ( + AD_IF_RELEVANT, + AD_WIN2K_PAC, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KRB_TGS_REP, + KRB_ERROR, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO2, +) + +global_asn1_print = False +global_hexdump = False + + +class KDCBaseTest(RawKerberosTest): + """ Base class for KDC tests. + """ + + @classmethod + def setUpClass(cls): + cls.lp = cls.get_loadparm(cls) + cls.username = os.environ["USERNAME"] + cls.password = os.environ["PASSWORD"] + cls.host = os.environ["SERVER"] + + c = Credentials() + c.set_username(cls.username) + c.set_password(cls.password) + try: + realm = os.environ["REALM"] + c.set_realm(realm) + except KeyError: + pass + try: + domain = os.environ["DOMAIN"] + c.set_domain(domain) + except KeyError: + pass + + c.guess() + + cls.credentials = c + + cls.session = system_session() + cls.ldb = SamDB(url="ldap://%s" % cls.host, + session_info=cls.session, + credentials=cls.credentials, + lp=cls.lp) + # fetch the dnsHostName from the RootDse + res = cls.ldb.search( + base="", expression="", scope=SCOPE_BASE, attrs=["dnsHostName"]) + cls.dns_host_name = str(res[0]['dnsHostName']) + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + self.accounts = [] + + def tearDown(self): + # Clean up any accounts created by create_account + for dn in self.accounts: + delete_force(self.ldb, dn) + + def create_account(self, name, machine_account=False, spn=None): + '''Create an account for testing. + The dn of the created account is added to self.accounts, + which is used by tearDown to clean up the created accounts. + ''' + dn = "cn=%s,%s" % (name, self.ldb.domain_dn()) + + # remove the account if it exists, this will happen if a previous test + # run failed + delete_force(self.ldb, dn) + if machine_account: + object_class = "computer" + account_name = "%s$" % name + account_control = str(UF_WORKSTATION_TRUST_ACCOUNT) + else: + object_class = "user" + account_name = name + account_control = str(UF_NORMAL_ACCOUNT) + + password = generate_random_password(32, 32) + utf16pw = ('"%s"' % password).encode('utf-16-le') + + details = { + "dn": dn, + "objectclass": object_class, + "sAMAccountName": account_name, + "userAccountControl": account_control, + "unicodePwd": utf16pw} + if spn is not None: + details["servicePrincipalName"] = spn + self.ldb.add(details) + + creds = Credentials() + creds.guess(self.lp) + creds.set_realm(self.ldb.domain_dns_name().upper()) + creds.set_domain(self.ldb.domain_netbios_name().upper()) + creds.set_password(password) + creds.set_username(account_name) + if machine_account: + creds.set_workstation(name) + # + # Save the account name so it can be deleted in the tearDown + self.accounts.append(dn) + + return (creds, dn) + + def as_req(self, cname, sname, realm, etypes, padata=None): + '''Send a Kerberos AS_REQ, returns the undecoded response + ''' + + till = self.get_KerberosTime(offset=36000) + kdc_options = 0 + + req = self.AS_REQ_create(padata=padata, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7fffffff, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None) + rep = self.send_recv_transaction(req) + return rep + + def get_as_rep_key(self, creds, rep): + '''Extract the session key from an AS-REP + ''' + rep_padata = self.der_decode( + rep['e-data'], + asn1Spec=krb5_asn1.METHOD_DATA()) + + for pa in rep_padata: + if pa['padata-type'] == PADATA_ETYPE_INFO2: + padata_value = pa['padata-value'] + break + + etype_info2 = self.der_decode( + padata_value, asn1Spec=krb5_asn1.ETYPE_INFO2()) + + key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) + return key + + def get_pa_data(self, creds, rep, skew=0): + '''generate the pa_data data element for an AS-REQ + ''' + key = self.get_as_rep_key(creds, rep) + + (patime, pausec) = self.get_KerberosTimeWithUsec(offset=skew) + padata = self.PA_ENC_TS_ENC_create(patime, pausec) + padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) + + usage = 1 + padata = self.EncryptedData_create(key, usage, padata) + padata = self.der_encode(padata, asn1Spec=krb5_asn1.EncryptedData()) + + padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata) + + return [padata] + + def get_as_rep_enc_data(self, key, rep): + ''' Decrypt and Decode the encrypted data in an AS-REP + ''' + usage = 3 + enc_part = key.decrypt(usage, rep['enc-part']['cipher']) + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with + # application tag 26 + try: + enc_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncASRepPart()) + except Exception: + enc_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) + + return enc_part + + def check_pre_authenication(self, rep): + """ Check that the kdc response was pre-authentication required + """ + self.check_error_rep(rep, KDC_ERR_PREAUTH_REQUIRED) + + def check_as_reply(self, rep): + """ Check that the kdc response is an AS-REP and that the + values for: + msg-type + pvno + tkt-pvno + kvno + match the expected values + """ + + # Should have a reply, and it should an AS-REP message. + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_AS_REP, "rep = {%s}" % rep) + + # Protocol version number should be 5 + pvno = int(rep['pvno']) + self.assertEqual(5, pvno, "rep = {%s}" % rep) + + # The ticket version number should be 5 + tkt_vno = int(rep['ticket']['tkt-vno']) + self.assertEqual(5, tkt_vno, "rep = {%s}" % rep) + + # Check that the kvno is not an RODC kvno + # MIT kerberos does not provide the kvno, so we treat it as optional. + # This is tested in compatability_test.py + if 'kvno' in rep['enc-part']: + kvno = int(rep['enc-part']['kvno']) + # If the high order bits are set this is an RODC kvno. + self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep) + + def check_tgs_reply(self, rep): + """ Check that the kdc response is an TGS-REP and that the + values for: + msg-type + pvno + tkt-pvno + kvno + match the expected values + """ + + # Should have a reply, and it should an TGS-REP message. + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_TGS_REP, "rep = {%s}" % rep) + + # Protocol version number should be 5 + pvno = int(rep['pvno']) + self.assertEqual(5, pvno, "rep = {%s}" % rep) + + # The ticket version number should be 5 + tkt_vno = int(rep['ticket']['tkt-vno']) + self.assertEqual(5, tkt_vno, "rep = {%s}" % rep) + + # Check that the kvno is not an RODC kvno + # MIT kerberos does not provide the kvno, so we treat it as optional. + # This is tested in compatability_test.py + if 'kvno' in rep['enc-part']: + kvno = int(rep['enc-part']['kvno']) + # If the high order bits are set this is an RODC kvno. + self.assertEqual(0, kvno & 0xFFFF0000, "rep = {%s}" % rep) + + def check_error_rep(self, rep, expected): + """ Check that the reply is an error message, with the expected + error-code specified. + """ + self.assertIsNotNone(rep) + self.assertEqual(rep['msg-type'], KRB_ERROR, "rep = {%s}" % rep) + self.assertEqual(rep['error-code'], expected, "rep = {%s}" % rep) + + def tgs_req(self, cname, sname, realm, ticket, key, etypes): + '''Send a TGS-REQ, returns the response and the decrypted and + decoded enc-part + ''' + + kdc_options = "0" + till = self.get_KerberosTime(offset=36000) + padata = [] + + subkey = self.RandomKey(key.etype) + subkey_usage = 9 + + (ctime, cusec) = self.get_KerberosTimeWithUsec() + + req = self.TGS_REQ_create(padata=padata, + cusec=cusec, + ctime=ctime, + ticket=ticket, + kdc_options=str(kdc_options), + cname=cname, + realm=realm, + sname=sname, + from_time=None, + till_time=till, + renew_time=None, + nonce=0x7ffffffe, + etypes=etypes, + addresses=None, + EncAuthorizationData=None, + EncAuthorizationData_key=None, + additional_tickets=None, + ticket_session_key=key, + authenticator_subkey=subkey) + rep = self.send_recv_transaction(req) + self.assertIsNotNone(rep) + + msg_type = rep['msg-type'] + enc_part = None + if msg_type == KRB_TGS_REP: + enc_part = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) + return (rep, enc_part) + + # Named tuple to contain values of interest when the PAC is decoded. + PacData = namedtuple( + "PacData", + "account_name account_sid logon_name upn domain_name") + PAC_LOGON_INFO = 1 + PAC_CREDENTIAL_INFO = 2 + PAC_SRV_CHECKSUM = 6 + PAC_KDC_CHECKSUM = 7 + PAC_LOGON_NAME = 10 + PAC_CONSTRAINED_DELEGATION = 11 + PAC_UPN_DNS_INFO = 12 + + def get_pac_data(self, authorization_data): + '''Decode the PAC element contained in the authorization-data element + ''' + account_name = None + user_sid = None + logon_name = None + upn = None + domain_name = None + + # The PAC data will be wrapped in an AD_IF_RELEVANT element + ad_if_relevant_elements = ( + x for x in authorization_data if x['ad-type'] == AD_IF_RELEVANT) + for dt in ad_if_relevant_elements: + buf = self.der_decode( + dt['ad-data'], asn1Spec=krb5_asn1.AD_IF_RELEVANT()) + # The PAC data is further wrapped in a AD_WIN2K_PAC element + for ad in (x for x in buf if x['ad-type'] == AD_WIN2K_PAC): + pb = ndr_unpack(krb5pac.PAC_DATA, ad['ad-data']) + for pac in pb.buffers: + if pac.type == self.PAC_LOGON_INFO: + account_name = ( + pac.info.info.info3.base.account_name) + user_sid = ( + str(pac.info.info.info3.base.domain_sid) + + "-" + str(pac.info.info.info3.base.rid)) + elif pac.type == self.PAC_LOGON_NAME: + logon_name = pac.info.account_name + elif pac.type == self.PAC_UPN_DNS_INFO: + upn = pac.info.upn_name + domain_name = pac.info.dns_domain_name + + return self.PacData( + account_name, + user_sid, + logon_name, + upn, + domain_name) + + def decode_service_ticket(self, creds, ticket): + '''Decrypt and decode a service ticket + ''' + + name = creds.get_username() + if name.endswith('$'): + name = name[:-1] + realm = creds.get_realm() + salt = "%s.%s@%s" % (name, realm.lower(), realm.upper()) + + key = self.PasswordKey_create( + ticket['enc-part']['etype'], + creds.get_password(), + salt, + ticket['enc-part']['kvno']) + + enc_part = key.decrypt(2, ticket['enc-part']['cipher']) + enc_ticket_part = self.der_decode( + enc_part, asn1Spec=krb5_asn1.EncTicketPart()) + return enc_ticket_part + + def get_objectSid(self, dn): + ''' Get the objectSID for a DN + Note: performs an Ldb query. + ''' + res = self.ldb.search(dn, scope=SCOPE_BASE, attrs=["objectSID"]) + self.assertTrue(len(res) == 1, "did not get objectSid for %s" % dn) + sid = self.ldb.schema_format_value("objectSID", res[0]["objectSID"][0]) + return sid.decode('utf8') -- 2.25.1 From c23166453f549e089d3270ec6d9184a0695a4c40 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Mon, 30 Nov 2020 14:19:15 +1300 Subject: [PATCH 057/380] tests python krb5: initial TGS tests Initial tests on the KDC TGS Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1ed461a142f68f5de5e21b873ebddfcf5ae0ca1e) --- python/samba/tests/krb5/kdc_base_test.py | 1 - python/samba/tests/krb5/kdc_tgs_tests.py | 210 +++++++++++++++++++ python/samba/tests/krb5/rfc4120_constants.py | 2 + python/samba/tests/usage.py | 2 + selftest/knownfail_mit_kdc | 5 + source4/selftest/tests.py | 3 + 6 files changed, 222 insertions(+), 1 deletion(-) mode change 100755 => 100644 python/samba/tests/krb5/kdc_base_test.py create mode 100755 python/samba/tests/krb5/kdc_tgs_tests.py diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py old mode 100755 new mode 100644 index 4fc7ee85ba9..1a823d173e3 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -1,4 +1,3 @@ -#!/usr/bin/env python3 # Unix SMB/CIFS implementation. # Copyright (C) Stefan Metzmacher 2020 # Copyright (C) 2020 Catalyst.Net Ltd diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py new file mode 100755 index 00000000000..23a1d868a79 --- /dev/null +++ b/python/samba/tests/krb5/kdc_tgs_tests.py @@ -0,0 +1,210 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KRB_ERROR, + KDC_ERR_BADMATCH, + NT_PRINCIPAL, + NT_SRV_INST, +) + +global_asn1_print = False +global_hexdump = False + + +class KdcTgsTests(KDCBaseTest): + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def test_tgs_req_cname_does_not_not_match_authenticator_cname(self): + ''' Try and obtain a ticket from the TGS, but supply a cname + that differs from that provided to the krbtgt + ''' + # Create the user account + user_name = "tsttktusr" + (uc, _) = self.create_account(user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96,) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a service ticket, but use a cname that does not match + # that in the original AS-REQ + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + ticket = rep['ticket'] + + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=["Administrator"]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=["host", self.dns_host_name]) + + (rep, enc_part) = self.tgs_req(cname, sname, realm, ticket, key, etype) + + self.assertIsNone( + enc_part, + "rep = {%s}, enc_part = {%s}" % (rep, enc_part)) + self.assertEqual(KRB_ERROR, rep['msg-type'], "rep = {%s}" % rep) + self.assertEqual( + KDC_ERR_BADMATCH, + rep['error-code'], + "rep = {%s}" % rep) + + def test_ldap_service_ticket(self): + '''Get a ticket to the ldap service + ''' + # Create the user account + user_name = "tsttktusr" + (uc, _) = self.create_account(user_name) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96,) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + ticket = rep['ticket'] + + # Request a ticket to the ldap service + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, + names=["ldap", self.dns_host_name]) + + (rep, _) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + + self.check_tgs_reply(rep) + + def test_get_ticket_for_host_service_of_machine_account(self): + + # Create a user and machine account for the test. + # + user_name = "tsttktusr" + (uc, dn) = self.create_account(user_name) + (mc, _) = self.create_account("tsttktmac", machine_account=True) + realm = uc.get_realm().lower() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + + pac_data = self.get_pac_data(enc_part['authorization-data']) + sid = self.get_objectSid(dn) + upn = "%s@%s" % (uc.get_username(), realm) + self.assertEqual( + uc.get_username(), + str(pac_data.account_name), + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + uc.get_username(), + pac_data.logon_name, + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + uc.get_realm(), + pac_data.domain_name, + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + upn, + pac_data.upn, + "rep = {%s},%s" % (rep, pac_data)) + self.assertEqual( + sid, + pac_data.account_sid, + "rep = {%s},%s" % (rep, pac_data)) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index e1d0c5baa68..19bb6691d43 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -28,6 +28,7 @@ ARCFOUR_HMAC_MD5 = int( # Message types KRB_ERROR = int(krb5_asn1.MessageTypeValues('krb-error')) KRB_AS_REP = int(krb5_asn1.MessageTypeValues('krb-as-rep')) +KRB_TGS_REP = int(krb5_asn1.MessageTypeValues('krb-tgs-rep')) # PAData types PADATA_ENC_TIMESTAMP = int( @@ -39,6 +40,7 @@ PADATA_ETYPE_INFO2 = int( KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 KDC_ERR_PREAUTH_FAILED = 24 KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_BADMATCH = 36 KDC_ERR_SKEW = 37 # Name types diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 35abaf2dafa..222d1dbfa41 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -93,6 +93,8 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/compatability_tests.py', 'python/samba/tests/krb5/rfc4120_constants.py', 'python/samba/tests/krb5/kdc_tests.py', + 'python/samba/tests/krb5/kdc_base_test.py', + 'python/samba/tests/krb5/kdc_tgs_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index f1a4971430e..e64303c6b0f 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -270,3 +270,8 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_RemoveDollar_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_AsReqSelf\( ^samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_tests.KerberosASCanonicalizationTests.test_MachineCredentials_UpperUserName_UPN_RemoveDollar_AsReqSelf\( +# +# MIT currently returns an error code of 12 KRB5KDC_ERR_POLICY: KDC policy rejects request, to the +# following tests +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\) +^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\) diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index f72060e9870..b2a09b3ecb2 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1287,6 +1287,9 @@ for env in ["rodc", "promoted_dc", "fl2000dc", "fl2008r2dc"]: planpythontestsuite("ad_dc", "samba.tests.krb5.as_canonicalization_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.compatability_tests") planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") +planpythontestsuite( + "ad_dc", + "samba.tests.krb5.kdc_tgs_tests") for env in [ 'vampire_dc', -- 2.25.1 From 92d6db2c1ac72eead9a6b5b385152c451b02f140 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 10 Dec 2020 16:26:06 +1300 Subject: [PATCH 058/380] tests python krb5: Add key usage constants Signed-off-by: Gary Lockyer Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d8ed73b75ad67da99be392b2db18fe2e1ffed87f) --- python/samba/tests/krb5/rfc4120_constants.py | 50 ++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 19bb6691d43..9de56578c99 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -63,3 +63,53 @@ AD_MANDATORY_FOR_KDC = 8 AD_INITIAL_VERIFIED_CAS = 9 AD_WIN2K_PAC = 128 AD_SIGNTICKET = 512 + +# Key usage numbers +# RFC 4120 Section 7.5.1. Key Usage Numbers +KU_PA_ENC_TIMESTAMP = 1 +''' AS-REQ PA-ENC-TIMESTAMP padata timestamp, encrypted with the + client key (section 5.2.7.2) ''' +KU_TICKET = 2 +''' AS-REP Ticket and TGS-REP Ticket (includes tgs session key or + application session key), encrypted with the service key + (section 5.3) ''' +KU_AS_REP_ENC_PART = 3 +''' AS-REP encrypted part (includes tgs session key or application + session key), encrypted with the client key (section 5.4.2) ''' +KU_TGS_REQ_AUTH_DAT_SESSION = 4 +''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs + session key (section 5.4.1) ''' +KU_TGS_REQ_AUTH_DAT_SUBKEY = 5 +''' TGS-REQ KDC-REQ-BODY AuthorizationData, encrypted with the tgs + authenticator subkey (section 5.4.1) ''' +KU_TGS_REQ_AUTH_CKSUM = 6 +''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator cksum, keyed + with the tgs session key (section 5.5.1) ''' +KU_TGS_REQ_AUTH = 7 +''' TGS-REQ PA-TGS-REQ padata AP-REQ Authenticator (includes tgs + authenticator subkey), encrypted with the tgs session key + (section 5.5.1) ''' +KU_TGS_REP_ENC_PART_SESSION = 8 +''' TGS-REP encrypted part (includes application session key), + encrypted with the tgs session key (section 5.4.2) ''' +KU_TGS_REP_ENC_PART_SUB_KEY = 9 +''' TGS-REP encrypted part (includes application session key), + encrypted with the tgs authenticator subkey (section 5.4.2) ''' +KU_AP_REQ_AUTH_CKSUM = 10 +''' AP-REQ Authenticator cksum, keyed with the application session + key (section 5.5.1) ''' +KU_AP_REQ_AUTH = 11 +''' AP-REQ Authenticator (includes application authenticator + subkey), encrypted with the application session key (section 5.5.1) ''' +KU_AP_REQ_ENC_PART = 12 +''' AP-REP encrypted part (includes application session subkey), + encrypted with the application session key (section 5.5.2) ''' +KU_KRB_PRIV = 13 +''' KRB-PRIV encrypted part, encrypted with a key chosen by the + application (section 5.7.1) ''' +KU_KRB_CRED = 14 +''' KRB-CRED encrypted part, encrypted with a key chosen by the + application (section 5.8.1) ''' +KU_KRB_SAFE_CKSUM = 15 +''' KRB-SAFE cksum, keyed with a key chosen by the application + (section 5.6.1) ''' -- 2.25.1 From 827e21e2653310af463dd1df186065d6b16a74c1 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Thu, 10 Dec 2020 16:27:17 +1300 Subject: [PATCH 059/380] tests python krb5: use key usage constants Signed-off-by: Gary Lockyer Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 03676a4a5c55ab5f4958a86cbd4d7be0f0a8a294) --- .../tests/krb5/as_canonicalization_tests.py | 5 ++--- python/samba/tests/krb5/compatability_tests.py | 7 +++---- python/samba/tests/krb5/kdc_base_test.py | 16 +++++++++------- python/samba/tests/krb5/kdc_tests.py | 3 +-- python/samba/tests/krb5/s4u_tests.py | 15 +++++++++------ python/samba/tests/krb5/simple_tests.py | 15 +++++++++------ python/samba/tests/krb5/xrealm_tests.py | 15 +++++++++------ 7 files changed, 42 insertions(+), 34 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index 6ea3ff0491e..e89b40eab8f 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -367,8 +367,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) @@ -413,7 +412,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): self.assertEqual(msg_type, KRB_AS_REP, "Data {0}".format(str(data))) # Decrypt and decode the EncKdcRepPart - enc = key.decrypt(3, rep['enc-part']['cipher']) + enc = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) if enc[0] == 0x7A: # MIT Kerberos Tags the EncASRepPart as a EncKDCRepPart # i.e. tag number 26 instead of tag number 25 diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index e4b1453e712..0b3701cd60d 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -178,8 +178,7 @@ class SimpleKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) @@ -207,9 +206,9 @@ class SimpleKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, KRB_AS_REP) - usage = 3 enc_part = rep['enc-part'] - enc_as_rep_part = key.decrypt(usage, rep['enc-part']['cipher']) + enc_as_rep_part = key.decrypt( + KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) return (enc_as_rep_part, enc_part) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 1a823d173e3..e835d389f1c 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -41,6 +41,10 @@ from samba.tests.krb5.rfc4120_constants import ( KRB_AS_REP, KRB_TGS_REP, KRB_ERROR, + KU_AS_REP_ENC_PART, + KU_PA_ENC_TIMESTAMP, + KU_TGS_REP_ENC_PART_SUB_KEY, + KU_TICKET, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO2, ) @@ -196,8 +200,7 @@ class KDCBaseTest(RawKerberosTest): padata = self.PA_ENC_TS_ENC_create(patime, pausec) padata = self.der_encode(padata, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - usage = 1 - padata = self.EncryptedData_create(key, usage, padata) + padata = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, padata) padata = self.der_encode(padata, asn1Spec=krb5_asn1.EncryptedData()) padata = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, padata) @@ -207,8 +210,7 @@ class KDCBaseTest(RawKerberosTest): def get_as_rep_enc_data(self, key, rep): ''' Decrypt and Decode the encrypted data in an AS-REP ''' - usage = 3 - enc_part = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) # MIT KDC encodes both EncASRepPart and EncTGSRepPart with # application tag 26 try: @@ -303,7 +305,6 @@ class KDCBaseTest(RawKerberosTest): padata = [] subkey = self.RandomKey(key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -332,7 +333,8 @@ class KDCBaseTest(RawKerberosTest): msg_type = rep['msg-type'] enc_part = None if msg_type == KRB_TGS_REP: - enc_part = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part = self.der_decode( enc_part, asn1Spec=krb5_asn1.EncTGSRepPart()) return (rep, enc_part) @@ -403,7 +405,7 @@ class KDCBaseTest(RawKerberosTest): salt, ticket['enc-part']['kvno']) - enc_part = key.decrypt(2, ticket['enc-part']['cipher']) + enc_part = key.decrypt(KU_TICKET, ticket['enc-part']['cipher']) enc_ticket_part = self.der_decode( enc_part, asn1Spec=krb5_asn1.EncTicketPart()) return enc_ticket_part diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py index 57a25448965..17b9d154bd9 100755 --- a/python/samba/tests/krb5/kdc_tests.py +++ b/python/samba/tests/krb5/kdc_tests.py @@ -91,8 +91,7 @@ class KdcTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(PADATA_ENC_TIMESTAMP, pa_ts) diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index ae38635c53b..2e1bd3fbe1f 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -25,6 +25,11 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests import env_get_var_value from samba.tests.krb5.kcrypto import Cksumtype from samba.tests.krb5.raw_testcase import RawKerberosTest +from samba.tests.krb5.rfc4120_constants import ( + KU_PA_ENC_TIMESTAMP, + KU_AS_REP_ENC_PART, + KU_TGS_REP_ENC_PART_SUB_KEY, +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False @@ -86,8 +91,7 @@ class S4UKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(2, pa_ts) @@ -115,8 +119,7 @@ class S4UKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 11) - usage = 3 - enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) # S4U2Self Request @@ -135,7 +138,6 @@ class S4UKerberosTests(RawKerberosTest): padata = [pa_s4u] subkey = self.RandomKey(ticket_session_key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -163,7 +165,8 @@ class S4UKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] if msg_type == 13: - enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return msg_type diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 236fbda1cd5..6c090af3d46 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -23,6 +23,11 @@ sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest +from samba.tests.krb5.rfc4120_constants import ( + KU_AS_REP_ENC_PART, + KU_PA_ENC_TIMESTAMP, + KU_TGS_REP_ENC_PART_SUB_KEY, +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False @@ -84,8 +89,7 @@ class SimpleKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(2, pa_ts) @@ -113,8 +117,7 @@ class SimpleKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 11) - usage = 3 - enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 try: @@ -134,7 +137,6 @@ class SimpleKerberosTests(RawKerberosTest): padata = [] subkey = self.RandomKey(ticket_session_key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -163,7 +165,8 @@ class SimpleKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 13) - enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py index 64064b8a670..b4a02bff33a 100755 --- a/python/samba/tests/krb5/xrealm_tests.py +++ b/python/samba/tests/krb5/xrealm_tests.py @@ -23,6 +23,11 @@ sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest +from samba.tests.krb5.rfc4120_constants import ( + KU_PA_ENC_TIMESTAMP, + KU_AS_REP_ENC_PART, + KU_TGS_REP_ENC_PART_SUB_KEY, +) import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests @@ -85,8 +90,7 @@ class XrealmKerberosTests(RawKerberosTest): pa_ts = self.PA_ENC_TS_ENC_create(patime, pausec) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.PA_ENC_TS_ENC()) - enc_pa_ts_usage = 1 - pa_ts = self.EncryptedData_create(key, enc_pa_ts_usage, pa_ts) + pa_ts = self.EncryptedData_create(key, KU_PA_ENC_TIMESTAMP, pa_ts) pa_ts = self.der_encode(pa_ts, asn1Spec=krb5_asn1.EncryptedData()) pa_ts = self.PA_DATA_create(2, pa_ts) @@ -114,8 +118,7 @@ class XrealmKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 11) - usage = 3 - enc_part2 = key.decrypt(usage, rep['enc-part']['cipher']) + enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 try: @@ -134,7 +137,6 @@ class XrealmKerberosTests(RawKerberosTest): padata = [] subkey = self.RandomKey(ticket_session_key.etype) - subkey_usage = 9 (ctime, cusec) = self.get_KerberosTimeWithUsec() @@ -163,7 +165,8 @@ class XrealmKerberosTests(RawKerberosTest): msg_type = rep['msg-type'] self.assertEqual(msg_type, 13) - enc_part2 = subkey.decrypt(subkey_usage, rep['enc-part']['cipher']) + enc_part2 = subkey.decrypt( + KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # Check the forwardable flag -- 2.25.1 From c139411bf2beeb3e95025c8ec29788dea7ba006c Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 11 Dec 2020 11:55:01 +1300 Subject: [PATCH 060/380] tests python krb5: PEP8 cleanups Fix all the PEP8 warnings in samba/tests/krb5. With the exception of rfc4120_pyasn1.py, which is generated from rfc4120.asn1. As these tests are new, it makes sense to ensure that they conform to PEP8. And set an aspirational goal for the rest of our python code. Signed-off-by: Gary Lockyer Reviewed-by: Andreas Schneider BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Gary Lockyer Autobuild-Date(master): Mon Dec 21 21:29:28 UTC 2020 on sn-devel-184 (cherry picked from commit c00d537526ca881c540ff66e703ad9c96dd1face) --- .../tests/krb5/as_canonicalization_tests.py | 54 ++- .../samba/tests/krb5/compatability_tests.py | 24 +- python/samba/tests/krb5/kcrypto.py | 67 +-- python/samba/tests/krb5/kdc_base_test.py | 4 +- python/samba/tests/krb5/kdc_tests.py | 17 +- python/samba/tests/krb5/raw_testcase.py | 409 +++++++++++------- python/samba/tests/krb5/rfc4120_constants.py | 32 +- python/samba/tests/krb5/s4u_tests.py | 19 +- python/samba/tests/krb5/simple_tests.py | 24 +- python/samba/tests/krb5/xrealm_tests.py | 26 +- 10 files changed, 413 insertions(+), 263 deletions(-) diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py index e89b40eab8f..43f532dc483 100755 --- a/python/samba/tests/krb5/as_canonicalization_tests.py +++ b/python/samba/tests/krb5/as_canonicalization_tests.py @@ -31,8 +31,6 @@ import samba from samba.auth import system_session from samba.credentials import ( Credentials, - CLI_CRED_NTLMv2_AUTH, - CLI_CRED_NTLM_AUTH, DONT_USE_KERBEROS) from samba.dcerpc.misc import SEC_CHAN_WKSTA from samba.dsdb import ( @@ -41,7 +39,20 @@ from samba.dsdb import ( UF_NORMAL_ACCOUNT) from samba.samdb import SamDB from samba.tests import delete_force, DynamicTestCase -from samba.tests.krb5.rfc4120_constants import * +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + AES128_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KU_AS_REP_ENC_PART, + KRB_ERROR, + KU_PA_ENC_TIMESTAMP, + PADATA_ENC_TIMESTAMP, + NT_ENTERPRISE_PRINCIPAL, + NT_PRINCIPAL, + NT_SRV_INST, +) global_asn1_print = False global_hexdump = False @@ -49,15 +60,15 @@ global_hexdump = False @unique class TestOptions(Enum): - Canonicalize = 1 - Enterprise = 2 - UpperRealm = 4 - UpperUserName = 8 - NetbiosRealm = 16 - UPN = 32 - RemoveDollar = 64 - AsReqSelf = 128 - Last = 256 + Canonicalize = 1 + Enterprise = 2 + UpperRealm = 4 + UpperUserName = 8 + NetbiosRealm = 16 + UPN = 32 + RemoveDollar = 64 + AsReqSelf = 128 + Last = 256 def is_set(self, x): return self.value & x @@ -65,7 +76,7 @@ class TestOptions(Enum): @unique class CredentialsType(Enum): - User = 1 + User = 1 Machine = 2 def is_set(self, x): @@ -126,7 +137,8 @@ class TestData: MACHINE_NAME = "tstkrb5cnnmch" -USER_NAME = "tstkrb5cnnusr" +USER_NAME = "tstkrb5cnnusr" + @DynamicTestCase class KerberosASCanonicalizationTests(RawKerberosTest): @@ -160,21 +172,21 @@ class KerberosASCanonicalizationTests(RawKerberosTest): @classmethod def setUpClass(cls): - cls.lp = cls.get_loadparm(cls) + cls.lp = cls.get_loadparm(cls) cls.username = os.environ["USERNAME"] cls.password = os.environ["PASSWORD"] - cls.host = os.environ["SERVER"] + cls.host = os.environ["SERVER"] c = Credentials() c.set_username(cls.username) c.set_password(cls.password) try: - realm = os.environ["REALM"] + realm = os.environ["REALM"] c.set_realm(realm) except KeyError: pass try: - domain = os.environ["DOMAIN"] + domain = os.environ["DOMAIN"] c.set_domain(domain) except KeyError: pass @@ -200,7 +212,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): def setUp(self): super(KerberosASCanonicalizationTests, self).setUp() self.do_asn1_print = global_asn1_print - self.do_hexdump = global_hexdump + self.do_hexdump = global_hexdump # # Create a test user account @@ -340,7 +352,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): # # Check the protocol version, should be 5 self.assertEqual( - rep['pvno'], 5, "Data {0}".format(str(data))) + rep['pvno'], 5, "Data {0}".format(str(data))) self.assertEqual( rep['msg-type'], KRB_ERROR, "Data {0}".format(str(data))) @@ -397,7 +409,7 @@ class KerberosASCanonicalizationTests(RawKerberosTest): # # Check the protocol version, should be 5 self.assertEqual( - rep['pvno'], 5, "Data {0}".format(str(data))) + rep['pvno'], 5, "Data {0}".format(str(data))) msg_type = rep['msg-type'] # Should not have got an error. diff --git a/python/samba/tests/krb5/compatability_tests.py b/python/samba/tests/krb5/compatability_tests.py index 0b3701cd60d..5a1ef02ef80 100755 --- a/python/samba/tests/krb5/compatability_tests.py +++ b/python/samba/tests/krb5/compatability_tests.py @@ -25,7 +25,20 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 -from samba.tests.krb5.rfc4120_constants import * +from samba.tests.krb5.rfc4120_constants import ( + AES128_CTS_HMAC_SHA1_96, + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KRB_ERROR, + KU_AS_REP_ENC_PART, + KU_PA_ENC_TIMESTAMP, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO2, + NT_PRINCIPAL, + NT_SRV_INST, +) global_asn1_print = False global_hexdump = False @@ -112,18 +125,17 @@ class SimpleKerberosTests(RawKerberosTest): realm = creds.get_realm() cname = self.PrincipalName_create( - name_type=NT_PRINCIPAL, - names=[user]) + name_type=NT_PRINCIPAL, + names=[user]) sname = self.PrincipalName_create( - name_type=NT_SRV_INST, - names=["krbtgt", realm]) + name_type=NT_SRV_INST, + names=["krbtgt", realm]) till = self.get_KerberosTime(offset=36000) kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), cname=cname, diff --git a/python/samba/tests/krb5/kcrypto.py b/python/samba/tests/krb5/kcrypto.py index 2572fa5bab3..23502d7bb62 100755 --- a/python/samba/tests/krb5/kcrypto.py +++ b/python/samba/tests/krb5/kcrypto.py @@ -64,6 +64,7 @@ from samba.credentials import Credentials from samba import generate_random_bytes as get_random_bytes from samba.compat import get_string, get_bytes + class Enctype(object): DES_CRC = 1 DES_MD4 = 2 @@ -112,26 +113,30 @@ def _mac_equal(mac1, mac2): res |= x ^ y return res == 0 + def SIMPLE_HASH(string, algo_cls): hash_ctx = hashes.Hash(algo_cls(), default_backend()) hash_ctx.update(string) return hash_ctx.finalize() + def HMAC_HASH(key, string, algo_cls): hmac_ctx = hmac.HMAC(key, algo_cls(), default_backend()) hmac_ctx.update(string) return hmac_ctx.finalize() + def _nfold(str, nbytes): # Convert str to a string of length nbytes using the RFC 3961 nfold # operation. # Rotate the bytes in str to the right by nbits bits. def rotate_right(str, nbits): - nbytes, remain = (nbits//8) % len(str), nbits % 8 - return bytes([(str[i-nbytes] >> remain) | - (str[i-nbytes-1] << (8-remain) & 0xff) - for i in range(len(str))]) + nbytes, remain = (nbits // 8) % len(str), nbits % 8 + return bytes([ + (str[i - nbytes] >> remain) + | (str[i - nbytes - 1] << (8 - remain) & 0xff) + for i in range(len(str))]) # Add equal-length strings together with end-around carry. def add_ones_complement(str1, str2): @@ -139,7 +144,7 @@ def _nfold(str, nbytes): v = [a + b for a, b in zip(str1, str2)] # Propagate carry bits to the left until there aren't any left. while any(x & ~0xff for x in v): - v = [(v[i-n+1]>>8) + (v[i]&0xff) for i in range(n)] + v = [(v[i - n + 1] >> 8) + (v[i] & 0xff) for i in range(n)] return bytes([x for x in v]) # Concatenate copies of str to produce the least common multiple @@ -150,7 +155,7 @@ def _nfold(str, nbytes): slen = len(str) lcm = nbytes * slen // gcd(nbytes, slen) bigstr = b''.join((rotate_right(str, 13 * i) for i in range(lcm // slen))) - slices = (bigstr[p:p+nbytes] for p in range(0, lcm, nbytes)) + slices = (bigstr[p:p + nbytes] for p in range(0, lcm, nbytes)) return reduce(add_ones_complement, slices) @@ -275,7 +280,7 @@ class _DES3CBC(_SimplifiedEnctype): return b if bin(b & ~1).count('1') % 2 else b | 1 assert len(seed) == 7 firstbytes = [parity(b & ~1) for b in seed] - lastbyte = parity(sum((seed[i]&1) << i+1 for i in range(7))) + lastbyte = parity(sum((seed[i] & 1) << i + 1 for i in range(7))) keybytes = bytes([b for b in firstbytes + [lastbyte]]) if _is_weak_des_key(keybytes): keybytes[7] = bytes([keybytes[7] ^ 0xF0]) @@ -369,7 +374,7 @@ class _AESEnctype(_SimplifiedEnctype): if len(ciphertext) == 16: return aes_decrypt(ciphertext) # Split the ciphertext into blocks. The last block may be partial. - cblocks = [ciphertext[p:p+16] for p in range(0, len(ciphertext), 16)] + cblocks = [ciphertext[p:p + 16] for p in range(0, len(ciphertext), 16)] lastlen = len(cblocks[-1]) # CBC-decrypt all but the last two blocks. prev_cblock = bytes(16) @@ -383,7 +388,7 @@ class _AESEnctype(_SimplifiedEnctype): # will be the omitted bytes of ciphertext from the final # block. b = aes_decrypt(cblocks[-2]) - lastplaintext =_xorbytes(b[:lastlen], cblocks[-1]) + lastplaintext = _xorbytes(b[:lastlen], cblocks[-1]) omitted = b[lastlen:] # Decrypt the final cipher block plus the omitted bytes to get # the second-to-last plaintext block. @@ -433,7 +438,8 @@ class _RC4(_EnctypeProfile): cksum = HMAC_HASH(ki, confounder + plaintext, hashes.MD5) ke = HMAC_HASH(ki, cksum, hashes.MD5) - encryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).encryptor() + encryptor = Cipher( + ciphers.ARC4(ke), None, default_backend()).encryptor() ctext = encryptor.update(confounder + plaintext) return cksum + ctext @@ -446,7 +452,8 @@ class _RC4(_EnctypeProfile): ki = HMAC_HASH(key.contents, cls.usage_str(keyusage), hashes.MD5) ke = HMAC_HASH(ki, cksum, hashes.MD5) - decryptor = Cipher(ciphers.ARC4(ke), None, default_backend()).decryptor() + decryptor = Cipher( + ciphers.ARC4(ke), None, default_backend()).decryptor() basic_plaintext = decryptor.update(basic_ctext) exp_cksum = HMAC_HASH(ki, basic_plaintext, hashes.MD5) @@ -636,14 +643,14 @@ def verify_checksum(cksumtype, key, keyusage, text, cksum): c.verify(key, keyusage, text, cksum) -def prfplus(key, pepper, l): - # Produce l bytes of output using the RFC 6113 PRF+ function. +def prfplus(key, pepper, ln): + # Produce ln bytes of output using the RFC 6113 PRF+ function. out = b'' count = 1 - while len(out) < l: + while len(out) < ln: out += prf(key, bytes([count]) + pepper) count += 1 - return out[:l] + return out[:ln] def cf2(enctype, key1, key2, pepper1, pepper2): @@ -653,9 +660,11 @@ def cf2(enctype, key1, key2, pepper1, pepper2): return e.random_to_key(_xorbytes(prfplus(key1, pepper1, e.seedsize), prfplus(key2, pepper2, e.seedsize))) + def h(hexstr): return bytes.fromhex(hexstr) + class KcrytoTest(TestCase): """kcrypto Test case.""" @@ -665,20 +674,21 @@ class KcrytoTest(TestCase): conf = h('94B491F481485B9A0678CD3C4EA386AD') keyusage = 2 plain = b'9 bytesss' - ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7CD2E' - 'C26C355D2F') + ctxt = h('68FB9679601F45C78857B2BF820FD6E53ECA8D42FD4B1D7024A09205ABB7' + 'CD2EC26C355D2F') k = Key(Enctype.AES128, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), plain) def test_aes256_crypt(self): # AES256 encrypt and decrypt - kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B1404231398') + kb = h('F1C795E9248A09338D82C3F8D5B567040B0110736845041347235B14042313' + '98') conf = h('E45CA518B42E266AD98E165E706FFB60') keyusage = 4 plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3D79A' - '295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') + ctxt = h('D1137A4D634CFECE924DBC3BF6790648BD5CFF7DE0E7B99460211D0DAEF3' + 'D79A295C688858F3B34B9CBD6EEBAE81DAF6B734D4D498B6714F1C1D') k = Key(Enctype.AES256, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), plain) @@ -694,7 +704,8 @@ class KcrytoTest(TestCase): def test_aes256_checksum(self): # AES256 checksum - kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBCFEA4EC76D7') + kb = h('B1AE4CD8462AFF1677053CC9279AAC30B796FB81CE21474DD3DDBC' + 'FEA4EC76D7') keyusage = 4 plain = b'fourteen' cksum = h('E08739E3279E2903EC8E3836') @@ -715,7 +726,8 @@ class KcrytoTest(TestCase): string = b'X' * 64 salt = b'pass phrase equals block size' params = h('000004B0') - kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56C553BA4B34') + kb = h('89ADEE3608DB8BC71F1BFBFE459486B05618B70CBAE22092534E56' + 'C553BA4B34') k = string_to_key(Enctype.AES256, string, salt, params) self.assertEqual(k.contents, kb) @@ -741,7 +753,8 @@ class KcrytoTest(TestCase): def test_aes256_cf2(self): # AES256 cf2 - kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5E72B1C7B') + kb = h('4D6CA4E629785C1F01BAF55E2E548566B9617AE3A96868C337CB93B5' + 'E72B1C7B') k1 = string_to_key(Enctype.AES256, b'key1', b'key1') k2 = string_to_key(Enctype.AES256, b'key2', b'key2') k = cf2(Enctype.AES256, k1, k2, b'a', b'b') @@ -753,8 +766,8 @@ class KcrytoTest(TestCase): conf = h('94690A17B2DA3C9B') keyusage = 3 plain = b'13 bytes byte' - ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F705E8' - '49CB7781D76A316B193F8D30') + ctxt = h('839A17081ECBAFBCDC91B88C6955DD3C4514023CF177B77BF0D0177A16F7' + '05E849CB7781D76A316B193F8D30') k = Key(Enctype.DES3, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), _zeropad(plain, 8)) @@ -790,8 +803,8 @@ class KcrytoTest(TestCase): conf = h('37245E73A45FBF72') keyusage = 4 plain = b'30 bytes bytes bytes bytes byt' - ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0F260' - 'A99F0460508DE0CECC632D07C354124E46C5D2234EB8') + ctxt = h('95F9047C3AD75891C2E9B04B16566DC8B6EB9CE4231AFB2542EF87A7B5A0' + 'F260A99F0460508DE0CECC632D07C354124E46C5D2234EB8') k = Key(Enctype.RC4, kb) self.assertEqual(encrypt(k, keyusage, plain, conf), ctxt) self.assertEqual(decrypt(k, keyusage, ctxt), plain) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index e835d389f1c..bef5458c881 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -374,8 +374,8 @@ class KDCBaseTest(RawKerberosTest): account_name = ( pac.info.info.info3.base.account_name) user_sid = ( - str(pac.info.info.info3.base.domain_sid) + - "-" + str(pac.info.info.info3.base.rid)) + str(pac.info.info.info3.base.domain_sid) + + "-" + str(pac.info.info.info3.base.rid)) elif pac.type == self.PAC_LOGON_NAME: logon_name = pac.info.account_name elif pac.type == self.PAC_UPN_DNS_INFO: diff --git a/python/samba/tests/krb5/kdc_tests.py b/python/samba/tests/krb5/kdc_tests.py index 17b9d154bd9..c7c53953a86 100755 --- a/python/samba/tests/krb5/kdc_tests.py +++ b/python/samba/tests/krb5/kdc_tests.py @@ -25,7 +25,20 @@ os.environ["PYTHONUNBUFFERED"] = "1" from samba.tests.krb5.raw_testcase import RawKerberosTest import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 -from samba.tests.krb5.rfc4120_constants import * +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + KDC_ERR_PREAUTH_FAILED, + KDC_ERR_PREAUTH_REQUIRED, + KDC_ERR_SKEW, + KRB_AS_REP, + KRB_ERROR, + KU_PA_ENC_TIMESTAMP, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO2, + NT_PRINCIPAL, + NT_SRV_INST, +) global_asn1_print = False global_hexdump = False @@ -83,7 +96,7 @@ class KdcTests(RawKerberosTest): break etype_info2 = self.der_decode( - etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(creds, etype_info2[0]) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index e67f5464e59..82e68ee7019 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -35,7 +35,10 @@ from pyasn1.codec.native.decoder import decode as pyasn1_native_decode from pyasn1.codec.native.encoder import encode as pyasn1_native_encode from pyasn1.codec.ber.encoder import BitStringEncoder as BitStringEncoder -def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): + + +def BitStringEncoder_encodeValue32( + self, value, asn1Spec, encodeFun, **options): # # BitStrings like KDCOptions or TicketFlags should at least # be 32-Bit on the wire @@ -59,14 +62,17 @@ def BitStringEncoder_encodeValue32(self, value, asn1Spec, encodeFun, **options): padding = 0 ret = b'\x00' + substrate + (b'\x00' * padding) return ret, False, True + + BitStringEncoder.encodeValue = BitStringEncoder_encodeValue32 + def BitString_NamedValues_prettyPrint(self, scope=0): ret = "%s" % self.asBinary() bits = [] highest_bit = 32 for byte in self.asNumbers(): - for bit in [7,6,5,4,3,2,1,0]: + for bit in [7, 6, 5, 4, 3, 2, 1, 0]: mask = 1 << bit if byte & mask: val = 1 @@ -89,12 +95,21 @@ def BitString_NamedValues_prettyPrint(self, scope=0): delim = ",\n%s " % indent ret += "\n%s)" % indent return ret -krb5_asn1.TicketFlags.prettyPrintNamedValues = krb5_asn1.TicketFlagsValues.namedValues -krb5_asn1.TicketFlags.namedValues = krb5_asn1.TicketFlagsValues.namedValues -krb5_asn1.TicketFlags.prettyPrint = BitString_NamedValues_prettyPrint -krb5_asn1.KDCOptions.prettyPrintNamedValues = krb5_asn1.KDCOptionsValues.namedValues -krb5_asn1.KDCOptions.namedValues = krb5_asn1.KDCOptionsValues.namedValues -krb5_asn1.KDCOptions.prettyPrint = BitString_NamedValues_prettyPrint + + +krb5_asn1.TicketFlags.prettyPrintNamedValues =\ + krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.namedValues =\ + krb5_asn1.TicketFlagsValues.namedValues +krb5_asn1.TicketFlags.prettyPrint =\ + BitString_NamedValues_prettyPrint +krb5_asn1.KDCOptions.prettyPrintNamedValues =\ + krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.namedValues =\ + krb5_asn1.KDCOptionsValues.namedValues +krb5_asn1.KDCOptions.prettyPrint =\ + BitString_NamedValues_prettyPrint + def Integer_NamedValues_prettyPrint(self, scope=0): intval = int(self) @@ -104,16 +119,29 @@ def Integer_NamedValues_prettyPrint(self, scope=0): name = "<__unknown__>" ret = "%d (0x%x) %s" % (intval, intval, name) return ret -krb5_asn1.NameType.prettyPrintNamedValues = krb5_asn1.NameTypeValues.namedValues -krb5_asn1.NameType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.AuthDataType.prettyPrintNamedValues = krb5_asn1.AuthDataTypeValues.namedValues -krb5_asn1.AuthDataType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.PADataType.prettyPrintNamedValues = krb5_asn1.PADataTypeValues.namedValues -krb5_asn1.PADataType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.EncryptionType.prettyPrintNamedValues = krb5_asn1.EncryptionTypeValues.namedValues -krb5_asn1.EncryptionType.prettyPrint = Integer_NamedValues_prettyPrint -krb5_asn1.ChecksumType.prettyPrintNamedValues = krb5_asn1.ChecksumTypeValues.namedValues -krb5_asn1.ChecksumType.prettyPrint = Integer_NamedValues_prettyPrint + + +krb5_asn1.NameType.prettyPrintNamedValues =\ + krb5_asn1.NameTypeValues.namedValues +krb5_asn1.NameType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.AuthDataType.prettyPrintNamedValues =\ + krb5_asn1.AuthDataTypeValues.namedValues +krb5_asn1.AuthDataType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.PADataType.prettyPrintNamedValues =\ + krb5_asn1.PADataTypeValues.namedValues +krb5_asn1.PADataType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.EncryptionType.prettyPrintNamedValues =\ + krb5_asn1.EncryptionTypeValues.namedValues +krb5_asn1.EncryptionType.prettyPrint =\ + Integer_NamedValues_prettyPrint +krb5_asn1.ChecksumType.prettyPrintNamedValues =\ + krb5_asn1.ChecksumTypeValues.namedValues +krb5_asn1.ChecksumType.prettyPrint =\ + Integer_NamedValues_prettyPrint + class Krb5EncryptionKey(object): def __init__(self, key, kvno): @@ -146,9 +174,10 @@ class Krb5EncryptionKey(object): EncryptionKey_obj = { 'keytype': self.etype, 'keyvalue': self.key.contents, - }; + } return EncryptionKey_obj + class RawKerberosTest(TestCase): """A raw Kerberos Test case.""" @@ -182,13 +211,13 @@ class RawKerberosTest(TestCase): self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2]) self.s.settimeout(10) self.s.connect(self.a[0][4]) - except socket.error as e: + except socket.error: self.s.close() raise - except IOError as e: + except IOError: self.s.close() raise - except Exception as e: + except Exception: raise finally: pass @@ -219,8 +248,9 @@ class RawKerberosTest(TestCase): domain = samba.tests.env_get_var_value('DOMAIN') realm = samba.tests.env_get_var_value('REALM') username = samba.tests.env_get_var_value('SERVICE_USERNAME') - password = samba.tests.env_get_var_value('SERVICE_PASSWORD', - allow_missing=allow_missing_password) + password = samba.tests.env_get_var_value( + 'SERVICE_PASSWORD', + allow_missing=allow_missing_password) c.set_domain(domain) c.set_realm(realm) c.set_username(username) @@ -246,21 +276,34 @@ class RawKerberosTest(TestCase): if hexdump is None: hexdump = self.do_hexdump if hexdump: - sys.stderr.write("%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) - - def der_decode(self, blob, asn1Spec=None, native_encode=True, asn1_print=None, hexdump=None): + sys.stderr.write( + "%s: %d\n%s" % (name, len(blob), self.hexdump(blob))) + + def der_decode( + self, + blob, + asn1Spec=None, + native_encode=True, + asn1_print=None, + hexdump=None): if asn1Spec is not None: class_name = type(asn1Spec).__name__.split(':')[0] else: class_name = "" self.hex_dump(class_name, blob, hexdump=hexdump) - obj,_ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) + obj, _ = pyasn1_der_decode(blob, asn1Spec=asn1Spec) self.asn1_dump(None, obj, asn1_print=asn1_print) if native_encode: obj = pyasn1_native_encode(obj) return obj - def der_encode(self, obj, asn1Spec=None, native_decode=True, asn1_print=None, hexdump=None): + def der_encode( + self, + obj, + asn1Spec=None, + native_decode=True, + asn1_print=None, + hexdump=None): if native_decode: obj = pyasn1_native_decode(obj, asn1Spec=asn1Spec) class_name = type(obj).__name__.split(':')[0] @@ -273,7 +316,8 @@ class RawKerberosTest(TestCase): def send_pdu(self, req, asn1_print=None, hexdump=None): try: - k5_pdu = self.der_encode(req, native_decode=False, asn1_print=asn1_print, hexdump=False) + k5_pdu = self.der_encode( + req, native_decode=False, asn1_print=asn1_print, hexdump=False) header = struct.pack('>I', len(k5_pdu)) req_pdu = header req_pdu += k5_pdu @@ -304,7 +348,7 @@ class RawKerberosTest(TestCase): self._disconnect("recv_raw: EOF") return None self.hex_dump("recv_raw", rep_pdu, hexdump=hexdump) - except socket.timeout as e: + except socket.timeout: self.s.settimeout(10) sys.stderr.write("recv_raw: TIMEOUT\n") pass @@ -322,7 +366,8 @@ class RawKerberosTest(TestCase): rep_pdu = None rep = None try: - raw_pdu = self.recv_raw(num_recv=4, hexdump=hexdump, timeout=timeout) + raw_pdu = self.recv_raw( + num_recv=4, hexdump=hexdump, timeout=timeout) if raw_pdu is None: return (None, None) header = struct.unpack(">I", raw_pdu[0:4]) @@ -332,22 +377,27 @@ class RawKerberosTest(TestCase): missing = k5_len rep_pdu = b'' while missing > 0: - raw_pdu = self.recv_raw(num_recv=missing, hexdump=hexdump, timeout=timeout) + raw_pdu = self.recv_raw( + num_recv=missing, hexdump=hexdump, timeout=timeout) self.assertGreaterEqual(len(raw_pdu), 1) rep_pdu += raw_pdu missing = k5_len - len(rep_pdu) - k5_raw = self.der_decode(rep_pdu, asn1Spec=None, native_encode=False, - asn1_print=False, hexdump=False) - pvno=k5_raw['field-0'] + k5_raw = self.der_decode( + rep_pdu, + asn1Spec=None, + native_encode=False, + asn1_print=False, + hexdump=False) + pvno = k5_raw['field-0'] self.assertEqual(pvno, 5) - msg_type=k5_raw['field-1'] - self.assertIn(msg_type, [11,13,30]) + msg_type = k5_raw['field-1'] + self.assertIn(msg_type, [11, 13, 30]) if msg_type == 11: - asn1Spec=krb5_asn1.AS_REP() + asn1Spec = krb5_asn1.AS_REP() elif msg_type == 13: - asn1Spec=krb5_asn1.TGS_REP() + asn1Spec = krb5_asn1.TGS_REP() elif msg_type == 30: - asn1Spec=krb5_asn1.KRB_ERROR() + asn1Spec = krb5_asn1.KRB_ERROR() rep = self.der_decode(rep_pdu, asn1Spec=asn1Spec, asn1_print=asn1_print, hexdump=False) finally: @@ -368,11 +418,17 @@ class RawKerberosTest(TestCase): self.assertIsNone(self.s, msg="Is connected") return - def send_recv_transaction(self, req, asn1_print=None, hexdump=None, timeout=None): + def send_recv_transaction( + self, + req, + asn1_print=None, + hexdump=None, + timeout=None): self.connect() try: self.send_pdu(req, asn1_print=asn1_print, hexdump=hexdump) - rep = self.recv_pdu(asn1_print=asn1_print, hexdump=hexdump, timeout=timeout) + rep = self.recv_pdu( + asn1_print=asn1_print, hexdump=hexdump, timeout=timeout) except Exception: self._disconnect("transaction failed") raise @@ -389,11 +445,15 @@ class RawKerberosTest(TestCase): def assertPrincipalEqual(self, princ1, princ2): self.assertEqual(princ1['name-type'], princ2['name-type']) - self.assertEqual(len(princ1['name-string']), len(princ2['name-string']), - msg="princ1=%s != princ2=%s" % (princ1, princ2)) + self.assertEqual( + len(princ1['name-string']), + len(princ2['name-string']), + msg="princ1=%s != princ2=%s" % (princ1, princ2)) for idx in range(len(princ1['name-string'])): - self.assertEqual(princ1['name-string'][idx], princ2['name-string'][idx], - msg="princ1=%s != princ2=%s" % (princ1, princ2)) + self.assertEqual( + princ1['name-string'][idx], + princ2['name-string'][idx], + msg="princ1=%s != princ2=%s" % (princ1, princ2)) return def get_KerberosTimeWithUsec(self, epoch=None, offset=None): @@ -421,7 +481,7 @@ class RawKerberosTest(TestCase): salt = None try: salt = etype_info2['salt'] - except: + except Exception: pass if e == kcrypto.Enctype.RC4: @@ -429,7 +489,8 @@ class RawKerberosTest(TestCase): return self.SessionKey_create(etype=e, contents=nthash, kvno=kvno) password = creds.get_password() - return self.PasswordKey_create(etype=e, pwd=password, salt=salt, kvno=kvno) + return self.PasswordKey_create( + etype=e, pwd=password, salt=salt, kvno=kvno) def RandomKey(self, etype): e = kcrypto._get_enctype_profile(etype) @@ -452,14 +513,14 @@ class RawKerberosTest(TestCase): 'cipher': ciphertext } if key.kvno is not None: - EncryptedData_obj['kvno'] = key.kvno + EncryptedData_obj['kvno'] = key.kvno return EncryptedData_obj def Checksum_create(self, key, usage, plaintext, ctype=None): - #Checksum ::= SEQUENCE { + # Checksum ::= SEQUENCE { # cksumtype [0] Int32, # checksum [1] OCTET STRING - #} + # } if ctype is None: ctype = key.ctype checksum = key.make_checksum(usage, plaintext, ctype=ctype) @@ -494,10 +555,10 @@ class RawKerberosTest(TestCase): return PA_DATA_obj def PA_ENC_TS_ENC_create(self, ts, usec): - #PA-ENC-TS-ENC ::= SEQUENCE { + # PA-ENC-TS-ENC ::= SEQUENCE { # patimestamp[0] KerberosTime, -- client's time # pausec[1] krb5int32 OPTIONAL - #} + # } PA_ENC_TS_ENC_obj = { 'patimestamp': ts, 'pausec': usec, @@ -520,7 +581,7 @@ class RawKerberosTest(TestCase): additional_tickets, asn1_print=None, hexdump=None): - #KDC-REQ-BODY ::= SEQUENCE { + # KDC-REQ-BODY ::= SEQUENCE { # kdc-options [0] KDCOptions, # cname [1] PrincipalName OPTIONAL # -- Used only in AS-REQ --, @@ -532,20 +593,23 @@ class RawKerberosTest(TestCase): # till [5] KerberosTime, # rtime [6] KerberosTime OPTIONAL, # nonce [7] UInt32, - # etype [8] SEQUENCE OF Int32 -- EncryptionType + # etype [8] SEQUENCE OF Int32 + # -- EncryptionType # -- in preference order --, # addresses [9] HostAddresses OPTIONAL, # enc-authorization-data [10] EncryptedData OPTIONAL # -- AuthorizationData --, # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty - #} + # } if EncAuthorizationData is not None: - enc_ad_plain = self.der_encode(EncAuthorizationData, - asn1Spec=krb5_asn1.AuthorizationData(), - asn1_print=asn1_print, - hexdump=hexdump) - enc_ad = self.EncryptedData_create(EncAuthorizationData_key, enc_ad_plain) + enc_ad_plain = self.der_encode( + EncAuthorizationData, + asn1Spec=krb5_asn1.AuthorizationData(), + asn1_print=asn1_print, + hexdump=hexdump) + enc_ad = self.EncryptedData_create( + EncAuthorizationData_key, enc_ad_plain) else: enc_ad = None KDC_REQ_BODY_obj = { @@ -590,14 +654,14 @@ class RawKerberosTest(TestCase): asn1Spec=None, asn1_print=None, hexdump=None): - #KDC-REQ ::= SEQUENCE { + # KDC-REQ ::= SEQUENCE { # -- NOTE: first tag is [1], not [0] # pvno [1] INTEGER (5) , # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), # padata [3] SEQUENCE OF PA-DATA OPTIONAL # -- NOTE: not empty --, # req-body [4] KDC-REQ-BODY - #} + # } # KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, cname, @@ -622,39 +686,40 @@ class RawKerberosTest(TestCase): if padata is not None: KDC_REQ_obj['padata'] = padata if asn1Spec is not None: - KDC_REQ_decoded = pyasn1_native_decode(KDC_REQ_obj, asn1Spec=asn1Spec) + KDC_REQ_decoded = pyasn1_native_decode( + KDC_REQ_obj, asn1Spec=asn1Spec) else: KDC_REQ_decoded = None return KDC_REQ_obj, KDC_REQ_decoded def AS_REQ_create(self, - padata, # optional - kdc_options, # required - cname, # optional - realm, # required - sname, # optional - from_time, # optional - till_time, # required - renew_time, # optional - nonce, # required - etypes, # required - addresses, # optional + padata, # optional + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional EncAuthorizationData, EncAuthorizationData_key, additional_tickets, native_decoded_only=True, asn1_print=None, hexdump=None): - #KDC-REQ ::= SEQUENCE { + # KDC-REQ ::= SEQUENCE { # -- NOTE: first tag is [1], not [0] # pvno [1] INTEGER (5) , # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), # padata [3] SEQUENCE OF PA-DATA OPTIONAL # -- NOTE: not empty --, # req-body [4] KDC-REQ-BODY - #} + # } # - #KDC-REQ-BODY ::= SEQUENCE { + # KDC-REQ-BODY ::= SEQUENCE { # kdc-options [0] KDCOptions, # cname [1] PrincipalName OPTIONAL # -- Used only in AS-REQ --, @@ -666,32 +731,34 @@ class RawKerberosTest(TestCase): # till [5] KerberosTime, # rtime [6] KerberosTime OPTIONAL, # nonce [7] UInt32, - # etype [8] SEQUENCE OF Int32 -- EncryptionType + # etype [8] SEQUENCE OF Int32 + # -- EncryptionType # -- in preference order --, # addresses [9] HostAddresses OPTIONAL, # enc-authorization-data [10] EncryptedData OPTIONAL # -- AuthorizationData --, # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty - #} - obj,decoded = self.KDC_REQ_create(msg_type=10, - padata=padata, - kdc_options=kdc_options, - cname=cname, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, - asn1Spec=krb5_asn1.AS_REQ(), - asn1_print=asn1_print, - hexdump=hexdump) + # } + obj, decoded = self.KDC_REQ_create( + msg_type=10, + padata=padata, + kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.AS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) if native_decoded_only: return decoded return decoded, obj @@ -703,7 +770,7 @@ class RawKerberosTest(TestCase): # ap-options [2] APOptions, # ticket [3] Ticket, # authenticator [4] EncryptedData -- Authenticator - #} + # } AP_REQ_obj = { 'pvno': 5, 'msg-type': 14, @@ -713,8 +780,9 @@ class RawKerberosTest(TestCase): } return AP_REQ_obj - def Authenticator_create(self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, - authorization_data): + def Authenticator_create( + self, crealm, cname, cksum, cusec, ctime, subkey, seq_number, + authorization_data): # -- Unencrypted authenticator # Authenticator ::= [APPLICATION 2] SEQUENCE { # authenticator-vno [0] INTEGER (5), @@ -726,7 +794,7 @@ class RawKerberosTest(TestCase): # subkey [6] EncryptionKey OPTIONAL, # seq-number [7] UInt32 OPTIONAL, # authorization-data [8] AuthorizationData OPTIONAL - #} + # } Authenticator_obj = { 'authenticator-vno': 5, 'crealm': crealm, @@ -745,20 +813,20 @@ class RawKerberosTest(TestCase): return Authenticator_obj def TGS_REQ_create(self, - padata, # optional + padata, # optional cusec, ctime, ticket, - kdc_options, # required - cname, # optional - realm, # required - sname, # optional - from_time, # optional - till_time, # required - renew_time, # optional - nonce, # required - etypes, # required - addresses, # optional + kdc_options, # required + cname, # optional + realm, # required + sname, # optional + from_time, # optional + till_time, # required + renew_time, # optional + nonce, # required + etypes, # required + addresses, # optional EncAuthorizationData, EncAuthorizationData_key, additional_tickets, @@ -768,16 +836,16 @@ class RawKerberosTest(TestCase): native_decoded_only=True, asn1_print=None, hexdump=None): - #KDC-REQ ::= SEQUENCE { + # KDC-REQ ::= SEQUENCE { # -- NOTE: first tag is [1], not [0] # pvno [1] INTEGER (5) , # msg-type [2] INTEGER (10 -- AS -- | 12 -- TGS --), # padata [3] SEQUENCE OF PA-DATA OPTIONAL # -- NOTE: not empty --, # req-body [4] KDC-REQ-BODY - #} + # } # - #KDC-REQ-BODY ::= SEQUENCE { + # KDC-REQ-BODY ::= SEQUENCE { # kdc-options [0] KDCOptions, # cname [1] PrincipalName OPTIONAL # -- Used only in AS-REQ --, @@ -789,50 +857,57 @@ class RawKerberosTest(TestCase): # till [5] KerberosTime, # rtime [6] KerberosTime OPTIONAL, # nonce [7] UInt32, - # etype [8] SEQUENCE OF Int32 -- EncryptionType + # etype [8] SEQUENCE OF Int32 + # -- EncryptionType # -- in preference order --, # addresses [9] HostAddresses OPTIONAL, # enc-authorization-data [10] EncryptedData OPTIONAL # -- AuthorizationData --, # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty - #} - - req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, - cname=None, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets) + # } + + req_body = self.KDC_REQ_BODY_create( + kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets) req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), asn1_print=asn1_print, hexdump=hexdump) - req_body_checksum = self.Checksum_create(ticket_session_key, 6, req_body, - ctype=body_checksum_type) + req_body_checksum = self.Checksum_create( + ticket_session_key, 6, req_body, ctype=body_checksum_type) subkey_obj = None if authenticator_subkey is not None: subkey_obj = authenticator_subkey.export_obj() seq_number = random.randint(0, 0xfffffffe) - authenticator = self.Authenticator_create(crealm=realm, - cname=cname, - cksum=req_body_checksum, - cusec=cusec, - ctime=ctime, - subkey=subkey_obj, - seq_number=seq_number, - authorization_data=None) - authenticator = self.der_encode(authenticator, asn1Spec=krb5_asn1.Authenticator(), - asn1_print=asn1_print, hexdump=hexdump) - - authenticator = self.EncryptedData_create(ticket_session_key, 7, authenticator) + authenticator = self.Authenticator_create( + crealm=realm, + cname=cname, + cksum=req_body_checksum, + cusec=cusec, + ctime=ctime, + subkey=subkey_obj, + seq_number=seq_number, + authorization_data=None) + authenticator = self.der_encode( + authenticator, + asn1Spec=krb5_asn1.Authenticator(), + asn1_print=asn1_print, + hexdump=hexdump) + + authenticator = self.EncryptedData_create( + ticket_session_key, 7, authenticator) ap_options = krb5_asn1.APOptions('0') ap_req = self.AP_REQ_create(ap_options=str(ap_options), @@ -846,24 +921,25 @@ class RawKerberosTest(TestCase): else: padata = [pa_tgs_req] - obj,decoded = self.KDC_REQ_create(msg_type=12, - padata=padata, - kdc_options=kdc_options, - cname=None, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, - asn1Spec=krb5_asn1.TGS_REQ(), - asn1_print=asn1_print, - hexdump=hexdump) + obj, decoded = self.KDC_REQ_create( + msg_type=12, + padata=padata, + kdc_options=kdc_options, + cname=None, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets, + asn1Spec=krb5_asn1.TGS_REQ(), + asn1_print=asn1_print, + hexdump=hexdump) if native_decoded_only: return decoded return decoded, obj @@ -888,5 +964,6 @@ class RawKerberosTest(TestCase): 'cksum': cksum, 'auth': "Kerberos", } - pa_s4u2self = self.der_encode(PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) + pa_s4u2self = self.der_encode( + PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) return self.PA_DATA_create(129, pa_s4u2self) diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 9de56578c99..5bbf1229d09 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -38,31 +38,31 @@ PADATA_ETYPE_INFO2 = int( # Error codes KDC_ERR_C_PRINCIPAL_UNKNOWN = 6 -KDC_ERR_PREAUTH_FAILED = 24 -KDC_ERR_PREAUTH_REQUIRED = 25 -KDC_ERR_BADMATCH = 36 -KDC_ERR_SKEW = 37 +KDC_ERR_PREAUTH_FAILED = 24 +KDC_ERR_PREAUTH_REQUIRED = 25 +KDC_ERR_BADMATCH = 36 +KDC_ERR_SKEW = 37 # Name types -NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) +NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) -NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) +NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( 'kRB5-NT-ENTERPRISE-PRINCIPAL')) # Authorization data ad-type values -AD_IF_RELEVANT = 1 -AD_INTENDED_FOR_SERVER = 2 +AD_IF_RELEVANT = 1 +AD_INTENDED_FOR_SERVER = 2 AD_INTENDED_FOR_APPLICATION_CLASS = 3 -AD_KDC_ISSUED = 4 -AD_AND_OR = 5 -AD_MANDATORY_TICKET_EXTENSIONS = 6 -AD_IN_TICKET_EXTENSIONS = 7 -AD_MANDATORY_FOR_KDC = 8 -AD_INITIAL_VERIFIED_CAS = 9 -AD_WIN2K_PAC = 128 -AD_SIGNTICKET = 512 +AD_KDC_ISSUED = 4 +AD_AND_OR = 5 +AD_MANDATORY_TICKET_EXTENSIONS = 6 +AD_IN_TICKET_EXTENSIONS = 7 +AD_MANDATORY_FOR_KDC = 8 +AD_INITIAL_VERIFIED_CAS = 9 +AD_WIN2K_PAC = 128 +AD_SIGNTICKET = 512 # Key usage numbers # RFC 4120 Section 7.5.1. Key Usage Numbers diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py index 2e1bd3fbe1f..30a58d6345a 100755 --- a/python/samba/tests/krb5/s4u_tests.py +++ b/python/samba/tests/krb5/s4u_tests.py @@ -35,6 +35,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False global_hexdump = False + class S4UKerberosTests(RawKerberosTest): def setUp(self): @@ -55,7 +56,7 @@ class S4UKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes=(18,17,23) + etypes = (18, 17, 23) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -76,14 +77,16 @@ class S4UKerberosTests(RawKerberosTest): self.assertEqual(rep['msg-type'], 30) self.assertEqual(rep['error-code'], 25) - rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: if pa['padata-type'] == 19: etype_info2 = pa['padata-value'] break - etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(service_creds, etype_info2[0]) @@ -120,7 +123,8 @@ class S4UKerberosTests(RawKerberosTest): self.assertEqual(msg_type, 11) enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) # S4U2Self Request sname = cname @@ -167,11 +171,13 @@ class S4UKerberosTests(RawKerberosTest): if msg_type == 13: enc_part2 = subkey.decrypt( KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return msg_type - # Using the checksum type from the tgt_session_key happens to work everywhere + # Using the checksum type from the tgt_session_key happens to work + # everywhere def test_s4u2self(self): msg_type = self._test_s4u2self() self.assertEqual(msg_type, 13) @@ -193,6 +199,7 @@ class S4UKerberosTests(RawKerberosTest): msg_type = self._test_s4u2self(pa_s4u2self_ctype=Cksumtype.CRC32) self.assertEqual(msg_type, 30) + if __name__ == "__main__": global_asn1_print = True global_hexdump = True diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 6c090af3d46..889b91a9bf0 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -33,6 +33,7 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 global_asn1_print = False global_hexdump = False + class SimpleKerberosTests(RawKerberosTest): def setUp(self): @@ -53,7 +54,7 @@ class SimpleKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes=(18,17,23) + etypes = (18, 17, 23) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -74,14 +75,16 @@ class SimpleKerberosTests(RawKerberosTest): self.assertEqual(rep['msg-type'], 30) self.assertEqual(rep['error-code'], 25) - rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: if pa['padata-type'] == 19: etype_info2 = pa['padata-value'] break - etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) @@ -119,17 +122,21 @@ class SimpleKerberosTests(RawKerberosTest): enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) - # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with + # application tag 26 try: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) except Exception: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # TGS Request service_creds = self.get_service_creds(allow_missing_password=True) service_name = service_creds.get_username() - sname = self.PrincipalName_create(name_type=2, names=["host", service_name]) + sname = self.PrincipalName_create( + name_type=2, names=["host", service_name]) kdc_options = krb5_asn1.KDCOptions('forwardable') till = self.get_KerberosTime(offset=36000) ticket = rep['ticket'] @@ -167,7 +174,8 @@ class SimpleKerberosTests(RawKerberosTest): enc_part2 = subkey.decrypt( KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) return diff --git a/python/samba/tests/krb5/xrealm_tests.py b/python/samba/tests/krb5/xrealm_tests.py index b4a02bff33a..efb953bdf7e 100755 --- a/python/samba/tests/krb5/xrealm_tests.py +++ b/python/samba/tests/krb5/xrealm_tests.py @@ -34,6 +34,7 @@ import samba.tests global_asn1_print = False global_hexdump = False + class XrealmKerberosTests(RawKerberosTest): def setUp(self): @@ -54,7 +55,7 @@ class XrealmKerberosTests(RawKerberosTest): kdc_options = krb5_asn1.KDCOptions('forwardable') padata = None - etypes=(18,17,23) + etypes = (18, 17, 23) req = self.AS_REQ_create(padata=padata, kdc_options=str(kdc_options), @@ -75,14 +76,16 @@ class XrealmKerberosTests(RawKerberosTest): self.assertEqual(rep['msg-type'], 30) self.assertEqual(rep['error-code'], 25) - rep_padata = self.der_decode(rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) + rep_padata = self.der_decode( + rep['e-data'], asn1Spec=krb5_asn1.METHOD_DATA()) for pa in rep_padata: if pa['padata-type'] == 19: etype_info2 = pa['padata-value'] break - etype_info2 = self.der_decode(etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) + etype_info2 = self.der_decode( + etype_info2, asn1Spec=krb5_asn1.ETYPE_INFO2()) key = self.PasswordKey_from_etype_info2(user_creds, etype_info2[0]) @@ -120,15 +123,19 @@ class XrealmKerberosTests(RawKerberosTest): enc_part2 = key.decrypt(KU_AS_REP_ENC_PART, rep['enc-part']['cipher']) - # MIT KDC encodes both EncASRepPart and EncTGSRepPart with application tag 26 + # MIT KDC encodes both EncASRepPart and EncTGSRepPart with + # application tag 26 try: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncASRepPart()) except Exception: - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # TGS Request (for cross-realm TGT) trust_realm = samba.tests.env_get_var_value('TRUST_REALM') - sname = self.PrincipalName_create(name_type=2, names=["krbtgt", trust_realm]) + sname = self.PrincipalName_create( + name_type=2, names=["krbtgt", trust_realm]) kdc_options = krb5_asn1.KDCOptions('forwardable') till = self.get_KerberosTime(offset=36000) @@ -167,10 +174,11 @@ class XrealmKerberosTests(RawKerberosTest): enc_part2 = subkey.decrypt( KU_TGS_REP_ENC_PART_SUB_KEY, rep['enc-part']['cipher']) - enc_part2 = self.der_decode(enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) + enc_part2 = self.der_decode( + enc_part2, asn1Spec=krb5_asn1.EncTGSRepPart()) # Check the forwardable flag - fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) -1 + fwd_pos = len(tuple(krb5_asn1.TicketFlags('forwardable'))) - 1 assert(krb5_asn1.TicketFlags(enc_part2['flags'])[fwd_pos]) return -- 2.25.1 From 02edeb45860dc5676003dcca9629d7eea96c75ec Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Fri, 16 Apr 2021 17:22:12 +0200 Subject: [PATCH 061/380] librpc: Add py_descriptor_richcmp() equality function Only a python3 version. Do we still need the python2 flavor? Signed-off-by: Volker Lendecke Reviewed-by: Jeremy Allison BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 439b7ccdc1b1c91c66c1a7c83e340fa044c26377) --- source4/librpc/ndr/py_security.c | 37 ++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c index 26989c1a433..0b8a1c66b7a 100644 --- a/source4/librpc/ndr/py_security.c +++ b/source4/librpc/ndr/py_security.c @@ -309,9 +309,46 @@ static PyMethodDef py_descriptor_extra_methods[] = { { NULL } }; +static PyObject *py_descriptor_richcmp( + PyObject *py_self, PyObject *py_other, int op) +{ + struct security_descriptor *self = pytalloc_get_ptr(py_self); + struct security_descriptor *other = pytalloc_get_ptr(py_other); + bool eq; + + if (other == NULL) { + Py_INCREF(Py_NotImplemented); + return Py_NotImplemented; + } + + eq = security_descriptor_equal(self, other); + + switch(op) { + case Py_EQ: + if (eq) { + Py_RETURN_TRUE; + } else { + Py_RETURN_FALSE; + } + break; + case Py_NE: + if (eq) { + Py_RETURN_FALSE; + } else { + Py_RETURN_TRUE; + } + break; + default: + break; + } + + return Py_NotImplemented; +} + static void py_descriptor_patch(PyTypeObject *type) { type->tp_new = py_descriptor_new; + type->tp_richcompare = py_descriptor_richcmp; PyType_AddMethods(type, py_descriptor_extra_methods); } -- 2.25.1 From 1590663c4b1971ba1ae7d6636ada646dd6619345 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Wed, 17 Feb 2021 12:15:50 +1300 Subject: [PATCH 062/380] tests python krb5: MS-KILE client principal look-up Tests of [MS-KILE]: Kerberos Protocol Extensions section 3.3.5.6.1 Client Principal Lookup Signed-off-by: Gary Lockyer Reviewed-by: Andrew Bartlett Reviewed-by: Isaac Boukris BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Andrew Bartlett Autobuild-Date(master): Mon Apr 12 00:38:26 UTC 2021 on sn-devel-184 (cherry picked from commit 768d48fca9f8c7527c0d12e7acc8942b5fd36ac2) --- python/samba/tests/krb5/kdc_base_test.py | 29 +- .../ms_kile_client_principal_lookup_tests.py | 814 ++++++++++++++++++ python/samba/tests/usage.py | 1 + selftest/knownfail_heimdal_kdc | 12 + selftest/knownfail_mit_kdc | 16 + source4/selftest/tests.py | 3 + 6 files changed, 874 insertions(+), 1 deletion(-) create mode 100755 python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index bef5458c881..1c7f05dda6d 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -22,6 +22,7 @@ import os sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" from collections import namedtuple +import ldb from ldb import SCOPE_BASE from samba import generate_random_password from samba.auth import system_session @@ -103,7 +104,7 @@ class KDCBaseTest(RawKerberosTest): for dn in self.accounts: delete_force(self.ldb, dn) - def create_account(self, name, machine_account=False, spn=None): + def create_account(self, name, machine_account=False, spn=None, upn=None): '''Create an account for testing. The dn of the created account is added to self.accounts, which is used by tearDown to clean up the created accounts. @@ -133,6 +134,8 @@ class KDCBaseTest(RawKerberosTest): "unicodePwd": utf16pw} if spn is not None: details["servicePrincipalName"] = spn + if upn is not None: + details["userPrincipalName"] = upn self.ldb.add(details) creds = Credentials() @@ -418,3 +421,27 @@ class KDCBaseTest(RawKerberosTest): self.assertTrue(len(res) == 1, "did not get objectSid for %s" % dn) sid = self.ldb.schema_format_value("objectSID", res[0]["objectSID"][0]) return sid.decode('utf8') + + def add_attribute(self, dn_str, name, value): + if isinstance(value, list): + values = value + else: + values = [value] + flag = ldb.FLAG_MOD_ADD + + dn = ldb.Dn(self.ldb, dn_str) + msg = ldb.Message(dn) + msg[name] = ldb.MessageElement(values, flag, name) + self.ldb.modify(msg) + + def modify_attribute(self, dn_str, name, value): + if isinstance(value, list): + values = value + else: + values = [value] + flag = ldb.FLAG_MOD_REPLACE + + dn = ldb.Dn(self.ldb, dn_str) + msg = ldb.Message(dn) + msg[name] = ldb.MessageElement(values, flag, name) + self.ldb.modify(msg) diff --git a/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py new file mode 100755 index 00000000000..356a25f8e18 --- /dev/null +++ b/python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py @@ -0,0 +1,814 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2020 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +from samba.dsdb import UF_NORMAL_ACCOUNT, UF_DONT_REQUIRE_PREAUTH +from samba.tests.krb5.kdc_base_test import KDCBaseTest +from samba.tests.krb5.rfc4120_constants import ( + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, + NT_ENTERPRISE_PRINCIPAL, + NT_PRINCIPAL, + NT_SRV_INST, + KDC_ERR_C_PRINCIPAL_UNKNOWN, +) + +global_asn1_print = False +global_hexdump = False + + +class MS_Kile_Client_Principal_Lookup_Tests(KDCBaseTest): + ''' Tests for MS-KILE client principal look-up + See [MS-KILE]: Kerberos Protocol Extensions + secion 3.3.5.6.1 Client Principal Lookup + ''' + + def setUp(self): + super().setUp() + self.do_asn1_print = global_asn1_print + self.do_hexdump = global_hexdump + + def check_pac(self, auth_data, dn, uc, name, upn=None): + + pac_data = self.get_pac_data(auth_data) + sid = self.get_objectSid(dn) + if upn is None: + upn = "%s@%s" % (name, uc.get_realm().lower()) + if name.endswith('$'): + name = name[:-1] + + self.assertEqual( + uc.get_username(), + str(pac_data.account_name), + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + name, + pac_data.logon_name, + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + uc.get_realm(), + pac_data.domain_name, + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + upn, + pac_data.upn, + "pac_data = {%s}" % str(pac_data)) + self.assertEqual( + sid, + pac_data.account_sid, + "pac_data = {%s}" % str(pac_data)) + + def test_nt_principal_step_1(self): + ''' Step 1 + For an NT_PRINCIPAL cname with no realm or the realm matches the + DC's domain + search for an account with the + sAMAccountName matching the cname. + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, uc, user_name) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_2(self): + ''' Step 2 + If not found + search for sAMAccountName equal to the cname + "$" + + ''' + + # Create a machine account for the test. + # + user_name = "mskilemac" + (mc, dn) = self.create_account(user_name, machine_account=True) + realm = mc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(mc, rep) + key = self.get_as_rep_key(mc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, mc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, mc, mach_name + '$') + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_3(self): + ''' Step 3 + + If not found + search for a matching UPN name where the UPN is set to + cname@realm or cname@DC's domain name + + ''' + # Create a user account for the test. + # + user_name = "mskileusr" + upn_name = "mskileupn" + upn = upn_name + "@" + self.credentials.get_realm().lower() + (uc, dn) = self.create_account(user_name, upn=upn) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[upn_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[upn_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, uc, upn_name) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(upn_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_4_a(self): + ''' Step 4, no pre-authentication + If not found and no pre-authentication + search for a matching altSecurityIdentity + ''' + # Create a user account for the test. + # with an altSecurityIdentity, and with UF_DONT_REQUIRE_PREAUTH + # set. + # + # note that in this case IDL_DRSCrackNames is called with + # pmsgIn.formatOffered set to + # DS_USER_PRINCIPAL_NAME_AND_ALTSECID + # + # setting UF_DONT_REQUIRE_PREAUTH seems to be the only way + # to trigger the no pre-auth step + + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + self.modify_attribute( + dn, + "userAccountControl", + str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH)) + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, as we've set UF_DONT_REQUIRE_PREAUTH + # we should get a valid AS-RESP + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_as_reply(rep) + salt = "%s%s" % (realm.upper(), user_name) + key = self.PasswordKey_create( + rep['enc-part']['etype'], + uc.get_password(), + salt.encode('UTF8'), + rep['enc-part']['kvno']) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + # + # We get an empty authorization-data element in the ticket. + # i.e. no PAC + self.assertEqual([], enc_part['authorization-data']) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(alt_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_4_b(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + # Note: although we used the alt security id for the pre-auth + # we need to use the username for the auth + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[user_name]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac(enc_part['authorization-data'], dn, uc, user_name) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_PRINCIPAL, cname['name-type']) + self.assertEqual(user_name.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_4_c(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + + This test uses the altsecid, so the AS-REQ should fail. + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_name]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + # Use the alternate security identifier + # this should fail + cname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, names=[alt_sec]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + + def test_enterprise_principal_step_1_3(self): + ''' Steps 1-3 + For an NT_ENTERPRISE_PRINCIPAL cname + search for a user principal name matching the cname + + ''' + + # Create a user account for the test. + # + user_name = "mskileusr" + upn_name = "mskileupn" + upn = upn_name + "@" + self.credentials.get_realm().lower() + (uc, dn) = self.create_account(user_name, upn=upn) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[upn]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[upn]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, uc, upn, upn=upn) + # check the crealm and cname + cname = enc_part['cname'] + crealm = enc_part['crealm'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(upn.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), crealm) + + def test_enterprise_principal_step_4(self): + ''' Step 4 + + If that fails + search for an account where the sAMAccountName matches + the name before the @ + + ''' + + # Create a user account for the test. + # + user_name = "mskileusr" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + ename = user_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, uc, ename, upn=ename) + # check the crealm and cname + cname = enc_part['cname'] + crealm = enc_part['crealm'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), crealm) + + def test_enterprise_principal_step_5(self): + ''' Step 5 + + If that fails + search for an account where the sAMAccountName matches + the name before the @ with a $ appended. + + ''' + + # Create a user account for the test. + # + user_name = "mskileusr" + (uc, _) = self.create_account(user_name) + realm = uc.get_realm().lower() + + mach_name = "mskilemac" + (mc, dn) = self.create_account(mach_name, machine_account=True) + ename = mach_name + "@" + realm + uname = mach_name + "$@" + realm + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(mc, rep) + key = self.get_as_rep_key(mc, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, mc, ename, upn=uname) + # check the crealm and cname + cname = enc_part['cname'] + crealm = enc_part['crealm'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), crealm) + + def test_enterprise_principal_step_6_a(self): + ''' Step 6, no pre-authentication + If not found and no pre-authentication + search for a matching altSecurityIdentity + ''' + # Create a user account for the test. + # with an altSecurityIdentity, and with UF_DONT_REQUIRE_PREAUTH + # set. + # + # note that in this case IDL_DRSCrackNames is called with + # pmsgIn.formatOffered set to + # DS_USER_PRINCIPAL_NAME_AND_ALTSECID + # + # setting UF_DONT_REQUIRE_PREAUTH seems to be the only way + # to trigger the no pre-auth step + + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + self.modify_attribute( + dn, + "userAccountControl", + str(UF_NORMAL_ACCOUNT | UF_DONT_REQUIRE_PREAUTH)) + ename = alt_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, as we've set UF_DONT_REQUIRE_PREAUTH + # we should get a valid AS-RESP + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_as_reply(rep) + salt = "%s%s" % (realm.upper(), user_name) + key = self.PasswordKey_create( + rep['enc-part']['etype'], + uc.get_password(), + salt.encode('UTF8'), + rep['enc-part']['kvno']) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the service ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + # + # We get an empty authorization-data element in the ticket. + # i.e. no PAC + self.assertEqual([], enc_part['authorization-data']) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(ename.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_enterprise_principal_step_6_b(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + ename = alt_name + "@" + realm + uname = user_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + key = self.get_as_rep_key(uc, rep) + # Note: although we used the alt security id for the pre-auth + # we need to use the username for the auth + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[uname]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part2 = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part2['key']) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, + names=[uname]) + sname = self.PrincipalName_create( + name_type=NT_PRINCIPAL, + names=[mc.get_username()]) + + (rep, enc_part) = self.tgs_req( + cname, sname, uc.get_realm(), ticket, key, etype) + self.check_tgs_reply(rep) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + enc_part = self.decode_service_ticket(mc, ticket) + self.check_pac( + enc_part['authorization-data'], dn, uc, uname, upn=uname) + # check the crealm and cname + cname = enc_part['cname'] + self.assertEqual(NT_ENTERPRISE_PRINCIPAL, cname['name-type']) + self.assertEqual(uname.encode('UTF8'), cname['name-string'][0]) + self.assertEqual(realm.upper().encode('UTF8'), enc_part['crealm']) + + def test_nt_principal_step_6_c(self): + ''' Step 4, pre-authentication + If not found and pre-authentication + search for a matching user principal name + + This test uses the altsecid, so the AS-REQ should fail. + ''' + + # Create user and machine accounts for the test. + # + user_name = "mskileusr" + alt_name = "mskilealtsec" + (uc, dn) = self.create_account(user_name) + realm = uc.get_realm().lower() + alt_sec = "Kerberos:%s@%s" % (alt_name, realm) + self.add_attribute(dn, "altSecurityIdentities", alt_sec) + ename = alt_name + "@" + realm + + mach_name = "mskilemac" + (mc, _) = self.create_account(mach_name, machine_account=True) + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + sname = self.PrincipalName_create( + name_type=NT_SRV_INST, names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(uc, rep) + # Use the alternate security identifier + # this should fail + cname = self.PrincipalName_create( + name_type=NT_ENTERPRISE_PRINCIPAL, names=[ename]) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_error_rep(rep, KDC_ERR_C_PRINCIPAL_UNKNOWN) + + +if __name__ == "__main__": + global_asn1_print = False + global_hexdump = False + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 222d1dbfa41..1b22461c735 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -95,6 +95,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_tests.py', 'python/samba/tests/krb5/kdc_base_test.py', 'python/samba/tests/krb5/kdc_tgs_tests.py', + 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } EXCLUDE_HELP = { diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc index 7ab56b6721b..4e6ee93ce96 100644 --- a/selftest/knownfail_heimdal_kdc +++ b/selftest/knownfail_heimdal_kdc @@ -2,3 +2,15 @@ # We expect all the MIT specific compatability tests to fail on heimdal # kerberos ^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_mit_ +# +# Heimdal currently fails the following MS-KILE client principal lookup +# tests +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc index e64303c6b0f..2c2a643944c 100644 --- a/selftest/knownfail_mit_kdc +++ b/selftest/knownfail_mit_kdc @@ -275,3 +275,19 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_ # following tests ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_ldap_service_ticket\(ad_dc\) ^samba.tests.krb5.kdc_tgs_tests.samba.tests.krb5.kdc_tgs_tests.KdcTgsTests.test_get_ticket_for_host_service_of_machine_account\(ad_dc\) +# +# MIT currently fails the following MS-KILE tests. +# +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_1_3 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_4 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_5 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_enterprise_principal_step_6_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_enterprise_principal_step_6_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_1 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_2 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_3 +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_a +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_b +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_4_c +^samba.tests.krb5.ms_kile_client_principal_lookup_tests.samba.tests.krb5.ms_kile_client_principal_lookup_tests.MS_Kile_Client_Principal_Lookup_Tests.test_nt_principal_step_6_c + diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index b2a09b3ecb2..9bb2ff2e1ed 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -1290,6 +1290,9 @@ planpythontestsuite("ad_dc", "samba.tests.krb5.kdc_tests") planpythontestsuite( "ad_dc", "samba.tests.krb5.kdc_tgs_tests") +planpythontestsuite( + "ad_dc", + "samba.tests.krb5.ms_kile_client_principal_lookup_tests") for env in [ 'vampire_dc', -- 2.25.1 From 7e880971d6fee4ab24b3b23419fa9576397eafbf Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:54:05 +1200 Subject: [PATCH 063/380] auth:creds: Remove unused variable Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1ea2de561839ad948efab5112fbe4c1eae44d9ee) --- auth/credentials/pycredentials.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 7427e286dca..1edb22bd867 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -603,8 +603,6 @@ static PyObject *py_creds_get_forced_sasl_mech(PyObject *self, PyObject *unused) static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args) { char *newval; - enum credentials_obtained obt = CRED_SPECIFIED; - int _obt = obt; struct cli_credentials *creds = PyCredentials_AsCliCredentials(self); if (creds == NULL) { PyErr_Format(PyExc_TypeError, "Credentials expected"); @@ -614,7 +612,6 @@ static PyObject *py_creds_set_forced_sasl_mech(PyObject *self, PyObject *args) if (!PyArg_ParseTuple(args, "s", &newval)) { return NULL; } - obt = _obt; cli_credentials_set_forced_sasl_mech(creds, newval); Py_RETURN_NONE; -- 2.25.1 From f7227612a89022789ba48e7cb87ca5dd7629acde Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:55:13 +1200 Subject: [PATCH 064/380] auth:creds: Fix parameter in creds.set_named_ccache() Use the passed-in value for 'obtained' rather than always using CRED_SPECIFIED. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2d05268aa0904221c452fc650fcdfb680efc20bb) --- auth/credentials/pycredentials.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 1edb22bd867..314f0eba894 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -763,6 +763,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args) if (!PyArg_ParseTuple(args, "s|iO", &newval, &_obt, &py_lp_ctx)) return NULL; + obt = _obt; mem_ctx = talloc_new(NULL); if (mem_ctx == NULL) { @@ -778,7 +779,7 @@ static PyObject *py_creds_set_named_ccache(PyObject *self, PyObject *args) ret = cli_credentials_set_ccache(creds, lp_ctx, - newval, CRED_SPECIFIED, + newval, obt, &error_string); if (ret != 0) { -- 2.25.1 From bbe01ec142411b2b970fb5fe0fa4ffb2d2491773 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 11:07:22 +1200 Subject: [PATCH 065/380] pygensec: Fix method documentation This changes the docstrings to use the correct method names. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 50ade4cadc766a196316fd5c5a57f8c502f0ea22) --- source4/auth/gensec/pygensec.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index 986f32904e7..35b3307ab8f 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -654,13 +654,13 @@ static PyMethodDef py_gensec_security_methods[] = { METH_VARARGS|METH_KEYWORDS|METH_CLASS, "S.start_server(auth_ctx, settings) -> gensec" }, { "set_credentials", (PyCFunction)py_gensec_set_credentials, METH_VARARGS, - "S.start_client(credentials)" }, + "S.set_credentials(credentials)" }, { "set_target_hostname", (PyCFunction)py_gensec_set_target_hostname, METH_VARARGS, - "S.start_target_hostname(target_hostname) \n This sets the Kerberos target hostname to obtain a ticket for." }, + "S.set_target_hostname(target_hostname) \n This sets the Kerberos target hostname to obtain a ticket for." }, { "set_target_service", (PyCFunction)py_gensec_set_target_service, METH_VARARGS, - "S.start_target_service(target_service) \n This sets the Kerberos target service to obtain a ticket for. The default value is 'host'" }, + "S.set_target_service(target_service) \n This sets the Kerberos target service to obtain a ticket for. The default value is 'host'" }, { "set_target_service_description", (PyCFunction)py_gensec_set_target_service_description, METH_VARARGS, - "S.start_target_service_description(target_service_description) \n This description is set server-side and used in authentication and authorization logs. The default value is that provided to set_target_service() or None."}, + "S.set_target_service_description(target_service_description) \n This description is set server-side and used in authentication and authorization logs. The default value is that provided to set_target_service() or None."}, { "session_info", (PyCFunction)py_gensec_session_info, METH_NOARGS, "S.session_info() -> info" }, { "session_key", (PyCFunction)py_gensec_session_key, METH_NOARGS, -- 2.25.1 From 19b36346d7498f512295df0e45974ffaec637c40 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 15 Apr 2021 10:32:41 +1200 Subject: [PATCH 066/380] Revert "s4-test: fixed ndrdump test for top level build" This essentially reverts commit b84c0a9ed6d556eb2d3797d606edcd03f9766606, but the datapath is now in the source4 directory. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6f144d49b5281a08bf7be550b949f4d91e8fe19b) --- python/samba/tests/blackbox/ndrdump.py | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py index 6795aed41b7..f9a3bd98862 100644 --- a/python/samba/tests/blackbox/ndrdump.py +++ b/python/samba/tests/blackbox/ndrdump.py @@ -24,13 +24,7 @@ from __future__ import print_function import os from samba.tests import BlackboxTestCase, BlackboxProcessError -for p in ["../../../../../source4/librpc/tests", - "../../../../../librpc/tests"]: - data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), p)) - print(data_path_dir) - if os.path.exists(data_path_dir): - break - +data_path_dir = os.path.abspath(os.path.join(os.path.dirname(__file__), "../../../../../source4/librpc/tests")) class NdrDumpTests(BlackboxTestCase): """Blackbox tests for ndrdump.""" -- 2.25.1 From 4bc1f4d789dae7f6bdb7b50c01ec950ffa2e7c3c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:57:00 +1200 Subject: [PATCH 067/380] krb5ccache.idl: Add definition for a Kerberos credentials cache Based on specifications found at https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html This is primarily designed for parsing and storing a single Kerberos ticket, due to the limitations of PIDL. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 74fb2cc473cea0eebf641fc4d32d706bac8aa6f2) --- librpc/idl/krb5ccache.idl | 115 +++++++++++++++++++++++++++++++++++ librpc/idl/wscript_build | 1 + librpc/wscript_build | 8 ++- source4/librpc/wscript_build | 7 +++ 4 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 librpc/idl/krb5ccache.idl diff --git a/librpc/idl/krb5ccache.idl b/librpc/idl/krb5ccache.idl new file mode 100644 index 00000000000..1f0cfa752a9 --- /dev/null +++ b/librpc/idl/krb5ccache.idl @@ -0,0 +1,115 @@ +/* + krb5 credentials cache (version 3 or 4) + specification: https://web.mit.edu/kerberos/krb5-devel/doc/formats/ccache_file_format.html +*/ + +#include "idl_types.h" + +[ + uuid("1702b695-99ca-4f32-93e4-1e1c4d5ddb53"), + version(0.0), + pointer_default(unique), + helpstring("KRB5 credentials cache") +] +interface krb5ccache +{ + typedef struct { + uint32 name_type; + uint32 component_count; + [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string realm; + [flag(STR_SIZE4|STR_NOTERM|STR_UTF8)] string components[component_count]; + } PRINCIPAL; + + typedef struct { + uint16 enctype; + DATA_BLOB data; + } KEYBLOCK; + + typedef struct { + uint16 addrtype; + DATA_BLOB data; + } ADDRESS; + + typedef struct { + uint32 count; + ADDRESS data[count]; + } ADDRESSES; + + typedef struct { + uint16 ad_type; + DATA_BLOB data; + } AUTHDATUM; + + typedef struct { + uint32 count; + AUTHDATUM data[count]; + } AUTHDATA; + + typedef struct { + PRINCIPAL client; + PRINCIPAL server; + KEYBLOCK keyblock; + uint32 authtime; + uint32 starttime; + uint32 endtime; + uint32 renew_till; + uint8 is_skey; + uint32 ticket_flags; + ADDRESSES addresses; + AUTHDATA authdata; + DATA_BLOB ticket; + DATA_BLOB second_ticket; + } CREDENTIAL; + + typedef struct { + [value(0)] int32 kdc_sec_offset; + [value(0)] int32 kdc_usec_offset; + } DELTATIME_TAG; + + typedef [nodiscriminant] union { + [case(1)] DELTATIME_TAG deltatime_tag; + } FIELD; + + typedef struct { + [value(1)] uint16 tag; + [subcontext(2),switch_is(tag)] FIELD field; + } V4TAG; + + typedef struct { + V4TAG tag; + /* + * We should allow for more than one tag to be properly parsed, but that + * would require manual parsing. + */ + [flag(NDR_REMAINING)] DATA_BLOB further_tags; + } V4TAGS; + + typedef struct { + [subcontext(2)] V4TAGS v4tags; + } V4HEADER; + + typedef [nodiscriminant] union { + /* + * We don't attempt to support file format versions 1 and 2 as they + * assume native CPU byte order, which makes no sense in PIDL. + */ + [case(3)] ; + [case(4)] V4HEADER v4header; + } OPTIONAL_HEADER; + + /* Public structures. */ + + typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { + [value(5)] uint8 pvno; + [value(4)] uint8 version; + [switch_is(version)] OPTIONAL_HEADER optional_header; + PRINCIPAL principal; + CREDENTIAL cred; + [flag(NDR_REMAINING)] DATA_BLOB further_creds; + } CCACHE; + + typedef [flag(NDR_NOALIGN|NDR_BIG_ENDIAN|NDR_PAHEX),public] struct { + CREDENTIAL cred; + [flag(NDR_REMAINING)] DATA_BLOB further_creds; + } MULTIPLE_CREDENTIALS; +} diff --git a/librpc/idl/wscript_build b/librpc/idl/wscript_build index b66f27be901..2eb575e6a4c 100644 --- a/librpc/idl/wscript_build +++ b/librpc/idl/wscript_build @@ -147,6 +147,7 @@ bld.SAMBA_PIDL_LIST('PIDL', drsblobs.idl idmap.idl krb5pac.idl + krb5ccache.idl messaging.idl misc.idl nbt.idl diff --git a/librpc/wscript_build b/librpc/wscript_build index 30763907aaa..08cfc439282 100644 --- a/librpc/wscript_build +++ b/librpc/wscript_build @@ -374,6 +374,11 @@ bld.SAMBA_LIBRARY('ndr-krb5pac', vnum='0.0.1' ) +bld.SAMBA_SUBSYSTEM('NDR_KRB5CCACHE', + source='gen_ndr/ndr_krb5ccache.c', + deps='ndr NDR_COMPRESSION NDR_SECURITY ndr-standard asn1util' + ) + bld.SAMBA_LIBRARY('ndr-standard', source='', vnum='0.0.1', @@ -616,7 +621,8 @@ bld.SAMBA_LIBRARY('ndr-samba', source=[], deps='''NDR_DRSBLOBS NDR_DRSUAPI NDR_IDMAP NDR_NTLMSSP NDR_NEGOEX NDR_SCHANNEL NDR_MGMT NDR_DNSSERVER NDR_EPMAPPER NDR_XATTR NDR_UNIXINFO NDR_NAMED_PIPE_AUTH NDR_DCOM - NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV''', + NDR_NTPRINTING NDR_FSRVP NDR_WITNESS NDR_MDSSVC NDR_OPEN_FILES NDR_SMBXSRV + NDR_KRB5CCACHE''', private_library=True, grouping_library=True ) diff --git a/source4/librpc/wscript_build b/source4/librpc/wscript_build index 009b2e13d2e..ea9c4853d7a 100644 --- a/source4/librpc/wscript_build +++ b/source4/librpc/wscript_build @@ -229,6 +229,13 @@ bld.SAMBA_PYTHON('python_krb5pac', cflags_end=gen_cflags ) +bld.SAMBA_PYTHON('python_krb5ccache', + source='../../librpc/gen_ndr/py_krb5ccache.c', + deps='NDR_KRB5CCACHE %s %s' % (pytalloc_util, pyrpc_util), + realname='samba/dcerpc/krb5ccache.so', + cflags_end=gen_cflags + ) + bld.SAMBA_PYTHON('python_netlogon', source='../../librpc/gen_ndr/py_netlogon.c', deps='RPC_NDR_NETLOGON %s %s' % (pytalloc_util, pyrpc_util), -- 2.25.1 From ec6c8920a0882711d5debe1313dce2a505a8c011 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 10:58:48 +1200 Subject: [PATCH 068/380] librpc: Test parsing a Kerberos 5 credentials cache with ndrdump This is the format used by the FILE: credentials cache type. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1f17b1edca9c1638ef404fadce3ca7a4d176de12) --- python/samba/tests/blackbox/ndrdump.py | 37 + source3/selftest/ktest-krb5_ccache-2.txt | 1574 ++++++++++++++++++++++ source3/selftest/ktest-krb5_ccache-3.txt | 832 ++++++++++++ 3 files changed, 2443 insertions(+) create mode 100644 source3/selftest/ktest-krb5_ccache-2.txt create mode 100644 source3/selftest/ktest-krb5_ccache-3.txt diff --git a/python/samba/tests/blackbox/ndrdump.py b/python/samba/tests/blackbox/ndrdump.py index f9a3bd98862..b8a025b8dce 100644 --- a/python/samba/tests/blackbox/ndrdump.py +++ b/python/samba/tests/blackbox/ndrdump.py @@ -307,6 +307,43 @@ dump OK # convert expected to bytes for python 3 self.assertEqual(actual, expected.encode('utf-8')) + def test_ndrdump_Krb5ccache(self): + expected = open(self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-2.txt")).read() + try: + # Specify -d1 to match the generated output file, because ndrdump + # only outputs some additional info if this parameter is specified, + # and the --configfile parameter gives us an empty smb.conf to avoid + # extraneous output. + actual = self.check_output( + "ndrdump krb5ccache CCACHE struct " + "--configfile /dev/null -d1 --validate " + + self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-2")) + except BlackboxProcessError as e: + self.fail(e) + # check_output will return bytes + # convert expected to bytes for python 3 + self.assertEqual(actual, expected.encode('utf-8')) + + expected = open(self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-3.txt")).read() + try: + # Specify -d1 to match the generated output file, because ndrdump + # only outputs some additional info if this parameter is specified, + # and the --configfile parameter gives us an empty smb.conf to avoid + # extraneous output. + actual = self.check_output( + "ndrdump krb5ccache CCACHE struct " + "--configfile /dev/null -d1 --validate " + + self.data_path("../../../source3/selftest/" + "ktest-krb5_ccache-3")) + except BlackboxProcessError as e: + self.fail(e) + # check_output will return bytes + # convert expected to bytes for python 3 + self.assertEqual(actual, expected.encode('utf-8')) + # This is a good example of a union with an empty default # and no buffers to parse. def test_ndrdump_fuzzed_spoolss_EnumForms(self): diff --git a/source3/selftest/ktest-krb5_ccache-2.txt b/source3/selftest/ktest-krb5_ccache-2.txt new file mode 100644 index 00000000000..c86750ae585 --- /dev/null +++ b/source3/selftest/ktest-krb5_ccache-2.txt @@ -0,0 +1,1574 @@ +pull returned Success + CCACHE: struct CCACHE + pvno : 0x05 (5) + version : 0x04 (4) + optional_header : union OPTIONAL_HEADER(case 0x4) + v4header: struct V4HEADER + v4tags: struct V4TAGS + tag: struct V4TAG + tag : 0x0001 (1) + field : union FIELD(case 0x1) + deltatime_tag: struct DELTATIME_TAG + kdc_sec_offset : 0 + kdc_usec_offset : 0 + further_tags : DATA_BLOB length=0 + principal: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + cred: struct CREDENTIAL + client: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + server: struct PRINCIPAL + name_type : 0x00000000 (0) + component_count : 0x00000002 (2) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(2) + components : 'krbtgt' + components : 'KTEST.SAMBA.EXAMPLE.COM' + keyblock: struct KEYBLOCK + enctype : 0x0017 (23) + data : DATA_BLOB length=16 +[0000] 8B 94 0B 31 51 5B F7 A7 15 E9 EE D7 D7 0C 8C 90 ...1Q[.. ........ + authtime : 0x4d994f6a (1301892970) + starttime : 0x4d994f6a (1301892970) + endtime : 0x7d440b68 (2101611368) + renew_till : 0x7d440b68 (2101611368) + is_skey : 0x00 (0) + ticket_flags : 0x40e00000 (1088421888) + addresses: struct ADDRESSES + count : 0x00000000 (0) + data: ARRAY(0) + authdata: struct AUTHDATA + count : 0x00000000 (0) + data: ARRAY(0) + ticket : DATA_BLOB length=1032 +[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ +[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... +[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K +[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... +[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ +[0070] 80 66 8F CF AB 24 9D C8 76 E4 28 F5 25 6B 73 B2 .f...$.. v.(.%ks. +[0080] 4B 94 ED 09 10 29 05 C4 C0 B8 B9 33 FA C4 46 AB K....).. ...3..F. +[0090] F4 B5 9E 5B 07 54 D6 58 1D B8 CA 04 41 A6 33 A6 ...[.T.X ....A.3. +[00A0] 67 9D EB 83 70 65 A9 2D 65 A5 19 8C 55 2A 0F FC g...pe.- e...U*.. +[00B0] 1B BB 7A BD 86 C0 32 06 F2 2F 0A A5 93 E7 D1 1E ..z...2. ./...... +[00C0] 16 C4 27 DD 1F A7 61 03 FF 05 81 EF 49 B7 25 A3 ..'...a. ....I.%. +[00D0] 6E EA E6 E8 15 E3 10 AF A3 F1 21 B3 D9 C0 67 2F n....... ..!...g/ +[00E0] 0C 0C B7 42 D6 9A 34 8E D4 5E 55 C2 FE 62 03 37 ...B..4. .^U..b.7 +[00F0] A5 58 9B 43 E7 26 E3 71 B2 E5 F1 91 B4 23 8F AC .X.C.&.q .....#.. +[0100] 7A 31 3C 4E B4 94 E4 81 36 98 71 3B 98 7B B7 AB z1....... +[0150] 1A 69 EE 8C 4E A4 D8 55 A5 0B 23 0F D0 89 48 C4 .i..N..U ..#...H. +[0160] 51 FE 32 FD CC F6 71 E1 95 2D CC 1D 0A 0C 8A A2 Q.2...q. .-...... +[0170] 69 58 3B 65 88 53 EC D0 2E E1 C6 CC 6B BC 09 E5 iX;e.S.. ....k... +[0180] B9 15 27 8B E4 B2 24 18 61 42 BB 8B 09 1B 8A 7B ..'...$. aB.....{ +[0190] 13 D8 51 E1 0B 79 12 48 DE A9 54 04 00 6D DD E6 ..Q..y.H ..T..m.. +[01A0] 5E 03 91 FF C7 6D 0B 7C 91 44 E1 0F C0 7E 32 34 ^....m.| .D...~24 +[01B0] 82 86 94 F7 CD 53 EC 52 38 18 AA ED FF FC 5C 01 .....S.R 8.....\. +[01C0] D2 EE 99 45 8E 5B E6 B3 46 B0 F6 3B 22 29 EC 11 ...E.[.. F..;").. +[01D0] 30 6A F6 A1 1F 9E AE 71 E3 A6 E7 3F F3 7D 2B 75 0j.....q ...?.}+u +[01E0] 70 4D 63 47 5C 18 2C 8B B1 1A 69 B6 C5 46 01 17 pMcG\.,. ..i..F.. +[01F0] 8E 64 3D 47 88 20 1C AA D7 60 32 28 11 60 EA 28 .d=G. .. .`2(.`.( +[0200] 66 99 4C B1 2A 28 96 BF 18 2A 3E F4 D6 84 E5 A0 f.L.*(.. .*>..... +[0210] F4 4E E7 F9 54 95 22 96 2A 87 01 CC 3E A7 FF 42 .N..T.". *...>..B +[0220] 6A A4 4A 3A B9 24 10 65 99 53 58 2A 4E 72 E7 1F j.J:.$.e .SX*Nr.. +[0230] 82 BC BD 3C 6C 9D 33 3A CE C6 6E 72 A2 81 B3 84 ........ +[0280] AB F0 D0 93 08 42 E5 37 19 24 4E C1 AF FC 92 A9 .....B.7 .$N..... +[0290] B1 27 B1 9A 2A 62 34 F1 DC C0 6B 83 AE C3 74 E8 .'..*b4. ..k...t. +[02A0] A3 05 DD 82 DD A3 D7 90 A8 E3 9C EB 64 16 23 06 ........ ....d.#. +[02B0] 5D FB E4 35 7C 22 29 78 E3 3B 75 92 91 0C 9D A1 ]..5|")x .;u..... +[02C0] 87 7C 2E 82 AE 49 9D 4A 50 A9 C2 D5 85 B0 16 5D .|...I.J P......] +[02D0] A2 CD B0 DD 29 3F 6F 66 C9 C1 9F 5C F0 B6 FC D2 ....)?of ...\.... +[02E0] 52 BE 7B F0 1F 26 AF 8A FC C3 A6 24 8C C0 10 06 R.{..&.. ...$.... +[02F0] 73 1E 17 9E 6E 6F 32 44 6A DF 82 5D D0 6B 74 CE s...no2D j..].kt. +[0300] 58 0B 4C 7B EB A1 13 44 B1 3E D8 F8 BA F4 4E 55 X.L{...D .>....NU +[0310] 71 3D C1 09 D9 E7 97 9A 14 5C 54 7E 57 81 5F 6B q=...... .\T~W._k +[0320] 30 BE 9A E1 98 29 47 D4 C0 8F 63 0A F8 27 1F CE 0....)G. ..c..'.. +[0330] ED D9 BB 7B 12 24 D0 34 2A 7C F0 F7 77 F4 F1 1D ...{.$.4 *|..w... +[0340] 4C 5D 75 2D 6B 0D 80 35 82 CC D8 7A 6B FA A0 55 L]u-k..5 ...zk..U +[0350] 34 CD 87 15 61 38 78 D4 69 0F AA 72 D6 AC FA 99 4...a8x. i..r.... +[0360] BC 70 39 27 A7 25 2E 1B 6F 36 01 FD E9 B4 9A 79 .p9'.%.. o6.....y +[0370] 6C 19 DD A6 8C 78 B0 40 92 60 58 F0 28 AD 08 78 l....x.@ .`X.(..x +[0380] 4A 29 06 2C 82 2B 1A E3 91 0B 5F EE D6 B8 66 47 J).,.+.. .._...fG +[0390] 31 9B A3 DF 9F 79 D7 BB 0E 2C FA 0E C9 66 84 8D 1....y.. .,...f.. +[03A0] FF BA BB 21 27 9E AD 86 84 55 8D 4C 4C 47 D9 5F ...!'... .U.LLG._ +[03B0] B2 7D 26 CA B7 49 3C 9D 1B 67 71 11 3A 8A EB EA .}&..I<. .gq.:... +[03C0] 0F 15 EB F0 1E 46 F7 A4 34 04 D7 E3 50 67 47 D3 .....F.. 4...PgG. +[03D0] 66 21 17 77 51 A7 1F 1D 84 3B 7C B1 5D 4E B8 D4 f!.wQ... .;|.]N.. +[03E0] F9 C5 75 06 AA 19 45 1C E9 06 9E AD 23 26 6B 10 ..u...E. ....#&k. +[03F0] 53 A0 36 D3 58 9F 5E 8C CB A5 F6 BC C9 30 3C BC S.6.X.^. .....0<. +[0400] AD FF 7C 92 F0 C6 9A 02 ..|..... + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=10683 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 PLE.COM. ...cifs. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 72 3A 0C .....n.. 1mH..r:. +[0080] 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D 44 0B 68 K...M.Oj M.P.}D.h +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 ........ 0...cifs +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 FC 5E 51 ........ .d.1..^Q +[0110] 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 12 74 2D <..4G;.o o.....t- +[0120] 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB F1 15 FD D....-F> ........ +[0130] BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 A2 9D 2D ..... j8 .F.'...- +[0140] 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B 70 E4 51 ...}...| .G..{p.Q +[0150] 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 55 75 44 j.Qhb(J. Q....UuD +[0160] 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 C1 0C 3A ......4. .1..C..: +[0170] B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 AF E1 61 .i. ...e O. ....a +[0180] 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B 74 D5 8F ...c&.]. <.).{t.. +[0190] 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD 22 9A A5 ,.K..$W7 .....".. +[01A0] 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 28 4B 7B ..Jx.6.. ..'..(K{ +[01B0] DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 26 91 78 ..B..... ....H&.x +[01C0] A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 4D 38 C7 ...l$... .....M8. +[01D0] 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 53 C5 16 }IU..F.. {..bcS.. +[01E0] 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 7E 40 65 J...|..E ...Xg~@e +[01F0] 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 56 E8 A1 KH...... 9....V.. +[0200] 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F 18 CE 2F .zz.`..) ...L.../ +[0210] 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 08 FC BF ...[l..E .s..U... +[0220] C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 2D F1 3B ..Q..,.. <....-.; +[0230] A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB 8A 18 BD ....*g.. ..|l.... +[0240] D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 7E 7D C4 .].^h0.X ....&~}. +[0250] E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED 42 79 31 ........ .^^j.By1 +[0260] BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 36 C9 1E .._:?..c .....6.. +[0270] 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 DE 26 85 .}A....& ..P^..&. +[0280] 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 79 8F 77 0q.E;... ..*<.y.w +[0290] 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB 25 7B B1 L.iz.... ...x.%{. +[02A0] 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D C8 AB 04 <."'..u. ..@.m... +[02B0] 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D E6 15 2C .A..%q.S :...M.., +[02C0] B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 F5 E9 B2 .Gl..}.. ....!... +[02D0] 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA 08 0D CE B.h(..7" .0.S.... +[02E0] CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 56 72 C6 ..a...-u .A.L.Vr. +[02F0] B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 A0 BD 68 ...4...\ .......h +[0300] EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 83 84 D4 ..2..Q.? g.{.p... +[0310] CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 05 CF 26 .RU6a.`. [o..b..& +[0320] 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F B0 B8 07 .e.`K.c. ..D./... +[0330] FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F 44 09 20 ...P.V.. .%v..D. +[0340] 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 93 B1 30 ....c.TF ..^....0 +[0350] 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A 1F C1 08 1{..#C;. }9g..... +[0360] AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A 7F 1D 4A .4$.t... 4.aWj..J +[0370] 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 0F DF 44 ...x...T ."..i..D +[0380] 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C 53 E3 85 |.k.AcP. :..{LS.. +[0390] 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC 84 84 D9 s....u.P ........ +[03A0] BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 9B EC 5C ...y.j.. ..~."..\ +[03B0] C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B 80 E6 67 .k...U2^ #......g +[03C0] B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 24 8A B1 .Y..]... .}...$.. +[03D0] 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 21 7C 3D 7.`..5H2 .....!|= +[03E0] 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC 34 C1 2D !.k.1... L+.^.4.- +[03F0] DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 07 06 72 ..l.m.`. U......r +[0400] C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 CB 53 6B ..N..k>. ..uM..Sk +[0410] 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 B7 D8 F5 4./..9.. n'.mA... +[0420] 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 84 5E 82 .......V ......^. +[0430] C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 FA 66 A0 ........ ;.....f. +[0440] DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B 4D 72 9F .2`..F.< ..o..Mr. +[0450] 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 B6 1B 9F ...qn|.. ..M..... +[0460] 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 C2 69 E5 bq.,.... ..y...i. +[0470] 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C 52 17 03 ~.W...N. ...OLR.. +[0480] AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 95 61 2E ...4`.|. .607..a. +[0490] CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D 84 D5 00 .p."p... n=0.M... +[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K +[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini +[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ +[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E +[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci +[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest +[0510] 36 00 17 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 6....... n..1mH.. +[0520] 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D r:.K...M .OjM.P.} +[0530] 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 D.h..... @(...... +[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... +[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c +[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 +[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ +[05A0] 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 ........ ....d.1. +[05B0] FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 .^Q<..4G ;.oo.... +[05C0] 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB .t-D.... -F>..... +[05D0] F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 ........ j8.F.'. +[05E0] A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B ..-...}. ..|.G..{ +[05F0] 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 p.Qj.Qhb (J.Q.... +[0600] 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 UuD..... .4..1..C +[0610] C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 ..:.i. . ..eO. .. +[0620] AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B ..a...c& .].<.).{ +[0630] 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD t..,.K.. $W7..... +[0640] 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 "....Jx. 6....'.. +[0650] 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 (K{..B.. .......H +[0660] 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 &.x...l$ ........ +[0670] 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 M8.}IU.. F..{..bc +[0680] 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 S..J...| ..E...Xg +[0690] 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 ~@eKH... ...9.... +[06A0] 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F V...zz.` ..)...L. +[06B0] 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 ../...[l ..E.s..U +[06C0] 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 .....Q.. ,..<.... +[06D0] 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB -.;....* g....|l. +[06E0] 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 ....].^h 0.X....& +[06F0] 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED ~}...... ....^^j. +[0700] 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 By1.._:? ..c..... +[0710] 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 6...}A.. ..&..P^. +[0720] DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 .&.0q.E; .....*<. +[0730] 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB y.wL.iz. ......x. +[0740] 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D %{.<."'. .u...@.m +[0750] C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D ....A..% q.S:...M +[0760] E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 ..,.Gl.. }......! +[0770] F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA ...B.h(. .7".0.S. +[0780] 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 .....a.. .-u.A.L. +[0790] 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 Vr....4. ..\..... +[07A0] A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 ..h..2.. Q.?g.{.p +[07B0] 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 ....RU6a .`.[o..b +[07C0] 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F ..&.e.`K .c...D./ +[07D0] B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F ......P. V...%v.. +[07E0] 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 D. ....c .TF..^.. +[07F0] 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A ..01{..# C;.}9g.. +[0800] 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A ....4$.t ...4.aWj +[0810] 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 ..J...x. ..T."..i +[0820] 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C ..D|.k.A cP.:..{L +[0830] 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC S..s.... u.P..... +[0840] 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 ......y. j....~." +[0850] 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B ..\.k... U2^#.... +[0860] 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 ..g.Y..] ....}... +[0870] 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 $..7.`.. 5H2..... +[0880] 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC !|=!.k.1 ...L+.^. +[0890] 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 4.-..l.m .`.U.... +[08A0] 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 ..r..N.. k>...uM. +[08B0] CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 .Sk4./.. 9..n'.mA +[08C0] B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 ........ ..V..... +[08D0] 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 .^...... ...;.... +[08E0] FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B .f..2`.. F.<..o.. +[08F0] 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 Mr....qn |....M.. +[0900] B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 ...bq.,. .....y.. +[0910] C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C .i.~.W.. .N....OL +[0920] 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 R.....4` .|..607. +[0930] 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D .a..p."p ...n=0.M +[0940] 84 D5 00 00 00 00 00 00 00 01 00 00 00 01 00 00 ........ ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 63 69 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 .cifs... .localkt +[09B0] 65 73 74 36 00 17 00 00 00 10 00 6E A1 B2 31 6D est6.... ...n..1m +[09C0] 48 C7 90 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 H..r:.K. ..M.OjM. +[09D0] 50 85 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 P.}D.h.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 63 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 ..cifs.. localkte +[0A30] 73 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 st6....0 ........ +[0A40] A1 03 02 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 ........ .......d +[0A50] A8 31 00 FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD .1..^Q<. .4G;.oo. +[0A60] 9E A6 91 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB ....t-D. ...-F>.. +[0A70] FB C4 FB F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 ........ ... j8.F +[0A80] 06 27 D9 A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 .'...-.. .}...|.G +[0A90] 17 BC 7B 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 ..{p.Qj. Qhb(J.Q. +[0AA0] 0D CD 02 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 ...UuD.. ....4..1 +[0AB0] 85 9E 43 C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 ..C..:.i . ...eO. +[0AC0] 20 C9 B5 AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD ....a.. .c&.].<. +[0AD0] 29 BB 7B 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 ).{t..,. K..$W7.. +[0AE0] F7 91 FD 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A ...".... Jx.6.... +[0AF0] 27 8A C6 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F '..(K{.. B....... +[0B00] 9C B8 48 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 ..H&.x.. .l$..... +[0B10] B3 D3 85 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA ...M8.}I U..F..{. +[0B20] 11 62 63 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 .bcS..J. ..|..E.. +[0B30] 98 58 67 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 .Xg~@eKH ......9. +[0B40] 04 C0 A8 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC ...V...z z.`..).. +[0B50] 82 4C 8F 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 .L.../.. .[l..E.s +[0B60] CB A4 55 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD ..U..... Q..,..<. +[0B70] F6 F0 A3 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 ...-.;.. ..*g.... +[0B80] 7C 6C FB 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 |l.....] .^h0.X.. +[0B90] 13 E0 26 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E ..&~}... .......^ +[0BA0] 5E 6A ED 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB ^j.By1.. _:?..c.. +[0BB0] 06 AE 12 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 ...6...} A....&.. +[0BC0] 50 5E D0 DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 P^..&.0q .E;..... +[0BD0] 2A 3C E0 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC *<.y.wL. iz...... +[0BE0] FF 78 DB 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 .x.%{.<. "'..u... +[0BF0] 40 95 6D C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 @.m....A ..%q.S:. +[0C00] 9C B2 4D E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B ..M..,.G l..}.... +[0C10] C9 1E 21 F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 ..!...B. h(..7".0 +[0C20] 8D 53 FA 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 .S...... a...-u.A +[0C30] 85 4C 88 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA .L.Vr... .4...\.. +[0C40] 80 90 82 A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB .....h.. 2..Q.?g. +[0C50] 7B EB 70 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F {.p....R U6a.`.[o +[0C60] FE 9A 62 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 ..b..&.e .`K.c... +[0C70] 44 B4 2F B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 D./..... .P.V...% +[0C80] 76 0B 0F 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB v..D. .. ..c.TF.. +[0C90] 5E 0B 09 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 ^....01{ ..#C;.}9 +[0CA0] 67 FE 9A 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F g......4 $.t...4. +[0CB0] 61 57 6A 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 aWj..J.. .x...T." +[0CC0] 86 D6 69 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 ..i..D|. k.AcP.:. +[0CD0] B9 7B 4C 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 .{LS..s. ...u.P.. +[0CE0] B0 CF CC 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 ........ .y.j.... +[0CF0] 7E E9 22 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 ~."..\.k ...U2^#. +[0D00] C0 D4 8B 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D .....g.Y ..]....} +[0D10] E2 FE B1 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 ...$..7. `..5H2.. +[0D20] E8 12 E6 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B ...!|=!. k.1...L+ +[0D30] 1C 5E EC 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E .^.4.-.. l.m.`.U. +[0D40] E6 D0 B5 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A .....r.. N..k>... +[0D50] 75 4D E8 CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 uM..Sk4. /..9..n' +[0D60] 00 6D 41 B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 .mA..... .....V.. +[0D70] 04 1D 98 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 ....^... ......;. +[0D80] 98 1C D8 FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 ....f..2 `..F.<.. +[0D90] 6F F2 8B 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 o..Mr... .qn|.... +[0DA0] 4D F1 A1 B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B M.....bq .,...... +[0DB0] 79 90 F1 C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 y...i.~. W...N... +[0DC0] EA 4F 4C 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 .OLR.... .4`.|..6 +[0DD0] 30 37 88 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 07..a..p ."p...n= +[0DE0] 30 F7 4D 84 D5 00 00 00 00 00 00 00 01 00 00 00 0.M..... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 1D C8 5E LKTEST6. .......^ +[0E60] 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 4D 99 4F FH..)... .rm..M.O +[0E70] 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 00 40 28 jM...}D. h.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE 07 48 DA f..F..s- ...J..H. +[0F00] 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 2D F5 9C ..X0C@.. ..;..-.. +[0F10] 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED 8B 8B 1B >./..... ...p.... +[0F20] 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 00 32 B1 ^.N..... a...V.2. +[0F30] DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 D4 19 74 ..7)./.. .C.....t +[0F40] 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 63 9B D4 3.iR.X.. ...D.c.. +[0F50] 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D 29 B6 ED Nn.>...M ....m).. +[0F60] 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A E2 29 AF *b=S"3.. ..tL*.). +[0F70] 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 5E C1 68 [i.H-... ..T..^.h +[0F80] 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 3B 10 17 o...y... .vfE.;.. +[0F90] 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A C0 EA 38 .@F..... ....:..8 +[0FA0] 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D 65 F0 D2 ;..K...' .b...e.. +[0FB0] C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 4F A2 4A .^.e.... .1..IO.J +[0FC0] 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 31 C8 40 pw...[7\ .....1.@ +[0FD0] 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1C 53 52 ..h..}.T ORa1,.SR +[0FE0] DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 97 97 3D ....9.}. .."....= +[0FF0] 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 DF B7 C1 ^f....N. +.c 0... +[1000] D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B 09 04 31 .e.o-.$. ..nK..1 +[1010] B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D D9 0C 4C ....72.. s...M..L +[1020] 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 A7 1F 33 [..jQ..? .F.s...3 +[1030] 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F AA C7 E8 .|..Z#.@ |....... +[1040] 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 69 B0 C1 c..:J..b .!...i.. +[1050] 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 48 AB D7 .Q....B[ .08..H.. +[1060] FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 FC C1 DC ....q... TB...... +[1070] F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C 26 67 32 ..0b...} +4.RL&g2 +[1080] D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 D6 EB 98 .D..'... ..f5.... +[1090] 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B 20 D6 33 Fo.G..1. G.e.. .3 +[10A0] 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 3E 4B 32 6;.@/Z.. ....3>K2 +[10B0] 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 6A 3E D2 ..".._.. ...[Yj>. +[10C0] FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 44 C0 1F ..O....o +.7.7D.. +[10D0] 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE 72 5B 3A ..CF.^.. .9pa.r[: +[10E0] 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 81 A0 0D .7.x.... ...G.... +[10F0] 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 5A 4D E2 b..46... ...>wZM. +[1100] 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 59 F7 A3 _ p==[4. ..1..Y.. +[1110] F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 31 D4 F3 .f...... .3.."1.. +[1120] 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 9E 91 B8 g.h ..rz od.h.... +[1130] E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 58 14 60 ..ml8t.. ..%..X.` +[1140] 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A 86 21 D3 ...L..g> 5gq.*.!. +[1150] 60 61 98 16 94 67 0B 52 76 63 93 BD A3 3B A9 F0 `a...g.R vc...;.. +[1160] A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D 94 71 59 .j...5d. j. .=.qY +[1170] 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B 7A A8 E6 ^....M.. K.d.;z.. +[1180] D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 C9 2F 77 ..vq&.\. .U..../w +[1190] DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B 44 11 6B ...H.... 1....D.k +[11A0] 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D F4 CC EA |.z].n.. ...4.... +[11B0] 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 C6 16 57 7$K..... )...9..W +[11C0] D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 56 9C EC ..W.l~.. .....V.. +[11D0] 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F 16 25 31 .>!..|.< ....o.%1 +[11E0] C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 DB 85 CC .(...G1P ........ +[11F0] 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 10 8C 82 kK,...-. m....... +[1200] 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 0A 4F E3 /.....w@ PB.B..O. +[1210] 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 5B C3 1A ll...... }..x K....%J. +[1240] 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 75 28 2F .l...Y.. .....u(/ +[1250] F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 C4 A0 8D .*p(.E.u .Nb..... +[1260] 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 09 EB 05 U....... $...@... +[1270] 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 95 01 50 ...1P2/. ...K...P +[1280] 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 00 00 01 n.#I.r!. ........ +[1290] 00 00 00 01 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[12A0] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[12B0] 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 ...admin istrator +[12C0] 00 00 00 01 00 00 00 02 00 00 00 17 4B 54 45 53 ........ ....KTES +[12D0] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[12E0] 43 4F 4D 00 00 00 04 63 69 66 73 00 00 00 0B 4C COM....c ifs....L +[12F0] 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 00 00 10 OCALKTES T6...... +[1300] 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 ..^FH..) ....rm.. +[1310] 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 M.OjM... }D.h.... +[1320] 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 03 .@(..... ........ +[1330] FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 .a...0.. ........ +[1340] 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1350] 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 AMPLE.CO M..0.... +[1360] 01 01 A1 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F ....0... cifs..LO +[1370] 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 CALKTEST 6....0.. +[1380] AA A0 03 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 ........ ........ +[1390] 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE ...f..F. .s-...J. +[13A0] 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 .H...X0C @....;.. +[13B0] 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED -..>./.. ......p. +[13C0] 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 ...^.N.. ...a...V +[13D0] 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 .2...7). /...C... +[13E0] D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 ..t3.iR. X.....D. +[13F0] 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D c..Nn.>. ..M....m +[1400] 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A )..*b=S" 3....tL* +[1410] E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 .).[i.H- .....T.. +[1420] 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 ^.ho...y ....vfE. +[1430] 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A ;...@F.. .......: +[1440] C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D ..8;..K. ..'.b... +[1450] 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 e...^.e. ....1..I +[1460] 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 O.Jpw... [7\..... +[1470] 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1.@..h.. }.TORa1, +[1480] 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 .SR....9 .}...".. +[1490] 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 ..=^f... .N.+.c 0 +[14A0] DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B ....e.o- .$. ..nK +[14B0] 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D ..1....7 2..s...M +[14C0] D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 ..L[..jQ ..?.F.s. +[14D0] A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F ..3.|..Z #.@|.... +[14E0] AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 ...c..:J ..b.!... +[14F0] 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 i...Q... .B[.08.. +[1500] 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 H......q ...TB... +[1510] FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C .....0b. ..}+4.RL +[1520] 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 &g2.D..' .....f5. +[1530] D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B ...Fo.G. .1.G.e.. +[1540] 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 .36;.@/ Z......3 +[1550] 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 >K2..".. _.....[Y +[1560] 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 j>...O.. ..o+.7.7 +[1570] 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE D....CF. ^...9pa. +[1580] 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 r[:.7.x. ......G. +[1590] 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 ...b..46 ......>w +[15A0] 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 ZM._ p== [4...1.. +[15B0] 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 Y...f... ....3.." +[15C0] 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 1..g.h . .rzod.h. +[15D0] 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 .....ml8 t....%.. +[15E0] 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A X.`...L. .g>5gq.* +[15F0] 86 21 D3 60 61 98 16 94 67 0B 52 76 63 93 BD A3 .!.`a... g.Rvc... +[1600] 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D ;...j... 5d.j. .= +[1610] 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B .qY^.... M..K.d.; +[1620] 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 z....vq& .\..U... +[1630] C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B ./w...H. ...1.... +[1640] 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D D.k|.z]. n.....4. +[1650] F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 ...7$K.. ...)...9 +[1660] C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 ..W..W.l ~....... +[1670] 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F V...>!.. |.<....o +[1680] 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 .%1.(... G1P..... +[1690] DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 ...kK,.. .-.m.... +[16A0] 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 .../.... .w@PB.B. +[16B0] 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 .O.ll... ...}..xK.... +[16E0] 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 %J..l... Y....... +[16F0] 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 u(/.*p(. E.u.Nb.. +[1700] C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 ...U.... ...$...@ +[1710] 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 ......1P 2/....K. +[1720] 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 ..Pn.#I. r!...... +[1730] 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 54 ........ ...KTEST +[1740] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[1750] 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 OM....ad ministra +[1760] 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 4B tor..... .......K +[1770] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[1780] 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 00 LE.COM.. ..cifs.. +[1790] 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 ..LOCALK TEST6... +[17A0] 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 .....^FH ..)....r +[17B0] 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 m..M.OjM ...}D.h. +[17C0] 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 00 ....@(.. ........ +[17D0] 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 ....a... 0....... +[17E0] 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[17F0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C .EXAMPLE .COM..0. +[1800] A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 1B .......0 ...cifs. +[1810] 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE .LOCALKT EST6.... +[1820] 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 82 0....... ........ +[1830] 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 ......f. .F..s-.. +[1840] FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F .J..H... X0C@.... +[1850] 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC ;..-..>. /....... +[1860] D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 .p....^. N.....a. +[1870] D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 ..V.2... 7)./...C +[1880] BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 .....t3. iR.X.... +[1890] 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 .D.c..Nn .>...M.. +[18A0] F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF ..m)..*b =S"3.... +[18B0] 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D tL*.).[i .H-..... +[18C0] 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 T..^.ho. ..y....v +[18D0] 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF fE.;...@ F....... +[18E0] 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 ..:..8;. .K...'.b +[18F0] 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 ...e...^ .e.....1 +[1900] 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 ..IO.Jpw ...[7\.. +[1910] DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 ...1.@.. h..}.TOR +[1920] 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 a1,.SR.. ..9.}... +[1930] 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F "....=^f ....N.+. +[1940] 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D c 0....e .o-.$. . +[1950] 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 .nK..1.. ..72..s. +[1960] F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 ..M..L[. .jQ..?.F +[1970] E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F .s...3.| ..Z#.@|. +[1980] DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 ......c. .:J..b.! +[1990] B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 ...i...Q ....B[.0 +[19A0] 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 8..H.... ..q...TB +[19B0] DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 ........ 0b...}+4 +[19C0] 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 .RL&g2.D ..'..... +[19D0] 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 f5....Fo .G..1.G. +[19E0] 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE e.. .36; .@/Z.... +[19F0] 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 ..3>K2.. ".._.... +[1A00] CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 .[Yj>... O....o+. +[1A10] 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 7.7D.... CF.^...9 +[1A20] 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA pa.r[:.7 .x...... +[1A30] FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 .G....b. .46..... +[1A40] F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 .>wZM._ p==[4... +[1A50] 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 1..Y...f .......3 +[1A60] A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 .."1..g. h ..rzod +[1A70] FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 .h...... ml8t.... +[1A80] 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 %..X.`.. .L..g>5g +[1A90] 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B 52 76 63 q.*.!.`a ...g.Rvc +[1AA0] 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA ...;...j ...5d.j. +[1AB0] 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 .=.qY^. ...M..K. +[1AC0] 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 d.;z.... vq&.\..U +[1AD0] 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C ..../w.. .H....1. +[1AE0] 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 ...D.k|. z].n.... +[1AF0] C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 .4....7$ K.....). +[1B00] D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB ..9..W.. W.l~.... +[1B10] A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 ...V...> !..|.<.. +[1B20] A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ..o.%1.( ...G1P.. +[1B30] ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D ......kK ,...-.m. +[1B40] 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 ....../. ....w@PB +[1B50] 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF .B..O.ll ......}. +[1B60] 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 .xK. +[1B80] 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 ...%J..l ...Y.... +[1B90] CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E ...u(/.* p(.E.u.N +[1BA0] 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE b.....U. ......$. +[1BB0] BC CE 40 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 ..@..... .1P2/... +[1BC0] 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 .K...Pn. #I.r!... +[1BD0] 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 ........ ......KT +[1BE0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[1BF0] 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 E.COM... .adminis +[1C00] 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 trator.. ........ +[1C10] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1C20] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 AMPLE.CO M....cif +[1C30] 73 00 00 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 s....LOC ALKTEST6 +[1C40] 00 17 00 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 ........ ^FH..).. +[1C50] A6 F1 72 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 ..rm..M. OjM...}D +[1C60] 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 00 .h.....@ (....... +[1C70] 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 .......a ...0.... +[1C80] 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[1C90] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 MBA.EXAM PLE.COM. +[1CA0] 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 .0...... ..0...ci +[1CB0] 66 73 1B 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 fs..LOCA LKTEST6. +[1CC0] 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 ...0.... ........ +[1CD0] 02 A2 82 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 ........ .f..F..s +[1CE0] 2D CF 88 FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 -...J..H ...X0C@. +[1CF0] 9C 00 0F 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B ...;..-. .>./.... +[1D00] D7 2E EC D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 ....p... .^.N.... +[1D10] 8D 61 E5 D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 .a...V.2 ...7)./. +[1D20] EE A8 43 BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 ..C..... t3.iR.X. +[1D30] 83 D6 16 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 ....D.c. .Nn.>... +[1D40] 4D C4 96 F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 M....m). .*b=S"3. +[1D50] 95 E9 DF 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 ...tL*.) .[i.H-.. +[1D60] FD A5 1D 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 ...T..^. ho...y.. +[1D70] 97 0B 76 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 ..vfE.;. ..@F.... +[1D80] BB CF CF 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 .....:.. 8;..K... +[1D90] 27 8C 62 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B '.b...e. ..^.e... +[1DA0] CB 17 31 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 ..1..IO. Jpw...[7 +[1DB0] 5C EC 06 DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE \.....1. @..h..}. +[1DC0] 54 4F 52 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D TORa1,.S R....9.} +[1DD0] C6 CE C8 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E ...".... =^f....N +[1DE0] 2E 2B 9F 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 .+.c 0.. ..e.o-.$ +[1DF0] 07 20 8D 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E . ..nK.. 1....72. +[1E00] 0C 73 C6 F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA .s...M.. L[..jQ.. +[1E10] 3F FF 46 E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 ?.F.s... 3.|..Z#. +[1E20] 40 7C 0F DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 @|...... .c..:J.. +[1E30] 62 01 21 B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 b.!...i. ..Q....B +[1E40] 5B C5 30 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA [.08..H. .....q.. +[1E50] 18 54 42 DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 .TB..... ...0b... +[1E60] 7D 2B 34 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA }+4.RL&g 2.D..'.. +[1E70] D0 FC 84 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 ...f5... .Fo.G..1 +[1E80] BE 47 80 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E .G.e.. . 36;.@/Z. +[1E90] 0E 01 BE 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 .....3>K 2..".._. +[1EA0] D5 92 94 CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B ....[Yj> ...O.... +[1EB0] 6F 2B 14 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 o+.7.7D. ...CF.^. +[1EC0] FE D3 39 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 ..9pa.r[ :.7.x... +[1ED0] E7 E9 DA FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB ....G... .b..46.. +[1EE0] E6 98 D8 F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 ....>wZM ._ p==[4 +[1EF0] D9 FD A8 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD ...1..Y. ..f..... +[1F00] D5 85 33 A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 ..3.."1. .g.h ..r +[1F10] 7A 6F 64 FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 zod.h... ...ml8t. +[1F20] 96 A2 F6 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 ...%..X. `...L..g +[1F30] 3E 35 67 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B >5gq.*.! .`a...g. +[1F40] 52 76 63 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 Rvc...;. ..j...5d +[1F50] DA 6A EA 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE .j. .=.q Y^....M. +[1F60] 1B 4B D8 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C .K.d.;z. ...vq&.\ +[1F70] DA 1A 55 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 ..U..../ w...H... +[1F80] C3 31 9C 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 .1....D. k|.z].n. +[1F90] DA EF C5 C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 ....4... .7$K.... +[1FA0] F2 29 A0 D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 .)...9.. W..W.l~. +[1FB0] 90 E0 EB A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 ......V. ..>!..|. +[1FC0] 3C F9 D2 A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 <....o.% 1.(...G1 +[1FD0] 50 DD E1 ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D P....... .kK,...- +[1FE0] A9 6D 1D 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 .m...... ./.....w +[1FF0] 40 50 42 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB @PB.B..O .ll..... +[2000] F0 7D CF 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 .}.. +[2020] 78 4B BF 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 xK....%J ..l...Y. +[2030] CF 2E A0 CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F ......u( /.*p(.E. +[2040] 75 C2 4E 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 u.Nb.... .U...... +[2050] EF 24 EE BC CE 40 09 EB 05 0B D1 14 31 50 32 2F .$...@.. ....1P2/ +[2060] B6 A8 97 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 ....K... Pn.#I.r! +[2070] 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ +[2080] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[2090] 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 MPLE.COM ....admi +[20A0] 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 nistrato r....... +[20B0] 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[20C0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 .EXAMPLE .COM.... +[20D0] 68 6F 73 74 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 host.... localkte +[20E0] 73 74 36 00 17 00 00 00 10 72 47 04 38 B6 E6 F0 st6..... .rG.8... +[20F0] 44 9E 9F 27 66 E1 69 9C 9A 4D 99 4F 6A 4D 99 90 D..'f.i. .M.OjM.. +[2100] F5 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 .}D.h... ..@(.... +[2110] 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 ........ ..a...0. +[2120] 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 ........ ...KTEST +[2130] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[2140] 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B OM..0... .....0.. +[2150] 04 68 6F 73 74 1B 0B 6C 6F 63 61 6C 6B 74 65 73 .host..l ocalktes +[2160] 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 t6....0. ........ +[2170] 03 02 01 02 A2 82 03 9C 04 82 03 98 58 95 95 EB ........ ....X... +[2180] CB 8F 68 D4 77 43 0F 3B 44 B4 15 DA 40 6D FD E9 ..h.wC.; D...@m.. +[2190] 85 D3 2F CD B5 1E 96 CD F6 E9 67 91 36 08 9E B4 ../..... ..g.6... +[21A0] B3 47 70 7A B3 4E 82 5A 4F 8E 4B F5 8D 04 E4 5C .Gpz.N.Z O.K....\ +[21B0] C4 D8 0C AF 08 25 F9 C1 64 B2 3A 35 26 E9 B2 72 .....%.. d.:5&..r +[21C0] 66 B5 E9 81 FC BE 12 1B CC 8A A5 82 31 F6 7F C3 f....... ....1... +[21D0] 5A 19 A3 31 F2 99 14 1E 64 E4 41 E8 C7 C3 F3 DF Z..1.... d.A..... +[21E0] F5 65 7D B0 9F DC 5D 25 1D 1A A8 EA AA 88 6D F4 .e}...]% ......m. +[21F0] 7C 25 9F 53 F6 A6 8F B1 24 AF 98 FE 53 7B 35 3C |%.S.... $...S{5< +[2200] DB EC 7F 09 74 E9 C4 8D 20 B4 47 08 0E 32 B8 C9 ....t... .G..2.. +[2210] 45 27 12 F9 8E F5 D6 C2 DD 1A 96 0E 68 5F 39 65 E'...... ....h_9e +[2220] 72 C7 BD 8E 04 0E 13 E1 03 27 AC 50 80 76 E6 7A r....... .'.P.v.z +[2230] 8E F4 C2 72 4F 68 B3 34 00 A9 54 41 DA FD 96 94 ...rOh.4 ..TA.... +[2240] 29 A1 59 15 2F DB 6C 94 85 49 C5 D0 6D 48 B0 C4 ).Y./.l. .I..mH.. +[2250] 65 D0 95 1D DB 3D 25 D0 75 50 D4 CF FA 2F 71 57 e....=%. uP.../qW +[2260] BD 6C 1C 59 E1 C3 5B C7 24 95 FF B0 20 EF 6A DB .l.Y..[. $... .j. +[2270] 79 87 67 91 94 E9 16 E2 BB 74 7A 08 E1 6A 36 5F y.g..... .tz..j6_ +[2280] DF 11 AB 35 9B 3E 32 48 83 89 41 4E 06 BF F9 BB ...5.>2H ..AN.... +[2290] EC E4 D7 6D 77 C4 55 22 DF F7 91 4D CB C5 01 A5 ...mw.U" ...M.... +[22A0] BA 2D 1E 92 76 04 E8 02 2F 5E AF 1C B3 B7 A6 FB .-..v... /^...... +[22B0] 3A 9F D9 7C 6D DA B4 8F 31 00 A5 30 F2 76 72 9B :..|m... 1..0.vr. +[22C0] 62 97 E0 56 E5 E4 C7 6B 8B FC 84 75 57 66 6E D7 b..V...k ...uWfn. +[22D0] B7 41 6F 61 F4 5B 0F 87 68 F6 54 02 26 1B 1F B7 .Aoa.[.. h.T.&... +[22E0] 60 D6 E7 FA 4F C7 DB 35 58 EC 13 21 D4 C6 A1 27 `...O..5 X..!...' +[22F0] BA E7 82 DF 29 FB 9D 5D E8 35 28 C9 9C 4E D7 BE ....)..] .5(..N.. +[2300] 2F 6D F1 E8 0B 5A 74 C9 93 9F AD 42 24 4B B7 3B /m...Zt. ...B$K.; +[2310] 38 2A 11 CF F0 BD 85 40 48 D8 9D E7 6B 65 70 42 8*.....@ H...kepB +[2320] 60 DA 9B 65 CB C8 C5 D7 40 3A 12 DC 64 AF 82 54 `..e.... @:..d..T +[2330] 34 05 38 4F C6 FB 38 E2 73 A9 89 B7 FC 33 15 85 4.8O..8. s....3.. +[2340] 9E CA E9 E0 89 18 18 84 02 65 B4 74 5B D4 A1 6F ........ .e.t[..o +[2350] 5F 79 20 CB D7 36 C8 6D 5B 1E 5E 0C 82 16 9F CC _y ..6.m [.^..... +[2360] 5A 1E 57 C1 B6 94 51 87 A1 3D 12 D4 8B FE 0F 93 Z.W...Q. .=...... +[2370] ED 53 A3 F4 88 3C 35 05 89 FE AF 0B 36 62 E3 2F .S...<5. ....6b./ +[2380] 5C 4A 0E 07 67 39 A3 8E C0 45 07 7F 73 32 BC DE \J..g9.. .E..s2.. +[2390] 2D 00 8B 47 79 3D 1C A1 90 AE B6 8F 83 B2 1B 31 -..Gy=.. .......1 +[23A0] EE E4 F2 C5 C1 4A E2 4A 2F 28 F0 AA 19 43 6A 14 .....J.J /(...Cj. +[23B0] B1 42 61 90 34 2E EE 3D 16 9F 5D 9F 7A A2 01 7A .Ba.4..= ..].z..z +[23C0] 4B 96 FA 4D C9 85 1A 75 27 B7 6B FD 4D 7D 9C 65 K..M...u '.k.M}.e +[23D0] 97 DB 05 CC 76 68 EA 05 5D 5D BB BD 51 4B 5B F2 ....vh.. ]]..QK[. +[23E0] 48 59 BD 1E AD 56 D4 69 A5 75 CD ED EC B1 3E AB HY...V.i .u....>. +[23F0] FA B7 F8 8D 4F BE 95 63 38 1C 4C 70 26 C4 3A 21 ....O..c 8.Lp&.:! +[2400] 80 61 05 3A D4 E2 28 2C 85 01 5A DA FC 10 60 F3 .a.:..(, ..Z...`. +[2410] 74 0C FD DB 2F 5B 25 4B 14 E4 7D 8A DB 85 12 D2 t.../[%K ..}..... +[2420] D7 69 CD B5 B1 93 CE E5 E6 4D 57 D3 C2 D3 2E A0 .i...... .MW..... +[2430] 08 37 09 CD 19 99 09 FA 33 68 4A E0 92 46 21 0C .7...... 3hJ..F!. +[2440] 99 9F DA 05 15 20 8B 3D 7C 7B CA D6 81 AC AA 83 ..... .= |{...... +[2450] 48 C8 24 4C C8 FC A5 14 2C BC 49 1A 1C 49 61 1D H.$L.... ,.I..Ia. +[2460] 24 86 42 B1 37 6A C8 3A AC 18 CC C0 50 84 12 48 $.B.7j.: ....P..H +[2470] 8B 29 0A 49 26 A4 E2 B9 E5 96 E7 37 C3 DE 4C 23 .).I&... ...7..L# +[2480] D2 D4 62 14 8F 1E 72 39 CF 03 BC A3 00 C7 63 51 ..b...r9 ......cQ +[2490] A9 6B E4 3E B2 65 A1 A2 BB EC 06 41 85 50 22 02 .k.>.e.. ...A.P". +[24A0] 46 2F 72 2B 32 1A A4 2D 85 94 02 47 69 8D AD 6D F/r+2..- ...Gi..m +[24B0] 66 AB D4 E4 29 C8 C7 DA F4 18 31 2A DF 50 6A 05 f...)... ..1*.Pj. +[24C0] D6 47 26 C4 F9 87 0F 35 24 6E 72 D6 23 7D 3A 94 .G&....5 $nr.#}:. +[24D0] 14 8D E8 57 AA BA D7 CF A9 2D E7 4C 10 7C D8 0D ...W.... .-.L.|.. +[24E0] 51 30 1F E1 FB E5 E2 6C EE AA 65 2F D8 22 05 67 Q0.....l ..e/.".g +[24F0] 87 4D 4D D2 11 3D B4 1E AA 20 3F 76 E3 94 93 6D .MM..=.. . ?v...m +[2500] AC 10 05 AF 09 BD 67 86 C5 83 93 D6 1C D3 81 D9 ......g. ........ +[2510] B1 3B E1 76 00 00 00 00 00 00 00 01 00 00 00 01 .;.v.... ........ +[2520] 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E ....KTES T.SAMBA. +[2530] 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 EXAMPLE. COM....a +[2540] 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 dministr ator.... +[2550] 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[2560] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[2570] 00 00 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C ...host. ...LOCAL +[2580] 4B 54 45 53 54 36 00 17 00 00 00 10 55 6E 3E FC KTEST6.. ....Un>. +[2590] E2 F4 40 51 19 E6 6E EB 23 4C 48 8E 4D 99 4F 6A ..@Q..n. #LH.M.Oj +[25A0] 4D 99 90 FC 7D 44 0B 68 00 00 00 00 00 40 28 00 M...}D.h .....@(. +[25B0] 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 ........ .....a.. +[25C0] F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 .0...... ......KT +[25D0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[25E0] 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 E.COM..0 ........ +[25F0] 30 13 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 0...host ..LOCALK +[2600] 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 TEST6... .0...... +[2610] 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 6E ........ .......n +[2620] 87 B7 7B 3A 7E EF 4A 1B 29 C9 E3 C4 1F 42 4F 0E ..{:~.J. )....BO. +[2630] C8 AC AC 4E A2 77 1D DA 93 37 F1 AF DA A3 75 2D ...N.w.. .7....u- +[2640] 12 8B 40 34 23 0E 8E A9 90 58 46 42 42 39 31 D6 ..@4#... .XFBB91. +[2650] 03 9E 5D 81 D9 E8 F6 08 2B D9 96 88 8A 2F F1 CC ..]..... +..../.. +[2660] F2 EA 9E 9A 4B 31 B6 04 2D 3D 4C 7F 92 DE 3B 04 ....K1.. -=L...;. +[2670] 19 EE 28 D0 83 81 C3 46 CD 74 23 4C 14 34 DE 62 ..(....F .t#L.4.b +[2680] 0A AC E5 12 16 75 E9 A8 4B 32 78 CC 8D AE A2 E5 .....u.. K2x..... +[2690] 6D E8 09 70 76 52 F5 E5 18 F7 E7 91 15 6A 69 AB m..pvR.. .....ji. +[26A0] B8 62 DD 80 F5 28 6D DF ED 10 DA AC FB 92 27 CF .b...(m. ......'. +[26B0] 98 B5 77 9D A5 96 E6 9A CC B9 C3 91 78 22 35 9C ..w..... ....x"5. +[26C0] A1 13 A3 20 28 D1 16 E5 3E 4A 85 1E 12 0B CA 4D ... (... >J.....M +[26D0] C6 C8 03 C8 28 2C D8 29 5D 9A 76 4A 92 13 43 56 ....(,.) ].vJ..CV +[26E0] AF F7 C1 71 25 72 5C 38 75 1C 07 F1 5E 86 05 72 ...q%r\8 u...^..r +[26F0] 6F 69 95 42 B6 F2 DA A9 91 06 9F B9 54 20 33 A5 oi.B.... ....T 3. +[2700] 31 60 3B 54 DC 3A 95 34 96 26 07 52 6B 0E 1D 3B 1`;T.:.4 .&.Rk..; +[2710] D9 F8 48 20 AC CD 05 3B 99 F8 EE DB 83 28 CD C7 ..H ...; .....(.. +[2720] 2F 45 00 7E 2F 0A 65 7A D1 9E 95 4B EE C3 34 93 /E.~/.ez ...K..4. +[2730] A8 C7 DF 03 8B 14 D0 FC CE 56 90 AC EE 93 C5 D3 ........ .V...... +[2740] F7 12 24 69 0B 20 8D A2 65 87 55 26 2A F9 9A 88 ..$i. .. e.U&*... +[2750] D7 0D 86 61 D6 92 B6 FE E5 D1 66 F9 1F 9D F4 04 ...a.... ..f..... +[2760] 48 A6 39 BC 54 20 EA 10 21 E9 6D 30 46 1D C2 1C H.9.T .. !.m0F... +[2770] A4 E8 B4 63 85 37 27 25 80 52 41 60 C7 A1 32 21 ...c.7'% .RA`..2! +[2780] 43 90 02 E6 5F 5A E9 4E AF F9 B5 13 BD 42 BD A3 C..._Z.N .....B.. +[2790] A5 4D 10 45 83 4D 92 18 1F C9 CF FB 84 29 89 23 .M.E.M.. .....).# +[27A0] AC 71 4B 89 1B 52 E5 06 8C 3E 7C 88 CB D3 B3 CF .qK..R.. .>|..... +[27B0] B9 7A 67 D6 24 F4 AC 00 A6 AD 91 30 9A 95 53 F1 .zg.$... ...0..S. +[27C0] 48 06 A6 39 DB CF DC 9D C9 55 76 26 5E C1 DB 5D H..9.... .Uv&^..] +[27D0] B3 5B 3E AE 1A A0 10 BA 82 21 83 44 02 E0 99 33 .[>..... .!.D...3 +[27E0] 40 BA 29 9E 28 E5 73 4C 23 94 A2 4F BF 07 ED 4F @.).(.sL #..O...O +[27F0] 7C 45 9B 30 C8 41 6B 0A 55 13 6E F5 AD 7A 0C B2 |E.0.Ak. U.n..z.. +[2800] EA FF D0 06 13 4D F3 24 82 7F F6 51 2F 4A 4F 0D .....M.$ ...Q/JO. +[2810] 37 F8 14 6B E9 E4 82 BB 3A 75 63 63 12 E8 78 6F 7..k.... :ucc..xo +[2820] 6F FC 6C D3 4B A6 F1 CC 2A F1 7D EB 82 26 2F D0 o.l.K... *.}..&/. +[2830] A1 8B 3E 9A 71 D7 91 D3 08 E6 FD 62 1B 84 13 2D ..>.q... ...b...- +[2840] 8E A0 A0 C3 85 78 2F 0D F8 E7 10 FC CB 05 A7 B9 .....x/. ........ +[2850] 9A 33 90 B5 9B 26 E3 23 98 B0 91 4B EB 32 37 D6 .3...&.# ...K.27. +[2860] F4 ED 61 08 D8 75 CC 03 83 2C 3C CF 21 63 9C F6 ..a..u.. .,<.!c.. +[2870] AF 5B 4F 12 07 74 17 CD 98 BB E7 5E C7 17 2D C4 .[O..t.. ...^..-. +[2880] 87 A4 74 6D 5E CE DB A3 01 B9 AD 20 73 38 78 22 ..tm^... ... s8x" +[2890] 3D 45 F5 51 77 C6 47 63 45 61 81 D9 FF 31 90 C4 =E.Qw.Gc Ea...1.. +[28A0] 6F 5A F8 FE 6A 56 5B D4 EE EC 49 C7 A7 51 AE 5C oZ..jV[. ..I..Q.\ +[28B0] 85 53 70 3D 1A 49 83 59 CF 65 58 B3 48 7E 04 9E .Sp=.I.Y .eX.H~.. +[28C0] C7 64 8A 05 73 E3 DC 1A 65 5D 4F 41 01 56 73 90 .d..s... e]OA.Vs. +[28D0] 61 F3 84 1F FF CF 46 B2 06 46 56 97 93 B9 DB 32 a.....F. .FV....2 +[28E0] 2A 64 8A 48 02 05 84 E9 FA 76 8B 94 96 89 A0 73 *d.H.... .v.....s +[28F0] 20 75 4D 52 1D 23 13 D1 83 D7 5D 59 23 6A 87 C1 uMR.#.. ..]Y#j.. +[2900] 09 3E 01 3A 28 65 42 8C 35 F1 91 EA 6A 1F 83 0D .>.:(eB. 5...j... +[2910] 8F 57 69 81 D4 A2 D2 EA 0C BF AF 95 A3 F4 90 15 .Wi..... ........ +[2920] 61 34 F2 6C 8B D0 DA B5 1E 43 AC CE C7 8A 1B 2B a4.l.... .C.....+ +[2930] 29 2B 89 1C C5 53 C8 04 F7 1E 46 72 F3 A8 CE F7 )+...S.. ..Fr.... +[2940] 59 76 55 E7 53 1C A2 9F D8 23 F7 EA 71 B0 74 83 YvU.S... .#..q.t. +[2950] 71 95 3E DC A6 FA 2D A4 42 13 93 8B 2B FA A2 70 q.>...-. B...+..p +[2960] 25 21 2D F6 E1 26 56 DF 58 79 25 16 E8 C9 03 EC %!-..&V. Xy%..... +[2970] 72 5F 35 CF 59 6B E1 AD 85 85 7B AB 78 F2 0D AC r_5.Yk.. ..{.x... +[2980] AB 89 F2 DA 85 E7 DE 09 77 99 EC 7C F3 97 1F 71 ........ w..|...q +[2990] 3C DB 09 44 7A 3C 69 E5 03 B0 6D 4D 3B 6B 4C D5 <..Dz....... +[0150] 1A 69 EE 8C 4E A4 D8 55 A5 0B 23 0F D0 89 48 C4 .i..N..U ..#...H. +[0160] 51 FE 32 FD CC F6 71 E1 95 2D CC 1D 0A 0C 8A A2 Q.2...q. .-...... +[0170] 69 58 3B 65 88 53 EC D0 2E E1 C6 CC 6B BC 09 E5 iX;e.S.. ....k... +[0180] B9 15 27 8B E4 B2 24 18 61 42 BB 8B 09 1B 8A 7B ..'...$. aB.....{ +[0190] 13 D8 51 E1 0B 79 12 48 DE A9 54 04 00 6D DD E6 ..Q..y.H ..T..m.. +[01A0] 5E 03 91 FF C7 6D 0B 7C 91 44 E1 0F C0 7E 32 34 ^....m.| .D...~24 +[01B0] 82 86 94 F7 CD 53 EC 52 38 18 AA ED FF FC 5C 01 .....S.R 8.....\. +[01C0] D2 EE 99 45 8E 5B E6 B3 46 B0 F6 3B 22 29 EC 11 ...E.[.. F..;").. +[01D0] 30 6A F6 A1 1F 9E AE 71 E3 A6 E7 3F F3 7D 2B 75 0j.....q ...?.}+u +[01E0] 70 4D 63 47 5C 18 2C 8B B1 1A 69 B6 C5 46 01 17 pMcG\.,. ..i..F.. +[01F0] 8E 64 3D 47 88 20 1C AA D7 60 32 28 11 60 EA 28 .d=G. .. .`2(.`.( +[0200] 66 99 4C B1 2A 28 96 BF 18 2A 3E F4 D6 84 E5 A0 f.L.*(.. .*>..... +[0210] F4 4E E7 F9 54 95 22 96 2A 87 01 CC 3E A7 FF 42 .N..T.". *...>..B +[0220] 6A A4 4A 3A B9 24 10 65 99 53 58 2A 4E 72 E7 1F j.J:.$.e .SX*Nr.. +[0230] 82 BC BD 3C 6C 9D 33 3A CE C6 6E 72 A2 81 B3 84 ........ +[0280] AB F0 D0 93 08 42 E5 37 19 24 4E C1 AF FC 92 A9 .....B.7 .$N..... +[0290] B1 27 B1 9A 2A 62 34 F1 DC C0 6B 83 AE C3 74 E8 .'..*b4. ..k...t. +[02A0] A3 05 DD 82 DD A3 D7 90 A8 E3 9C EB 64 16 23 06 ........ ....d.#. +[02B0] 5D FB E4 35 7C 22 29 78 E3 3B 75 92 91 0C 9D A1 ]..5|")x .;u..... +[02C0] 87 7C 2E 82 AE 49 9D 4A 50 A9 C2 D5 85 B0 16 5D .|...I.J P......] +[02D0] A2 CD B0 DD 29 3F 6F 66 C9 C1 9F 5C F0 B6 FC D2 ....)?of ...\.... +[02E0] 52 BE 7B F0 1F 26 AF 8A FC C3 A6 24 8C C0 10 06 R.{..&.. ...$.... +[02F0] 73 1E 17 9E 6E 6F 32 44 6A DF 82 5D D0 6B 74 CE s...no2D j..].kt. +[0300] 58 0B 4C 7B EB A1 13 44 B1 3E D8 F8 BA F4 4E 55 X.L{...D .>....NU +[0310] 71 3D C1 09 D9 E7 97 9A 14 5C 54 7E 57 81 5F 6B q=...... .\T~W._k +[0320] 30 BE 9A E1 98 29 47 D4 C0 8F 63 0A F8 27 1F CE 0....)G. ..c..'.. +[0330] ED D9 BB 7B 12 24 D0 34 2A 7C F0 F7 77 F4 F1 1D ...{.$.4 *|..w... +[0340] 4C 5D 75 2D 6B 0D 80 35 82 CC D8 7A 6B FA A0 55 L]u-k..5 ...zk..U +[0350] 34 CD 87 15 61 38 78 D4 69 0F AA 72 D6 AC FA 99 4...a8x. i..r.... +[0360] BC 70 39 27 A7 25 2E 1B 6F 36 01 FD E9 B4 9A 79 .p9'.%.. o6.....y +[0370] 6C 19 DD A6 8C 78 B0 40 92 60 58 F0 28 AD 08 78 l....x.@ .`X.(..x +[0380] 4A 29 06 2C 82 2B 1A E3 91 0B 5F EE D6 B8 66 47 J).,.+.. .._...fG +[0390] 31 9B A3 DF 9F 79 D7 BB 0E 2C FA 0E C9 66 84 8D 1....y.. .,...f.. +[03A0] FF BA BB 21 27 9E AD 86 84 55 8D 4C 4C 47 D9 5F ...!'... .U.LLG._ +[03B0] B2 7D 26 CA B7 49 3C 9D 1B 67 71 11 3A 8A EB EA .}&..I<. .gq.:... +[03C0] 0F 15 EB F0 1E 46 F7 A4 34 04 D7 E3 50 67 47 D3 .....F.. 4...PgG. +[03D0] 66 21 17 77 51 A7 1F 1D 84 3B 7C B1 5D 4E B8 D4 f!.wQ... .;|.]N.. +[03E0] F9 C5 75 06 AA 19 45 1C E9 06 9E AD 23 26 6B 10 ..u...E. ....#&k. +[03F0] 53 A0 36 D3 58 9F 5E 8C CB A5 F6 BC C9 30 3C BC S.6.X.^. .....0<. +[0400] AD FF 7C 92 F0 C6 9A 02 ..|..... + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=10683 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 PLE.COM. ...cifs. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 72 3A 0C .....n.. 1mH..r:. +[0080] 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D 44 0B 68 K...M.Oj M.P.}D.h +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 ........ 0...cifs +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 FC 5E 51 ........ .d.1..^Q +[0110] 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 12 74 2D <..4G;.o o.....t- +[0120] 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB F1 15 FD D....-F> ........ +[0130] BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 A2 9D 2D ..... j8 .F.'...- +[0140] 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B 70 E4 51 ...}...| .G..{p.Q +[0150] 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 55 75 44 j.Qhb(J. Q....UuD +[0160] 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 C1 0C 3A ......4. .1..C..: +[0170] B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 AF E1 61 .i. ...e O. ....a +[0180] 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B 74 D5 8F ...c&.]. <.).{t.. +[0190] 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD 22 9A A5 ,.K..$W7 .....".. +[01A0] 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 28 4B 7B ..Jx.6.. ..'..(K{ +[01B0] DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 26 91 78 ..B..... ....H&.x +[01C0] A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 4D 38 C7 ...l$... .....M8. +[01D0] 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 53 C5 16 }IU..F.. {..bcS.. +[01E0] 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 7E 40 65 J...|..E ...Xg~@e +[01F0] 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 56 E8 A1 KH...... 9....V.. +[0200] 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F 18 CE 2F .zz.`..) ...L.../ +[0210] 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 08 FC BF ...[l..E .s..U... +[0220] C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 2D F1 3B ..Q..,.. <....-.; +[0230] A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB 8A 18 BD ....*g.. ..|l.... +[0240] D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 7E 7D C4 .].^h0.X ....&~}. +[0250] E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED 42 79 31 ........ .^^j.By1 +[0260] BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 36 C9 1E .._:?..c .....6.. +[0270] 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 DE 26 85 .}A....& ..P^..&. +[0280] 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 79 8F 77 0q.E;... ..*<.y.w +[0290] 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB 25 7B B1 L.iz.... ...x.%{. +[02A0] 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D C8 AB 04 <."'..u. ..@.m... +[02B0] 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D E6 15 2C .A..%q.S :...M.., +[02C0] B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 F5 E9 B2 .Gl..}.. ....!... +[02D0] 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA 08 0D CE B.h(..7" .0.S.... +[02E0] CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 56 72 C6 ..a...-u .A.L.Vr. +[02F0] B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 A0 BD 68 ...4...\ .......h +[0300] EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 83 84 D4 ..2..Q.? g.{.p... +[0310] CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 05 CF 26 .RU6a.`. [o..b..& +[0320] 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F B0 B8 07 .e.`K.c. ..D./... +[0330] FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F 44 09 20 ...P.V.. .%v..D. +[0340] 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 93 B1 30 ....c.TF ..^....0 +[0350] 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A 1F C1 08 1{..#C;. }9g..... +[0360] AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A 7F 1D 4A .4$.t... 4.aWj..J +[0370] 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 0F DF 44 ...x...T ."..i..D +[0380] 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C 53 E3 85 |.k.AcP. :..{LS.. +[0390] 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC 84 84 D9 s....u.P ........ +[03A0] BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 9B EC 5C ...y.j.. ..~."..\ +[03B0] C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B 80 E6 67 .k...U2^ #......g +[03C0] B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 24 8A B1 .Y..]... .}...$.. +[03D0] 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 21 7C 3D 7.`..5H2 .....!|= +[03E0] 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC 34 C1 2D !.k.1... L+.^.4.- +[03F0] DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 07 06 72 ..l.m.`. U......r +[0400] C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 CB 53 6B ..N..k>. ..uM..Sk +[0410] 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 B7 D8 F5 4./..9.. n'.mA... +[0420] 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 84 5E 82 .......V ......^. +[0430] C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 FA 66 A0 ........ ;.....f. +[0440] DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B 4D 72 9F .2`..F.< ..o..Mr. +[0450] 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 B6 1B 9F ...qn|.. ..M..... +[0460] 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 C2 69 E5 bq.,.... ..y...i. +[0470] 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C 52 17 03 ~.W...N. ...OLR.. +[0480] AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 95 61 2E ...4`.|. .607..a. +[0490] CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D 84 D5 00 .p."p... n=0.M... +[04A0] 00 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B ........ .......K +[04B0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[04C0] 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 LE.COM.. ..admini +[04D0] 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 strator. ........ +[04E0] 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 ...KTEST .SAMBA.E +[04F0] 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 XAMPLE.C OM....ci +[0500] 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 fs....lo calktest +[0510] 36 00 17 00 00 00 10 00 6E A1 B2 31 6D 48 C7 90 6....... n..1mH.. +[0520] 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 50 85 7D r:.K...M .OjM.P.} +[0530] 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 D.h..... @(...... +[0540] 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 ........ a...0... +[0550] A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0560] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0570] A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 ..0..... ...0...c +[0580] 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 ifs..loc alktest6 +[0590] A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 ....0... ........ +[05A0] 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 A8 31 00 ........ ....d.1. +[05B0] FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD 9E A6 91 .^Q<..4G ;.oo.... +[05C0] 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB FB C4 FB .t-D.... -F>..... +[05D0] F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 06 27 D9 ........ j8.F.'. +[05E0] A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 17 BC 7B ..-...}. ..|.G..{ +[05F0] 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 0D CD 02 p.Qj.Qhb (J.Q.... +[0600] 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 85 9E 43 UuD..... .4..1..C +[0610] C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 20 C9 B5 ..:.i. . ..eO. .. +[0620] AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD 29 BB 7B ..a...c& .].<.).{ +[0630] 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 F7 91 FD t..,.K.. $W7..... +[0640] 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A 27 8A C6 "....Jx. 6....'.. +[0650] 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F 9C B8 48 (K{..B.. .......H +[0660] 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 B3 D3 85 &.x...l$ ........ +[0670] 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA 11 62 63 M8.}IU.. F..{..bc +[0680] 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 98 58 67 S..J...| ..E...Xg +[0690] 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 04 C0 A8 ~@eKH... ...9.... +[06A0] 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC 82 4C 8F V...zz.` ..)...L. +[06B0] 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 CB A4 55 ../...[l ..E.s..U +[06C0] 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD F6 F0 A3 .....Q.. ,..<.... +[06D0] 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 7C 6C FB -.;....* g....|l. +[06E0] 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 13 E0 26 ....].^h 0.X....& +[06F0] 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E 5E 6A ED ~}...... ....^^j. +[0700] 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB 06 AE 12 By1.._:? ..c..... +[0710] 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 50 5E D0 6...}A.. ..&..P^. +[0720] DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 2A 3C E0 .&.0q.E; .....*<. +[0730] 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC FF 78 DB y.wL.iz. ......x. +[0740] 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 40 95 6D %{.<."'. .u...@.m +[0750] C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 9C B2 4D ....A..% q.S:...M +[0760] E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B C9 1E 21 ..,.Gl.. }......! +[0770] F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 8D 53 FA ...B.h(. .7".0.S. +[0780] 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 85 4C 88 .....a.. .-u.A.L. +[0790] 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA 80 90 82 Vr....4. ..\..... +[07A0] A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB 7B EB 70 ..h..2.. Q.?g.{.p +[07B0] 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F FE 9A 62 ....RU6a .`.[o..b +[07C0] 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 44 B4 2F ..&.e.`K .c...D./ +[07D0] B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 76 0B 0F ......P. V...%v.. +[07E0] 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB 5E 0B 09 D. ....c .TF..^.. +[07F0] 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 67 FE 9A ..01{..# C;.}9g.. +[0800] 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F 61 57 6A ....4$.t ...4.aWj +[0810] 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 86 D6 69 ..J...x. ..T."..i +[0820] 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 B9 7B 4C ..D|.k.A cP.:..{L +[0830] 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 B0 CF CC S..s.... u.P..... +[0840] 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 7E E9 22 ......y. j....~." +[0850] 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 C0 D4 8B ..\.k... U2^#.... +[0860] 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D E2 FE B1 ..g.Y..] ....}... +[0870] 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 E8 12 E6 $..7.`.. 5H2..... +[0880] 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B 1C 5E EC !|=!.k.1 ...L+.^. +[0890] 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E E6 D0 B5 4.-..l.m .`.U.... +[08A0] 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A 75 4D E8 ..r..N.. k>...uM. +[08B0] CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 00 6D 41 .Sk4./.. 9..n'.mA +[08C0] B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 04 1D 98 ........ ..V..... +[08D0] 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 98 1C D8 .^...... ...;.... +[08E0] FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 6F F2 8B .f..2`.. F.<..o.. +[08F0] 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 4D F1 A1 Mr....qn |....M.. +[0900] B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B 79 90 F1 ...bq.,. .....y.. +[0910] C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 EA 4F 4C .i.~.W.. .N....OL +[0920] 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 30 37 88 R.....4` .|..607. +[0930] 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 30 F7 4D .a..p."p ...n=0.M +[0940] 84 D5 00 00 00 00 00 00 00 01 00 00 00 01 00 00 ........ ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 63 69 66 73 00 00 00 0B 6C 6F 63 61 6C 6B 74 .cifs... .localkt +[09B0] 65 73 74 36 00 17 00 00 00 10 00 6E A1 B2 31 6D est6.... ...n..1m +[09C0] 48 C7 90 72 3A 0C 4B 8B 83 8C 4D 99 4F 6A 4D 99 H..r:.K. ..M.OjM. +[09D0] 50 85 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 P.}D.h.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 63 69 66 73 1B 0B 6C 6F 63 61 6C 6B 74 65 ..cifs.. localkte +[0A30] 73 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 st6....0 ........ +[0A40] A1 03 02 01 02 A2 82 03 9C 04 82 03 98 C6 BB 64 ........ .......d +[0A50] A8 31 00 FC 5E 51 3C 87 F8 34 47 3B D0 6F 6F FD .1..^Q<. .4G;.oo. +[0A60] 9E A6 91 12 74 2D 44 BB AA 91 A0 2D 46 3E 9E FB ....t-D. ...-F>.. +[0A70] FB C4 FB F1 15 FD BB DA EE 06 A9 20 6A 38 DC 46 ........ ... j8.F +[0A80] 06 27 D9 A2 9D 2D 1F FD 0D 7D 8A BB 0A 7C E8 47 .'...-.. .}...|.G +[0A90] 17 BC 7B 70 E4 51 6A BA 51 68 62 28 4A 1E 51 D1 ..{p.Qj. Qhb(J.Q. +[0AA0] 0D CD 02 55 75 44 8A B9 C2 84 F4 17 34 92 9B 31 ...UuD.. ....4..1 +[0AB0] 85 9E 43 C1 0C 3A B2 69 7F 20 1A 18 1F 65 4F C0 ..C..:.i . ...eO. +[0AC0] 20 C9 B5 AF E1 61 8C 90 10 63 26 A6 5D 05 3C CD ....a.. .c&.].<. +[0AD0] 29 BB 7B 74 D5 8F 2C 7F 4B E8 84 24 57 37 8A C6 ).{t..,. K..$W7.. +[0AE0] F7 91 FD 22 9A A5 0D E9 4A 78 93 36 FC A8 8C 8A ...".... Jx.6.... +[0AF0] 27 8A C6 28 4B 7B DA 11 42 BC 09 10 81 82 14 0F '..(K{.. B....... +[0B00] 9C B8 48 26 91 78 A8 DD 97 6C 24 A1 D2 E8 85 19 ..H&.x.. .l$..... +[0B10] B3 D3 85 4D 38 C7 7D 49 55 8E 85 46 E1 EE 7B BA ...M8.}I U..F..{. +[0B20] 11 62 63 53 C5 16 4A 0C 1C 99 7C 0E FB 45 1D B4 .bcS..J. ..|..E.. +[0B30] 98 58 67 7E 40 65 4B 48 E2 89 9C 8B C2 B8 39 D1 .Xg~@eKH ......9. +[0B40] 04 C0 A8 56 E8 A1 04 7A 7A C9 60 18 A0 29 E2 DC ...V...z z.`..).. +[0B50] 82 4C 8F 18 CE 2F 14 F0 18 5B 6C FF 85 45 88 73 .L.../.. .[l..E.s +[0B60] CB A4 55 08 FC BF C7 9F 51 0A DB 2C C1 E3 3C DD ..U..... Q..,..<. +[0B70] F6 F0 A3 2D F1 3B A0 12 1D FC 2A 67 F5 1A 7F E5 ...-.;.. ..*g.... +[0B80] 7C 6C FB 8A 18 BD D1 5D E5 5E 68 30 AA 58 9E 10 |l.....] .^h0.X.. +[0B90] 13 E0 26 7E 7D C4 E1 A5 B6 86 0F 1C 0F 13 A4 5E ..&~}... .......^ +[0BA0] 5E 6A ED 42 79 31 BB B3 5F 3A 3F DD CB 63 82 FB ^j.By1.. _:?..c.. +[0BB0] 06 AE 12 36 C9 1E 06 7D 41 82 2E D2 FA 26 EC 17 ...6...} A....&.. +[0BC0] 50 5E D0 DE 26 85 30 71 BC 45 3B DA 2E 08 8D B2 P^..&.0q .E;..... +[0BD0] 2A 3C E0 79 8F 77 4C 01 69 7A 09 C7 88 E1 D1 DC *<.y.wL. iz...... +[0BE0] FF 78 DB 25 7B B1 3C BB 22 27 80 0D 75 96 18 B6 .x.%{.<. "'..u... +[0BF0] 40 95 6D C8 AB 04 05 41 A1 C4 25 71 C4 53 3A A6 @.m....A ..%q.S:. +[0C00] 9C B2 4D E6 15 2C B2 47 6C DA A8 7D CC A3 89 8B ..M..,.G l..}.... +[0C10] C9 1E 21 F5 E9 B2 42 95 68 28 AF C6 37 22 BA 30 ..!...B. h(..7".0 +[0C20] 8D 53 FA 08 0D CE CA 81 61 0D 84 A5 2D 75 BD 41 .S...... a...-u.A +[0C30] 85 4C 88 56 72 C6 B6 10 F8 34 CD B2 F4 5C 94 FA .L.Vr... .4...\.. +[0C40] 80 90 82 A0 BD 68 EC 08 32 C3 B6 51 1E 3F 67 CB .....h.. 2..Q.?g. +[0C50] 7B EB 70 83 84 D4 CB 52 55 36 61 1E 60 90 5B 6F {.p....R U6a.`.[o +[0C60] FE 9A 62 05 CF 26 8E 65 E2 60 4B ED 63 B4 C4 E6 ..b..&.e .`K.c... +[0C70] 44 B4 2F B0 B8 07 FE BE 0D 50 E4 56 A4 2E 0D 25 D./..... .P.V...% +[0C80] 76 0B 0F 44 09 20 80 E5 C4 94 63 E0 54 46 1D AB v..D. .. ..c.TF.. +[0C90] 5E 0B 09 93 B1 30 31 7B 04 DC 23 43 3B DB 7D 39 ^....01{ ..#C;.}9 +[0CA0] 67 FE 9A 1F C1 08 AF 34 24 F6 74 E4 14 DA 34 8F g......4 $.t...4. +[0CB0] 61 57 6A 7F 1D 4A 88 0A 90 78 93 F1 86 54 DB 22 aWj..J.. .x...T." +[0CC0] 86 D6 69 0F DF 44 7C D3 6B 9D 41 63 50 98 3A 97 ..i..D|. k.AcP.:. +[0CD0] B9 7B 4C 53 E3 85 73 9A C9 08 A0 75 12 50 02 87 .{LS..s. ...u.P.. +[0CE0] B0 CF CC 84 84 D9 BC FC 94 79 AF 6A A6 08 FF 19 ........ .y.j.... +[0CF0] 7E E9 22 9B EC 5C C1 6B 1D A4 B4 55 32 5E 23 C3 ~."..\.k ...U2^#. +[0D00] C0 D4 8B 80 E6 67 B1 59 EB 9D 5D 9B AD C6 0E 7D .....g.Y ..]....} +[0D10] E2 FE B1 24 8A B1 37 1E 60 7F 83 35 48 32 F7 03 ...$..7. `..5H2.. +[0D20] E8 12 E6 21 7C 3D 21 7F 6B 14 31 9C 1A A3 4C 2B ...!|=!. k.1...L+ +[0D30] 1C 5E EC 34 C1 2D DA 19 6C E6 6D 8D 60 D7 55 9E .^.4.-.. l.m.`.U. +[0D40] E6 D0 B5 07 06 72 C0 E9 4E 91 94 6B 3E 0B F1 0A .....r.. N..k>... +[0D50] 75 4D E8 CB 53 6B 34 A4 2F 96 A5 39 1A 18 6E 27 uM..Sk4. /..9..n' +[0D60] 00 6D 41 B7 D8 F5 9A E5 01 FC 0B A8 97 56 EE 98 .mA..... .....V.. +[0D70] 04 1D 98 84 5E 82 C8 E8 EC 17 D5 FA 96 00 3B E1 ....^... ......;. +[0D80] 98 1C D8 FA 66 A0 DC 32 60 F6 03 46 08 3C E5 16 ....f..2 `..F.<.. +[0D90] 6F F2 8B 4D 72 9F 0F E0 A9 71 6E 7C AE AA FB A3 o..Mr... .qn|.... +[0DA0] 4D F1 A1 B6 1B 9F 62 71 E1 2C 82 9B AE E3 07 9B M.....bq .,...... +[0DB0] 79 90 F1 C2 69 E5 7E CB 57 E6 C9 1C 4E A8 C7 12 y...i.~. W...N... +[0DC0] EA 4F 4C 52 17 03 AB D4 FD 34 60 F4 7C BE 9E 36 .OLR.... .4`.|..6 +[0DD0] 30 37 88 95 61 2E CF 70 AF 22 70 DB E8 AA 6E 3D 07..a..p ."p...n= +[0DE0] 30 F7 4D 84 D5 00 00 00 00 00 00 00 01 00 00 00 0.M..... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 1D C8 5E LKTEST6. .......^ +[0E60] 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 4D 99 4F FH..)... .rm..M.O +[0E70] 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 00 40 28 jM...}D. h.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE 07 48 DA f..F..s- ...J..H. +[0F00] 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 2D F5 9C ..X0C@.. ..;..-.. +[0F10] 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED 8B 8B 1B >./..... ...p.... +[0F20] 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 00 32 B1 ^.N..... a...V.2. +[0F30] DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 D4 19 74 ..7)./.. .C.....t +[0F40] 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 63 9B D4 3.iR.X.. ...D.c.. +[0F50] 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D 29 B6 ED Nn.>...M ....m).. +[0F60] 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A E2 29 AF *b=S"3.. ..tL*.). +[0F70] 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 5E C1 68 [i.H-... ..T..^.h +[0F80] 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 3B 10 17 o...y... .vfE.;.. +[0F90] 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A C0 EA 38 .@F..... ....:..8 +[0FA0] 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D 65 F0 D2 ;..K...' .b...e.. +[0FB0] C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 4F A2 4A .^.e.... .1..IO.J +[0FC0] 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 31 C8 40 pw...[7\ .....1.@ +[0FD0] 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1C 53 52 ..h..}.T ORa1,.SR +[0FE0] DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 97 97 3D ....9.}. .."....= +[0FF0] 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 DF B7 C1 ^f....N. +.c 0... +[1000] D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B 09 04 31 .e.o-.$. ..nK..1 +[1010] B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D D9 0C 4C ....72.. s...M..L +[1020] 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 A7 1F 33 [..jQ..? .F.s...3 +[1030] 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F AA C7 E8 .|..Z#.@ |....... +[1040] 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 69 B0 C1 c..:J..b .!...i.. +[1050] 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 48 AB D7 .Q....B[ .08..H.. +[1060] FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 FC C1 DC ....q... TB...... +[1070] F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C 26 67 32 ..0b...} +4.RL&g2 +[1080] D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 D6 EB 98 .D..'... ..f5.... +[1090] 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B 20 D6 33 Fo.G..1. G.e.. .3 +[10A0] 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 3E 4B 32 6;.@/Z.. ....3>K2 +[10B0] 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 6A 3E D2 ..".._.. ...[Yj>. +[10C0] FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 44 C0 1F ..O....o +.7.7D.. +[10D0] 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE 72 5B 3A ..CF.^.. .9pa.r[: +[10E0] 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 81 A0 0D .7.x.... ...G.... +[10F0] 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 5A 4D E2 b..46... ...>wZM. +[1100] 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 59 F7 A3 _ p==[4. ..1..Y.. +[1110] F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 31 D4 F3 .f...... .3.."1.. +[1120] 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 9E 91 B8 g.h ..rz od.h.... +[1130] E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 58 14 60 ..ml8t.. ..%..X.` +[1140] 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A 86 21 D3 ...L..g> 5gq.*.!. +[1150] 60 61 98 16 94 67 0B 52 76 63 93 BD A3 3B A9 F0 `a...g.R vc...;.. +[1160] A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D 94 71 59 .j...5d. j. .=.qY +[1170] 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B 7A A8 E6 ^....M.. K.d.;z.. +[1180] D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 C9 2F 77 ..vq&.\. .U..../w +[1190] DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B 44 11 6B ...H.... 1....D.k +[11A0] 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D F4 CC EA |.z].n.. ...4.... +[11B0] 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 C6 16 57 7$K..... )...9..W +[11C0] D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 56 9C EC ..W.l~.. .....V.. +[11D0] 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F 16 25 31 .>!..|.< ....o.%1 +[11E0] C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 DB 85 CC .(...G1P ........ +[11F0] 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 10 8C 82 kK,...-. m....... +[1200] 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 0A 4F E3 /.....w@ PB.B..O. +[1210] 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 5B C3 1A ll...... }..x K....%J. +[1240] 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 75 28 2F .l...Y.. .....u(/ +[1250] F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 C4 A0 8D .*p(.E.u .Nb..... +[1260] 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 09 EB 05 U....... $...@... +[1270] 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 95 01 50 ...1P2/. ...K...P +[1280] 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 00 00 01 n.#I.r!. ........ +[1290] 00 00 00 01 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[12A0] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[12B0] 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 ...admin istrator +[12C0] 00 00 00 01 00 00 00 02 00 00 00 17 4B 54 45 53 ........ ....KTES +[12D0] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[12E0] 43 4F 4D 00 00 00 04 63 69 66 73 00 00 00 0B 4C COM....c ifs....L +[12F0] 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 00 00 10 OCALKTES T6...... +[1300] 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 6D 8D E9 ..^FH..) ....rm.. +[1310] 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 00 00 00 M.OjM... }D.h.... +[1320] 00 40 28 00 00 00 00 00 00 00 00 00 00 00 00 03 .@(..... ........ +[1330] FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 .a...0.. ........ +[1340] 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1350] 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 AMPLE.CO M..0.... +[1360] 01 01 A1 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F ....0... cifs..LO +[1370] 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 CALKTEST 6....0.. +[1380] AA A0 03 02 01 17 A1 03 02 01 02 A2 82 03 9C 04 ........ ........ +[1390] 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 FD 4A EE ...f..F. .s-...J. +[13A0] 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F 3B 17 C1 .H...X0C @....;.. +[13B0] 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC D7 70 ED -..>./.. ......p. +[13C0] 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 D7 0A 56 ...^.N.. ...a...V +[13D0] 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 BA A5 B8 .2...7). /...C... +[13E0] D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 0B 44 A9 ..t3.iR. X.....D. +[13F0] 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 F5 07 6D c..Nn.>. ..M....m +[1400] 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF 74 4C 2A )..*b=S" 3....tL* +[1410] E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D 54 D8 E2 .).[i.H- .....T.. +[1420] 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 66 45 E2 ^.ho...y ....vfE. +[1430] 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF 19 8C 3A ;...@F.. .......: +[1440] C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 95 BC 0D ..8;..K. ..'.b... +[1450] 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 0F 06 49 e...^.e. ....1..I +[1460] 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 DF C5 E2 O.Jpw... [7\..... +[1470] 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 61 31 2C 1.@..h.. }.TORa1, +[1480] 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 22 95 92 .SR....9 .}...".. +[1490] 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F 63 20 30 ..=^f... .N.+.c 0 +[14A0] DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D 88 6E 4B ....e.o- .$. ..nK +[14B0] 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 F6 B8 4D ..1....7 2..s...M +[14C0] D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 E7 73 16 ..L[..jQ ..?.F.s. +[14D0] A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F DF EE 0F ..3.|..Z #.@|.... +[14E0] AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 B2 AE A5 ...c..:J ..b.!... +[14F0] 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 38 18 A9 i...Q... .B[.08.. +[1500] 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 DA D6 A4 H......q ...TB... +[1510] FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 1E 52 4C .....0b. ..}+4.RL +[1520] 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 66 35 81 &g2.D..' .....f5. +[1530] D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 65 AA 0B ...Fo.G. .1.G.e.. +[1540] 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE 00 EB 33 .36;.@/ Z......3 +[1550] 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 CC 5B 59 >K2..".. _.....[Y +[1560] 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 37 CD 37 j>...O.. ..o+.7.7 +[1570] 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 70 61 BE D....CF. ^...9pa. +[1580] 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA FC 47 09 r[:.7.x. ......G. +[1590] 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 F4 3E 77 ...b..46 ......>w +[15A0] 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 31 F7 D9 ZM._ p== [4...1.. +[15B0] 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 A0 87 22 Y...f... ....3.." +[15C0] 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 FD 68 82 1..g.h . .rzod.h. +[15D0] 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 25 D7 92 .....ml8 t....%.. +[15E0] 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 71 1E 2A X.`...L. .g>5gq.* +[15F0] 86 21 D3 60 61 98 16 94 67 0B 52 76 63 93 BD A3 .!.`a... g.Rvc... +[1600] 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA 20 A6 3D ;...j... 5d.j. .= +[1610] 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 64 C8 3B .qY^.... M..K.d.; +[1620] 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 17 F2 16 z....vq& .\..U... +[1630] C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C 0A CC 1B ./w...H. ...1.... +[1640] 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 C7 34 1D D.k|.z]. n.....4. +[1650] F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 D8 93 39 ...7$K.. ...)...9 +[1660] C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB A3 8B 07 ..W..W.l ~....... +[1670] 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 A7 1C 6F V...>!.. |.<....o +[1680] 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ED 0A 93 .%1.(... G1P..... +[1690] DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D 0A 87 F2 ...kK,.. .-.m.... +[16A0] 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 1E 42 C4 .../.... .w@PB.B. +[16B0] 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF 3C 73 22 .O.ll... ...}..xK.... +[16E0] 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 CC 98 F6 %J..l... Y....... +[16F0] 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E 62 ED D8 u(/.*p(. E.u.Nb.. +[1700] C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE BC CE 40 ...U.... ...$...@ +[1710] 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 17 4B A7 ......1P 2/....K. +[1720] 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 00 00 00 ..Pn.#I. r!...... +[1730] 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 54 ........ ...KTEST +[1740] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[1750] 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 61 OM....ad ministra +[1760] 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 4B tor..... .......K +[1770] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[1780] 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 73 00 00 LE.COM.. ..cifs.. +[1790] 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 00 17 00 ..LOCALK TEST6... +[17A0] 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 A6 F1 72 .....^FH ..)....r +[17B0] 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 0B 68 00 m..M.OjM ...}D.h. +[17C0] 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 00 ....@(.. ........ +[17D0] 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 01 ....a... 0....... +[17E0] 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[17F0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 1C .EXAMPLE .COM..0. +[1800] A0 03 02 01 01 A1 15 30 13 1B 04 63 69 66 73 1B .......0 ...cifs. +[1810] 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 82 03 AE .LOCALKT EST6.... +[1820] 30 82 03 AA A0 03 02 01 17 A1 03 02 01 02 A2 82 0....... ........ +[1830] 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 2D CF 88 ......f. .F..s-.. +[1840] FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 9C 00 0F .J..H... X0C@.... +[1850] 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B D7 2E EC ;..-..>. /....... +[1860] D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 8D 61 E5 .p....^. N.....a. +[1870] D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 EE A8 43 ..V.2... 7)./...C +[1880] BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 83 D6 16 .....t3. iR.X.... +[1890] 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 4D C4 96 .D.c..Nn .>...M.. +[18A0] F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 95 E9 DF ..m)..*b =S"3.... +[18B0] 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 FD A5 1D tL*.).[i .H-..... +[18C0] 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 97 0B 76 T..^.ho. ..y....v +[18D0] 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 BB CF CF fE.;...@ F....... +[18E0] 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 27 8C 62 ..:..8;. .K...'.b +[18F0] 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B CB 17 31 ...e...^ .e.....1 +[1900] 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 5C EC 06 ..IO.Jpw ...[7\.. +[1910] DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE 54 4F 52 ...1.@.. h..}.TOR +[1920] 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D C6 CE C8 a1,.SR.. ..9.}... +[1930] 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E 2E 2B 9F "....=^f ....N.+. +[1940] 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 07 20 8D c 0....e .o-.$. . +[1950] 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E 0C 73 C6 .nK..1.. ..72..s. +[1960] F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA 3F FF 46 ..M..L[. .jQ..?.F +[1970] E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 40 7C 0F .s...3.| ..Z#.@|. +[1980] DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 62 01 21 ......c. .:J..b.! +[1990] B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 5B C5 30 ...i...Q ....B[.0 +[19A0] 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA 18 54 42 8..H.... ..q...TB +[19B0] DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 7D 2B 34 ........ 0b...}+4 +[19C0] 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA D0 FC 84 .RL&g2.D ..'..... +[19D0] 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 BE 47 80 f5....Fo .G..1.G. +[19E0] 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E 0E 01 BE e.. .36; .@/Z.... +[19F0] 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 D5 92 94 ..3>K2.. ".._.... +[1A00] CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B 6F 2B 14 .[Yj>... O....o+. +[1A10] 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 FE D3 39 7.7D.... CF.^...9 +[1A20] 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 E7 E9 DA pa.r[:.7 .x...... +[1A30] FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB E6 98 D8 .G....b. .46..... +[1A40] F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 D9 FD A8 .>wZM._ p==[4... +[1A50] 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD D5 85 33 1..Y...f .......3 +[1A60] A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 7A 6F 64 .."1..g. h ..rzod +[1A70] FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 96 A2 F6 .h...... ml8t.... +[1A80] 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 3E 35 67 %..X.`.. .L..g>5g +[1A90] 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B 52 76 63 q.*.!.`a ...g.Rvc +[1AA0] 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 DA 6A EA ...;...j ...5d.j. +[1AB0] 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE 1B 4B D8 .=.qY^. ...M..K. +[1AC0] 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C DA 1A 55 d.;z.... vq&.\..U +[1AD0] 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 C3 31 9C ..../w.. .H....1. +[1AE0] 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 DA EF C5 ...D.k|. z].n.... +[1AF0] C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 F2 29 A0 .4....7$ K.....). +[1B00] D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 90 E0 EB ..9..W.. W.l~.... +[1B10] A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 3C F9 D2 ...V...> !..|.<.. +[1B20] A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 50 DD E1 ..o.%1.( ...G1P.. +[1B30] ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D A9 6D 1D ......kK ,...-.m. +[1B40] 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 40 50 42 ....../. ....w@PB +[1B50] 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB F0 7D CF .B..O.ll ......}. +[1B60] 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 68 A3 C5 .xK. +[1B80] 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 CF 2E A0 ...%J..l ...Y.... +[1B90] CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F 75 C2 4E ...u(/.* p(.E.u.N +[1BA0] 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 EF 24 EE b.....U. ......$. +[1BB0] BC CE 40 09 EB 05 0B D1 14 31 50 32 2F B6 A8 97 ..@..... .1P2/... +[1BC0] 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 91 00 00 .K...Pn. #I.r!... +[1BD0] 00 00 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 ........ ......KT +[1BE0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[1BF0] 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 E.COM... .adminis +[1C00] 74 72 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 trator.. ........ +[1C10] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[1C20] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 63 69 66 AMPLE.CO M....cif +[1C30] 73 00 00 00 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 s....LOC ALKTEST6 +[1C40] 00 17 00 00 00 10 1D C8 5E 46 48 82 F9 29 DB C6 ........ ^FH..).. +[1C50] A6 F1 72 6D 8D E9 4D 99 4F 6A 4D 99 85 09 7D 44 ..rm..M. OjM...}D +[1C60] 0B 68 00 00 00 00 00 40 28 00 00 00 00 00 00 00 .h.....@ (....... +[1C70] 00 00 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 .......a ...0.... +[1C80] 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[1C90] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 MBA.EXAM PLE.COM. +[1CA0] 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B 04 63 69 .0...... ..0...ci +[1CB0] 66 73 1B 0B 4C 4F 43 41 4C 4B 54 45 53 54 36 A3 fs..LOCA LKTEST6. +[1CC0] 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 ...0.... ........ +[1CD0] 02 A2 82 03 9C 04 82 03 98 66 D8 19 46 FA CB 73 ........ .f..F..s +[1CE0] 2D CF 88 FD 4A EE 07 48 DA 0E BC 58 30 43 40 A4 -...J..H ...X0C@. +[1CF0] 9C 00 0F 3B 17 C1 2D F5 9C 3E D9 2F 1D CA 01 9B ...;..-. .>./.... +[1D00] D7 2E EC D7 70 ED 8B 8B 1B 5E F2 4E EE DD 0F C0 ....p... .^.N.... +[1D10] 8D 61 E5 D7 0A 56 00 32 B1 DB 91 37 29 0F 2F 85 .a...V.2 ...7)./. +[1D20] EE A8 43 BA A5 B8 D4 19 74 33 F0 69 52 E1 58 98 ..C..... t3.iR.X. +[1D30] 83 D6 16 0B 44 A9 63 9B D4 4E 6E A7 3E CD 9A 96 ....D.c. .Nn.>... +[1D40] 4D C4 96 F5 07 6D 29 B6 ED 2A 62 3D 53 22 33 D1 M....m). .*b=S"3. +[1D50] 95 E9 DF 74 4C 2A E2 29 AF 5B 69 B0 48 2D AD 94 ...tL*.) .[i.H-.. +[1D60] FD A5 1D 54 D8 E2 5E C1 68 6F BA 02 01 79 C3 C9 ...T..^. ho...y.. +[1D70] 97 0B 76 66 45 E2 3B 10 17 95 40 46 E4 85 B9 87 ..vfE.;. ..@F.... +[1D80] BB CF CF 19 8C 3A C0 EA 38 3B B9 E9 4B 05 89 E5 .....:.. 8;..K... +[1D90] 27 8C 62 95 BC 0D 65 F0 D2 C0 5E BC 65 01 D5 0B '.b...e. ..^.e... +[1DA0] CB 17 31 0F 06 49 4F A2 4A 70 77 DB BD 92 5B 37 ..1..IO. Jpw...[7 +[1DB0] 5C EC 06 DF C5 E2 31 C8 40 09 11 68 14 E7 7D CE \.....1. @..h..}. +[1DC0] 54 4F 52 61 31 2C 1C 53 52 DB BE D8 95 39 EE 7D TORa1,.S R....9.} +[1DD0] C6 CE C8 22 95 92 97 97 3D 5E 66 0F AD DC C2 4E ...".... =^f....N +[1DE0] 2E 2B 9F 63 20 30 DF B7 C1 D4 65 AA 6F 2D 10 24 .+.c 0.. ..e.o-.$ +[1DF0] 07 20 8D 88 6E 4B 09 04 31 B6 A3 EB F7 37 32 0E . ..nK.. 1....72. +[1E00] 0C 73 C6 F6 B8 4D D9 0C 4C 5B EC 10 6A 51 19 EA .s...M.. L[..jQ.. +[1E10] 3F FF 46 E7 73 16 A7 1F 33 98 7C 9B AD 5A 23 A9 ?.F.s... 3.|..Z#. +[1E20] 40 7C 0F DF EE 0F AA C7 E8 63 07 98 3A 4A 0D 18 @|...... .c..:J.. +[1E30] 62 01 21 B2 AE A5 69 B0 C1 15 51 BA 97 D2 C5 42 b.!...i. ..Q....B +[1E40] 5B C5 30 38 18 A9 48 AB D7 FC A1 BC 9F 71 E7 EA [.08..H. .....q.. +[1E50] 18 54 42 DA D6 A4 FC C1 DC F3 12 30 62 AC 98 E1 .TB..... ...0b... +[1E60] 7D 2B 34 1E 52 4C 26 67 32 D9 44 1A 08 27 0E DA }+4.RL&g 2.D..'.. +[1E70] D0 FC 84 66 35 81 D6 EB 98 46 6F 1E 47 E0 14 31 ...f5... .Fo.G..1 +[1E80] BE 47 80 65 AA 0B 20 D6 33 36 3B 0D 40 2F 5A 2E .G.e.. . 36;.@/Z. +[1E90] 0E 01 BE 00 EB 33 3E 4B 32 91 F4 22 96 E5 5F D4 .....3>K 2..".._. +[1EA0] D5 92 94 CC 5B 59 6A 3E D2 FB A0 4F 99 C4 07 8B ....[Yj> ...O.... +[1EB0] 6F 2B 14 37 CD 37 44 C0 1F 80 9C 43 46 F2 5E F4 o+.7.7D. ...CF.^. +[1EC0] FE D3 39 70 61 BE 72 5B 3A 8F 37 95 78 1E AB D9 ..9pa.r[ :.7.x... +[1ED0] E7 E9 DA FC 47 09 81 A0 0D 62 E1 F9 34 36 D1 DB ....G... .b..46.. +[1EE0] E6 98 D8 F4 3E 77 5A 4D E2 5F 20 70 3D 3D 5B 34 ....>wZM ._ p==[4 +[1EF0] D9 FD A8 31 F7 D9 59 F7 A3 F0 66 F7 D9 AD 1C CD ...1..Y. ..f..... +[1F00] D5 85 33 A0 87 22 31 D4 F3 67 80 68 20 A2 90 72 ..3.."1. .g.h ..r +[1F10] 7A 6F 64 FD 68 82 9E 91 B8 E3 F7 6D 6C 38 74 F0 zod.h... ...ml8t. +[1F20] 96 A2 F6 25 D7 92 58 14 60 9F AE 01 4C 0C 09 67 ...%..X. `...L..g +[1F30] 3E 35 67 71 1E 2A 86 21 D3 60 61 98 16 94 67 0B >5gq.*.! .`a...g. +[1F40] 52 76 63 93 BD A3 3B A9 F0 A2 6A B7 E6 0F 35 64 Rvc...;. ..j...5d +[1F50] DA 6A EA 20 A6 3D 94 71 59 5E CB B2 D3 F9 4D FE .j. .=.q Y^....M. +[1F60] 1B 4B D8 64 C8 3B 7A A8 E6 D2 D5 76 71 26 D4 5C .K.d.;z. ...vq&.\ +[1F70] DA 1A 55 17 F2 16 C9 2F 77 DB 95 19 48 A5 AC D0 ..U..../ w...H... +[1F80] C3 31 9C 0A CC 1B 44 11 6B 7C 88 7A 5D CF 6E 12 .1....D. k|.z].n. +[1F90] DA EF C5 C7 34 1D F4 CC EA 37 24 4B B3 0F C1 A3 ....4... .7$K.... +[1FA0] F2 29 A0 D8 93 39 C6 16 57 D5 BF 57 BF 6C 7E F7 .)...9.. W..W.l~. +[1FB0] 90 E0 EB A3 8B 07 56 9C EC 15 3E 21 DA A5 7C 00 ......V. ..>!..|. +[1FC0] 3C F9 D2 A7 1C 6F 16 25 31 C5 28 A7 EA F3 47 31 <....o.% 1.(...G1 +[1FD0] 50 DD E1 ED 0A 93 DB 85 CC 6B 4B 2C 7F E8 F8 2D P....... .kK,...- +[1FE0] A9 6D 1D 0A 87 F2 10 8C 82 2F 9B D4 9B 92 8C 77 .m...... ./.....w +[1FF0] 40 50 42 1E 42 C4 0A 4F E3 6C 6C DC 81 C4 1E BB @PB.B..O .ll..... +[2000] F0 7D CF 3C 73 22 5B C3 1A 97 35 EE 3A CD 6D F3 .}.. +[2020] 78 4B BF 18 9F A5 25 4A 92 1E 6C 8F 01 D6 59 D7 xK....%J ..l...Y. +[2030] CF 2E A0 CC 98 F6 75 28 2F F7 2A 70 28 A9 45 1F ......u( /.*p(.E. +[2040] 75 C2 4E 62 ED D8 C4 A0 8D 55 B2 84 1C A4 CE 87 u.Nb.... .U...... +[2050] EF 24 EE BC CE 40 09 EB 05 0B D1 14 31 50 32 2F .$...@.. ....1P2/ +[2060] B6 A8 97 17 4B A7 95 01 50 6E 0E 23 49 9C 72 21 ....K... Pn.#I.r! +[2070] 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 ........ ........ +[2080] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[2090] 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D 69 MPLE.COM ....admi +[20A0] 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 00 nistrato r....... +[20B0] 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[20C0] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 04 .EXAMPLE .COM.... +[20D0] 68 6F 73 74 00 00 00 0B 6C 6F 63 61 6C 6B 74 65 host.... localkte +[20E0] 73 74 36 00 17 00 00 00 10 72 47 04 38 B6 E6 F0 st6..... .rG.8... +[20F0] 44 9E 9F 27 66 E1 69 9C 9A 4D 99 4F 6A 4D 99 90 D..'f.i. .M.OjM.. +[2100] F5 7D 44 0B 68 00 00 00 00 00 40 28 00 00 00 00 .}D.h... ..@(.... +[2110] 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 82 ........ ..a...0. +[2120] 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 54 ........ ...KTEST +[2130] 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 .SAMBA.E XAMPLE.C +[2140] 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 1B OM..0... .....0.. +[2150] 04 68 6F 73 74 1B 0B 6C 6F 63 61 6C 6B 74 65 73 .host..l ocalktes +[2160] 74 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 A1 t6....0. ........ +[2170] 03 02 01 02 A2 82 03 9C 04 82 03 98 58 95 95 EB ........ ....X... +[2180] CB 8F 68 D4 77 43 0F 3B 44 B4 15 DA 40 6D FD E9 ..h.wC.; D...@m.. +[2190] 85 D3 2F CD B5 1E 96 CD F6 E9 67 91 36 08 9E B4 ../..... ..g.6... +[21A0] B3 47 70 7A B3 4E 82 5A 4F 8E 4B F5 8D 04 E4 5C .Gpz.N.Z O.K....\ +[21B0] C4 D8 0C AF 08 25 F9 C1 64 B2 3A 35 26 E9 B2 72 .....%.. d.:5&..r +[21C0] 66 B5 E9 81 FC BE 12 1B CC 8A A5 82 31 F6 7F C3 f....... ....1... +[21D0] 5A 19 A3 31 F2 99 14 1E 64 E4 41 E8 C7 C3 F3 DF Z..1.... d.A..... +[21E0] F5 65 7D B0 9F DC 5D 25 1D 1A A8 EA AA 88 6D F4 .e}...]% ......m. +[21F0] 7C 25 9F 53 F6 A6 8F B1 24 AF 98 FE 53 7B 35 3C |%.S.... $...S{5< +[2200] DB EC 7F 09 74 E9 C4 8D 20 B4 47 08 0E 32 B8 C9 ....t... .G..2.. +[2210] 45 27 12 F9 8E F5 D6 C2 DD 1A 96 0E 68 5F 39 65 E'...... ....h_9e +[2220] 72 C7 BD 8E 04 0E 13 E1 03 27 AC 50 80 76 E6 7A r....... .'.P.v.z +[2230] 8E F4 C2 72 4F 68 B3 34 00 A9 54 41 DA FD 96 94 ...rOh.4 ..TA.... +[2240] 29 A1 59 15 2F DB 6C 94 85 49 C5 D0 6D 48 B0 C4 ).Y./.l. .I..mH.. +[2250] 65 D0 95 1D DB 3D 25 D0 75 50 D4 CF FA 2F 71 57 e....=%. uP.../qW +[2260] BD 6C 1C 59 E1 C3 5B C7 24 95 FF B0 20 EF 6A DB .l.Y..[. $... .j. +[2270] 79 87 67 91 94 E9 16 E2 BB 74 7A 08 E1 6A 36 5F y.g..... .tz..j6_ +[2280] DF 11 AB 35 9B 3E 32 48 83 89 41 4E 06 BF F9 BB ...5.>2H ..AN.... +[2290] EC E4 D7 6D 77 C4 55 22 DF F7 91 4D CB C5 01 A5 ...mw.U" ...M.... +[22A0] BA 2D 1E 92 76 04 E8 02 2F 5E AF 1C B3 B7 A6 FB .-..v... /^...... +[22B0] 3A 9F D9 7C 6D DA B4 8F 31 00 A5 30 F2 76 72 9B :..|m... 1..0.vr. +[22C0] 62 97 E0 56 E5 E4 C7 6B 8B FC 84 75 57 66 6E D7 b..V...k ...uWfn. +[22D0] B7 41 6F 61 F4 5B 0F 87 68 F6 54 02 26 1B 1F B7 .Aoa.[.. h.T.&... +[22E0] 60 D6 E7 FA 4F C7 DB 35 58 EC 13 21 D4 C6 A1 27 `...O..5 X..!...' +[22F0] BA E7 82 DF 29 FB 9D 5D E8 35 28 C9 9C 4E D7 BE ....)..] .5(..N.. +[2300] 2F 6D F1 E8 0B 5A 74 C9 93 9F AD 42 24 4B B7 3B /m...Zt. ...B$K.; +[2310] 38 2A 11 CF F0 BD 85 40 48 D8 9D E7 6B 65 70 42 8*.....@ H...kepB +[2320] 60 DA 9B 65 CB C8 C5 D7 40 3A 12 DC 64 AF 82 54 `..e.... @:..d..T +[2330] 34 05 38 4F C6 FB 38 E2 73 A9 89 B7 FC 33 15 85 4.8O..8. s....3.. +[2340] 9E CA E9 E0 89 18 18 84 02 65 B4 74 5B D4 A1 6F ........ .e.t[..o +[2350] 5F 79 20 CB D7 36 C8 6D 5B 1E 5E 0C 82 16 9F CC _y ..6.m [.^..... +[2360] 5A 1E 57 C1 B6 94 51 87 A1 3D 12 D4 8B FE 0F 93 Z.W...Q. .=...... +[2370] ED 53 A3 F4 88 3C 35 05 89 FE AF 0B 36 62 E3 2F .S...<5. ....6b./ +[2380] 5C 4A 0E 07 67 39 A3 8E C0 45 07 7F 73 32 BC DE \J..g9.. .E..s2.. +[2390] 2D 00 8B 47 79 3D 1C A1 90 AE B6 8F 83 B2 1B 31 -..Gy=.. .......1 +[23A0] EE E4 F2 C5 C1 4A E2 4A 2F 28 F0 AA 19 43 6A 14 .....J.J /(...Cj. +[23B0] B1 42 61 90 34 2E EE 3D 16 9F 5D 9F 7A A2 01 7A .Ba.4..= ..].z..z +[23C0] 4B 96 FA 4D C9 85 1A 75 27 B7 6B FD 4D 7D 9C 65 K..M...u '.k.M}.e +[23D0] 97 DB 05 CC 76 68 EA 05 5D 5D BB BD 51 4B 5B F2 ....vh.. ]]..QK[. +[23E0] 48 59 BD 1E AD 56 D4 69 A5 75 CD ED EC B1 3E AB HY...V.i .u....>. +[23F0] FA B7 F8 8D 4F BE 95 63 38 1C 4C 70 26 C4 3A 21 ....O..c 8.Lp&.:! +[2400] 80 61 05 3A D4 E2 28 2C 85 01 5A DA FC 10 60 F3 .a.:..(, ..Z...`. +[2410] 74 0C FD DB 2F 5B 25 4B 14 E4 7D 8A DB 85 12 D2 t.../[%K ..}..... +[2420] D7 69 CD B5 B1 93 CE E5 E6 4D 57 D3 C2 D3 2E A0 .i...... .MW..... +[2430] 08 37 09 CD 19 99 09 FA 33 68 4A E0 92 46 21 0C .7...... 3hJ..F!. +[2440] 99 9F DA 05 15 20 8B 3D 7C 7B CA D6 81 AC AA 83 ..... .= |{...... +[2450] 48 C8 24 4C C8 FC A5 14 2C BC 49 1A 1C 49 61 1D H.$L.... ,.I..Ia. +[2460] 24 86 42 B1 37 6A C8 3A AC 18 CC C0 50 84 12 48 $.B.7j.: ....P..H +[2470] 8B 29 0A 49 26 A4 E2 B9 E5 96 E7 37 C3 DE 4C 23 .).I&... ...7..L# +[2480] D2 D4 62 14 8F 1E 72 39 CF 03 BC A3 00 C7 63 51 ..b...r9 ......cQ +[2490] A9 6B E4 3E B2 65 A1 A2 BB EC 06 41 85 50 22 02 .k.>.e.. ...A.P". +[24A0] 46 2F 72 2B 32 1A A4 2D 85 94 02 47 69 8D AD 6D F/r+2..- ...Gi..m +[24B0] 66 AB D4 E4 29 C8 C7 DA F4 18 31 2A DF 50 6A 05 f...)... ..1*.Pj. +[24C0] D6 47 26 C4 F9 87 0F 35 24 6E 72 D6 23 7D 3A 94 .G&....5 $nr.#}:. +[24D0] 14 8D E8 57 AA BA D7 CF A9 2D E7 4C 10 7C D8 0D ...W.... .-.L.|.. +[24E0] 51 30 1F E1 FB E5 E2 6C EE AA 65 2F D8 22 05 67 Q0.....l ..e/.".g +[24F0] 87 4D 4D D2 11 3D B4 1E AA 20 3F 76 E3 94 93 6D .MM..=.. . ?v...m +[2500] AC 10 05 AF 09 BD 67 86 C5 83 93 D6 1C D3 81 D9 ......g. ........ +[2510] B1 3B E1 76 00 00 00 00 00 00 00 01 00 00 00 01 .;.v.... ........ +[2520] 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E ....KTES T.SAMBA. +[2530] 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 EXAMPLE. COM....a +[2540] 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 dministr ator.... +[2550] 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 ........ KTEST.SA +[2560] 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 MBA.EXAM PLE.COM. +[2570] 00 00 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C ...host. ...LOCAL +[2580] 4B 54 45 53 54 36 00 17 00 00 00 10 55 6E 3E FC KTEST6.. ....Un>. +[2590] E2 F4 40 51 19 E6 6E EB 23 4C 48 8E 4D 99 4F 6A ..@Q..n. #LH.M.Oj +[25A0] 4D 99 90 FC 7D 44 0B 68 00 00 00 00 00 40 28 00 M...}D.h .....@(. +[25B0] 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 ........ .....a.. +[25C0] F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 .0...... ......KT +[25D0] 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C EST.SAMB A.EXAMPL +[25E0] 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 E.COM..0 ........ +[25F0] 30 13 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 0...host ..LOCALK +[2600] 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 TEST6... .0...... +[2610] 01 17 A1 03 02 01 02 A2 82 03 9C 04 82 03 98 6E ........ .......n +[2620] 87 B7 7B 3A 7E EF 4A 1B 29 C9 E3 C4 1F 42 4F 0E ..{:~.J. )....BO. +[2630] C8 AC AC 4E A2 77 1D DA 93 37 F1 AF DA A3 75 2D ...N.w.. .7....u- +[2640] 12 8B 40 34 23 0E 8E A9 90 58 46 42 42 39 31 D6 ..@4#... .XFBB91. +[2650] 03 9E 5D 81 D9 E8 F6 08 2B D9 96 88 8A 2F F1 CC ..]..... +..../.. +[2660] F2 EA 9E 9A 4B 31 B6 04 2D 3D 4C 7F 92 DE 3B 04 ....K1.. -=L...;. +[2670] 19 EE 28 D0 83 81 C3 46 CD 74 23 4C 14 34 DE 62 ..(....F .t#L.4.b +[2680] 0A AC E5 12 16 75 E9 A8 4B 32 78 CC 8D AE A2 E5 .....u.. K2x..... +[2690] 6D E8 09 70 76 52 F5 E5 18 F7 E7 91 15 6A 69 AB m..pvR.. .....ji. +[26A0] B8 62 DD 80 F5 28 6D DF ED 10 DA AC FB 92 27 CF .b...(m. ......'. +[26B0] 98 B5 77 9D A5 96 E6 9A CC B9 C3 91 78 22 35 9C ..w..... ....x"5. +[26C0] A1 13 A3 20 28 D1 16 E5 3E 4A 85 1E 12 0B CA 4D ... (... >J.....M +[26D0] C6 C8 03 C8 28 2C D8 29 5D 9A 76 4A 92 13 43 56 ....(,.) ].vJ..CV +[26E0] AF F7 C1 71 25 72 5C 38 75 1C 07 F1 5E 86 05 72 ...q%r\8 u...^..r +[26F0] 6F 69 95 42 B6 F2 DA A9 91 06 9F B9 54 20 33 A5 oi.B.... ....T 3. +[2700] 31 60 3B 54 DC 3A 95 34 96 26 07 52 6B 0E 1D 3B 1`;T.:.4 .&.Rk..; +[2710] D9 F8 48 20 AC CD 05 3B 99 F8 EE DB 83 28 CD C7 ..H ...; .....(.. +[2720] 2F 45 00 7E 2F 0A 65 7A D1 9E 95 4B EE C3 34 93 /E.~/.ez ...K..4. +[2730] A8 C7 DF 03 8B 14 D0 FC CE 56 90 AC EE 93 C5 D3 ........ .V...... +[2740] F7 12 24 69 0B 20 8D A2 65 87 55 26 2A F9 9A 88 ..$i. .. e.U&*... +[2750] D7 0D 86 61 D6 92 B6 FE E5 D1 66 F9 1F 9D F4 04 ...a.... ..f..... +[2760] 48 A6 39 BC 54 20 EA 10 21 E9 6D 30 46 1D C2 1C H.9.T .. !.m0F... +[2770] A4 E8 B4 63 85 37 27 25 80 52 41 60 C7 A1 32 21 ...c.7'% .RA`..2! +[2780] 43 90 02 E6 5F 5A E9 4E AF F9 B5 13 BD 42 BD A3 C..._Z.N .....B.. +[2790] A5 4D 10 45 83 4D 92 18 1F C9 CF FB 84 29 89 23 .M.E.M.. .....).# +[27A0] AC 71 4B 89 1B 52 E5 06 8C 3E 7C 88 CB D3 B3 CF .qK..R.. .>|..... +[27B0] B9 7A 67 D6 24 F4 AC 00 A6 AD 91 30 9A 95 53 F1 .zg.$... ...0..S. +[27C0] 48 06 A6 39 DB CF DC 9D C9 55 76 26 5E C1 DB 5D H..9.... .Uv&^..] +[27D0] B3 5B 3E AE 1A A0 10 BA 82 21 83 44 02 E0 99 33 .[>..... .!.D...3 +[27E0] 40 BA 29 9E 28 E5 73 4C 23 94 A2 4F BF 07 ED 4F @.).(.sL #..O...O +[27F0] 7C 45 9B 30 C8 41 6B 0A 55 13 6E F5 AD 7A 0C B2 |E.0.Ak. U.n..z.. +[2800] EA FF D0 06 13 4D F3 24 82 7F F6 51 2F 4A 4F 0D .....M.$ ...Q/JO. +[2810] 37 F8 14 6B E9 E4 82 BB 3A 75 63 63 12 E8 78 6F 7..k.... :ucc..xo +[2820] 6F FC 6C D3 4B A6 F1 CC 2A F1 7D EB 82 26 2F D0 o.l.K... *.}..&/. +[2830] A1 8B 3E 9A 71 D7 91 D3 08 E6 FD 62 1B 84 13 2D ..>.q... ...b...- +[2840] 8E A0 A0 C3 85 78 2F 0D F8 E7 10 FC CB 05 A7 B9 .....x/. ........ +[2850] 9A 33 90 B5 9B 26 E3 23 98 B0 91 4B EB 32 37 D6 .3...&.# ...K.27. +[2860] F4 ED 61 08 D8 75 CC 03 83 2C 3C CF 21 63 9C F6 ..a..u.. .,<.!c.. +[2870] AF 5B 4F 12 07 74 17 CD 98 BB E7 5E C7 17 2D C4 .[O..t.. ...^..-. +[2880] 87 A4 74 6D 5E CE DB A3 01 B9 AD 20 73 38 78 22 ..tm^... ... s8x" +[2890] 3D 45 F5 51 77 C6 47 63 45 61 81 D9 FF 31 90 C4 =E.Qw.Gc Ea...1.. +[28A0] 6F 5A F8 FE 6A 56 5B D4 EE EC 49 C7 A7 51 AE 5C oZ..jV[. ..I..Q.\ +[28B0] 85 53 70 3D 1A 49 83 59 CF 65 58 B3 48 7E 04 9E .Sp=.I.Y .eX.H~.. +[28C0] C7 64 8A 05 73 E3 DC 1A 65 5D 4F 41 01 56 73 90 .d..s... e]OA.Vs. +[28D0] 61 F3 84 1F FF CF 46 B2 06 46 56 97 93 B9 DB 32 a.....F. .FV....2 +[28E0] 2A 64 8A 48 02 05 84 E9 FA 76 8B 94 96 89 A0 73 *d.H.... .v.....s +[28F0] 20 75 4D 52 1D 23 13 D1 83 D7 5D 59 23 6A 87 C1 uMR.#.. ..]Y#j.. +[2900] 09 3E 01 3A 28 65 42 8C 35 F1 91 EA 6A 1F 83 0D .>.:(eB. 5...j... +[2910] 8F 57 69 81 D4 A2 D2 EA 0C BF AF 95 A3 F4 90 15 .Wi..... ........ +[2920] 61 34 F2 6C 8B D0 DA B5 1E 43 AC CE C7 8A 1B 2B a4.l.... .C.....+ +[2930] 29 2B 89 1C C5 53 C8 04 F7 1E 46 72 F3 A8 CE F7 )+...S.. ..Fr.... +[2940] 59 76 55 E7 53 1C A2 9F D8 23 F7 EA 71 B0 74 83 YvU.S... .#..q.t. +[2950] 71 95 3E DC A6 FA 2D A4 42 13 93 8B 2B FA A2 70 q.>...-. B...+..p +[2960] 25 21 2D F6 E1 26 56 DF 58 79 25 16 E8 C9 03 EC %!-..&V. Xy%..... +[2970] 72 5F 35 CF 59 6B E1 AD 85 85 7B AB 78 F2 0D AC r_5.Yk.. ..{.x... +[2980] AB 89 F2 DA 85 E7 DE 09 77 99 EC 7C F3 97 1F 71 ........ w..|...q +[2990] 3C DB 09 44 7A 3C 69 E5 03 B0 6D 4D 3B 6B 4C D5 <..Dz.B].]} +[00E0] 0B 1F C3 88 2A 93 40 F9 E9 18 7D 3F 73 DA AC 1F ....*.@. ..}?s... +[00F0] E7 7B C3 B8 14 56 C3 63 86 5B AF C9 C3 21 9F 94 .{...V.c .[...!.. +[0100] B4 67 06 60 7F 56 2D F4 C7 22 CD B4 1C 14 B7 5B .g.`.V-. .".....[ +[0110] 26 67 9D 18 28 B5 5D C2 FC 13 B6 CA 9F AB CD 32 &g..(.]. .......2 +[0120] 71 D5 51 5F A2 11 5A 5D 4A B3 3B 1D D1 6B 4F 7D q.Q_..Z] J.;..kO} +[0130] E9 54 F0 B4 AC 80 DE 27 80 C5 64 3C 0B 22 79 1C .T.....' ..d<."y. +[0140] 9E D1 58 A1 3E 20 5A 9F E3 34 49 D8 16 C6 6B 2D ..X.> Z. .4I...k- +[0150] 36 0E E2 C2 3F 44 DE 63 32 DB EB 78 50 A2 6F 37 6...?D.c 2..xP.o7 +[0160] 05 2B 13 D4 31 07 D4 2A C0 53 B1 30 39 79 C3 D8 .+..1..* .S.09y.. +[0170] C4 4C 30 97 E8 F9 DA ED 10 B0 D0 21 71 8B 56 F3 .L0..... ...!q.V. +[0180] 0F 3A 2D 26 A2 3D AD 70 27 82 95 59 0A D7 7D 4E .:-&.=.p '..Y..}N +[0190] 2D 76 96 4D 94 70 2A BB 26 3B 7E FC E1 59 5A 55 -v.M.p*. &;~..YZU +[01A0] 04 A2 DA 27 AD 46 70 45 43 C0 FB C1 42 7F F0 CB ...'.FpE C...B... +[01B0] 21 D2 CD 54 35 7C 60 13 EE BB BB 60 6B 91 2B BE !..T5|`. ...`k.+. +[01C0] 91 8A CF 49 29 F8 60 D1 AB A5 51 B5 5E 4B B2 3A ...I).`. ..Q.^K.: +[01D0] F4 56 3A 89 2D 88 D0 73 08 A6 FB D8 6E B3 B1 4E .V:.-..s ....n..N +[01E0] D8 90 27 58 D2 53 40 B2 A0 3C 40 4D E9 21 C6 83 ..'X.S@. .<@M.!.. +[01F0] FC 15 14 F0 8C 08 46 C5 29 14 E3 84 CC 2C 56 C9 ......F. )....,V. +[0200] 20 53 45 34 D0 BE E0 CC F7 F1 15 D4 D4 B1 3C 43 SE4.... .......BT.Ba +[03A0] C5 22 B7 AE 51 76 8F 12 83 7F E1 9F 97 D8 31 38 ."..Qv.. ......18 +[03B0] A6 B9 11 B4 E1 BA 19 5B E4 A5 A3 6F 4B B3 03 93 .......[ ...oK... +[03C0] 4C D6 1E 08 FC 94 D1 C5 7C AA 95 EB 9C 7A C2 57 L....... |....z.W +[03D0] 60 CA 17 FF 8E 66 80 76 CB 35 46 26 C3 BD CA 83 `....f.v .5F&.... +[03E0] F0 04 08 0D 4C 5D B2 E4 7C 1C 82 28 D7 2C 42 B1 ....L].. |..(.,B. +[03F0] 36 72 60 5E 26 4A 79 D0 41 94 3C 2C 65 0E 32 18 6r`^&Jy. A.<,e.2. +[0400] B8 56 26 9D D3 84 78 BB .V&...x. + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=4748 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 68 6F 73 74 00 PLE.COM. ...host. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 EA 0D 3A 24 41 21 F7 7D 7D A3 C5 BB ......:$ A!.}}... +[0080] A4 88 F6 17 4D 9B 90 45 4D 9B 90 52 7D 46 4C 43 ....M..E M..R}FLC +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 68 6F 73 74 ........ 0...host +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 03 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 44 8B C4 7D BA 9F FE 59 F6 .......D ..}...Y. +[0110] C1 DF 62 89 02 A4 55 54 AB D6 D6 2E 8B 5E 35 3D ..b...UT .....^5= +[0120] D9 46 9D 8B 49 93 A6 66 5F 1A 8B 81 AD 09 19 E9 .F..I..f _....... +[0130] 59 CE 58 18 50 63 4A A6 7D 6F 71 21 51 4A 41 C2 Y.X.PcJ. }oq!QJA. +[0140] A1 FE B0 D5 0A 3D 38 9F E5 3B 72 A2 7A 59 22 A4 .....=8. .;r.zY". +[0150] B7 1C A3 8D DB EA 5D A5 E2 D3 1D AE 42 D0 7F 75 ......]. ....B..u +[0160] B5 E9 ED B5 04 7B 67 1E 28 90 7D 3D 1A 3E F6 62 .....{g. (.}=.>.b +[0170] D0 A1 56 89 28 76 5C 19 1A FD 66 E5 F2 86 E7 58 ..V.(v\. ..f....X +[0180] 93 31 90 C5 CD F8 71 96 56 21 15 13 F0 EA C2 CC .1....q. V!...... +[0190] 48 4C B4 50 EF F9 81 44 29 8A 75 C4 31 75 D1 BA HL.P...D ).u.1u.. +[01A0] E2 0B 05 B2 E0 EA 64 3A 11 45 84 3D 69 55 FF E6 ......d: .E.=iU.. +[01B0] 32 7E C9 CA C4 28 E8 40 B6 5E F9 26 0F 09 12 1F 2~...(.@ .^.&.... +[01C0] 1F D4 9C 9A 50 E8 B7 6D F8 4F 55 6E 2A D4 AC 6A ....P..m .OUn*..j +[01D0] 79 D1 C2 2A 88 99 F8 39 75 36 F1 2D C7 89 0A C6 y..*...9 u6.-.... +[01E0] B4 C7 A1 7B F1 BF 22 87 A4 B2 93 22 54 A1 72 25 ...{..". ..."T.r% +[01F0] AF 67 FE 20 D5 C8 29 47 28 FF 51 FB F9 4E 2C 17 .g. ..)G (.Q..N,. +[0200] 10 BE 2E 13 8B 18 BE 3C A3 BE 50 49 A7 65 DD 2E .......< ..PI.e.. +[0210] CC EB D6 0F 47 4E DB 7E 08 D5 F0 37 79 36 8F 24 ....GN.~ ...7y6.$ +[0220] 34 28 86 89 EC A3 84 7F 44 4E 37 03 B5 D8 89 1C 4(...... DN7..... +[0230] C7 AA AC 42 70 5F 96 73 35 8B 83 D1 16 24 27 C1 ...Bp_.s 5....$'. +[0240] EC 0E AE 83 59 5A C2 EB C1 91 B6 3D BB 8D 21 49 ....YZ.. ...=..!I +[0250] 63 41 3C 91 1D E9 01 C2 4F A9 E4 42 C1 FD 54 E3 cA<..... O..B..T. +[0260] 7B 3B DF 24 3D 98 E9 84 F8 1D 8D CE 4D 85 AC 8A {;.$=... ....M... +[0270] 12 15 48 C4 DA 1B 3C B8 FC A3 0B AF E2 4D 71 E9 ..H...<. .....Mq. +[0280] 0A 28 53 DC 4E 6C 23 2C 73 26 50 FE 37 03 BF D1 .(S.Nl#, s&P.7... +[0290] 5F 8A 39 4F 04 2E 4A CE 3C 90 11 0C DA 84 5C C3 _.9O..J. <.....\. +[02A0] F8 BE C7 74 ED F4 CF 7E B2 AE 9B 47 D6 2A 1D 93 ...t...~ ...G.*.. +[02B0] 3F A8 8B 51 E9 A3 A0 59 55 DB E3 52 67 E3 DE FF ?..Q...Y U..Rg... +[02C0] B1 56 74 A0 87 21 99 23 8C 8E D1 92 A6 3D 93 D6 .Vt..!.# .....=.. +[02D0] 4D 5B 84 2B B1 8D DD E4 F7 01 A6 6C 4A DF 3C 6E M[.+.... ...lJ....+... +[0330] 4B 6D 22 B3 41 DE 85 35 2D 19 09 E5 68 8E 1F 98 Km".A..5 -...h... +[0340] 1B F2 73 F2 D4 91 08 89 42 0C 05 8B 42 77 6B CC ..s..... B...Bwk. +[0350] 18 78 43 1A 73 C2 7C E7 C2 23 28 56 F7 A0 19 B3 .xC.s.|. .#(V.... +[0360] 99 A6 25 4F C3 5E 70 EC 78 BB 30 15 36 77 B3 A6 ..%O.^p. x.0.6w.. +[0370] 89 98 B6 A0 85 CC 8F E7 41 40 B5 E0 89 93 25 04 ........ A@....%. +[0380] B8 1D 0B 06 31 1D C7 30 52 E1 64 29 8C 64 B9 89 ....1..0 R.d).d.. +[0390] 1F 86 5A AD 74 15 1C C8 AF 37 7B 27 E0 C0 DB 73 ..Z.t... .7{'...s +[03A0] 30 72 65 D3 C0 A5 07 61 E9 0C 07 A1 27 18 8F 50 0re....a ....'..P +[03B0] DB CE FB 4C DD 75 98 F2 28 D2 76 FF F2 41 9F D5 ...L.u.. (.v..A.. +[03C0] 74 22 8A 03 73 B1 A8 B3 B8 80 93 E5 E2 CD 4B F2 t"..s... ......K. +[03D0] 6B 99 DF 5B 5B C7 22 69 81 2A 8A CD 2A F9 9D 08 k..[[."i .*..*... +[03E0] B8 B0 40 77 D3 43 8B AF 40 DD 0C CB 45 E3 88 CB ..@w.C.. @...E... +[03F0] 06 AA 63 38 EB DD 72 89 03 0E DC 3E 97 3F 16 D4 ..c8..r. ...>.?.. +[0400] 1A 21 40 D8 30 BD B0 B4 04 C2 7A 22 43 15 A2 D8 .!@.0... ..z"C... +[0410] 2F 08 28 3B 63 26 AA B3 1C B6 FC E4 0B 2A CD 0E /.(;c&.. .....*.. +[0420] A8 7C E8 11 33 03 D3 C5 6C 35 6A 5D 3C 5A 80 1A .|..3... l5j];J +[0680] 60 25 3D 11 E4 F9 16 02 3E 55 8F CE D2 E9 95 E7 `%=..... >U...... +[0690] B1 C4 8F C4 0B 3E 3C 14 15 28 1A 21 49 15 CE 8E .....><. .(.!I... +[06A0] 91 5E 98 71 00 1F 29 D3 12 C8 D0 11 4F E7 14 E3 .^.q..). ....O... +[06B0] 72 1B 61 6D 7B 8A 00 A6 5E 01 01 50 C2 CF 1A A9 r.am{... ^..P.... +[06C0] 34 8C BA 33 9E 62 C5 69 97 6A 24 3D E0 C6 3F C6 4..3.b.i .j$=..?. +[06D0] F4 36 B1 80 D6 5C 44 19 5B 65 C7 CA 47 DE 4B 65 .6...\D. [e..G.Ke +[06E0] 41 29 9F F8 EA E8 E0 3B E2 C6 98 9D 58 A4 6C 62 A).....; ....X.lb +[06F0] EF 25 12 C9 0E 97 CE 9D F0 D8 08 AD 13 73 A6 82 .%...... .....s.. +[0700] C5 54 23 F4 A4 CB 91 35 91 BD 10 B4 04 DD 55 7E .T#....5 ......U~ +[0710] C9 DE AE CB B0 8F C0 D8 28 AE BD 78 64 91 6C AB ........ (..xd.l. +[0720] CA 36 EA 0E 0E 97 DC 40 ED 26 1D 09 17 28 30 D3 .6.....@ .&...(0. +[0730] 78 DC F7 D2 9C 78 DA 6F 6F 57 00 B3 FD 8E 75 A1 x....x.o oW....u. +[0740] 56 98 5C 4B D8 61 A6 0A 89 27 CD 11 BF 7F 79 53 V.\K.a.. .'....yS +[0750] D9 50 9A 8D EC DD DB BB B8 23 27 0D 20 5B 53 51 .P...... .#'. [SQ +[0760] 07 C4 26 31 3B D4 DF ED 3C 40 B4 1C 8B 46 E2 A6 ..&1;... <@...F.. +[0770] B7 0F 97 D2 B3 1D 19 FD 13 60 7B 38 E6 37 0C 59 ........ .`{8.7.Y +[0780] B0 A8 47 5D 32 A5 0C 57 76 EF 2C ED 40 9F BF 4B ..G]2..W v.,.@..K +[0790] 43 99 3C 68 C4 DE 84 9C A1 36 8C CA CB 2A 08 36 C..%p.4 ...>..-. +[0930] 72 8E DA 4D 2D 55 EC 49 66 5E 01 96 E4 C1 0C 23 r..M-U.I f^.....# +[0940] 57 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 W....... ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C 4B 54 .host... .LOCALKT +[09B0] 45 53 54 36 00 17 00 00 00 10 9D AE 06 BE 29 E0 EST6.... ......). +[09C0] F7 9A 46 97 29 E0 69 8E 5A F0 4D 9B 90 45 4D 9B ..F.).i. Z.M..EM. +[09D0] 90 61 7D 46 4C 43 00 00 00 00 00 40 28 00 00 00 .a}FLC.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 54 45 ..host.. LOCALKTE +[0A30] 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 ST6....0 ........ +[0A40] A1 03 02 01 03 A2 82 03 9C 04 82 03 98 B9 C5 6E ........ .......n +[0A50] 77 F9 59 6D 19 F0 A6 56 2F 14 B3 9A A3 17 06 A6 w.Ym...V /....... +[0A60] AD F5 92 38 6A 1E EA 3D 53 BF 5E 95 13 FF 5D BB ...8j..= S.^...]. +[0A70] 43 4F 51 AE FB 12 3B 06 67 36 91 B9 E0 C4 C4 F3 COQ...;. g6...... +[0A80] 45 A0 48 E6 DC 49 E8 EA 6F 55 D2 3F 79 57 54 FF E.H..I.. oU.?yWT. +[0A90] 10 8D 89 4A A4 E2 B2 80 FD EE 36 C5 D5 4C D0 97 ...J.... ..6..L.. +[0AA0] B3 EC 96 8B E8 5A 05 F0 13 39 8B 1B B3 C4 32 2A .....Z.. .9....2* +[0AB0] 9B BB EF 06 C4 1C 53 2F 0A F6 A8 C6 BE 09 57 26 ......S/ ......W& +[0AC0] B9 39 7B 7B 50 13 2D 6C 52 FF C4 B5 83 28 A8 47 .9{{P.-l R....(.G +[0AD0] 5A CD 1C DD A7 65 FD 8A 84 2A 10 E7 44 E6 83 E7 Z....e.. .*..D... +[0AE0] E7 AA B8 E5 0A 8B 7E E1 87 7B 3D C4 9F 68 BD 19 ......~. .{=..h.. +[0AF0] 2B 59 5E 5A 45 0D B5 71 CC A6 C7 03 3C B3 17 D3 +Y^ZE..q ....<... +[0B00] AF 99 F6 A2 52 A0 99 F7 39 56 B4 33 B4 C5 F4 CC ....R... 9V.3.... +[0B10] 74 34 4C 00 76 26 10 D1 3A 87 6E 6A 52 9B 7A BF t4L.v&.. :.njR.z. +[0B20] 4E 59 36 32 C5 41 29 CF E1 BF 14 E0 54 BF 4A 25 NY62.A). ....T.J% +[0B30] 1F 0B 6E 9A 8C 0E 5D 47 A9 64 1B A4 9D 99 A9 09 ..n...]G .d...... +[0B40] 39 14 E7 41 22 98 8C 62 CC E2 B5 91 8E C1 31 EB 9..A"..b ......1. +[0B50] B2 70 A6 3B 86 FC DD 19 0B 3F 5D C9 B5 1A 95 73 .p.;.... .?]....s +[0B60] EB 97 89 BE 14 87 85 17 BE 40 F6 80 14 23 4D 66 ........ .@...#Mf +[0B70] E4 B0 E5 51 46 34 DA 1C C8 CB FF C6 84 A3 DF D2 ...QF4.. ........ +[0B80] DC 00 AF 7B 27 C8 78 44 CB 6E 7B CC 5C 94 1E 7A ...{'.xD .n{.\..z +[0B90] 95 29 19 F4 14 BE 5C 23 C3 B9 A4 2C 5D 4D F3 61 .)....\# ...,]M.a +[0BA0] 63 1F D4 FE 37 EE 44 14 06 B7 14 50 B6 74 37 75 c...7.D. ...P.t7u +[0BB0] 2C AB 06 F0 93 F9 93 34 75 63 44 7E 12 48 D1 F1 ,......4 ucD~.H.. +[0BC0] 06 55 14 11 B9 23 43 CE 01 16 3E 6B A3 BD 23 55 .U...#C. ..>k..#U +[0BD0] DE 48 5D AF E1 2B 89 E8 E7 C2 E2 34 25 A2 09 4A .H]..+.. ...4%..J +[0BE0] 1F BE 05 AA DE 4B 08 65 27 4C 9B C7 54 96 C2 FB .....K.e 'L..T... +[0BF0] E2 CE 53 4A 32 93 8D 0B 44 77 8C D3 65 54 F9 0E ..SJ2... Dw..eT.. +[0C00] 7F 74 1E FE 3D 74 83 0F 2F E7 9F BC A2 B0 2B 25 .t..=t.. /.....+% +[0C10] BB D2 6F A8 49 C1 3E 9E B5 93 67 74 39 A4 FE 84 ..o.I.>. ..gt9... +[0C20] 4C 45 5F 30 74 E0 CA 5F F6 46 EC 89 B5 2D C8 14 LE_0t.._ .F...-.. +[0C30] 69 76 BC 93 15 F4 60 30 5F AB EB 02 DD 12 4C 62 iv....`0 _.....Lb +[0C40] F9 73 F7 01 E1 7F 2A 6F 09 05 BF 3A 3A 7E 69 A3 .s....*o ...::~i. +[0C50] 7B FC 20 2B D6 CE C0 74 4F BB 29 E4 BE CE 04 9D {. +...t O.)..... +[0C60] 24 D4 98 4A ED 94 A8 81 CD 26 A0 63 EA 09 57 42 $..J.... .&.c..WB +[0C70] 26 B7 B5 4E B5 CB 45 35 A7 84 D8 74 CA C3 9F FF &..N..E5 ...t.... +[0C80] C8 1E 2A 75 34 01 C5 A7 B4 9D 6F A3 E1 BB 2B F8 ..*u4... ..o...+. +[0C90] F0 21 D6 77 57 74 2E 80 DB 76 53 01 86 33 17 32 .!.wWt.. .vS..3.2 +[0CA0] 2E 16 E1 8D 89 3A B2 67 ED A3 ED 39 82 87 26 A6 .....:.g ...9..&. +[0CB0] DB CE 59 84 E4 0A A6 CA 7E 07 98 F7 02 91 6E 56 ..Y..... ~.....nV +[0CC0] 9F 60 03 D3 88 B0 FF EB 20 CA 9E 5B 37 26 67 00 .`...... ..[7&g. +[0CD0] CC BD 9D 53 15 31 53 14 FD 9C E1 28 08 CB C4 0B ...S.1S. ...(.... +[0CE0] E3 50 D9 DB 0C E2 E4 F9 44 50 E9 28 6E 01 96 AA .P...... DP.(n... +[0CF0] C1 D2 4E B2 DE 38 A2 F8 94 32 79 AE 49 64 FB 57 ..N..8.. .2y.Id.W +[0D00] 50 F6 73 E8 98 43 C6 DD 67 3C 91 AC 97 C9 2E 8C P.s..C.. g<...... +[0D10] 06 59 A1 FC 49 EC 2F BF 6F 64 21 63 ED C8 6C CE .Y..I./. od!c..l. +[0D20] 37 28 7B 80 7F 5F 85 F6 98 93 C0 66 A8 D6 F1 2C 7({.._.. ...f..., +[0D30] D8 01 68 B1 C8 EA 82 0D 5B 9B 35 4F 3D B3 47 19 ..h..... [.5O=.G. +[0D40] 54 7A C6 9F AD D7 54 CF B0 DB 3E 18 BA 2A 39 08 Tz....T. ..>..*9. +[0D50] 0C C4 98 4B 43 DE 53 68 25 B1 83 93 1D E1 6C BF ...KC.Sh %.....l. +[0D60] F5 B4 A9 83 17 34 64 8C 2F 91 80 97 4A 48 EC 90 .....4d. /...JH.. +[0D70] BB FA 92 2C 01 80 E4 99 91 0E 67 88 D5 75 AB 7C ...,.... ..g..u.| +[0D80] 98 59 98 45 C9 11 A9 8C 02 98 91 DE AB A0 FF 45 .Y.E.... .......E +[0D90] 11 66 6F C5 DE 61 6D C6 DB C9 CA A3 A0 2B B1 73 .fo..am. .....+.s +[0DA0] 05 85 37 BF AB CA 43 7A 6F 38 C8 BE ED CE 12 49 ..7...Cz o8.....I +[0DB0] 93 C7 7C 1A 33 60 52 7A 67 67 AA 60 57 7E C8 FF ..|.3`Rz gg.`W~.. +[0DC0] DF 91 91 18 45 74 C0 9E 36 19 BC 42 F9 46 CC 84 ....Et.. 6..B.F.. +[0DD0] 09 2E 8C 59 1A E3 65 51 F4 87 6F 4C 3E 29 38 E6 ...Y..eQ ..oL>)8. +[0DE0] 77 E8 A9 B7 FA 00 00 00 00 00 00 00 01 00 00 00 w....... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 01 78 D0 LKTEST6. ......x. +[0E60] 3B 9B FF F0 88 86 4B 3B FE 41 A9 6B 00 4D 9B 90 ;.....K; .A.k.M.. +[0E70] 45 4D 9B 90 6B 7D 46 4C 43 00 00 00 00 00 40 28 EM..k}FL C.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 03 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] CA EA 4D 46 2D D1 E9 58 5D 25 8D 9F DF EA C9 01 ..MF-..X ]%...... +[0F00] B6 08 27 CD 14 85 02 DC 20 C6 51 AA F9 6A B1 CE ..'..... .Q..j.. +[0F10] F5 77 84 BF 9A AC 6B A7 B2 F2 1F 60 BF CB C6 FC .w....k. ...`.... +[0F20] C7 14 B7 41 1C A8 C9 70 7B 86 BC 8E 70 2B 65 4B ...A...p {...p+eK +[0F30] DC F5 B9 23 F8 08 BF 96 C9 A8 77 F4 54 67 25 F8 ...#.... ..w.Tg%. +[0F40] 0F A8 C5 D6 D1 BB 46 5E A0 7E D2 98 9C CD AF E0 ......F^ .~...... +[0F50] 82 62 ED 39 D2 FB F2 E8 9B 1B EE E5 B4 1B C9 0A .b.9.... ........ +[0F60] 86 27 52 6E 11 8B D7 AD B4 54 F9 C6 69 8D E0 F1 .'Rn.... .T..i... +[0F70] CD 63 1C 89 7C 8F B6 A0 71 53 A6 DA B1 66 D2 9D .c..|... qS...f.. +[0F80] D3 4C A8 FB C6 9D 81 74 10 8E 84 D2 3D D8 1C BE .L.....t ....=... +[0F90] BB 3F F7 BF 91 3E 89 66 43 A1 E0 90 1B 1A 97 FF .?...>.f C....... +[0FA0] EF CC 35 75 14 62 4F 67 3A 29 F4 F9 C5 2E BE C5 ..5u.bOg :)...... +[0FB0] C2 2B A8 35 22 D9 92 31 1D 49 2A A5 19 AA 08 0F .+.5"..1 .I*..... +[0FC0] A8 22 0B 68 D2 A2 D7 07 7B 37 1E A3 AC 9B 4F 0A .".h.... {7....O. +[0FD0] A4 FA 7F 37 6F 3E 35 79 4E 00 4B B6 28 A3 6A E4 ...7o>5y N.K.(.j. +[0FE0] 0C 95 53 BA E8 41 07 DA BE E9 08 B9 51 24 91 49 ..S..A.. ....Q$.I +[0FF0] 78 5D 44 12 BC 85 63 81 B8 E0 88 D5 95 0C D3 A8 x]D...c. ........ +[1000] 1D 32 4B E4 A0 C8 A7 7D 3C 97 EE D8 59 AC 3A 21 .2K....} <...Y.:! +[1010] 09 F2 7A CC D0 4A F3 50 10 DC FC 26 BB C2 6A 8E ..z..J.P ...&..j. +[1020] 8B 14 2B 2D 50 2E B3 1E 9B D2 69 56 22 F2 48 BD ..+-P... ..iV".H. +[1030] E9 2E 2F 28 DE 77 67 5F 68 AA 29 05 4B 36 58 40 ../(.wg_ h.).K6X@ +[1040] E5 54 11 C5 4D 68 96 49 9D 53 37 87 5F D2 3A 9B .T..Mh.I .S7._.:. +[1050] E9 8E 79 BE AE 11 B4 6B AB FD DB 8A F5 A0 9B 29 ..y....k .......) +[1060] D9 F5 ED CA FA 3F FE 35 FC F4 69 7E E4 D0 44 29 .....?.5 ..i~..D) +[1070] 48 FF 82 61 26 FC D3 E2 10 EE 14 F7 4A E3 CD F2 H..a&... ....J... +[1080] 8B BC 8B 43 64 2C DE 40 6E BB E1 56 C0 B6 2C D0 ...Cd,.@ n..V..,. +[1090] E5 1E E9 B3 FB 38 48 66 ED AF D2 25 D1 35 5C C6 .....8Hf ...%.5\. +[10A0] F0 4D 36 19 0B EC 33 07 34 D0 27 8D 14 DC 01 45 .M6...3. 4.'....E +[10B0] DE F8 73 A6 A0 F4 C1 91 9D BD 05 E3 70 25 E1 10 ..s..... ....p%.. +[10C0] 44 F6 4B 46 F7 24 84 BF 20 96 AD 6A 96 94 81 58 D.KF.$.. ..j...X +[10D0] 80 95 06 92 F5 7F 17 39 3B 32 47 B2 C5 CE 7B 73 .......9 ;2G...{s +[10E0] CF 53 AE FA D1 9A 60 5A 98 EC 8C FA BD C0 CE 8D .S....`Z ........ +[10F0] C5 27 E6 17 1A 4D 47 D8 3F 5D A9 7C FB 2C B3 05 .'...MG. ?].|.,.. +[1100] 0C 69 20 48 99 80 11 DC 48 AB A7 EA 5B 98 C1 15 .i H.... H...[... +[1110] 27 AE FA 3E 1E 1E E0 E1 F8 32 C0 54 13 D6 30 34 '..>.... .2.T..04 +[1120] 71 98 26 61 6C 1C C4 C7 4E C4 A6 7E FE A8 B8 89 q.&al... N..~.... +[1130] 2A 70 3C 19 58 8D 57 45 55 83 0A C2 B5 F7 89 0E *p<.X.WE U....... +[1140] 7B 7A 17 0C CF 6E 08 A5 F7 21 4A 62 81 4F 49 CA {z...n.. .!Jb.OI. +[1150] E2 ED C2 B4 C7 33 5C BC A1 A0 DE 4E 09 37 BE 24 .....3\. ...N.7.$ +[1160] 62 22 94 55 75 AA 53 DE E0 74 5A B0 B8 E9 BF 2B b".Uu.S. .tZ....+ +[1170] 12 65 2F 90 6B 84 ED 11 AD F7 CE 19 A1 96 E4 1E .e/.k... ........ +[1180] 8C EA C8 81 1B 47 4F 5F B1 5D A5 8B E3 0D 5A 80 .....GO_ .]....Z. +[1190] 89 EC 4B D9 CE ED E8 67 7F 96 FC 1B EF 65 C2 68 ..K....g .....e.h +[11A0] 40 F7 20 36 83 58 62 F4 CA 02 F4 5C 0D 46 B1 CB @. 6.Xb. ...\.F.. +[11B0] 50 D2 D8 3D B7 9A 96 48 8C CF EB E6 8C F4 B2 B4 P..=...H ........ +[11C0] 47 C9 34 C9 DC 14 F1 33 1B 6F 9E 65 27 D7 9D 46 G.4....3 .o.e'..F +[11D0] 1E 91 FF 2E FB 8E 97 5D 17 8F 48 54 7C 3C A0 11 .......] ..HT|<.. +[11E0] 9C AA 77 E9 79 DE 26 D1 F0 7C EA 24 73 BE EC 60 ..w.y.&. .|.$s..` +[11F0] B4 EE BD ED 0D 0A AB 74 60 6E 46 C0 35 5B 65 1A .......t `nF.5[e. +[1200] A4 4A 5C 22 AC B9 CD B7 56 06 88 09 FC 48 68 55 .J\".... V....HhU +[1210] B7 5E 39 72 DF 8A 4C CD 79 74 B0 84 0B 78 DA B2 .^9r..L. yt...x.. +[1220] 55 F8 06 0B 5C 27 06 B3 CA 10 65 6B 04 A3 64 11 U...\'.. ..ek..d. +[1230] 04 09 DC DF 67 00 70 B1 16 DF 24 E9 27 85 11 91 ....g.p. ..$.'... +[1240] 31 CB 92 95 50 18 91 08 C2 A1 A3 76 C7 1A FC 64 1...P... ...v...d +[1250] 9E 2C 3A E7 30 F4 16 0D A0 56 C0 BC D2 FE 2D A0 .,:.0... .V....-. +[1260] 20 A4 E2 82 AD F0 C5 12 71 09 23 E1 66 52 53 D0 ....... q.#.fRS. +[1270] 89 30 E7 BE B7 C2 89 F2 1C 7A F6 8E D7 28 F0 A4 .0...... .z...(.. +[1280] 33 46 7C A2 79 66 DE 26 00 00 00 00 3F|.yf.& .... +push returned Success +pull returned Success + CCACHE: struct CCACHE + pvno : 0x05 (5) + version : 0x04 (4) + optional_header : union OPTIONAL_HEADER(case 0x4) + v4header: struct V4HEADER + v4tags: struct V4TAGS + tag: struct V4TAG + tag : 0x0001 (1) + field : union FIELD(case 0x1) + deltatime_tag: struct DELTATIME_TAG + kdc_sec_offset : 0 + kdc_usec_offset : 0 + further_tags : DATA_BLOB length=0 + principal: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + cred: struct CREDENTIAL + client: struct PRINCIPAL + name_type : 0x00000001 (1) + component_count : 0x00000001 (1) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(1) + components : 'administrator' + server: struct PRINCIPAL + name_type : 0x00000000 (0) + component_count : 0x00000002 (2) + realm : 'KTEST.SAMBA.EXAMPLE.COM' + components: ARRAY(2) + components : 'krbtgt' + components : 'KTEST.SAMBA.EXAMPLE.COM' + keyblock: struct KEYBLOCK + enctype : 0x0017 (23) + data : DATA_BLOB length=16 +[0000] E5 E4 15 C8 A8 0F 4D 95 F9 1B E3 B9 98 CA A1 7F ......M. ........ + authtime : 0x4d9b9045 (1302040645) + starttime : 0x4d9b9045 (1302040645) + endtime : 0x7d464c43 (2101759043) + renew_till : 0x7d464c43 (2101759043) + is_skey : 0x00 (0) + ticket_flags : 0x40e00000 (1088421888) + addresses: struct ADDRESSES + count : 0x00000000 (0) + data: ARRAY(0) + authdata: struct AUTHDATA + count : 0x00000000 (0) + data: ARRAY(0) + ticket : DATA_BLOB length=1032 +[0000] 61 82 04 04 30 82 04 00 A0 03 02 01 05 A1 19 1B a...0... ........ +[0010] 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 .KTEST.S AMBA.EXA +[0020] 4D 50 4C 45 2E 43 4F 4D A2 2C 30 2A A0 03 02 01 MPLE.COM .,0*.... +[0030] 00 A1 23 30 21 1B 06 6B 72 62 74 67 74 1B 17 4B ..#0!..k rbtgt..K +[0040] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0050] 4C 45 2E 43 4F 4D A3 82 03 AE 30 82 03 AA A0 03 LE.COM.. ..0..... +[0060] 02 01 17 A1 03 02 01 01 A2 82 03 9C 04 82 03 98 ........ ........ +[0070] 01 40 48 A6 B8 F0 DA 43 54 A5 18 CF B0 15 CB 68 .@H....C T......h +[0080] 9F A0 69 44 87 A9 FF 06 25 B9 29 48 59 64 26 48 ..iD.... %.)HYd&H +[0090] 96 7C 46 6A 79 E5 F0 77 DB 46 6C 20 A1 59 D9 F8 .|Fjy..w .Fl .Y.. +[00A0] 6A 8A 2D B5 D9 EF A4 54 DE 19 20 C0 7B 93 D4 3D j.-....T .. .{..= +[00B0] ED 72 35 AF 9D 87 75 9E 44 01 A4 6C D9 EA 94 A3 .r5...u. D..l.... +[00C0] 18 C6 42 75 E3 0A 0C 76 9A AE 75 BC A3 02 91 BC ..Bu...v ..u..... +[00D0] 2D BB 3C 23 73 A6 1A A7 8A 3E 85 42 5D 1F 5D 7D -.<#s... .>.B].]} +[00E0] 0B 1F C3 88 2A 93 40 F9 E9 18 7D 3F 73 DA AC 1F ....*.@. ..}?s... +[00F0] E7 7B C3 B8 14 56 C3 63 86 5B AF C9 C3 21 9F 94 .{...V.c .[...!.. +[0100] B4 67 06 60 7F 56 2D F4 C7 22 CD B4 1C 14 B7 5B .g.`.V-. .".....[ +[0110] 26 67 9D 18 28 B5 5D C2 FC 13 B6 CA 9F AB CD 32 &g..(.]. .......2 +[0120] 71 D5 51 5F A2 11 5A 5D 4A B3 3B 1D D1 6B 4F 7D q.Q_..Z] J.;..kO} +[0130] E9 54 F0 B4 AC 80 DE 27 80 C5 64 3C 0B 22 79 1C .T.....' ..d<."y. +[0140] 9E D1 58 A1 3E 20 5A 9F E3 34 49 D8 16 C6 6B 2D ..X.> Z. .4I...k- +[0150] 36 0E E2 C2 3F 44 DE 63 32 DB EB 78 50 A2 6F 37 6...?D.c 2..xP.o7 +[0160] 05 2B 13 D4 31 07 D4 2A C0 53 B1 30 39 79 C3 D8 .+..1..* .S.09y.. +[0170] C4 4C 30 97 E8 F9 DA ED 10 B0 D0 21 71 8B 56 F3 .L0..... ...!q.V. +[0180] 0F 3A 2D 26 A2 3D AD 70 27 82 95 59 0A D7 7D 4E .:-&.=.p '..Y..}N +[0190] 2D 76 96 4D 94 70 2A BB 26 3B 7E FC E1 59 5A 55 -v.M.p*. &;~..YZU +[01A0] 04 A2 DA 27 AD 46 70 45 43 C0 FB C1 42 7F F0 CB ...'.FpE C...B... +[01B0] 21 D2 CD 54 35 7C 60 13 EE BB BB 60 6B 91 2B BE !..T5|`. ...`k.+. +[01C0] 91 8A CF 49 29 F8 60 D1 AB A5 51 B5 5E 4B B2 3A ...I).`. ..Q.^K.: +[01D0] F4 56 3A 89 2D 88 D0 73 08 A6 FB D8 6E B3 B1 4E .V:.-..s ....n..N +[01E0] D8 90 27 58 D2 53 40 B2 A0 3C 40 4D E9 21 C6 83 ..'X.S@. .<@M.!.. +[01F0] FC 15 14 F0 8C 08 46 C5 29 14 E3 84 CC 2C 56 C9 ......F. )....,V. +[0200] 20 53 45 34 D0 BE E0 CC F7 F1 15 D4 D4 B1 3C 43 SE4.... .......BT.Ba +[03A0] C5 22 B7 AE 51 76 8F 12 83 7F E1 9F 97 D8 31 38 ."..Qv.. ......18 +[03B0] A6 B9 11 B4 E1 BA 19 5B E4 A5 A3 6F 4B B3 03 93 .......[ ...oK... +[03C0] 4C D6 1E 08 FC 94 D1 C5 7C AA 95 EB 9C 7A C2 57 L....... |....z.W +[03D0] 60 CA 17 FF 8E 66 80 76 CB 35 46 26 C3 BD CA 83 `....f.v .5F&.... +[03E0] F0 04 08 0D 4C 5D B2 E4 7C 1C 82 28 D7 2C 42 B1 ....L].. |..(.,B. +[03F0] 36 72 60 5E 26 4A 79 D0 41 94 3C 2C 65 0E 32 18 6r`^&Jy. A.<,e.2. +[0400] B8 56 26 9D D3 84 78 BB .V&...x. + second_ticket : DATA_BLOB length=0 + further_creds : DATA_BLOB length=4748 +[0000] 00 00 00 01 00 00 00 01 00 00 00 17 4B 54 45 53 ........ ....KTES +[0010] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0020] 43 4F 4D 00 00 00 0D 61 64 6D 69 6E 69 73 74 72 COM....a dministr +[0030] 61 74 6F 72 00 00 00 01 00 00 00 02 00 00 00 17 ator.... ........ +[0040] 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D KTEST.SA MBA.EXAM +[0050] 50 4C 45 2E 43 4F 4D 00 00 00 04 68 6F 73 74 00 PLE.COM. ...host. +[0060] 00 00 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 00 17 ...local ktest6.. +[0070] 00 00 00 10 EA 0D 3A 24 41 21 F7 7D 7D A3 C5 BB ......:$ A!.}}... +[0080] A4 88 F6 17 4D 9B 90 45 4D 9B 90 52 7D 46 4C 43 ....M..E M..R}FLC +[0090] 00 00 00 00 00 40 28 00 00 00 00 00 00 00 00 00 .....@(. ........ +[00A0] 00 00 00 03 FA 61 82 03 F6 30 82 03 F2 A0 03 02 .....a.. .0...... +[00B0] 01 05 A1 19 1B 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[00C0] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D A2 1E 30 A.EXAMPL E.COM..0 +[00D0] 1C A0 03 02 01 01 A1 15 30 13 1B 04 68 6F 73 74 ........ 0...host +[00E0] 1B 0B 6C 6F 63 61 6C 6B 74 65 73 74 36 A3 82 03 ..localk test6... +[00F0] AE 30 82 03 AA A0 03 02 01 17 A1 03 02 01 03 A2 .0...... ........ +[0100] 82 03 9C 04 82 03 98 44 8B C4 7D BA 9F FE 59 F6 .......D ..}...Y. +[0110] C1 DF 62 89 02 A4 55 54 AB D6 D6 2E 8B 5E 35 3D ..b...UT .....^5= +[0120] D9 46 9D 8B 49 93 A6 66 5F 1A 8B 81 AD 09 19 E9 .F..I..f _....... +[0130] 59 CE 58 18 50 63 4A A6 7D 6F 71 21 51 4A 41 C2 Y.X.PcJ. }oq!QJA. +[0140] A1 FE B0 D5 0A 3D 38 9F E5 3B 72 A2 7A 59 22 A4 .....=8. .;r.zY". +[0150] B7 1C A3 8D DB EA 5D A5 E2 D3 1D AE 42 D0 7F 75 ......]. ....B..u +[0160] B5 E9 ED B5 04 7B 67 1E 28 90 7D 3D 1A 3E F6 62 .....{g. (.}=.>.b +[0170] D0 A1 56 89 28 76 5C 19 1A FD 66 E5 F2 86 E7 58 ..V.(v\. ..f....X +[0180] 93 31 90 C5 CD F8 71 96 56 21 15 13 F0 EA C2 CC .1....q. V!...... +[0190] 48 4C B4 50 EF F9 81 44 29 8A 75 C4 31 75 D1 BA HL.P...D ).u.1u.. +[01A0] E2 0B 05 B2 E0 EA 64 3A 11 45 84 3D 69 55 FF E6 ......d: .E.=iU.. +[01B0] 32 7E C9 CA C4 28 E8 40 B6 5E F9 26 0F 09 12 1F 2~...(.@ .^.&.... +[01C0] 1F D4 9C 9A 50 E8 B7 6D F8 4F 55 6E 2A D4 AC 6A ....P..m .OUn*..j +[01D0] 79 D1 C2 2A 88 99 F8 39 75 36 F1 2D C7 89 0A C6 y..*...9 u6.-.... +[01E0] B4 C7 A1 7B F1 BF 22 87 A4 B2 93 22 54 A1 72 25 ...{..". ..."T.r% +[01F0] AF 67 FE 20 D5 C8 29 47 28 FF 51 FB F9 4E 2C 17 .g. ..)G (.Q..N,. +[0200] 10 BE 2E 13 8B 18 BE 3C A3 BE 50 49 A7 65 DD 2E .......< ..PI.e.. +[0210] CC EB D6 0F 47 4E DB 7E 08 D5 F0 37 79 36 8F 24 ....GN.~ ...7y6.$ +[0220] 34 28 86 89 EC A3 84 7F 44 4E 37 03 B5 D8 89 1C 4(...... DN7..... +[0230] C7 AA AC 42 70 5F 96 73 35 8B 83 D1 16 24 27 C1 ...Bp_.s 5....$'. +[0240] EC 0E AE 83 59 5A C2 EB C1 91 B6 3D BB 8D 21 49 ....YZ.. ...=..!I +[0250] 63 41 3C 91 1D E9 01 C2 4F A9 E4 42 C1 FD 54 E3 cA<..... O..B..T. +[0260] 7B 3B DF 24 3D 98 E9 84 F8 1D 8D CE 4D 85 AC 8A {;.$=... ....M... +[0270] 12 15 48 C4 DA 1B 3C B8 FC A3 0B AF E2 4D 71 E9 ..H...<. .....Mq. +[0280] 0A 28 53 DC 4E 6C 23 2C 73 26 50 FE 37 03 BF D1 .(S.Nl#, s&P.7... +[0290] 5F 8A 39 4F 04 2E 4A CE 3C 90 11 0C DA 84 5C C3 _.9O..J. <.....\. +[02A0] F8 BE C7 74 ED F4 CF 7E B2 AE 9B 47 D6 2A 1D 93 ...t...~ ...G.*.. +[02B0] 3F A8 8B 51 E9 A3 A0 59 55 DB E3 52 67 E3 DE FF ?..Q...Y U..Rg... +[02C0] B1 56 74 A0 87 21 99 23 8C 8E D1 92 A6 3D 93 D6 .Vt..!.# .....=.. +[02D0] 4D 5B 84 2B B1 8D DD E4 F7 01 A6 6C 4A DF 3C 6E M[.+.... ...lJ....+... +[0330] 4B 6D 22 B3 41 DE 85 35 2D 19 09 E5 68 8E 1F 98 Km".A..5 -...h... +[0340] 1B F2 73 F2 D4 91 08 89 42 0C 05 8B 42 77 6B CC ..s..... B...Bwk. +[0350] 18 78 43 1A 73 C2 7C E7 C2 23 28 56 F7 A0 19 B3 .xC.s.|. .#(V.... +[0360] 99 A6 25 4F C3 5E 70 EC 78 BB 30 15 36 77 B3 A6 ..%O.^p. x.0.6w.. +[0370] 89 98 B6 A0 85 CC 8F E7 41 40 B5 E0 89 93 25 04 ........ A@....%. +[0380] B8 1D 0B 06 31 1D C7 30 52 E1 64 29 8C 64 B9 89 ....1..0 R.d).d.. +[0390] 1F 86 5A AD 74 15 1C C8 AF 37 7B 27 E0 C0 DB 73 ..Z.t... .7{'...s +[03A0] 30 72 65 D3 C0 A5 07 61 E9 0C 07 A1 27 18 8F 50 0re....a ....'..P +[03B0] DB CE FB 4C DD 75 98 F2 28 D2 76 FF F2 41 9F D5 ...L.u.. (.v..A.. +[03C0] 74 22 8A 03 73 B1 A8 B3 B8 80 93 E5 E2 CD 4B F2 t"..s... ......K. +[03D0] 6B 99 DF 5B 5B C7 22 69 81 2A 8A CD 2A F9 9D 08 k..[[."i .*..*... +[03E0] B8 B0 40 77 D3 43 8B AF 40 DD 0C CB 45 E3 88 CB ..@w.C.. @...E... +[03F0] 06 AA 63 38 EB DD 72 89 03 0E DC 3E 97 3F 16 D4 ..c8..r. ...>.?.. +[0400] 1A 21 40 D8 30 BD B0 B4 04 C2 7A 22 43 15 A2 D8 .!@.0... ..z"C... +[0410] 2F 08 28 3B 63 26 AA B3 1C B6 FC E4 0B 2A CD 0E /.(;c&.. .....*.. +[0420] A8 7C E8 11 33 03 D3 C5 6C 35 6A 5D 3C 5A 80 1A .|..3... l5j];J +[0680] 60 25 3D 11 E4 F9 16 02 3E 55 8F CE D2 E9 95 E7 `%=..... >U...... +[0690] B1 C4 8F C4 0B 3E 3C 14 15 28 1A 21 49 15 CE 8E .....><. .(.!I... +[06A0] 91 5E 98 71 00 1F 29 D3 12 C8 D0 11 4F E7 14 E3 .^.q..). ....O... +[06B0] 72 1B 61 6D 7B 8A 00 A6 5E 01 01 50 C2 CF 1A A9 r.am{... ^..P.... +[06C0] 34 8C BA 33 9E 62 C5 69 97 6A 24 3D E0 C6 3F C6 4..3.b.i .j$=..?. +[06D0] F4 36 B1 80 D6 5C 44 19 5B 65 C7 CA 47 DE 4B 65 .6...\D. [e..G.Ke +[06E0] 41 29 9F F8 EA E8 E0 3B E2 C6 98 9D 58 A4 6C 62 A).....; ....X.lb +[06F0] EF 25 12 C9 0E 97 CE 9D F0 D8 08 AD 13 73 A6 82 .%...... .....s.. +[0700] C5 54 23 F4 A4 CB 91 35 91 BD 10 B4 04 DD 55 7E .T#....5 ......U~ +[0710] C9 DE AE CB B0 8F C0 D8 28 AE BD 78 64 91 6C AB ........ (..xd.l. +[0720] CA 36 EA 0E 0E 97 DC 40 ED 26 1D 09 17 28 30 D3 .6.....@ .&...(0. +[0730] 78 DC F7 D2 9C 78 DA 6F 6F 57 00 B3 FD 8E 75 A1 x....x.o oW....u. +[0740] 56 98 5C 4B D8 61 A6 0A 89 27 CD 11 BF 7F 79 53 V.\K.a.. .'....yS +[0750] D9 50 9A 8D EC DD DB BB B8 23 27 0D 20 5B 53 51 .P...... .#'. [SQ +[0760] 07 C4 26 31 3B D4 DF ED 3C 40 B4 1C 8B 46 E2 A6 ..&1;... <@...F.. +[0770] B7 0F 97 D2 B3 1D 19 FD 13 60 7B 38 E6 37 0C 59 ........ .`{8.7.Y +[0780] B0 A8 47 5D 32 A5 0C 57 76 EF 2C ED 40 9F BF 4B ..G]2..W v.,.@..K +[0790] 43 99 3C 68 C4 DE 84 9C A1 36 8C CA CB 2A 08 36 C..%p.4 ...>..-. +[0930] 72 8E DA 4D 2D 55 EC 49 66 5E 01 96 E4 C1 0C 23 r..M-U.I f^.....# +[0940] 57 91 00 00 00 00 00 00 00 01 00 00 00 01 00 00 W....... ........ +[0950] 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 ..KTEST. SAMBA.EX +[0960] 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D 61 64 6D AMPLE.CO M....adm +[0970] 69 6E 69 73 74 72 61 74 6F 72 00 00 00 01 00 00 inistrat or...... +[0980] 00 02 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 ......KT EST.SAMB +[0990] 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 A.EXAMPL E.COM... +[09A0] 04 68 6F 73 74 00 00 00 0B 4C 4F 43 41 4C 4B 54 .host... .LOCALKT +[09B0] 45 53 54 36 00 17 00 00 00 10 9D AE 06 BE 29 E0 EST6.... ......). +[09C0] F7 9A 46 97 29 E0 69 8E 5A F0 4D 9B 90 45 4D 9B ..F.).i. Z.M..EM. +[09D0] 90 61 7D 46 4C 43 00 00 00 00 00 40 28 00 00 00 .a}FLC.. ...@(... +[09E0] 00 00 00 00 00 00 00 00 00 03 FA 61 82 03 F6 30 ........ ...a...0 +[09F0] 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B 54 45 53 ........ ....KTES +[0A00] 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E T.SAMBA. EXAMPLE. +[0A10] 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 15 30 13 COM..0.. ......0. +[0A20] 1B 04 68 6F 73 74 1B 0B 4C 4F 43 41 4C 4B 54 45 ..host.. LOCALKTE +[0A30] 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 02 01 17 ST6....0 ........ +[0A40] A1 03 02 01 03 A2 82 03 9C 04 82 03 98 B9 C5 6E ........ .......n +[0A50] 77 F9 59 6D 19 F0 A6 56 2F 14 B3 9A A3 17 06 A6 w.Ym...V /....... +[0A60] AD F5 92 38 6A 1E EA 3D 53 BF 5E 95 13 FF 5D BB ...8j..= S.^...]. +[0A70] 43 4F 51 AE FB 12 3B 06 67 36 91 B9 E0 C4 C4 F3 COQ...;. g6...... +[0A80] 45 A0 48 E6 DC 49 E8 EA 6F 55 D2 3F 79 57 54 FF E.H..I.. oU.?yWT. +[0A90] 10 8D 89 4A A4 E2 B2 80 FD EE 36 C5 D5 4C D0 97 ...J.... ..6..L.. +[0AA0] B3 EC 96 8B E8 5A 05 F0 13 39 8B 1B B3 C4 32 2A .....Z.. .9....2* +[0AB0] 9B BB EF 06 C4 1C 53 2F 0A F6 A8 C6 BE 09 57 26 ......S/ ......W& +[0AC0] B9 39 7B 7B 50 13 2D 6C 52 FF C4 B5 83 28 A8 47 .9{{P.-l R....(.G +[0AD0] 5A CD 1C DD A7 65 FD 8A 84 2A 10 E7 44 E6 83 E7 Z....e.. .*..D... +[0AE0] E7 AA B8 E5 0A 8B 7E E1 87 7B 3D C4 9F 68 BD 19 ......~. .{=..h.. +[0AF0] 2B 59 5E 5A 45 0D B5 71 CC A6 C7 03 3C B3 17 D3 +Y^ZE..q ....<... +[0B00] AF 99 F6 A2 52 A0 99 F7 39 56 B4 33 B4 C5 F4 CC ....R... 9V.3.... +[0B10] 74 34 4C 00 76 26 10 D1 3A 87 6E 6A 52 9B 7A BF t4L.v&.. :.njR.z. +[0B20] 4E 59 36 32 C5 41 29 CF E1 BF 14 E0 54 BF 4A 25 NY62.A). ....T.J% +[0B30] 1F 0B 6E 9A 8C 0E 5D 47 A9 64 1B A4 9D 99 A9 09 ..n...]G .d...... +[0B40] 39 14 E7 41 22 98 8C 62 CC E2 B5 91 8E C1 31 EB 9..A"..b ......1. +[0B50] B2 70 A6 3B 86 FC DD 19 0B 3F 5D C9 B5 1A 95 73 .p.;.... .?]....s +[0B60] EB 97 89 BE 14 87 85 17 BE 40 F6 80 14 23 4D 66 ........ .@...#Mf +[0B70] E4 B0 E5 51 46 34 DA 1C C8 CB FF C6 84 A3 DF D2 ...QF4.. ........ +[0B80] DC 00 AF 7B 27 C8 78 44 CB 6E 7B CC 5C 94 1E 7A ...{'.xD .n{.\..z +[0B90] 95 29 19 F4 14 BE 5C 23 C3 B9 A4 2C 5D 4D F3 61 .)....\# ...,]M.a +[0BA0] 63 1F D4 FE 37 EE 44 14 06 B7 14 50 B6 74 37 75 c...7.D. ...P.t7u +[0BB0] 2C AB 06 F0 93 F9 93 34 75 63 44 7E 12 48 D1 F1 ,......4 ucD~.H.. +[0BC0] 06 55 14 11 B9 23 43 CE 01 16 3E 6B A3 BD 23 55 .U...#C. ..>k..#U +[0BD0] DE 48 5D AF E1 2B 89 E8 E7 C2 E2 34 25 A2 09 4A .H]..+.. ...4%..J +[0BE0] 1F BE 05 AA DE 4B 08 65 27 4C 9B C7 54 96 C2 FB .....K.e 'L..T... +[0BF0] E2 CE 53 4A 32 93 8D 0B 44 77 8C D3 65 54 F9 0E ..SJ2... Dw..eT.. +[0C00] 7F 74 1E FE 3D 74 83 0F 2F E7 9F BC A2 B0 2B 25 .t..=t.. /.....+% +[0C10] BB D2 6F A8 49 C1 3E 9E B5 93 67 74 39 A4 FE 84 ..o.I.>. ..gt9... +[0C20] 4C 45 5F 30 74 E0 CA 5F F6 46 EC 89 B5 2D C8 14 LE_0t.._ .F...-.. +[0C30] 69 76 BC 93 15 F4 60 30 5F AB EB 02 DD 12 4C 62 iv....`0 _.....Lb +[0C40] F9 73 F7 01 E1 7F 2A 6F 09 05 BF 3A 3A 7E 69 A3 .s....*o ...::~i. +[0C50] 7B FC 20 2B D6 CE C0 74 4F BB 29 E4 BE CE 04 9D {. +...t O.)..... +[0C60] 24 D4 98 4A ED 94 A8 81 CD 26 A0 63 EA 09 57 42 $..J.... .&.c..WB +[0C70] 26 B7 B5 4E B5 CB 45 35 A7 84 D8 74 CA C3 9F FF &..N..E5 ...t.... +[0C80] C8 1E 2A 75 34 01 C5 A7 B4 9D 6F A3 E1 BB 2B F8 ..*u4... ..o...+. +[0C90] F0 21 D6 77 57 74 2E 80 DB 76 53 01 86 33 17 32 .!.wWt.. .vS..3.2 +[0CA0] 2E 16 E1 8D 89 3A B2 67 ED A3 ED 39 82 87 26 A6 .....:.g ...9..&. +[0CB0] DB CE 59 84 E4 0A A6 CA 7E 07 98 F7 02 91 6E 56 ..Y..... ~.....nV +[0CC0] 9F 60 03 D3 88 B0 FF EB 20 CA 9E 5B 37 26 67 00 .`...... ..[7&g. +[0CD0] CC BD 9D 53 15 31 53 14 FD 9C E1 28 08 CB C4 0B ...S.1S. ...(.... +[0CE0] E3 50 D9 DB 0C E2 E4 F9 44 50 E9 28 6E 01 96 AA .P...... DP.(n... +[0CF0] C1 D2 4E B2 DE 38 A2 F8 94 32 79 AE 49 64 FB 57 ..N..8.. .2y.Id.W +[0D00] 50 F6 73 E8 98 43 C6 DD 67 3C 91 AC 97 C9 2E 8C P.s..C.. g<...... +[0D10] 06 59 A1 FC 49 EC 2F BF 6F 64 21 63 ED C8 6C CE .Y..I./. od!c..l. +[0D20] 37 28 7B 80 7F 5F 85 F6 98 93 C0 66 A8 D6 F1 2C 7({.._.. ...f..., +[0D30] D8 01 68 B1 C8 EA 82 0D 5B 9B 35 4F 3D B3 47 19 ..h..... [.5O=.G. +[0D40] 54 7A C6 9F AD D7 54 CF B0 DB 3E 18 BA 2A 39 08 Tz....T. ..>..*9. +[0D50] 0C C4 98 4B 43 DE 53 68 25 B1 83 93 1D E1 6C BF ...KC.Sh %.....l. +[0D60] F5 B4 A9 83 17 34 64 8C 2F 91 80 97 4A 48 EC 90 .....4d. /...JH.. +[0D70] BB FA 92 2C 01 80 E4 99 91 0E 67 88 D5 75 AB 7C ...,.... ..g..u.| +[0D80] 98 59 98 45 C9 11 A9 8C 02 98 91 DE AB A0 FF 45 .Y.E.... .......E +[0D90] 11 66 6F C5 DE 61 6D C6 DB C9 CA A3 A0 2B B1 73 .fo..am. .....+.s +[0DA0] 05 85 37 BF AB CA 43 7A 6F 38 C8 BE ED CE 12 49 ..7...Cz o8.....I +[0DB0] 93 C7 7C 1A 33 60 52 7A 67 67 AA 60 57 7E C8 FF ..|.3`Rz gg.`W~.. +[0DC0] DF 91 91 18 45 74 C0 9E 36 19 BC 42 F9 46 CC 84 ....Et.. 6..B.F.. +[0DD0] 09 2E 8C 59 1A E3 65 51 F4 87 6F 4C 3E 29 38 E6 ...Y..eQ ..oL>)8. +[0DE0] 77 E8 A9 B7 FA 00 00 00 00 00 00 00 01 00 00 00 w....... ........ +[0DF0] 01 00 00 00 17 4B 54 45 53 54 2E 53 41 4D 42 41 .....KTE ST.SAMBA +[0E00] 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D 00 00 00 0D .EXAMPLE .COM.... +[0E10] 61 64 6D 69 6E 69 73 74 72 61 74 6F 72 00 00 00 administ rator... +[0E20] 01 00 00 00 02 00 00 00 17 4B 54 45 53 54 2E 53 ........ .KTEST.S +[0E30] 41 4D 42 41 2E 45 58 41 4D 50 4C 45 2E 43 4F 4D AMBA.EXA MPLE.COM +[0E40] 00 00 00 04 63 69 66 73 00 00 00 0B 4C 4F 43 41 ....cifs ....LOCA +[0E50] 4C 4B 54 45 53 54 36 00 17 00 00 00 10 01 78 D0 LKTEST6. ......x. +[0E60] 3B 9B FF F0 88 86 4B 3B FE 41 A9 6B 00 4D 9B 90 ;.....K; .A.k.M.. +[0E70] 45 4D 9B 90 6B 7D 46 4C 43 00 00 00 00 00 40 28 EM..k}FL C.....@( +[0E80] 00 00 00 00 00 00 00 00 00 00 00 00 03 FA 61 82 ........ ......a. +[0E90] 03 F6 30 82 03 F2 A0 03 02 01 05 A1 19 1B 17 4B ..0..... .......K +[0EA0] 54 45 53 54 2E 53 41 4D 42 41 2E 45 58 41 4D 50 TEST.SAM BA.EXAMP +[0EB0] 4C 45 2E 43 4F 4D A2 1E 30 1C A0 03 02 01 01 A1 LE.COM.. 0....... +[0EC0] 15 30 13 1B 04 63 69 66 73 1B 0B 4C 4F 43 41 4C .0...cif s..LOCAL +[0ED0] 4B 54 45 53 54 36 A3 82 03 AE 30 82 03 AA A0 03 KTEST6.. ..0..... +[0EE0] 02 01 17 A1 03 02 01 03 A2 82 03 9C 04 82 03 98 ........ ........ +[0EF0] CA EA 4D 46 2D D1 E9 58 5D 25 8D 9F DF EA C9 01 ..MF-..X ]%...... +[0F00] B6 08 27 CD 14 85 02 DC 20 C6 51 AA F9 6A B1 CE ..'..... .Q..j.. +[0F10] F5 77 84 BF 9A AC 6B A7 B2 F2 1F 60 BF CB C6 FC .w....k. ...`.... +[0F20] C7 14 B7 41 1C A8 C9 70 7B 86 BC 8E 70 2B 65 4B ...A...p {...p+eK +[0F30] DC F5 B9 23 F8 08 BF 96 C9 A8 77 F4 54 67 25 F8 ...#.... ..w.Tg%. +[0F40] 0F A8 C5 D6 D1 BB 46 5E A0 7E D2 98 9C CD AF E0 ......F^ .~...... +[0F50] 82 62 ED 39 D2 FB F2 E8 9B 1B EE E5 B4 1B C9 0A .b.9.... ........ +[0F60] 86 27 52 6E 11 8B D7 AD B4 54 F9 C6 69 8D E0 F1 .'Rn.... .T..i... +[0F70] CD 63 1C 89 7C 8F B6 A0 71 53 A6 DA B1 66 D2 9D .c..|... qS...f.. +[0F80] D3 4C A8 FB C6 9D 81 74 10 8E 84 D2 3D D8 1C BE .L.....t ....=... +[0F90] BB 3F F7 BF 91 3E 89 66 43 A1 E0 90 1B 1A 97 FF .?...>.f C....... +[0FA0] EF CC 35 75 14 62 4F 67 3A 29 F4 F9 C5 2E BE C5 ..5u.bOg :)...... +[0FB0] C2 2B A8 35 22 D9 92 31 1D 49 2A A5 19 AA 08 0F .+.5"..1 .I*..... +[0FC0] A8 22 0B 68 D2 A2 D7 07 7B 37 1E A3 AC 9B 4F 0A .".h.... {7....O. +[0FD0] A4 FA 7F 37 6F 3E 35 79 4E 00 4B B6 28 A3 6A E4 ...7o>5y N.K.(.j. +[0FE0] 0C 95 53 BA E8 41 07 DA BE E9 08 B9 51 24 91 49 ..S..A.. ....Q$.I +[0FF0] 78 5D 44 12 BC 85 63 81 B8 E0 88 D5 95 0C D3 A8 x]D...c. ........ +[1000] 1D 32 4B E4 A0 C8 A7 7D 3C 97 EE D8 59 AC 3A 21 .2K....} <...Y.:! +[1010] 09 F2 7A CC D0 4A F3 50 10 DC FC 26 BB C2 6A 8E ..z..J.P ...&..j. +[1020] 8B 14 2B 2D 50 2E B3 1E 9B D2 69 56 22 F2 48 BD ..+-P... ..iV".H. +[1030] E9 2E 2F 28 DE 77 67 5F 68 AA 29 05 4B 36 58 40 ../(.wg_ h.).K6X@ +[1040] E5 54 11 C5 4D 68 96 49 9D 53 37 87 5F D2 3A 9B .T..Mh.I .S7._.:. +[1050] E9 8E 79 BE AE 11 B4 6B AB FD DB 8A F5 A0 9B 29 ..y....k .......) +[1060] D9 F5 ED CA FA 3F FE 35 FC F4 69 7E E4 D0 44 29 .....?.5 ..i~..D) +[1070] 48 FF 82 61 26 FC D3 E2 10 EE 14 F7 4A E3 CD F2 H..a&... ....J... +[1080] 8B BC 8B 43 64 2C DE 40 6E BB E1 56 C0 B6 2C D0 ...Cd,.@ n..V..,. +[1090] E5 1E E9 B3 FB 38 48 66 ED AF D2 25 D1 35 5C C6 .....8Hf ...%.5\. +[10A0] F0 4D 36 19 0B EC 33 07 34 D0 27 8D 14 DC 01 45 .M6...3. 4.'....E +[10B0] DE F8 73 A6 A0 F4 C1 91 9D BD 05 E3 70 25 E1 10 ..s..... ....p%.. +[10C0] 44 F6 4B 46 F7 24 84 BF 20 96 AD 6A 96 94 81 58 D.KF.$.. ..j...X +[10D0] 80 95 06 92 F5 7F 17 39 3B 32 47 B2 C5 CE 7B 73 .......9 ;2G...{s +[10E0] CF 53 AE FA D1 9A 60 5A 98 EC 8C FA BD C0 CE 8D .S....`Z ........ +[10F0] C5 27 E6 17 1A 4D 47 D8 3F 5D A9 7C FB 2C B3 05 .'...MG. ?].|.,.. +[1100] 0C 69 20 48 99 80 11 DC 48 AB A7 EA 5B 98 C1 15 .i H.... H...[... +[1110] 27 AE FA 3E 1E 1E E0 E1 F8 32 C0 54 13 D6 30 34 '..>.... .2.T..04 +[1120] 71 98 26 61 6C 1C C4 C7 4E C4 A6 7E FE A8 B8 89 q.&al... N..~.... +[1130] 2A 70 3C 19 58 8D 57 45 55 83 0A C2 B5 F7 89 0E *p<.X.WE U....... +[1140] 7B 7A 17 0C CF 6E 08 A5 F7 21 4A 62 81 4F 49 CA {z...n.. .!Jb.OI. +[1150] E2 ED C2 B4 C7 33 5C BC A1 A0 DE 4E 09 37 BE 24 .....3\. ...N.7.$ +[1160] 62 22 94 55 75 AA 53 DE E0 74 5A B0 B8 E9 BF 2B b".Uu.S. .tZ....+ +[1170] 12 65 2F 90 6B 84 ED 11 AD F7 CE 19 A1 96 E4 1E .e/.k... ........ +[1180] 8C EA C8 81 1B 47 4F 5F B1 5D A5 8B E3 0D 5A 80 .....GO_ .]....Z. +[1190] 89 EC 4B D9 CE ED E8 67 7F 96 FC 1B EF 65 C2 68 ..K....g .....e.h +[11A0] 40 F7 20 36 83 58 62 F4 CA 02 F4 5C 0D 46 B1 CB @. 6.Xb. ...\.F.. +[11B0] 50 D2 D8 3D B7 9A 96 48 8C CF EB E6 8C F4 B2 B4 P..=...H ........ +[11C0] 47 C9 34 C9 DC 14 F1 33 1B 6F 9E 65 27 D7 9D 46 G.4....3 .o.e'..F +[11D0] 1E 91 FF 2E FB 8E 97 5D 17 8F 48 54 7C 3C A0 11 .......] ..HT|<.. +[11E0] 9C AA 77 E9 79 DE 26 D1 F0 7C EA 24 73 BE EC 60 ..w.y.&. .|.$s..` +[11F0] B4 EE BD ED 0D 0A AB 74 60 6E 46 C0 35 5B 65 1A .......t `nF.5[e. +[1200] A4 4A 5C 22 AC B9 CD B7 56 06 88 09 FC 48 68 55 .J\".... V....HhU +[1210] B7 5E 39 72 DF 8A 4C CD 79 74 B0 84 0B 78 DA B2 .^9r..L. yt...x.. +[1220] 55 F8 06 0B 5C 27 06 B3 CA 10 65 6B 04 A3 64 11 U...\'.. ..ek..d. +[1230] 04 09 DC DF 67 00 70 B1 16 DF 24 E9 27 85 11 91 ....g.p. ..$.'... +[1240] 31 CB 92 95 50 18 91 08 C2 A1 A3 76 C7 1A FC 64 1...P... ...v...d +[1250] 9E 2C 3A E7 30 F4 16 0D A0 56 C0 BC D2 FE 2D A0 .,:.0... .V....-. +[1260] 20 A4 E2 82 AD F0 C5 12 71 09 23 E1 66 52 53 D0 ....... q.#.fRS. +[1270] 89 30 E7 BE B7 C2 89 F2 1C 7A F6 8E D7 28 F0 A4 .0...... .z...(.. +[1280] 33 46 7C A2 79 66 DE 26 00 00 00 00 3F|.yf.& .... +dump OK -- 2.25.1 From 722c46e13c61c5a08f49ee7975a3ebafaf356a1c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 11:02:47 +1200 Subject: [PATCH 069/380] krb5: Add Python functions to create a credentials cache containing a service ticket This is a FILE: format credentials cache readable by the MIT/Heimdal Kerberos libraries. This allows us to glue the Python ASN1 Kerberos system to the MIT/Heimdal one. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2d88a6ff3dbcf650b09ef9c8c37170ca6663b533) --- python/samba/tests/krb5/kdc_base_test.py | 167 ++++++++++++++++++++++- 1 file changed, 163 insertions(+), 4 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index 1c7f05dda6d..d8193ae9cdc 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -1,6 +1,6 @@ # Unix SMB/CIFS implementation. # Copyright (C) Stefan Metzmacher 2020 -# Copyright (C) 2020 Catalyst.Net Ltd +# Copyright (C) 2020-2021 Catalyst.Net Ltd # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by @@ -18,6 +18,8 @@ import sys import os +from datetime import datetime +import tempfile sys.path.insert(0, "bin/python") os.environ["PYTHONUNBUFFERED"] = "1" @@ -26,10 +28,10 @@ import ldb from ldb import SCOPE_BASE from samba import generate_random_password from samba.auth import system_session -from samba.credentials import Credentials -from samba.dcerpc import krb5pac +from samba.credentials import Credentials, SPECIFIED, MUST_USE_KERBEROS +from samba.dcerpc import krb5pac, krb5ccache from samba.dsdb import UF_WORKSTATION_TRUST_ACCOUNT, UF_NORMAL_ACCOUNT -from samba.ndr import ndr_unpack +from samba.ndr import ndr_pack, ndr_unpack from samba.samdb import SamDB from samba.tests import delete_force @@ -38,6 +40,8 @@ import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 from samba.tests.krb5.rfc4120_constants import ( AD_IF_RELEVANT, AD_WIN2K_PAC, + AES256_CTS_HMAC_SHA1_96, + ARCFOUR_HMAC_MD5, KDC_ERR_PREAUTH_REQUIRED, KRB_AS_REP, KRB_TGS_REP, @@ -46,6 +50,8 @@ from samba.tests.krb5.rfc4120_constants import ( KU_PA_ENC_TIMESTAMP, KU_TGS_REP_ENC_PART_SUB_KEY, KU_TICKET, + NT_PRINCIPAL, + NT_SRV_HST, PADATA_ENC_TIMESTAMP, PADATA_ETYPE_INFO2, ) @@ -445,3 +451,156 @@ class KDCBaseTest(RawKerberosTest): msg = ldb.Message(dn) msg[name] = ldb.MessageElement(values, flag, name) self.ldb.modify(msg) + + def create_ccache(self, cname, ticket, enc_part): + """ Lay out a version 4 on-disk credentials cache, to be read using the + FILE: protocol. + """ + + field = krb5ccache.DELTATIME_TAG() + field.kdc_sec_offset = 0 + field.kdc_usec_offset = 0 + + v4tag = krb5ccache.V4TAG() + v4tag.tag = 1 + v4tag.field = field + + v4tags = krb5ccache.V4TAGS() + v4tags.tag = v4tag + v4tags.further_tags = b'' + + optional_header = krb5ccache.V4HEADER() + optional_header.v4tags = v4tags + + cname_string = cname['name-string'] + + cprincipal = krb5ccache.PRINCIPAL() + cprincipal.name_type = cname['name-type'] + cprincipal.component_count = len(cname_string) + cprincipal.realm = ticket['realm'] + cprincipal.components = cname_string + + sname = ticket['sname'] + sname_string = sname['name-string'] + + sprincipal = krb5ccache.PRINCIPAL() + sprincipal.name_type = sname['name-type'] + sprincipal.component_count = len(sname_string) + sprincipal.realm = ticket['realm'] + sprincipal.components = sname_string + + key = self.EncryptionKey_import(enc_part['key']) + + key_data = key.export_obj() + keyblock = krb5ccache.KEYBLOCK() + keyblock.enctype = key_data['keytype'] + keyblock.data = key_data['keyvalue'] + + addresses = krb5ccache.ADDRESSES() + addresses.count = 0 + addresses.data = [] + + authdata = krb5ccache.AUTHDATA() + authdata.count = 0 + authdata.data = [] + + # Re-encode the ticket, since it was decoded by another layer. + ticket_data = self.der_encode(ticket, asn1Spec=krb5_asn1.Ticket()) + + authtime = enc_part['authtime'] + try: + starttime = enc_part['starttime'] + except KeyError: + starttime = authtime + endtime = enc_part['endtime'] + + cred = krb5ccache.CREDENTIAL() + cred.client = cprincipal + cred.server = sprincipal + cred.keyblock = keyblock + cred.authtime = int(datetime.strptime(authtime.decode(), + "%Y%m%d%H%M%SZ").timestamp()) + cred.starttime = int(datetime.strptime(starttime.decode(), + "%Y%m%d%H%M%SZ").timestamp()) + cred.endtime = int(datetime.strptime(endtime.decode(), + "%Y%m%d%H%M%SZ").timestamp()) + cred.renew_till = cred.endtime + cred.is_skey = 0 + cred.ticket_flags = int(enc_part['flags'], 2) + cred.addresses = addresses + cred.authdata = authdata + cred.ticket = ticket_data + cred.second_ticket = b'' + + ccache = krb5ccache.CCACHE() + ccache.pvno = 5 + ccache.version = 4 + ccache.optional_header = optional_header + ccache.principal = cprincipal + ccache.cred = cred + + # Serialise the credentials cache structure. + result = ndr_pack(ccache) + + # Create a temporary file and write the credentials. + cachefile = tempfile.NamedTemporaryFile(dir=self.tempdir, delete=False) + cachefile.write(result) + cachefile.close() + + return cachefile + + def create_ccache_with_user(self, user_credentials, mach_name, + service="host"): + # Obtain a service ticket authorising the user and place it into a + # newly created credentials cache file. + + user_name = user_credentials.get_username() + realm = user_credentials.get_realm() + + # Do the initial AS-REQ, should get a pre-authentication required + # response + etype = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5) + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create(name_type=NT_SRV_HST, + names=["krbtgt", realm]) + + rep = self.as_req(cname, sname, realm, etype) + self.check_pre_authenication(rep) + + # Do the next AS-REQ + padata = self.get_pa_data(user_credentials, rep) + key = self.get_as_rep_key(user_credentials, rep) + rep = self.as_req(cname, sname, realm, etype, padata=padata) + self.check_as_reply(rep) + + # Request a ticket to the host service on the machine account + ticket = rep['ticket'] + enc_part = self.get_as_rep_enc_data(key, rep) + key = self.EncryptionKey_import(enc_part['key']) + cname = self.PrincipalName_create(name_type=NT_PRINCIPAL, + names=[user_name]) + sname = self.PrincipalName_create(name_type=NT_SRV_HST, + names=[service, mach_name]) + + (rep, enc_part) = self.tgs_req( + cname, sname, realm, ticket, key, etype) + self.check_tgs_reply(rep) + key = self.EncryptionKey_import(enc_part['key']) + + # Check the contents of the pac, and the ticket + ticket = rep['ticket'] + + # Write the ticket into a credentials cache file that can be ingested + # by the main credentials code. + cachefile = self.create_ccache(cname, ticket, enc_part) + + # Create a credentials object to reference the credentials cache. + creds = Credentials() + creds.set_kerberos_state(MUST_USE_KERBEROS) + creds.set_username(user_name, SPECIFIED) + creds.set_realm(realm) + creds.set_named_ccache(cachefile.name, SPECIFIED, self.lp) + + # Return the credentials along with the cache file. + return (creds, cachefile) -- 2.25.1 From ffbd4d841e90df64a9ed50503a347a0708d80fce Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 28 Apr 2021 11:06:33 +1200 Subject: [PATCH 070/380] python: Add credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service using the normal credentials system backed on to MIT/Heimdal Kerberos 5 libraries. This will allow us to validate the output of the MIT/Heimdal libraries in the future. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit c15f26ec40860782b22e862f9bdf665745387718) --- python/samba/tests/krb5/raw_testcase.py | 8 +- python/samba/tests/krb5/rfc4120_constants.py | 1 + python/samba/tests/krb5/test_ccache.py | 127 +++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 2 + 5 files changed, 135 insertions(+), 4 deletions(-) create mode 100755 python/samba/tests/krb5/test_ccache.py diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 82e68ee7019..27ab89ecf99 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -25,7 +25,7 @@ import random import samba.tests from samba.credentials import Credentials -from samba.tests import TestCase +from samba.tests import TestCaseInTempDir import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.kcrypto as kcrypto @@ -178,11 +178,11 @@ class Krb5EncryptionKey(object): return EncryptionKey_obj -class RawKerberosTest(TestCase): +class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" def setUp(self): - super(RawKerberosTest, self).setUp() + super().setUp() self.do_asn1_print = False self.do_hexdump = False @@ -192,7 +192,7 @@ class RawKerberosTest(TestCase): def tearDown(self): self._disconnect("tearDown") - super(TestCase, self).tearDown() + super().tearDown() def _disconnect(self, reason): if self.s is None: diff --git a/python/samba/tests/krb5/rfc4120_constants.py b/python/samba/tests/krb5/rfc4120_constants.py index 5bbf1229d09..702f6084217 100644 --- a/python/samba/tests/krb5/rfc4120_constants.py +++ b/python/samba/tests/krb5/rfc4120_constants.py @@ -46,6 +46,7 @@ KDC_ERR_SKEW = 37 # Name types NT_UNKNOWN = int(krb5_asn1.NameTypeValues('kRB5-NT-UNKNOWN')) NT_PRINCIPAL = int(krb5_asn1.NameTypeValues('kRB5-NT-PRINCIPAL')) +NT_SRV_HST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-HST')) NT_SRV_INST = int(krb5_asn1.NameTypeValues('kRB5-NT-SRV-INST')) NT_ENTERPRISE_PRINCIPAL = int(krb5_asn1.NameTypeValues( 'kRB5-NT-ENTERPRISE-PRINCIPAL')) diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py new file mode 100755 index 00000000000..e0998a4c43f --- /dev/null +++ b/python/samba/tests/krb5/test_ccache.py @@ -0,0 +1,127 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from ldb import SCOPE_SUBTREE +from samba import gensec +from samba.auth import AuthContext +from samba.dcerpc import security +from samba.ndr import ndr_unpack + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class CcacheTests(KDCBaseTest): + """Test for authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_ccache(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "ccacheusr" + mach_name = "ccachemac" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Create the machine account. + (mach_credentials, _) = self.create_account(mach_name, + machine_account=True) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name) + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + settings = {} + settings["lp_ctx"] = self.lp + settings["target_hostname"] = mach_name + + gensec_client = gensec.Security.start_client(settings) + gensec_client.set_credentials(creds) + gensec_client.want_feature(gensec.FEATURE_SEAL) + gensec_client.start_mech_by_sasl_name("GSSAPI") + + auth_context = AuthContext(lp_ctx=self.lp, ldb=self.ldb, methods=[]) + + gensec_server = gensec.Security.start_server(settings, auth_context) + gensec_server.set_credentials(mach_credentials) + + gensec_server.start_mech_by_sasl_name("GSSAPI") + + client_finished = False + server_finished = False + server_to_client = b'' + + # Operate as both the client and the server to verify the user's + # credentials. + while not client_finished or not server_finished: + if not client_finished: + print("running client gensec_update") + (client_finished, client_to_server) = gensec_client.update( + server_to_client) + if not server_finished: + print("running server gensec_update") + (server_finished, server_to_client) = gensec_server.update( + client_to_server) + + # Ensure that the first SID contained within the obtained security + # token is the SID of the user we created. + + # Retrieve the user account's SID. + ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, + expression="(sAMAccountName=%s)" % user_name, + attrs=["objectSid"]) + self.assertEqual(1, len(ldb_res)) + sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) + + # Retrieve the SIDs from the security token. + session = gensec_server.session_info() + token = session.security_token + token_sids = token.sids + self.assertGreater(len(token_sids), 0) + + # Ensure that they match. + self.assertEqual(sid, token_sids[0]) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 1b22461c735..2ca1e0215ce 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -95,6 +95,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_tests.py', 'python/samba/tests/krb5/kdc_base_test.py', 'python/samba/tests/krb5/kdc_tgs_tests.py', + 'python/samba/tests/krb5/test_ccache.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 9bb2ff2e1ed..d5b51ad3a3a 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -752,6 +752,8 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") + for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) planoldpythontestsuite(env + ":local", "samba.tests.ntacls_backup", -- 2.25.1 From 31d3ac2bcb162869c6932f0c2e49e002c3ab009c Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Apr 2021 20:58:11 +1200 Subject: [PATCH 071/380] python: Add LDAP credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through LDAP. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 7663b5c37fa3413f7c67c018107322494e4a6fd9) --- python/samba/tests/krb5/test_ldap.py | 94 ++++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 96 insertions(+) create mode 100755 python/samba/tests/krb5/test_ldap.py diff --git a/python/samba/tests/krb5/test_ldap.py b/python/samba/tests/krb5/test_ldap.py new file mode 100755 index 00000000000..6a4bf52d77f --- /dev/null +++ b/python/samba/tests/krb5/test_ldap.py @@ -0,0 +1,94 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from ldb import SCOPE_BASE, SCOPE_SUBTREE +from samba.dcerpc import security +from samba.ndr import ndr_unpack +from samba.samdb import SamDB + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class LdapTests(KDCBaseTest): + """Test for LDAP authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_ldap(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "ldapusr" + mach_name = self.dns_host_name + service = "ldap" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name, + service) + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + # Retrieve the user account's SID. + ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, + expression="(sAMAccountName=%s)" % user_name, + attrs=["objectSid"]) + self.assertEqual(1, len(ldb_res)) + sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) + + # Connect to the machine account and retrieve the user SID. + ldb_as_user = SamDB(url="ldap://%s" % mach_name, + credentials=creds, + lp=self.lp) + ldb_res = ldb_as_user.search('', + scope=SCOPE_BASE, + attrs=["tokenGroups"]) + self.assertEqual(1, len(ldb_res)) + + token_sid = ndr_unpack(security.dom_sid, ldb_res[0]["tokenGroups"][0]) + + # Ensure that they match. + self.assertEqual(sid, token_sid) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 2ca1e0215ce..45636f3d3a3 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -96,6 +96,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_base_test.py', 'python/samba/tests/krb5/kdc_tgs_tests.py', 'python/samba/tests/krb5/test_ccache.py', + 'python/samba/tests/krb5/test_ldap.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index d5b51ad3a3a..83fe47cbc20 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -753,6 +753,7 @@ planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests", planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap") for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) -- 2.25.1 From 13cfa898cc5ec314710eca97631320d5df53b9aa Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Thu, 29 Apr 2021 21:04:25 +1200 Subject: [PATCH 072/380] python: Add RPC credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through RPC. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 072451a033da07c0cdaa005dd1020ef1c7951e99) --- python/samba/tests/krb5/test_rpc.py | 77 +++++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 79 insertions(+) create mode 100755 python/samba/tests/krb5/test_rpc.py diff --git a/python/samba/tests/krb5/test_rpc.py b/python/samba/tests/krb5/test_rpc.py new file mode 100755 index 00000000000..da1c4eb88ac --- /dev/null +++ b/python/samba/tests/krb5/test_rpc.py @@ -0,0 +1,77 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from samba.dcerpc import lsa + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class RpcTests(KDCBaseTest): + """Test for RPC authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_rpc(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "rpcusr" + mach_name = self.dns_host_name + service = "cifs" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name, + service) + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + binding_str = "ncacn_np:%s[\\pipe\\lsarpc]" % mach_name + conn = lsa.lsarpc(binding_str, self.lp, creds) + + (account_name, _) = conn.GetUserName(None, None, None) + + self.assertEqual(user_name, account_name.string) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index 45636f3d3a3..eb7c003b48b 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -97,6 +97,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/kdc_tgs_tests.py', 'python/samba/tests/krb5/test_ccache.py', 'python/samba/tests/krb5/test_ldap.py', + 'python/samba/tests/krb5/test_rpc.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 83fe47cbc20..5acbeda6bbe 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -754,6 +754,7 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap") +planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_rpc") for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) -- 2.25.1 From 4f807efdad0d00d3c3a52d29234a8107cf8d6ff0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 15:48:43 +1200 Subject: [PATCH 073/380] Revert "libsmb: Use sid_parse()" This reverts commit afd5d34f5e1d13ba88448b3b94d353aa8361d1a9. This code originally used ndr_pull_struct_blob() to pull one SID from a buffer potentially containing multiple SIDs. When this was changed to use sid_parse(), it was now attempting to parse the whole buffer as a single SID with ndr_pull_struct_blob_all(), which would cause it to fail if more than one SID was present. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 2b487890d946df88abce67c3d07d74559f70f069) --- source3/libsmb/clifsinfo.c | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 1c140ebbd59..09c0d9535f1 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -29,7 +29,6 @@ #include "../libcli/smb/smbXcli_base.h" #include "auth/credentials/credentials.h" #include "../librpc/gen_ndr/ndr_security.h" -#include "libcli/security/dom_sid.h" /**************************************************************************** Get UNIX extensions version info. @@ -686,9 +685,23 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) num_rdata -= (p - rdata); for (i = 0; i < state->num_sids; i++) { - ssize_t sid_size = sid_parse(p, num_rdata, &state->sids[i]); + size_t sid_size; + DATA_BLOB in = data_blob_const(p, num_rdata); + enum ndr_err_code ndr_err; - if ((sid_size == -1) || (sid_size > num_rdata)) { + ndr_err = ndr_pull_struct_blob(&in, + state, + &state->sids[i], + (ndr_pull_flags_fn_t)ndr_pull_dom_sid); + if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) { + tevent_req_nterror(req, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + + sid_size = ndr_size_dom_sid(&state->sids[i], 0); + + if (sid_size > num_rdata) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; -- 2.25.1 From 468548531aeb4cbe225541ad4654669e56992f0e Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 15:55:01 +1200 Subject: [PATCH 074/380] libsmb: Remove overflow check Pointer overflow is undefined, so this check does not accomplish anything. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit db5b34c7682e36630908356cf674fddd18d8fa1f) --- source3/libsmb/clifsinfo.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 09c0d9535f1..cc9f7382d49 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -650,7 +650,7 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) * parsing network packets in C. */ - if (num_rdata < 40 || rdata + num_rdata < rdata) { + if (num_rdata < 40) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; } -- 2.25.1 From 88e0b2d428c3ea3fe3a3c5d9aab510ac2619cc50 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 16:16:51 +1200 Subject: [PATCH 075/380] libsmb: Avoid undefined behaviour when parsing whoami state If num_gids is such that the gids array would overflow the rdata buffer, 'p + 8' could produce a result pointing outside the buffer, and thus result in undefined behaviour. To avoid this, we check num_gids against the size of the buffer beforehand. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9d8aeed33d8edf7a5dc96dbe35e4e164e2baeeeb) --- source3/libsmb/clifsinfo.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index cc9f7382d49..aca559d153b 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -661,6 +661,13 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) state->num_gids = IVAL(rdata, 24); state->num_sids = IVAL(rdata, 28); + /* Ensure the gid array doesn't overflow */ + if (state->num_gids > (num_rdata - 40) / sizeof(uint64_t)) { + tevent_req_nterror(req, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + state->gids = talloc_array(state, uint64_t, state->num_gids); if (tevent_req_nomem(state->gids, req)) { return; @@ -673,11 +680,6 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) p = rdata + 40; for (i = 0; i < state->num_gids; i++) { - if (p + 8 > rdata + num_rdata) { - tevent_req_nterror(req, - NT_STATUS_INVALID_NETWORK_RESPONSE); - return; - } state->gids[i] = BVAL(p, 0); p += 8; } -- 2.25.1 From 1d830b72140fa95a708cf08443e3abc6efb7c546 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 16:22:43 +1200 Subject: [PATCH 076/380] libsmb: Check to see that whoami is not receiving more data than it requested Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9e414233c84d2f2fa4a9415be9ee975eca8b9bfd) --- source3/libsmb/clifsinfo.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index aca559d153b..6f3c07a8a7e 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -570,6 +570,8 @@ struct posix_whoami_state { static void cli_posix_whoami_done(struct tevent_req *subreq); +static const uint32_t posix_whoami_max_rdata = 62*1024; + struct tevent_req *cli_posix_whoami_send(TALLOC_CTX *mem_ctx, struct tevent_context *ev, struct cli_state *cli) @@ -586,7 +588,7 @@ struct tevent_req *cli_posix_whoami_send(TALLOC_CTX *mem_ctx, SSVAL(state->setup, 0, TRANSACT2_QFSINFO); SSVAL(state->param, 0, SMB_QUERY_POSIX_WHOAMI); - state->max_rdata = 62*1024; + state->max_rdata = posix_whoami_max_rdata; subreq = cli_trans_send(state, /* mem ctx. */ ev, /* event ctx. */ @@ -650,7 +652,7 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) * parsing network packets in C. */ - if (num_rdata < 40) { + if (num_rdata < 40 || num_rdata > posix_whoami_max_rdata) { tevent_req_nterror(req, NT_STATUS_INVALID_NETWORK_RESPONSE); return; } -- 2.25.1 From c9d13bc9d0f368858b4e04f4fd6ec326b101a9ce Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 16:24:42 +1200 Subject: [PATCH 077/380] libsmb: Ensure that whoami parses all the data provided to it Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 9b96ebea5c6966b096cf1100a0895a9c41f2aa1d) --- source3/libsmb/clifsinfo.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/source3/libsmb/clifsinfo.c b/source3/libsmb/clifsinfo.c index 6f3c07a8a7e..f09428bdbcb 100644 --- a/source3/libsmb/clifsinfo.c +++ b/source3/libsmb/clifsinfo.c @@ -714,6 +714,13 @@ static void cli_posix_whoami_done(struct tevent_req *subreq) p += sid_size; num_rdata -= sid_size; } + + if (num_rdata != 0) { + tevent_req_nterror(req, + NT_STATUS_INVALID_NETWORK_RESPONSE); + return; + } + tevent_req_done(req); } -- 2.25.1 From a4df60363edb107d0a1287b394ace2f7fccbaea6 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 30 Apr 2021 12:49:24 +1200 Subject: [PATCH 078/380] pylibsmb: Add posix_whoami() Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 [abartlet@samba.org backport from commit 482559436f12a85adb3409433aac3ab06baa82b1 as the 4.13 backport doesn't have ealier pylibsmb changes including 752a8f870de2bb087802a1287d7fb6c7624ac631 (s3:pylibsmb: remove unused SECINFO_DEFAULT_FLAGS)] --- source3/libsmb/pylibsmb.c | 138 +++++++++++++++++++++++++++++++++++++- 1 file changed, 137 insertions(+), 1 deletion(-) diff --git a/source3/libsmb/pylibsmb.c b/source3/libsmb/pylibsmb.c index c09df917251..a882fe2f2a7 100644 --- a/source3/libsmb/pylibsmb.c +++ b/source3/libsmb/pylibsmb.c @@ -43,6 +43,8 @@ SECINFO_DACL | SECINFO_PROTECTED_DACL | SECINFO_UNPROTECTED_DACL | \ SECINFO_SACL | SECINFO_PROTECTED_SACL | SECINFO_UNPROTECTED_SACL) +static PyTypeObject *dom_sid_Type = NULL; + static PyTypeObject *get_pytype(const char *module, const char *type) { PyObject *mod; @@ -1357,6 +1359,123 @@ static PyObject *py_smb_mkdir(struct py_cli_state *self, PyObject *args) Py_RETURN_NONE; } +/* + * Does a whoami call + */ +static PyObject *py_smb_posix_whoami(struct py_cli_state *self, + PyObject *Py_UNUSED(ignored)) +{ + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + struct tevent_req *req = NULL; + uint64_t uid; + uint64_t gid; + uint32_t num_gids; + uint64_t *gids = NULL; + uint32_t num_sids; + struct dom_sid *sids = NULL; + bool guest; + PyObject *py_gids = NULL; + PyObject *py_sids = NULL; + PyObject *py_guest = NULL; + PyObject *py_ret = NULL; + Py_ssize_t i; + + req = cli_posix_whoami_send(frame, self->ev, self->cli); + if (!py_tevent_req_wait_exc(self, req)) { + goto fail; + } + status = cli_posix_whoami_recv(req, + frame, + &uid, + &gid, + &num_gids, + &gids, + &num_sids, + &sids, + &guest); + if (!NT_STATUS_IS_OK(status)) { + PyErr_SetNTSTATUS(status); + goto fail; + } + if (num_gids > PY_SSIZE_T_MAX) { + PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many GIDs"); + goto fail; + } + if (num_sids > PY_SSIZE_T_MAX) { + PyErr_SetString(PyExc_OverflowError, "posix_whoami: Too many SIDs"); + goto fail; + } + + py_gids = PyList_New(num_gids); + if (!py_gids) { + goto fail; + } + for (i = 0; i < num_gids; ++i) { + int ret; + PyObject *py_item = PyLong_FromUnsignedLongLong(gids[i]); + if (!py_item) { + goto fail2; + } + + ret = PyList_SetItem(py_gids, i, py_item); + if (ret) { + goto fail2; + } + } + py_sids = PyList_New(num_sids); + if (!py_sids) { + goto fail2; + } + for (i = 0; i < num_sids; ++i) { + int ret; + struct dom_sid *sid; + PyObject *py_item; + + sid = dom_sid_dup(frame, &sids[i]); + if (!sid) { + PyErr_NoMemory(); + goto fail3; + } + + py_item = pytalloc_steal(dom_sid_Type, sid); + if (!py_item) { + PyErr_NoMemory(); + goto fail3; + } + + ret = PyList_SetItem(py_sids, i, py_item); + if (ret) { + goto fail3; + } + } + + py_guest = guest ? Py_True : Py_False; + + py_ret = Py_BuildValue("KKNNO", + uid, + gid, + py_gids, + py_sids, + py_guest); + if (!py_ret) { + goto fail3; + } + + TALLOC_FREE(frame); + return py_ret; + +fail3: + Py_CLEAR(py_sids); + +fail2: + Py_CLEAR(py_gids); + +fail: + TALLOC_FREE(frame); + return NULL; +} + /* * Checks existence of a directory */ @@ -1618,6 +1737,8 @@ static PyMethodDef py_cli_state_methods[] = { "unlink(path) -> None\n\n \t\tDelete a file." }, { "mkdir", (PyCFunction)py_smb_mkdir, METH_VARARGS, "mkdir(path) -> None\n\n \t\tCreate a directory." }, + { "posix_whoami", (PyCFunction)py_smb_posix_whoami, METH_NOARGS, + "posix_whoami() -> (uid, gid, gids, sids, guest)" }, { "rmdir", (PyCFunction)py_smb_rmdir, METH_VARARGS, "rmdir(path) -> None\n\n \t\tDelete a directory." }, { "chkpath", (PyCFunction)py_smb_chkpath, METH_VARARGS, @@ -1670,16 +1791,31 @@ static struct PyModuleDef moduledef = { MODULE_INIT_FUNC(libsmb_samba_internal) { PyObject *m = NULL; + PyObject *mod = NULL; talloc_stackframe(); + if (PyType_Ready(&py_cli_state_type) < 0) { + return NULL; + } + m = PyModule_Create(&moduledef); if (m == NULL) { return m; } - if (PyType_Ready(&py_cli_state_type) < 0) { + + /* Import dom_sid type from dcerpc.security */ + mod = PyImport_ImportModule("samba.dcerpc.security"); + if (mod == NULL) { return NULL; } + + dom_sid_Type = (PyTypeObject *)PyObject_GetAttrString(mod, "dom_sid"); + if (dom_sid_Type == NULL) { + Py_DECREF(mod); + return NULL; + } + Py_INCREF(&py_cli_state_type); PyModule_AddObject(m, "Conn", (PyObject *)&py_cli_state_type); -- 2.25.1 From b1467c9533ce11aa5c3436564780764974648a1b Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 30 Apr 2021 08:58:11 +1200 Subject: [PATCH 079/380] python: Add SMB credentials cache test Test that we can use a credentials cache with a user's service ticket obtained with our Python code to connect to a service through SMB. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 78a0b57b51642df07deed8aeb6e39e608fafda60) --- python/samba/tests/krb5/test_smb.py | 108 ++++++++++++++++++++++++++++ python/samba/tests/usage.py | 1 + source4/selftest/tests.py | 1 + 3 files changed, 110 insertions(+) create mode 100755 python/samba/tests/krb5/test_smb.py diff --git a/python/samba/tests/krb5/test_smb.py b/python/samba/tests/krb5/test_smb.py new file mode 100755 index 00000000000..0262a37ebb5 --- /dev/null +++ b/python/samba/tests/krb5/test_smb.py @@ -0,0 +1,108 @@ +#!/usr/bin/env python3 +# Unix SMB/CIFS implementation. +# Copyright (C) Stefan Metzmacher 2020 +# Copyright (C) 2021 Catalyst.Net Ltd +# +# This program is free software; you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation; either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . +# + +import sys +import os + +from ldb import SCOPE_SUBTREE +from samba.dcerpc import security +from samba.ndr import ndr_unpack +from samba.samba3 import libsmb_samba_internal as libsmb +from samba.samba3 import param as s3param + +from samba.tests.krb5.kdc_base_test import KDCBaseTest + +sys.path.insert(0, "bin/python") +os.environ["PYTHONUNBUFFERED"] = "1" + +global_asn1_print = False +global_hexdump = False + + +class SmbTests(KDCBaseTest): + """Test for SMB authentication using Kerberos credentials stored in a + credentials cache file. + """ + + def test_smb(self): + # Create a user account and a machine account, along with a Kerberos + # credentials cache file where the service ticket authenticating the + # user are stored. + + user_name = "smbusr" + mach_name = self.dns_host_name + service = "cifs" + share = "tmp" + + # Create the user account. + (user_credentials, _) = self.create_account(user_name) + + # Talk to the KDC to obtain the service ticket, which gets placed into + # the cache. The machine account name has to match the name in the + # ticket, to ensure that the krbtgt ticket doesn't also need to be + # stored. + (creds, cachefile) = self.create_ccache_with_user(user_credentials, + mach_name, + service) + + # Set the Kerberos 5 credentials cache environment variable. This is + # required because the codepath that gets run (gse_krb5) looks for it + # in here and not in the credentials object. + krb5_ccname = os.environ.get("KRB5CCNAME", "") + self.addCleanup(os.environ.__setitem__, "KRB5CCNAME", krb5_ccname) + os.environ["KRB5CCNAME"] = "FILE:" + cachefile.name + + # Authenticate in-process to the machine account using the user's + # cached credentials. + + # Retrieve the user account's SID. + ldb_res = self.ldb.search(scope=SCOPE_SUBTREE, + expression="(sAMAccountName=%s)" % user_name, + attrs=["objectSid"]) + self.assertEqual(1, len(ldb_res)) + sid = ndr_unpack(security.dom_sid, ldb_res[0]["objectSid"][0]) + + # Connect to a share and retrieve the user SID. + s3_lp = s3param.get_context() + s3_lp.load(self.lp.configfile) + + min_protocol = s3_lp.get("client min protocol") + self.addCleanup(s3_lp.set, "client min protocol", min_protocol) + s3_lp.set("client min protocol", "NT1") + + max_protocol = s3_lp.get("client max protocol") + self.addCleanup(s3_lp.set, "client max protocol", max_protocol) + s3_lp.set("client max protocol", "NT1") + + conn = libsmb.Conn(mach_name, share, lp=s3_lp, creds=creds) + + (uid, gid, gids, sids, guest) = conn.posix_whoami() + + # Ensure that they match. + self.assertEqual(sid, sids[0]) + + # Remove the cached credentials file. + os.remove(cachefile.name) + + +if __name__ == "__main__": + global_asn1_print = True + global_hexdump = True + import unittest + unittest.main() diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py index eb7c003b48b..e8eda7d6896 100644 --- a/python/samba/tests/usage.py +++ b/python/samba/tests/usage.py @@ -98,6 +98,7 @@ EXCLUDE_USAGE = { 'python/samba/tests/krb5/test_ccache.py', 'python/samba/tests/krb5/test_ldap.py', 'python/samba/tests/krb5/test_rpc.py', + 'python/samba/tests/krb5/test_smb.py', 'python/samba/tests/krb5/ms_kile_client_principal_lookup_tests.py', } diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py index 5acbeda6bbe..f26bdc2bf6f 100755 --- a/source4/selftest/tests.py +++ b/source4/selftest/tests.py @@ -755,6 +755,7 @@ planoldpythontestsuite("fl2008r2dc:local", "samba.tests.krb5.xrealm_tests") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ccache") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_ldap") planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.test_rpc") +planoldpythontestsuite("ad_dc_smb1", "samba.tests.krb5.test_smb") for env in ["ad_dc", smbv1_disabled_testenv]: planoldpythontestsuite(env, "samba.tests.smb", extra_args=['-U"$USERNAME%$PASSWORD"']) -- 2.25.1 From b42676c2d97e77b7ec107a949af52d68fa771ac0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 14:42:10 +1200 Subject: [PATCH 080/380] python: Ensure reference counts are properly incremented Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 290c1dc0975867a71c02e911708323d1f38b6f96) --- lib/talloc/pytalloc.c | 4 ++-- libgpo/pygpo.c | 2 +- source4/auth/gensec/pygensec.c | 4 ++-- source4/librpc/ndr/py_security.c | 2 +- source4/ntvfs/posix/python/pyposix_eadb.c | 2 +- source4/ntvfs/posix/python/pyxattr_native.c | 4 ++-- source4/ntvfs/posix/python/pyxattr_tdb.c | 2 +- 7 files changed, 10 insertions(+), 10 deletions(-) diff --git a/lib/talloc/pytalloc.c b/lib/talloc/pytalloc.c index 12c7325fcac..700e0f7f2af 100644 --- a/lib/talloc/pytalloc.c +++ b/lib/talloc/pytalloc.c @@ -37,7 +37,7 @@ static PyObject *pytalloc_report_full(PyObject *self, PyObject *args) } else { talloc_report_full(pytalloc_get_mem_ctx(py_obj), stdout); } - return Py_None; + Py_RETURN_NONE; } /* enable null tracking */ @@ -45,7 +45,7 @@ static PyObject *pytalloc_enable_null_tracking(PyObject *self, PyObject *Py_UNUSED(ignored)) { talloc_enable_null_tracking(); - return Py_None; + Py_RETURN_NONE; } /* return the number of talloc blocks */ diff --git a/libgpo/pygpo.c b/libgpo/pygpo.c index 97bbb3ec528..ddfb5c76ef9 100644 --- a/libgpo/pygpo.c +++ b/libgpo/pygpo.c @@ -41,7 +41,7 @@ static PyObject* GPO_get_##ATTR(PyObject *self, void *closure) \ if (gpo_ptr->ATTR) \ return PyUnicode_FromString(gpo_ptr->ATTR); \ else \ - return Py_None; \ + Py_RETURN_NONE; \ } GPO_getter(ds_path) GPO_getter(file_sys_path) diff --git a/source4/auth/gensec/pygensec.c b/source4/auth/gensec/pygensec.c index 35b3307ab8f..35095344168 100644 --- a/source4/auth/gensec/pygensec.c +++ b/source4/auth/gensec/pygensec.c @@ -426,9 +426,9 @@ static PyObject *py_gensec_have_feature(PyObject *self, PyObject *args) return NULL; if (gensec_have_feature(security, feature)) { - return Py_True; + Py_RETURN_TRUE; } - return Py_False; + Py_RETURN_FALSE; } static PyObject *py_gensec_set_max_update_size(PyObject *self, PyObject *args) diff --git a/source4/librpc/ndr/py_security.c b/source4/librpc/ndr/py_security.c index 0b8a1c66b7a..fc0aea99c3b 100644 --- a/source4/librpc/ndr/py_security.c +++ b/source4/librpc/ndr/py_security.c @@ -342,7 +342,7 @@ static PyObject *py_descriptor_richcmp( break; } - return Py_NotImplemented; + Py_RETURN_NOTIMPLEMENTED; } static void py_descriptor_patch(PyTypeObject *type) diff --git a/source4/ntvfs/posix/python/pyposix_eadb.c b/source4/ntvfs/posix/python/pyposix_eadb.c index ef4db0e867a..14979b95a58 100644 --- a/source4/ntvfs/posix/python/pyposix_eadb.c +++ b/source4/ntvfs/posix/python/pyposix_eadb.c @@ -32,7 +32,7 @@ static PyObject *py_is_xattr_supported(PyObject *self, PyObject *Py_UNUSED(ignored)) { - return Py_True; + Py_RETURN_TRUE; } static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args) diff --git a/source4/ntvfs/posix/python/pyxattr_native.c b/source4/ntvfs/posix/python/pyxattr_native.c index 7d5bee0c37c..c479be66a65 100644 --- a/source4/ntvfs/posix/python/pyxattr_native.c +++ b/source4/ntvfs/posix/python/pyxattr_native.c @@ -29,9 +29,9 @@ static PyObject *py_is_xattr_supported(PyObject *self, PyObject *Py_UNUSED(ignored)) { #if !defined(HAVE_XATTR_SUPPORT) - return Py_False; + Py_RETURN_FALSE; #else - return Py_True; + Py_RETURN_TRUE; #endif } diff --git a/source4/ntvfs/posix/python/pyxattr_tdb.c b/source4/ntvfs/posix/python/pyxattr_tdb.c index 397cae77bc9..133c7089d5f 100644 --- a/source4/ntvfs/posix/python/pyxattr_tdb.c +++ b/source4/ntvfs/posix/python/pyxattr_tdb.c @@ -36,7 +36,7 @@ static PyObject *py_is_xattr_supported(PyObject *self, PyObject *Py_UNUSED(ignored)) { - return Py_True; + Py_RETURN_TRUE; } static PyObject *py_wrap_setxattr(PyObject *self, PyObject *args) -- 2.25.1 From 683872460d45cd18327e40d475f4245cd7b6f3d8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 3 May 2021 14:43:04 +1200 Subject: [PATCH 081/380] python: Fix erroneous increments of reference counts Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 66695f0f94775c4db24fb625fe78ff44d964b5ad) --- source3/passdb/py_passdb.c | 4 ---- 1 file changed, 4 deletions(-) diff --git a/source3/passdb/py_passdb.c b/source3/passdb/py_passdb.c index f7e80c47397..c323adf2969 100644 --- a/source3/passdb/py_passdb.c +++ b/source3/passdb/py_passdb.c @@ -2075,8 +2075,6 @@ static PyObject *py_pdb_enum_group_mapping(PyObject *self, PyObject *args) PyObject *py_gmap_list, *py_group_map; int i; - Py_INCREF(Py_None); - if (!PyArg_ParseTuple(args, "|O!ii:enum_group_mapping", dom_sid_Type, &py_domain_sid, &lsa_sidtype_value, &unix_only)) { talloc_free(frame); @@ -2816,8 +2814,6 @@ static PyObject *py_pdb_search_aliases(PyObject *self, PyObject *args) PyObject *py_domain_sid = Py_None; struct dom_sid *domain_sid = NULL; - Py_INCREF(Py_None); - if (!PyArg_ParseTuple(args, "|O!:search_aliases", dom_sid_Type, &py_domain_sid)) { talloc_free(frame); return NULL; -- 2.25.1 From c10f2a41b0d6b22d39af2095b9881ea97b18f8dd Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 10 May 2021 16:43:03 +1200 Subject: [PATCH 082/380] python: Fix ticket timestamp conversion when local timezone is not UTC Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b9006f33343ba8bb82ef8ffe1fd90c780961b41e) --- python/samba/tests/krb5/kdc_base_test.py | 23 +++++++++++++++++++---- 1 file changed, 19 insertions(+), 4 deletions(-) diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py index d8193ae9cdc..e345f739e1c 100644 --- a/python/samba/tests/krb5/kdc_base_test.py +++ b/python/samba/tests/krb5/kdc_base_test.py @@ -18,7 +18,7 @@ import sys import os -from datetime import datetime +from datetime import datetime, timezone import tempfile sys.path.insert(0, "bin/python") @@ -519,11 +519,26 @@ class KDCBaseTest(RawKerberosTest): cred.server = sprincipal cred.keyblock = keyblock cred.authtime = int(datetime.strptime(authtime.decode(), - "%Y%m%d%H%M%SZ").timestamp()) + "%Y%m%d%H%M%SZ") + .replace(tzinfo=timezone.utc).timestamp()) cred.starttime = int(datetime.strptime(starttime.decode(), - "%Y%m%d%H%M%SZ").timestamp()) + "%Y%m%d%H%M%SZ") + .replace(tzinfo=timezone.utc).timestamp()) cred.endtime = int(datetime.strptime(endtime.decode(), - "%Y%m%d%H%M%SZ").timestamp()) + "%Y%m%d%H%M%SZ") + .replace(tzinfo=timezone.utc).timestamp()) + + # Account for clock skew of up to five minutes. + self.assertLess(cred.authtime - 5*60, + datetime.now(timezone.utc).timestamp(), + "Ticket not yet valid - clocks may be out of sync.") + self.assertLess(cred.starttime - 5*60, + datetime.now(timezone.utc).timestamp(), + "Ticket not yet valid - clocks may be out of sync.") + self.assertGreater(cred.endtime - 60*60, + datetime.now(timezone.utc).timestamp(), + "Ticket already expired/about to expire - clocks may be out of sync.") + cred.renew_till = cred.endtime cred.is_skey = 0 cred.ticket_flags = int(enc_part['flags'], 2) -- 2.25.1 From 391b4538fa0c2064a32f3f4dba61b4b8fc419bf3 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Mon, 10 May 2021 15:06:06 +1200 Subject: [PATCH 083/380] python: Make credentials cache test run against Windows Windows, unlike Samba, requires the service principal name to be set when requesting a ticket to that service. Additionally, default_realm from the libdefaults section of krb5.conf should be set so that the correct realm is used. Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett Reviewed-by: Douglas Bagnall BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 Autobuild-User(master): Jeremy Allison Autobuild-Date(master): Wed May 19 02:22:01 UTC 2021 on sn-devel-184 (cherry picked from commit 7791acb074b84ec7b571a81f15b56d33e2214ce9) --- python/samba/tests/krb5/test_ccache.py | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py index e0998a4c43f..32c9e3cce6b 100755 --- a/python/samba/tests/krb5/test_ccache.py +++ b/python/samba/tests/krb5/test_ccache.py @@ -47,13 +47,16 @@ class CcacheTests(KDCBaseTest): user_name = "ccacheusr" mach_name = "ccachemac" + service = "host" # Create the user account. (user_credentials, _) = self.create_account(user_name) # Create the machine account. (mach_credentials, _) = self.create_account(mach_name, - machine_account=True) + machine_account=True, + spn="%s/%s" % (service, + mach_name)) # Talk to the KDC to obtain the service ticket, which gets placed into # the cache. The machine account name has to match the name in the -- 2.25.1 From b3fe7ab0c493db72c38318d828e067045232abd9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 21:04:44 +0200 Subject: [PATCH 084/380] auth/credentials: allow credentials.Credentials to act as base class In tests it's useful to add more details. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 1f413b2b2977687884781ca2399dadf6611ab461) --- auth/credentials/pycredentials.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auth/credentials/pycredentials.c b/auth/credentials/pycredentials.c index 314f0eba894..ad39fe13925 100644 --- a/auth/credentials/pycredentials.c +++ b/auth/credentials/pycredentials.c @@ -1221,7 +1221,7 @@ static struct PyModuleDef moduledef = { PyTypeObject PyCredentials = { .tp_name = "credentials.Credentials", .tp_new = py_creds_new, - .tp_flags = Py_TPFLAGS_DEFAULT, + .tp_flags = Py_TPFLAGS_DEFAULT | Py_TPFLAGS_BASETYPE, .tp_methods = py_creds_methods, }; -- 2.25.1 From 9ccd5f89d624a4a7dacac79e5b42f8afb851b6f6 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 16:50:55 +0200 Subject: [PATCH 085/380] Rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} This is a clearer name for the script Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit fef08add9ec324fb0c3902e96c2a91c07646d499) --- .../samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename python/samba/tests/krb5/{rfc4120_pyasn1_regen.sh => pyasn1_regen.sh} (100%) diff --git a/python/samba/tests/krb5/rfc4120_pyasn1_regen.sh b/python/samba/tests/krb5/pyasn1_regen.sh similarity index 100% rename from python/samba/tests/krb5/rfc4120_pyasn1_regen.sh rename to python/samba/tests/krb5/pyasn1_regen.sh -- 2.25.1 From f0a34678d518b488b9f21c9c5d11265a31b737a4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 11:10:11 +0200 Subject: [PATCH 086/380] tests/krb5/rfc4120.asn1: Improve definitions to allow expanded testing Update and re-generate the ASN.1 to allow an improved testsuite. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit d4492a8aaaf70cbe81af7e6703b4ea9fc1f24162) --- python/samba/tests/krb5/rfc4120.asn1 | 70 ++++++++++- python/samba/tests/krb5/rfc4120_pyasn1.py | 134 +++++++++++++++++++++- 2 files changed, 199 insertions(+), 5 deletions(-) diff --git a/python/samba/tests/krb5/rfc4120.asn1 b/python/samba/tests/krb5/rfc4120.asn1 index 654f9788ca7..d81d06ad6f7 100644 --- a/python/samba/tests/krb5/rfc4120.asn1 +++ b/python/samba/tests/krb5/rfc4120.asn1 @@ -386,14 +386,14 @@ PA-ENC-TS-ENC ::= SEQUENCE { } ETYPE-INFO-ENTRY ::= SEQUENCE { - etype [0] Int32, + etype [0] EncryptionType, --Int32 EncryptionType -- salt [1] OCTET STRING OPTIONAL } ETYPE-INFO ::= SEQUENCE OF ETYPE-INFO-ENTRY ETYPE-INFO2-ENTRY ::= SEQUENCE { - etype [0] Int32, + etype [0] EncryptionType, --Int32 EncryptionType -- salt [1] KerberosString OPTIONAL, s2kparams [2] OCTET STRING OPTIONAL } @@ -425,9 +425,48 @@ PA-S4U2Self ::= SEQUENCE { auth [3] KerberosString } +-- +-- +-- MS-KILE Start + +KERB-ERROR-DATA ::= SEQUENCE { + data-type [1] KerbErrorDataType, + data-value [2] OCTET STRING OPTIONAL +} + +KerbErrorDataType ::= INTEGER + +KERB-PA-PAC-REQUEST ::= SEQUENCE { + include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. + --If FALSE, and PAC present, remove PAC +} + +KERB-LOCAL ::= OCTET STRING -- Implementation-specific data which MUST be + -- ignored if Kerberos client is not local. + +KERB-AD-RESTRICTION-ENTRY ::= SEQUENCE { + restriction-type [0] Int32, + restriction [1] OCTET STRING -- LSAP_TOKEN_INFO_INTEGRITY structure +} + +PA-SUPPORTED-ENCTYPES ::= Int32 -- Supported Encryption Types Bit Field -- +PACOptionFlags ::= KerberosFlags -- Claims (0) + -- Branch Aware (1) + -- Forward to Full DC (2) + -- Resource Based Constrained Delegation (3) +PA-PAC-OPTIONS ::= SEQUENCE { + options [0] PACOptionFlags +} +-- Note: KerberosFlags ::= BIT STRING (SIZE (32..MAX)) +-- minimum number of bits shall be sent, but no fewer than 32 +KERB-KEY-LIST-REQ ::= SEQUENCE OF EncryptionType -- Int32 encryption type -- +KERB-KEY-LIST-REP ::= SEQUENCE OF EncryptionKey +-- MS-KILE End +-- +-- -- -- @@ -504,6 +543,15 @@ KDCOptionsSequence ::= SEQUENCE { dummy [0] KDCOptionsValues } +APOptionsValues ::= BIT STRING { -- KerberosFlags + reserved(0), + use-session-key(1), + mutual-required(2) +} +APOptionsSequence ::= SEQUENCE { + dummy [0] APOptionsValues +} + MessageTypeValues ::= INTEGER { krb-as-req(10), -- Request for initial authentication krb-as-rep(11), -- Response to KRB_AS_REQ request @@ -669,4 +717,22 @@ EncryptionTypeSequence ::= SEQUENCE { dummy [0] EncryptionTypeValues } +KerbErrorDataTypeValues ::= INTEGER { + kERB-AP-ERR-TYPE-SKEW-RECOVERY(2), + kERB-ERR-TYPE-EXTENDED(3) +} +KerbErrorDataTypeSequence ::= SEQUENCE { + dummy [0] KerbErrorDataTypeValues +} + +PACOptionFlagsValues ::= BIT STRING { -- KerberosFlags + claims(0), + branch-aware(1), + forward-to-full-dc(2), + resource-based-constrained-delegation(3) +} +PACOptionFlagsSequence ::= SEQUENCE { + dummy [0] PACOptionFlagsValues +} + END diff --git a/python/samba/tests/krb5/rfc4120_pyasn1.py b/python/samba/tests/krb5/rfc4120_pyasn1.py index 1d89f94adf1..56fe02a68f0 100644 --- a/python/samba/tests/krb5/rfc4120_pyasn1.py +++ b/python/samba/tests/krb5/rfc4120_pyasn1.py @@ -1,5 +1,5 @@ # Auto-generated by asn1ate v.0.6.1.dev0 from rfc4120.asn1 -# (last modified on 2020-11-06 11:30:42.476808) +# (last modified on 2021-06-16 08:54:13.969508) # KerberosV5Spec2 from pyasn1.type import univ, char, namedtype, namedval, tag, constraint, useful @@ -175,6 +175,26 @@ AP_REQ.componentType = namedtype.NamedTypes( ) +class APOptionsValues(univ.BitString): + pass + + +APOptionsValues.namedValues = namedval.NamedValues( + ('reserved', 0), + ('use-session-key', 1), + ('mutual-required', 2) +) + + +class APOptionsSequence(univ.Sequence): + pass + + +APOptionsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', APOptionsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class PADataType(Int32): pass @@ -384,7 +404,7 @@ class ETYPE_INFO_ENTRY(univ.Sequence): ETYPE_INFO_ENTRY.componentType = namedtype.NamedTypes( - namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.OptionalNamedType('salt', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) ) @@ -401,7 +421,7 @@ class ETYPE_INFO2_ENTRY(univ.Sequence): ETYPE_INFO2_ENTRY.componentType = namedtype.NamedTypes( - namedtype.NamedType('etype', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('etype', EncryptionType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), namedtype.OptionalNamedType('salt', KerberosString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), namedtype.OptionalNamedType('s2kparams', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) ) @@ -636,6 +656,57 @@ KDCOptionsSequence.componentType = namedtype.NamedTypes( ) +class KERB_AD_RESTRICTION_ENTRY(univ.Sequence): + pass + + +KERB_AD_RESTRICTION_ENTRY.componentType = namedtype.NamedTypes( + namedtype.NamedType('restriction-type', Int32().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))), + namedtype.NamedType('restriction', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))) +) + + +class KerbErrorDataType(univ.Integer): + pass + + +class KERB_ERROR_DATA(univ.Sequence): + pass + + +KERB_ERROR_DATA.componentType = namedtype.NamedTypes( + namedtype.NamedType('data-type', KerbErrorDataType().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 1))), + namedtype.OptionalNamedType('data-value', univ.OctetString().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 2))) +) + + +class KERB_KEY_LIST_REP(univ.SequenceOf): + pass + + +KERB_KEY_LIST_REP.componentType = EncryptionKey() + + +class KERB_KEY_LIST_REQ(univ.SequenceOf): + pass + + +KERB_KEY_LIST_REQ.componentType = EncryptionType() + + +class KERB_LOCAL(univ.OctetString): + pass + + +class KERB_PA_PAC_REQUEST(univ.Sequence): + pass + + +KERB_PA_PAC_REQUEST.componentType = namedtype.NamedTypes( + namedtype.NamedType('include-pac', univ.Boolean().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class KRB_CRED(univ.Sequence): pass @@ -710,6 +781,25 @@ KRB_SAFE.componentType = namedtype.NamedTypes( ) +class KerbErrorDataTypeValues(univ.Integer): + pass + + +KerbErrorDataTypeValues.namedValues = namedval.NamedValues( + ('kERB-AP-ERR-TYPE-SKEW-RECOVERY', 2), + ('kERB-ERR-TYPE-EXTENDED', 3) +) + + +class KerbErrorDataTypeSequence(univ.Sequence): + pass + + +KerbErrorDataTypeSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', KerbErrorDataTypeValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class MessageTypeValues(univ.Integer): pass @@ -781,6 +871,19 @@ PA_ENC_TS_ENC.componentType = namedtype.NamedTypes( ) +class PACOptionFlags(KerberosFlags): + pass + + +class PA_PAC_OPTIONS(univ.Sequence): + pass + + +PA_PAC_OPTIONS.componentType = namedtype.NamedTypes( + namedtype.NamedType('options', PACOptionFlags().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class PA_S4U2Self(univ.Sequence): pass @@ -793,6 +896,31 @@ PA_S4U2Self.componentType = namedtype.NamedTypes( ) +class PA_SUPPORTED_ENCTYPES(Int32): + pass + + +class PACOptionFlagsValues(univ.BitString): + pass + + +PACOptionFlagsValues.namedValues = namedval.NamedValues( + ('claims', 0), + ('branch-aware', 1), + ('forward-to-full-dc', 2), + ('resource-based-constrained-delegation', 3) +) + + +class PACOptionFlagsSequence(univ.Sequence): + pass + + +PACOptionFlagsSequence.componentType = namedtype.NamedTypes( + namedtype.NamedType('dummy', PACOptionFlagsValues().subtype(explicitTag=tag.Tag(tag.tagClassContext, tag.tagFormatSimple, 0))) +) + + class PADataTypeValues(univ.Integer): pass -- 2.25.1 From 1bc06fdf8758e3a70d70cdd2048550eea2a0deae Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 10:55:28 +0200 Subject: [PATCH 087/380] tests/krb5/raw_testcase.py: Add get_{client,server,krbtgt}_creds() These helpful functions allow us to build the various credentials that we will use in validating the KDC responses in this test. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit c3222870b92db7f867557c2896b7bf39915d469a) --- python/samba/tests/krb5/raw_testcase.py | 199 +++++++++++++++++++++--- python/samba/tests/krb5/simple_tests.py | 6 +- 2 files changed, 183 insertions(+), 22 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 27ab89ecf99..b28939f0388 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -22,10 +22,12 @@ import struct import time import datetime import random +import binascii import samba.tests from samba.credentials import Credentials from samba.tests import TestCaseInTempDir +from samba.dcerpc import security import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 import samba.tests.krb5.kcrypto as kcrypto @@ -177,6 +179,81 @@ class Krb5EncryptionKey(object): } return EncryptionKey_obj +class KerberosCredentials(Credentials): + def __init__(self): + super(KerberosCredentials, self).__init__() + all_enc_types = 0 + all_enc_types |= security.KERB_ENCTYPE_RC4_HMAC_MD5 + all_enc_types |= security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 + all_enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 + + self.as_supported_enctypes = all_enc_types + self.tgs_supported_enctypes = all_enc_types + self.ap_supported_enctypes = all_enc_types + + self.kvno = None + self.forced_keys = {} + + self.forced_salt = None + return + + def set_as_supported_enctypes(self, value): + self.as_supported_enctypes = int(value) + return + + def set_tgs_supported_enctypes(self, value): + self.tgs_supported_enctypes = int(value) + return + + def set_ap_supported_enctypes(self, value): + self.ap_supported_enctypes = int(value) + return + + def _get_krb5_etypes(self, supported_enctypes): + etypes = () + + if supported_enctypes & security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96: + etypes += (kcrypto.Enctype.AES256,) + if supported_enctypes & security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96: + etypes += (kcrypto.Enctype.AES128,) + if supported_enctypes & security.KERB_ENCTYPE_RC4_HMAC_MD5: + etypes += (kcrypto.Enctype.RC4,) + + return etypes + + def get_as_krb5_etypes(self): + return self._get_krb5_etypes(self.as_supported_enctypes) + + def get_tgs_krb5_etypes(self): + return self._get_krb5_etypes(self.tgs_supported_enctypes) + + def get_ap_krb5_etypes(self): + return self._get_krb5_etypes(self.ap_supported_enctypes) + + def set_kvno(self, kvno): + self.kvno = kvno + + def get_kvno(self): + return self.kvno + + def set_forced_key(self, etype, hexkey): + etype = int(etype) + contents = binascii.a2b_hex(hexkey) + key = kcrypto.Key(etype, contents) + self.forced_keys[etype] = Krb5EncryptionKey(key, self.kvno) + + def get_forced_key(self, etype): + etype = int(etype) + if etype in self.forced_keys: + return self.forced_keys[etype] + return None + + def set_forced_salt(self, salt): + self.forced_salt = bytes(salt) + return + + def get_forced_salt(self): + return self.forced_salt class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" @@ -229,33 +306,113 @@ class RawKerberosTest(TestCaseInTempDir): sys.stderr.write("connected[%s]\n" % self.host) return - def get_user_creds(self): - c = Credentials() + def _get_krb5_creds(self, prefix, + default_username=None, + allow_missing_password=False, + require_strongest_key=False): + c = KerberosCredentials() c.guess() - domain = samba.tests.env_get_var_value('DOMAIN') - realm = samba.tests.env_get_var_value('REALM') - username = samba.tests.env_get_var_value('USERNAME') - password = samba.tests.env_get_var_value('PASSWORD') - c.set_domain(domain) - c.set_realm(realm) - c.set_username(username) - c.set_password(password) - return c - def get_service_creds(self, allow_missing_password=False): - c = Credentials() - c.guess() - domain = samba.tests.env_get_var_value('DOMAIN') - realm = samba.tests.env_get_var_value('REALM') - username = samba.tests.env_get_var_value('SERVICE_USERNAME') - password = samba.tests.env_get_var_value( - 'SERVICE_PASSWORD', - allow_missing=allow_missing_password) + def env_get_var(varname, prefix, fallback_default=True, allow_missing=False): + val = None + if prefix is not None: + allow_missing_prefix = allow_missing + if fallback_default: + allow_missing_prefix = True + val = samba.tests.env_get_var_value('%s_%s' % (prefix, varname), + allow_missing=allow_missing_prefix) + else: + fallback_default = True + if val is None and fallback_default: + val = samba.tests.env_get_var_value(varname, + allow_missing=allow_missing) + return val + + domain = env_get_var('DOMAIN', prefix) + realm = env_get_var('REALM', prefix) + allow_missing_username = False + if default_username is not None: + allow_missing_username = True + username = env_get_var('USERNAME', prefix, + fallback_default=False, + allow_missing=allow_missing_username) + if username is None: + username = default_username + password = env_get_var('PASSWORD', prefix, + fallback_default=False, + allow_missing=allow_missing_password) c.set_domain(domain) c.set_realm(realm) c.set_username(username) if password is not None: c.set_password(password) + as_supported_enctypes = env_get_var('AS_SUPPORTED_ENCTYPES', + prefix, allow_missing=True) + if as_supported_enctypes is not None: + c.set_as_supported_enctypes(as_supported_enctypes) + tgs_supported_enctypes = env_get_var('TGS_SUPPORTED_ENCTYPES', + prefix, allow_missing=True) + if tgs_supported_enctypes is not None: + c.set_tgs_supported_enctypes(tgs_supported_enctypes) + ap_supported_enctypes = env_get_var('AP_SUPPORTED_ENCTYPES', + prefix, allow_missing=True) + if ap_supported_enctypes is not None: + c.set_ap_supported_enctypes(ap_supported_enctypes) + + if require_strongest_key: + kvno_allow_missing = False + if password is None: + aes256_allow_missing = False + else: + aes256_allow_missing = True + else: + kvno_allow_missing = True + aes256_allow_missing = True + kvno = env_get_var('KVNO', prefix, + fallback_default=False, + allow_missing=kvno_allow_missing) + if kvno is not None: + c.set_kvno(kvno) + aes256_key = env_get_var('AES256_KEY_HEX', prefix, + fallback_default=False, + allow_missing=aes256_allow_missing) + if aes256_key is not None: + c.set_forced_key(kcrypto.Enctype.AES256, aes256_key) + aes128_key = env_get_var('AES128_KEY_HEX', prefix, + fallback_default=False, allow_missing=True) + if aes128_key is not None: + c.set_forced_key(kcrypto.Enctype.AES128, aes128_key) + rc4_key = env_get_var('RC4_KEY_HEX', prefix, + fallback_default=False, allow_missing=True) + if rc4_key is not None: + c.set_forced_key(kcrypto.Enctype.RC4, rc4_key) + return c + + def get_user_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix=None, + allow_missing_password=allow_missing_password) + return c + + def get_service_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix='SERVICE', + allow_missing_password=allow_missing_password) + return c + + def get_client_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix='CLIENT', + allow_missing_password=allow_missing_password) + return c + + def get_server_creds(self, allow_missing_password=False): + c = self._get_krb5_creds(prefix='SERVER', + allow_missing_password=allow_missing_password) + return c + + def get_krbtgt_creds(self, require_strongest_key=False): + c = self._get_krb5_creds(prefix='KRBTGT', + default_username='krbtgt', + allow_missing_password=True, + require_strongest_key=require_strongest_key) return c def get_anon_creds(self): @@ -473,6 +630,8 @@ class RawKerberosTest(TestCaseInTempDir): return Krb5EncryptionKey(key, kvno) def PasswordKey_create(self, etype=None, pwd=None, salt=None, kvno=None): + self.assertIsNotNone(pwd) + self.assertIsNotNone(salt) key = kcrypto.string_to_key(etype, pwd, salt) return Krb5EncryptionKey(key, kvno) diff --git a/python/samba/tests/krb5/simple_tests.py b/python/samba/tests/krb5/simple_tests.py index 889b91a9bf0..2da76a3cf5e 100755 --- a/python/samba/tests/krb5/simple_tests.py +++ b/python/samba/tests/krb5/simple_tests.py @@ -44,10 +44,12 @@ class SimpleKerberosTests(RawKerberosTest): def test_simple(self): user_creds = self.get_user_creds() user = user_creds.get_username() - realm = user_creds.get_realm() + krbtgt_creds = self.get_krbtgt_creds() + krbtgt_account = krbtgt_creds.get_username() + realm = krbtgt_creds.get_realm() cname = self.PrincipalName_create(name_type=1, names=[user]) - sname = self.PrincipalName_create(name_type=2, names=["krbtgt", realm]) + sname = self.PrincipalName_create(name_type=2, names=[krbtgt_account, realm]) till = self.get_KerberosTime(offset=36000) -- 2.25.1 From fdb3ce889cb3aa4a654672f92276b339bbecb899 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 9 Apr 2020 22:28:32 +0200 Subject: [PATCH 088/380] tests/krb5/raw_testcase.py: introduce STRICT_CHECKING=0 in order to relax the checks in future We should write tests as strict as possible in order to let them run against Windows servers. But at the same time we want to allow tests to be useful for Samba too... Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit dff611976d6a067614e37add99edae214815a68b) --- python/samba/tests/krb5/raw_testcase.py | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index b28939f0388..333aab70c8e 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -263,6 +263,11 @@ class RawKerberosTest(TestCaseInTempDir): self.do_asn1_print = False self.do_hexdump = False + strict_checking = samba.tests.env_get_var_value('STRICT_CHECKING', allow_missing=True) + if strict_checking is None: + strict_checking = '1' + self.strict_checking = bool(int(strict_checking)) + self.host = samba.tests.env_get_var_value('SERVER') self.s = None -- 2.25.1 From 8b374617205234af3f72dd4c864848d1a96533a2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 13:49:52 +0200 Subject: [PATCH 089/380] tests/krb5/raw_testcase.py: add assertElement*() These helper functions make writing subsequent Kerberos test clearer. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 61e1b179812e48797146584998afc5bd0168beae) --- python/samba/tests/krb5/raw_testcase.py | 54 +++++++++++++++++++++++++ 1 file changed, 54 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 333aab70c8e..eb294a75a95 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -605,6 +605,36 @@ class RawKerberosTest(TestCaseInTempDir): self.assertIsNotNone(value) return + def getElementValue(self, obj, elem): + v = None + try: + v = obj[elem] + except KeyError: + pass + return v + + def assertElementMissing(self, obj, elem): + v = self.getElementValue(obj, elem) + self.assertIsNone(v) + return + + def assertElementPresent(self, obj, elem): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + return + + def assertElementEqual(self, obj, elem, value): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + self.assertEqual(v, value) + return + + def assertElementEqualUTF8(self, obj, elem, value): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + self.assertEqual(v, bytes(value, 'utf8')) + return + def assertPrincipalEqual(self, princ1, princ2): self.assertEqual(princ1['name-type'], princ2['name-type']) self.assertEqual( @@ -618,6 +648,30 @@ class RawKerberosTest(TestCaseInTempDir): msg="princ1=%s != princ2=%s" % (princ1, princ2)) return + def assertElementEqualPrincipal(self, obj, elem, value): + v = self.getElementValue(obj, elem) + self.assertIsNotNone(v) + v = pyasn1_native_decode(v, asn1Spec=krb5_asn1.PrincipalName()) + self.assertPrincipalEqual(v, value) + return + + def assertElementKVNO(self, obj, elem, value): + v = self.getElementValue(obj, elem) + if value == "autodetect": + value = v + if value is not None: + self.assertIsNotNone(v) + # The value on the wire should never be 0 + self.assertNotEqual(v, 0) + # value == 0 means we don't know the kvno + # but enforce at any value != 0 is present + value = int(value) + if value != 0: + self.assertEqual(v, value) + else: + self.assertIsNone(v) + return + def get_KerberosTimeWithUsec(self, epoch=None, offset=None): if epoch is None: epoch = time.time() -- 2.25.1 From c73566933c23b1ce7ff57c1d5678b7a1155bd4b4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 17:50:00 +0200 Subject: [PATCH 090/380] tests/krb5/raw_testcase.py: Allow prettyPrint of more RFC-defined values By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint we allow the BitString_NamedValues_prettyPrint() routine to show more named values. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 34e079ce9a232a765fb3a2b25441434df35df54c) --- python/samba/tests/krb5/raw_testcase.py | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index eb294a75a95..29745fa4089 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -111,6 +111,12 @@ krb5_asn1.KDCOptions.namedValues =\ krb5_asn1.KDCOptionsValues.namedValues krb5_asn1.KDCOptions.prettyPrint =\ BitString_NamedValues_prettyPrint +krb5_asn1.APOptions.prettyPrintNamedValues =\ + krb5_asn1.APOptionsValues.namedValues +krb5_asn1.APOptions.namedValues =\ + krb5_asn1.APOptionsValues.namedValues +krb5_asn1.APOptions.prettyPrint =\ + BitString_NamedValues_prettyPrint def Integer_NamedValues_prettyPrint(self, scope=0): -- 2.25.1 From 026f7a75b40b469a9990281e61813e6a37346cc5 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 15 Apr 2020 17:57:37 +0200 Subject: [PATCH 091/380] tests/krb5/raw_testcase.py: Allow prettyPrint of more MS-KILE-defined values By setting krb5_asn1.APOptions.prettyPrint = BitString_NamedValues_prettyPrint we allow the BitString_NamedValues_prettyPrint() routine to show more named values. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 3abb3b41368666535a216a98c3e7d15a5d498f7e) --- python/samba/tests/krb5/raw_testcase.py | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 29745fa4089..1ef15db9f8c 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -117,6 +117,12 @@ krb5_asn1.APOptions.namedValues =\ krb5_asn1.APOptionsValues.namedValues krb5_asn1.APOptions.prettyPrint =\ BitString_NamedValues_prettyPrint +krb5_asn1.PACOptionFlags.prettyPrintNamedValues =\ + krb5_asn1.PACOptionFlagsValues.namedValues +krb5_asn1.PACOptionFlags.namedValues =\ + krb5_asn1.PACOptionFlagsValues.namedValues +krb5_asn1.PACOptionFlags.prettyPrint =\ + BitString_NamedValues_prettyPrint def Integer_NamedValues_prettyPrint(self, scope=0): @@ -149,6 +155,10 @@ krb5_asn1.ChecksumType.prettyPrintNamedValues =\ krb5_asn1.ChecksumTypeValues.namedValues krb5_asn1.ChecksumType.prettyPrint =\ Integer_NamedValues_prettyPrint +krb5_asn1.KerbErrorDataType.prettyPrintNamedValues =\ + krb5_asn1.KerbErrorDataTypeValues.namedValues +krb5_asn1.KerbErrorDataType.prettyPrint =\ + Integer_NamedValues_prettyPrint class Krb5EncryptionKey(object): -- 2.25.1 From f3c559f4d276a1e56a70aae8ee8f146c52172ff2 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Apr 2020 14:45:01 +0200 Subject: [PATCH 092/380] tests/krb5/raw_testcase.py: split KDC_REQ_BODY_create() from KDC_REQ_create() This allows us to reuse body in future and calculate checksums on it. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit b03fcfeb6c005936818ce50d511e9f9cc75aa9fb) --- python/samba/tests/krb5/raw_testcase.py | 81 +++++++------------------ 1 file changed, 23 insertions(+), 58 deletions(-) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 1ef15db9f8c..71a4753717f 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -872,19 +872,7 @@ class RawKerberosTest(TestCaseInTempDir): def KDC_REQ_create(self, msg_type, padata, - kdc_options, - cname, - realm, - sname, - from_time, - till_time, - renew_time, - nonce, - etypes, - addresses, - EncAuthorizationData, - EncAuthorizationData_key, - additional_tickets, + req_body, asn1Spec=None, asn1_print=None, hexdump=None): @@ -897,25 +885,10 @@ class RawKerberosTest(TestCaseInTempDir): # req-body [4] KDC-REQ-BODY # } # - KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create(kdc_options, - cname, - realm, - sname, - from_time, - till_time, - renew_time, - nonce, - etypes, - addresses, - EncAuthorizationData, - EncAuthorizationData_key, - additional_tickets, - asn1_print=asn1_print, - hexdump=hexdump) KDC_REQ_obj = { 'pvno': 5, 'msg-type': msg_type, - 'req-body': KDC_REQ_BODY_obj, + 'req-body': req_body, } if padata is not None: KDC_REQ_obj['padata'] = padata @@ -974,22 +947,26 @@ class RawKerberosTest(TestCaseInTempDir): # additional-tickets [11] SEQUENCE OF Ticket OPTIONAL # -- NOTE: not empty # } + KDC_REQ_BODY_obj = self.KDC_REQ_BODY_create( + kdc_options, + cname, + realm, + sname, + from_time, + till_time, + renew_time, + nonce, + etypes, + addresses, + EncAuthorizationData, + EncAuthorizationData_key, + additional_tickets, + asn1_print=asn1_print, + hexdump=hexdump) obj, decoded = self.KDC_REQ_create( msg_type=10, padata=padata, - kdc_options=kdc_options, - cname=cname, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, + req_body=KDC_REQ_BODY_obj, asn1Spec=krb5_asn1.AS_REQ(), asn1_print=asn1_print, hexdump=hexdump) @@ -1115,11 +1092,11 @@ class RawKerberosTest(TestCaseInTempDir): EncAuthorizationData=EncAuthorizationData, EncAuthorizationData_key=EncAuthorizationData_key, additional_tickets=additional_tickets) - req_body = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), - asn1_print=asn1_print, hexdump=hexdump) + req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY(), + asn1_print=asn1_print, hexdump=hexdump) req_body_checksum = self.Checksum_create( - ticket_session_key, 6, req_body, ctype=body_checksum_type) + ticket_session_key, 6, req_body_blob, ctype=body_checksum_type) subkey_obj = None if authenticator_subkey is not None: @@ -1158,19 +1135,7 @@ class RawKerberosTest(TestCaseInTempDir): obj, decoded = self.KDC_REQ_create( msg_type=12, padata=padata, - kdc_options=kdc_options, - cname=None, - realm=realm, - sname=sname, - from_time=from_time, - till_time=till_time, - renew_time=renew_time, - nonce=nonce, - etypes=etypes, - addresses=addresses, - EncAuthorizationData=EncAuthorizationData, - EncAuthorizationData_key=EncAuthorizationData_key, - additional_tickets=additional_tickets, + req_body=req_body, asn1Spec=krb5_asn1.TGS_REQ(), asn1_print=asn1_print, hexdump=hexdump) -- 2.25.1 From 351483fc139e648bbc7cab25d1584c1cf377e087 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 16 Apr 2020 10:43:54 +0200 Subject: [PATCH 093/380] tests/krb5/raw_testcase.py: add KERB_PA_PAC_REQUEST_create() This allows building the pre-authentication data that encodes the request for the KDC (or more likely a request not to include) the KRB5 PAC in the resulting ticket. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit ee2ac2b8ccafe3e6d560d893a4135a28e393914d) --- python/samba/tests/krb5/raw_testcase.py | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 71a4753717f..f341911ef53 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -799,6 +799,21 @@ class RawKerberosTest(TestCaseInTempDir): } return PA_ENC_TS_ENC_obj + def KERB_PA_PAC_REQUEST_create(self, include_pac, pa_data_create=True): + #KERB-PA-PAC-REQUEST ::= SEQUENCE { + # include-pac[0] BOOLEAN --If TRUE, and no pac present, include PAC. + # --If FALSE, and PAC present, remove PAC + #} + KERB_PA_PAC_REQUEST_obj = { + 'include-pac': include_pac, + } + if not pa_data_create: + return KERB_PA_PAC_REQUEST_obj + pa_pac = self.der_encode(KERB_PA_PAC_REQUEST_obj, + asn1Spec=krb5_asn1.KERB_PA_PAC_REQUEST()) + pa_data = self.PA_DATA_create(128, pa_pac) # PA-PAC-REQUEST + return pa_data + def KDC_REQ_BODY_create(self, kdc_options, cname, -- 2.25.1 From d1fb21b58e7be6f7b60f1be702c968ab9961a916 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 20 Apr 2020 20:02:52 +0200 Subject: [PATCH 094/380] tests/krb5/raw_testcase.py: add methods to iterate over etype permutations It's often useful to run tests over a lot of input parameter permutations. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit e3905035847a5268c1a65366830cc739280ae437) --- python/samba/tests/krb5/raw_testcase.py | 58 +++++++++++++++++++++++++ 1 file changed, 58 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index f341911ef53..a002a442d03 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -23,6 +23,7 @@ import time import datetime import random import binascii +import itertools import samba.tests from samba.credentials import Credentials @@ -274,6 +275,63 @@ class KerberosCredentials(Credentials): class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" + etypes_to_test = ( + { "value": -1111, "name": "dummy", }, + { "value": kcrypto.Enctype.AES256, "name": "aes128", }, + { "value": kcrypto.Enctype.AES128, "name": "aes256", }, + { "value": kcrypto.Enctype.RC4, "name": "rc4", }, + ) + + setup_etype_test_permutations_done = False + + @classmethod + def setup_etype_test_permutations(cls): + if cls.setup_etype_test_permutations_done: + return + + res = [] + + num_idxs = len(cls.etypes_to_test) + permutations = [] + for num in range(1, num_idxs+1): + chunk = list(itertools.permutations(range(num_idxs), num)) + for e in chunk: + el = list(e) + permutations.append(el) + + for p in permutations: + name = None + etypes = () + for idx in p: + n = cls.etypes_to_test[idx]["name"] + if name is None: + name = n + else: + name += "_%s" % n + etypes += (cls.etypes_to_test[idx]["value"],) + + r = { "name": name, "etypes": etypes, } + res.append(r) + + cls.etype_test_permutations = res + cls.setup_etype_test_permutations_done = True + return + + @classmethod + def etype_test_permutation_name_idx(cls): + cls.setup_etype_test_permutations() + res = [] + idx = 0 + for e in cls.etype_test_permutations: + r = (e['name'], idx) + idx += 1 + res.append(r) + return res + + def etype_test_permutation_by_idx(self, idx): + e = self.etype_test_permutations[idx] + return (e['name'], e['etypes']) + def setUp(self): super().setUp() self.do_asn1_print = False -- 2.25.1 From f59be60ee4ef250e98398907a596506e21439f61 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 16 Apr 2020 17:13:35 +0200 Subject: [PATCH 095/380] tests/krb5/raw_testcase.py: Add TicketDecryptionKey_from_creds() This will allow building test_as_req_enc_timestamp() It also introduces ways to specify keys in hex formated environment variables ${PREFIX}_{AES256,AES128,RC4}_KEY_HEX. Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 69ce2a6408f78d41eb865b89726021ad7643b065) --- python/samba/tests/krb5/raw_testcase.py | 29 +++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index a002a442d03..7d0dc9c9609 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -784,6 +784,35 @@ class RawKerberosTest(TestCaseInTempDir): return self.PasswordKey_create( etype=e, pwd=password, salt=salt, kvno=kvno) + def TicketDecryptionKey_from_creds(self, creds, etype=None): + + if etype is None: + etypes = creds.get_tgs_krb5_etypes() + etype = etypes[0] + + forced_key = creds.get_forced_key(etype) + if forced_key is not None: + return forced_key + + kvno = creds.get_kvno() + + fail_msg = ("%s has no fixed key for etype[%s] kvno[%s] " + "nor a password specified, " % ( + creds.get_username(), etype, kvno)) + + if etype == kcrypto.Enctype.RC4: + nthash = creds.get_nt_hash() + self.assertIsNotNone(nthash, msg=fail_msg) + return self.SessionKey_create(etype=etype, contents=nthash, kvno=kvno) + + password = creds.get_password() + self.assertIsNotNone(password, msg=fail_msg) + salt = creds.get_forced_salt() + if salt is None: + salt = bytes("%s%s" % (creds.get_realm(), creds.get_username()), + encoding='utf-8') + return self.PasswordKey_create(etype=etype, pwd=password, salt=salt, kvno=kvno) + def RandomKey(self, etype): e = kcrypto._get_enctype_profile(etype) contents = samba.generate_random_bytes(e.keysize) -- 2.25.1 From d11a7b65038870d0d38129f6601a0fc3ae303f6f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Apr 2020 11:07:45 +0200 Subject: [PATCH 096/380] tests/krb5/raw_testcase.py: introduce a _generic_kdc_exchange() infrastructure This will allow us to write tests, which will all cross check almost every aspect of the KDC response (including encrypted parts). Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett BUG: https://bugzilla.samba.org/show_bug.cgi?id=14817 (cherry picked from commit 6e2f2adc8e825634780077e24a9e437bdc68155a) --- python/samba/tests/krb5/raw_testcase.py | 634 +++++++++++++++++++ python/samba/tests/krb5/rfc4120_constants.py | 11 + 2 files changed, 645 insertions(+) diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py index 7d0dc9c9609..8c8926b0ad2 100644 --- a/python/samba/tests/krb5/raw_testcase.py +++ b/python/samba/tests/krb5/raw_testcase.py @@ -30,6 +30,27 @@ from samba.credentials import Credentials from samba.tests import TestCaseInTempDir from samba.dcerpc import security import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1 +from samba.tests.krb5.rfc4120_constants import ( + KDC_ERR_ETYPE_NOSUPP, + KDC_ERR_PREAUTH_REQUIRED, + KRB_AS_REP, + KRB_AS_REQ, + KRB_ERROR, + KRB_TGS_REP, + KRB_TGS_REQ, + KU_AS_REP_ENC_PART, + KU_TGS_REP_ENC_PART_SESSION, + KU_TGS_REP_ENC_PART_SUB_KEY, + KU_TGS_REQ_AUTH, + KU_TGS_REQ_AUTH_CKSUM, + KU_TICKET, + PADATA_ENC_TIMESTAMP, + PADATA_ETYPE_INFO, + PADATA_ETYPE_INFO2, + PADATA_KDC_REQ, + PADATA_PK_AS_REQ, + PADATA_PK_AS_REP_19 +) import samba.tests.krb5.kcrypto as kcrypto from pyasn1.codec.der.decoder import decode as pyasn1_der_decode @@ -272,6 +293,24 @@ class KerberosCredentials(Credentials): def get_forced_salt(self): return self.forced_salt +class KerberosTicketCreds(object): + def __init__(self, ticket, session_key, + crealm=None, cname=None, + srealm=None, sname=None, + decryption_key=None, + ticket_private=None, + encpart_private=None): + self.ticket = ticket + self.session_key = session_key + self.crealm = crealm + self.cname = cname + self.srealm = srealm + self.sname = sname + self.decryption_key = decryption_key + self.ticket_private = ticket_private + self.encpart_private = encpart_private + return + class RawKerberosTest(TestCaseInTempDir): """A raw Kerberos Test case.""" @@ -758,6 +797,12 @@ class RawKerberosTest(TestCaseInTempDir): (s, _) = self.get_KerberosTimeWithUsec(epoch=epoch, offset=offset) return s + def get_Nonce(self): + nonce_min=0x7f000000 + nonce_max=0x7fffffff + v = random.randint(nonce_min, nonce_max) + return v + def SessionKey_create(self, etype, contents, kvno=None): key = kcrypto.Key(etype, contents) return Krb5EncryptionKey(key, kvno) @@ -1268,3 +1313,592 @@ class RawKerberosTest(TestCaseInTempDir): pa_s4u2self = self.der_encode( PA_S4U2Self_obj, asn1Spec=krb5_asn1.PA_S4U2Self()) return self.PA_DATA_create(129, pa_s4u2self) + + def _generic_kdc_exchange(self, + kdc_exchange_dict, # required + kdc_options=None, # required + cname=None, # optional + realm=None, # required + sname=None, # optional + from_time=None, # optional + till_time=None, # required + renew_time=None, # optional + nonce=None, # required + etypes=None, # required + addresses=None, # optional + EncAuthorizationData=None, # optional + EncAuthorizationData_key=None, # optional + additional_tickets=None): # optional + + check_error_fn = kdc_exchange_dict['check_error_fn'] + check_rep_fn = kdc_exchange_dict['check_rep_fn'] + generate_padata_fn = kdc_exchange_dict['generate_padata_fn'] + callback_dict = kdc_exchange_dict['callback_dict'] + req_msg_type = kdc_exchange_dict['req_msg_type'] + req_asn1Spec = kdc_exchange_dict['req_asn1Spec'] + rep_msg_type = kdc_exchange_dict['rep_msg_type'] + + if till_time is None: + till_time = self.get_KerberosTime(offset=36000) + if nonce is None: + nonce = self.get_Nonce() + + req_body = self.KDC_REQ_BODY_create(kdc_options=kdc_options, + cname=cname, + realm=realm, + sname=sname, + from_time=from_time, + till_time=till_time, + renew_time=renew_time, + nonce=nonce, + etypes=etypes, + addresses=addresses, + EncAuthorizationData=EncAuthorizationData, + EncAuthorizationData_key=EncAuthorizationData_key, + additional_tickets=additional_tickets) + if generate_padata_fn is not None: + # This can alter req_body... + padata, req_body = generate_padata_fn(kdc_exchange_dict, + callback_dict, + req_body) + else: + padata = None + + kdc_exchange_dict['req_padata'] = padata + kdc_exchange_dict['req_body'] = req_body + + req_obj,req_decoded = self.KDC_REQ_create(msg_type=req_msg_type, + padata=padata, + req_body=req_body, + asn1Spec=req_asn1Spec()) + + rep = self.send_recv_transaction(req_decoded) + self.assertIsNotNone(rep) + + msg_type = self.getElementValue(rep, 'msg-type') + self.assertIsNotNone(msg_type) + + allowed_msg_types = () + if check_error_fn is not None: + allowed_msg_types = (KRB_ERROR,) + if check_rep_fn is not None: + allowed_msg_types += (rep_msg_type,) + self.assertIn(msg_type, allowed_msg_types) + + if msg_type == KRB_ERROR: + return check_error_fn(kdc_exchange_dict, + callback_dict, + rep) + + return check_rep_fn(kdc_exchange_dict, callback_dict, rep) + + def as_exchange_dict(self, + expected_crealm=None, + expected_cname=None, + expected_srealm=None, + expected_sname=None, + ticket_decryption_key=None, + generate_padata_fn=None, + check_error_fn=None, + check_rep_fn=None, + check_padata_fn=None, + check_kdc_private_fn=None, + callback_dict=dict(), + expected_error_mode=None, + client_as_etypes=None, + expected_salt=None): + kdc_exchange_dict = { + 'req_msg_type': KRB_AS_REQ, + 'req_asn1Spec': krb5_asn1.AS_REQ, + 'rep_msg_type': KRB_AS_REP, + 'rep_asn1Spec': krb5_asn1.AS_REP, + 'rep_encpart_asn1Spec': krb5_asn1.EncASRepPart, + 'expected_crealm': expected_crealm, + 'expected_cname': expected_cname, + 'expected_srealm': expected_srealm, + 'expected_sname': expected_sname, + 'ticket_decryption_key': ticket_decryption_key, + 'generate_padata_fn': generate_padata_fn, + 'check_error_fn': check_error_fn, + 'check_rep_fn': check_rep_fn, + 'check_padata_fn': check_padata_fn, + 'check_kdc_private_fn': check_kdc_private_fn, + 'callback_dict': callback_dict, + 'expected_error_mode': expected_error_mode, + 'client_as_etypes': client_as_etypes, + 'expected_salt': expected_salt, + } + return kdc_exchange_dict + + def tgs_exchange_dict(self, + expected_crealm=None, + expected_cname=None, + expected_srealm=None, + expected_sname=None, + ticket_decryption_key=None, + generate_padata_fn=None, + check_error_fn=None, + check_rep_fn=None, + check_padata_fn=None, + check_kdc_private_fn=None, + callback_dict=dict(), + tgt=None, + authenticator_subkey=None, + body_checksum_type=None): + kdc_exchange_dict = { + 'req_msg_type': KRB_TGS_REQ, + 'req_asn1Spec': krb5_asn1.TGS_REQ, + 'rep_msg_type': KRB_TGS_REP, + 'rep_asn1Spec': krb5_asn1.TGS_REP, + 'rep_encpart_asn1Spec': krb5_asn1.EncTGSRepPart, + 'expected_crealm': expected_crealm, + 'expected_cname': expected_cname, + 'expected_srealm': expected_srealm, + 'expected_sname': expected_sname, + 'ticket_decryption_key': ticket_decryption_key, + 'generate_padata_fn': generate_padata_fn, + 'check_error_fn': check_error_fn, + 'check_rep_fn': check_rep_fn, + 'check_padata_fn': check_padata_fn, + 'check_kdc_private_fn': check_kdc_private_fn, + 'callback_dict': callback_dict, + 'tgt': tgt, + 'body_checksum_type': body_checksum_type, + 'authenticator_subkey': authenticator_subkey, + } + return kdc_exchange_dict + + def generic_check_kdc_rep(self, + kdc_exchange_dict, + callback_dict, + rep): + + expected_crealm = kdc_exchange_dict['expected_crealm'] + expected_cname = kdc_exchange_dict['expected_cname'] + expected_srealm = kdc_exchange_dict['expected_srealm'] + expected_sname = kdc_exchange_dict['expected_sname'] + ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key'] + check_padata_fn = kdc_exchange_dict['check_padata_fn'] + check_kdc_private_fn = kdc_exchange_dict['check_kdc_private_fn'] + rep_encpart_asn1Spec = kdc_exchange_dict['rep_encpart_asn1Spec'] + msg_type = kdc_exchange_dict['rep_msg_type'] + + self.assertElementEqual(rep, 'msg-type', msg_type) # AS-REP | TGS-REP + padata = self.getElementValue(rep, 'padata') + self.assertElementEqualUTF8(rep, 'crealm', expected_crealm) + self.assertElementEqualPrincipal(rep, 'cname', expected_cname) + self.assertElementPresent(rep, 'ticket') + ticket = self.getElementValue(rep, 'ticket') + ticket_encpart = None + ticket_cipher = None + if ticket is not None: # Never None, but gives indentation + self.assertElementPresent(ticket, 'tkt-vno') + self.assertElementEqualUTF8(ticket, 'realm', expected_srealm) + self.assertElementEqualPrincipal(ticket, 'sname', expected_sname) + self.assertElementPresent(ticket, 'enc-part') + ticket_encpart = self.getElementValue(ticket, 'enc-part') + if ticket_encpart is not None: # Never None, but gives indentation + self.assertElementPresent(ticket_encpart, 'etype') + # 0 means present, with any value != 0 + self.assertElementKVNO(ticket_encpart, 'kvno', 0) + self.assertElementPresent(ticket_encpart, 'cipher') + ticket_cipher = self.getElementValue(ticket_encpart, 'cipher') + self.assertElementPresent(rep, 'enc-part') + encpart = self.getElementValue(rep, 'enc-part') + encpart_cipher = None + if encpart is not None: # Never None, but gives indentation + self.assertElementPresent(encpart, 'etype') + self.assertElementKVNO(ticket_encpart, 'kvno', 'autodetect') + self.assertElementPresent(encpart, 'cipher') + encpart_cipher = self.getElementValue(encpart, 'cipher') + + encpart_decryption_key = None + if check_padata_fn is not None: + # See if get the decryption key from the preauth phase + encpart_decryption_key,encpart_decryption_usage = \ + check_padata_fn(kdc_exchange_dict, callback_dict, + rep, padata) + + ticket_private = None + if ticket_decryption_key is not None: + self.assertElementEqual(ticket_encpart, 'etype', ticket_decryption_key.etype) + self.assertElementKVNO(ticket_encpart, 'kvno', ticket_decryption_key.kvno) + ticket_decpart = ticket_decryption_key.decrypt(KU_TICKET, ticket_cipher) + ticket_private = self.der_decode(ticket_decpart, asn1Spec=krb5_asn1.EncTicketPart()) + + encpart_private = None + if encpart_decryption_key is not None: + self.assertElementEqual(encpart, 'etype', encpart_decryption_key.etype) + self.assertElementKVNO(encpart, 'kvno', encpart_decryption_key.kvno) + rep_decpart = encpart_decryption_key.decrypt(encpart_decryption_usage, encpart_cipher) + encpart_private = self.der_decode(rep_decpart, asn1Spec=rep_encpart_asn1Spec()) + + if check_kdc_private_fn is not None: + check_kdc_private_fn(kdc_exchange_dict, callback_dict, + rep, ticket_private, encpart_private) + + return rep + + def generic_check_kdc_private(self, + kdc_exchange_dict, + callback_dict, + rep, + ticket_private, + encpart_private): + + expected_crealm = kdc_exchange_dict['expected_crealm'] + expected_cname = kdc_exchange_dict['expected_cname'] + expected_srealm = kdc_exchange_dict['expected_srealm'] + expected_sname = kdc_exchange_dict['expected_sname'] + ticket_decryption_key = kdc_exchange_dict['ticket_decryption_key'] + + ticket = self.getElementValue(rep, 'ticket') + + ticket_session_key = None + if ticket_private is not None: + self.assertElementPresent(ticket_private, 'flags') + self.assertElementPresent(ticket_private, 'key') + ticket_key = self.getElementValue(ticket_private, 'key') + if ticket_key is not None: # Never None, but gives indentation + self.assertElementPresent(ticket_key, 'keytype') + self.assertElementPresent(ticket_key, 'keyvalue') + ticket_session_key = self.EncryptionKey_import(ticket_key) + self.assertElementEqualUTF8(ticket_private, 'crealm', expected_crealm) + self.assertElementEqualPrincipal(ticket_private, 'cname', expected_cname) + self.assertElementPresent(ticket_private, 'transited') + self.assertElementPresent(ticket_private, 'authtime') + if self.strict_checking: + self.assertElementPresent(ticket_private, 'starttime') + self.assertElementPresent(ticket_private, 'endtime') + # TODO self.assertElementPresent(ticket_private, 'renew-till') + # TODO self.assertElementMissing(ticket_private, 'caddr') + self.assertElementPresent(ticket_private, 'authorization-data') + + encpart_session_key = None + if encpart_private is not None: + self.assertElementPresent(encpart_private, 'key') + encpart_key = self.getElementValue(encpart_private, 'key') + if encpart_key is not None: # Never None, but gives indentation + self.assertElementPresent(encpart_key, 'keytype') + self.assertElementPresent(encpart_key, 'keyvalue') + encpart_session_key = self.EncryptionKey_import(encpart_key) + self.assertElementPresent(encpart_private, 'last-req') + self.assertElementPresent(encpart_private, 'nonce') + # TODO self.assertElementPresent(encpart_private, 'key-expiration') + self.assertElementPresent(encpart_private, 'flags') + self.assertElementPresent(encpart_private, 'authtime') + if self.strict_checking: + self.assertElementPresent(encpart_private, 'starttime') + self.assertElementPresent(encpart_private, 'endtime') + # TODO self.assertElementPresent(encpart_private, 'renew-till') + self.assertElementEqualUTF8(encpart_private, 'srealm', expected_srealm) + self.assertElementEqualPrincipal(encpart_private, 'sname', expected_sname) + # TODO self.assertElementMissing(encpart_private, 'caddr') + + if ticket_session_key is not None and encpart_session_key is not None: + self.assertEqual(ticket_session_key.etype, encpart_session_key.etype) + self.assertEqual(ticket_session_key.key.contents, encpart_session_key.key.contents) + if encpart_session_key is not None: + session_key = encpart_session_key + else: + session_key = ticket_session_key + ticket_creds = KerberosTicketCreds(ticket, + session_key, + crealm=expected_crealm, + cname=expected_cname, + srealm=expected_srealm, + sname=expected_sname, + decryption_key=ticket_decryption_key, + ticket_private=ticket_private, + encpart_private=encpart_private) + + kdc_exchange_dict['rep_ticket_creds'] = ticket_creds + return + + def generic_check_as_error(self, + kdc_exchange_dict, + callback_dict, + rep): + + expected_crealm = kdc_exchange_dict['expected_crealm'] + expected_cname = kdc_exchange_dict['expected_cname'] + expected_srealm = kdc_exchange_dict['expected_srealm'] + expected_sname = kdc_exchange_dict['expected_sname'] + expected_salt = kdc_exchange_dict['expected_salt'] + client_as_etypes = kdc_exchange_dict['client_as_etypes'] + expected_error_mode = kdc_exchange_dict['expected_error_mode'] + req_body = kdc_exchange_dict['req_body'] + proposed_etypes = req_body['etype'] + + kdc_exchange_dict['preauth_etype_info2'] = None + + expect_etype_info2 = () + expect_etype_info = False + unexpect_etype_info = True + expected_aes_type = 0 + expected_rc4_type = 0 + if kcrypto.Enctype.RC4 in proposed_etypes: + expect_etype_info = True + for etype in proposed_etypes: + if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): + expect_etype_info = False + if etype not in client_as_etypes: + continue + if etype in (kcrypto.Enctype.AES256,kcrypto.Enctype.AES128): + if etype > expected_aes_type: + expected_aes_type = etype + if etype in (kcrypto.Enctype.RC4,): + unexpect_etype_info = False + if etype > expected_rc4_type: + expected_rc4_type = etype + + if expected_aes_type != 0: + expect_etype_info2 += (expected_aes_type,) + if expected_rc4_type != 0: + expect_etype_info2 += (expected_rc4_type,) + + expected_error = KDC_ERR_ETYPE_NOSUPP + expected_patypes = () + if expect_etype_info: + self.assertGreater(len(expect_etype_info2), 0) + expected_patypes += (PADATA_ETYPE_INFO,) + if len(expect_etype_info2) != 0: + expected_error = KDC_ERR_PREAUTH_REQUIRED + expected_patypes += (PADATA_ETYPE_INFO2,) + + expected_patypes += (PADATA_ENC_TIMESTAMP,) + expected_patypes += (PADATA_PK_AS_REQ,) + expected_patypes += (PADATA_PK_AS_REP_19,) + + self.assertElementEqual(rep, 'msg-type', KRB_ERROR) + self.assertElementEqual(rep, 'error-code', expected_error) + self.assertElementMissing(rep, 'ctime') + self.assertElementMissing(rep, 'cusec') + self.assertElementPresent(rep, 'stime') + self.assertElementPresent(rep, 'susec') + # error-code checked above + if self.strict_checking: + self.assertElementMissing(rep, 'crealm') + self.assertElementMissing(rep, 'cname') + self.assertElementEqualUTF8(rep, 'realm', expected_srealm) + self.assertElementEqualPrincipal(rep, 'sname', expected_sname) + if self.strict_checking: + self.assertElementMissing(rep, 'e-text') + if expected_error_mode != KDC_ERR_PREAUTH_REQUIRED: + self.assertElementMissing(rep, 'e-data') + return + edata = self.getElementValue(rep, 'e-data') + if self.strict_checking: + self.assertIsNotNone(edata) + if edata is not None: + rep_padata = self.der_decode(edata, asn1Spec=krb5_asn1.METHOD_DATA()) + self.assertGreater(len(rep_padata), 0) + else: + rep_padata = [] + + if self.strict_checking: + for i in range(0, len(expected_patypes)): + self.assertElementEqual(rep_padata[i], 'padata-type', expected_patypes[i]) + self.assertEqual(len(rep_padata), len(expected_patypes)) + + etype_info2 = None + etype_info = None + enc_timestamp = None + pk_as_req = None + pk_as_rep19 = None + for pa in rep_padata: + patype = self.getElementValue(pa, 'padata-type') + pavalue = self.getElementValue(pa, 'padata-value') + if patype == PADATA_ETYPE_INFO2: + self.assertIsNone(etype_info2) + etype_info2 = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO2()) + continue + if patype == PADATA_ETYPE_INFO: + self.assertIsNone(etype_info) + etype_info = self.der_decode(pavalue, asn1Spec=krb5_asn1.ETYPE_INFO()) + continue + if patype == PADATA_ENC_TIMESTAMP: + self.assertIsNone(enc_timestamp) + enc_timestamp = pavalue + self.assertEqual(len(enc_timestamp), 0) + continue + if patype == PADATA_PK_AS_REQ: + self.assertIsNone(pk_as_req) + pk_as_req = pavalue + self.assertEqual(len(pk_as_req), 0) + continue + if patype == PADATA_PK_AS_REP_19: + self.assertIsNone(pk_as_rep19) + pk_as_rep19 = pavalue + self.assertEqual(len(pk_as_rep19), 0) + continue + + if expected_error == KDC_ERR_ETYPE_NOSUPP: + self.assertIsNone(etype_info2) + self.assertIsNone(etype_info) + if self.strict_checking: + self.assertIsNotNone(enc_timestamp) + self.assertIsNotNone(pk_as_req) + self.assertIsNotNone(pk_as_rep19) + return + + self.assertIsNotNone(etype_info2) + if expect_etype_info: + self.assertIsNotNone(etype_info) + else: + if self.strict_checking: + self.assertIsNone(etype_info) + if unexpect_etype_info: + self.assertIsNone(etype_info) + + self.assertGreaterEqual(len(etype_info2), 1) + self.assertLessEqual(len(etype_info2), len(expect_etype_info2)) + if self.strict_checking: + self.assertEqual(len(etype_info2), len(expect_etype_info2)) + for i in range(0, len(etype_info2)): + e = self.getElementValue(etype_info2[i], 'etype') + self.assertEqual(e, expect_etype_info2[i]) + salt = self.getElementValue(etype_info2[i], 'salt') + if e == kcrypto.Enctype.RC4: + self.assertIsNone(salt) + else: + self.assertIsNotNone(salt) + if expected_salt is not None: + self.assertEqual(salt, expected_salt) + s2kparams = self.getElementValue(etype_info2[i], 's2kparams') + if self.strict_checking: + self.assertIsNone(s2kparams) + if etype_info is not None: + self.assertEqual(len(etype_info), 1) + e = self.getElementValue(etype_info[0], 'etype') + self.assertEqual(e, kcrypto.Enctype.RC4) + self.assertEqual(e, expect_etype_info2[0]) + salt = self.getElementValue(etype_info[0], 'salt') + if self.strict_checking: + self.assertIsNotNone(salt) + self.assertEqual(len(salt), 0) + + self.assertIsNotNone(enc_timestamp) + self.assertIsNotNone(pk_as_req) + self.assertIsNotNone(pk_as_rep19) + + kdc_exchange_dict['preauth_etype_info2'] = etype_info2 + return + + def generate_simple_tgs_padata(self, + kdc_exchange_dict, + callback_dict, + req_body): + tgt = kdc_exchange_dict['tgt'] + authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] + body_checksum_type = kdc_exchange_dict['body_checksum_type'] + + req_body_blob = self.der_encode(req_body, asn1Spec=krb5_asn1.KDC_REQ_BODY()) + + req_body_checksum = self.Checksum_create(tgt.session_key, + KU_TGS_REQ_AUTH_CKSUM, + req_body_blob, + ctype=body_checksum_type) + + subkey_obj = None + if authenticator_subkey is not None: + subkey_obj = authenticator_subkey.export_obj() + seq_number = random.randint(0, 0xfffffffe) + (ctime, cusec) = self.get_KerberosTimeWithUsec() + authenticator_obj = self.Authenticator_create(crealm=tgt.crealm, + cname=tgt.cname, + cksum=req_body_checksum, + cusec=cusec, + ctime=ctime, + subkey=subkey_obj, + seq_number=seq_number, + authorization_data=None) + authenticator_blob = self.der_encode(authenticator_obj, asn1Spec=krb5_asn1.Authenticator()) + + authenticator = self.EncryptedData_create(tgt.session_key, + KU_TGS_REQ_AUTH, + authenticator_blob) + + ap_options = krb5_asn1.APOptions('0') + ap_req_obj = self.AP_REQ_create(ap_options=str(ap_options), + ticket=tgt.ticket, + authenticator=authenticator) + ap_req = self.der_encode(ap_req_obj, asn1Spec=krb5_asn1.AP_REQ()) + pa_tgs_req = self.PA_DATA_create(PADATA_KDC_REQ, ap_req) + padata = [pa_tgs_req] + + return padata, req_body + + def check_simple_tgs_padata(self, + kdc_exchange_dict, + callback_dict, + rep, + padata): + tgt = kdc_exchange_dict['tgt'] + authenticator_subkey = kdc_exchange_dict['authenticator_subkey'] + if authenticator_subkey is not None: + subkey = authenticator_subkey + subkey_usage = KU_TGS_REP_ENC_PART_SUB_KEY + else: + subkey = tgt.session_key + subkey_usage = KU_TGS_REP_ENC_PART_SESSION + + return subkey, subkey_usage + + def _test_as_exchange(self, + cname, +